diff options
Diffstat (limited to 'bcpkix/src/main/java/org/bouncycastle')
128 files changed, 3270 insertions, 12454 deletions
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/X509ContentVerifierProviderBuilder.java b/bcpkix/src/main/java/org/bouncycastle/cert/X509ContentVerifierProviderBuilder.java new file mode 100644 index 0000000..af3bd09 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/X509ContentVerifierProviderBuilder.java @@ -0,0 +1,14 @@ +package org.bouncycastle.cert; + +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.operator.ContentVerifierProvider; +import org.bouncycastle.operator.OperatorCreationException; + +public interface X509ContentVerifierProviderBuilder +{ + ContentVerifierProvider build(SubjectPublicKeyInfo validatingKeyInfo) + throws OperatorCreationException; + + ContentVerifierProvider build(X509CertificateHolder validatingKeyInfo) + throws OperatorCreationException; +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/cmp/package.html b/bcpkix/src/main/java/org/bouncycastle/cert/cmp/package.html deleted file mode 100644 index a58af18..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cert/cmp/package.html +++ /dev/null @@ -1,7 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" - "http://www.w3.org/TR/html4/loose.dtd"> -<html> -<body bgcolor="#ffffff"> -Basic support package for handling and creating CMP (RFC 4210) certificate management messages. -</body> -</html>
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/cmp/test/AllTests.java b/bcpkix/src/main/java/org/bouncycastle/cert/cmp/test/AllTests.java index 7ccfd1f..2763083 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cert/cmp/test/AllTests.java +++ b/bcpkix/src/main/java/org/bouncycastle/cert/cmp/test/AllTests.java @@ -36,6 +36,7 @@ import org.bouncycastle.cert.cmp.CertificateStatus; import org.bouncycastle.cert.cmp.GeneralPKIMessage; import org.bouncycastle.cert.cmp.ProtectedPKIMessage; import org.bouncycastle.cert.cmp.ProtectedPKIMessageBuilder; +import org.bouncycastle.cert.crmf.CertificateRequestMessage; import org.bouncycastle.cert.crmf.CertificateRequestMessageBuilder; import org.bouncycastle.cert.crmf.PKMACBuilder; import org.bouncycastle.cert.crmf.jcajce.JcaCertificateRequestMessageBuilder; @@ -224,6 +225,50 @@ public class AllTests assertEquals(ProofOfPossession.TYPE_KEY_ENCIPHERMENT, reqMsg.getPopo().getType()); } + public void testNotBeforeNotAfter() + throws Exception + { + KeyPairGenerator kGen = KeyPairGenerator.getInstance("RSA", BC); + + kGen.initialize(512); + + KeyPair kp = kGen.generateKeyPair(); + + doNotBeforeNotAfterTest(kp, new Date(0L), new Date(60000L)); + doNotBeforeNotAfterTest(kp, null, new Date(60000L)); + doNotBeforeNotAfterTest(kp, new Date(0L), null); + } + + private void doNotBeforeNotAfterTest(KeyPair kp, Date notBefore, Date notAfter) + throws Exception + { + CertificateRequestMessageBuilder builder = new JcaCertificateRequestMessageBuilder( + BigInteger.valueOf(1)).setPublicKey(kp.getPublic()).setProofOfPossessionSubsequentMessage( + SubsequentMessage.encrCert); + + builder.setValidity(notBefore, notAfter); + + CertificateRequestMessage message = builder.build(); + + if (notBefore != null) + { + assertEquals(notBefore.getTime(), message.getCertTemplate().getValidity().getNotBefore().getDate().getTime()); + } + else + { + assertNull(message.getCertTemplate().getValidity().getNotBefore()); + } + + if (notAfter != null) + { + assertEquals(notAfter.getTime(), message.getCertTemplate().getValidity().getNotAfter().getDate().getTime()); + } + else + { + assertNull(message.getCertTemplate().getValidity().getNotAfter()); + } + } + private static X509CertificateHolder makeV3Certificate(KeyPair subKP, String _subDN, KeyPair issKP, String _issDN) throws GeneralSecurityException, IOException, OperatorCreationException, CertException { diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/crmf/CertificateRequestMessageBuilder.java b/bcpkix/src/main/java/org/bouncycastle/cert/crmf/CertificateRequestMessageBuilder.java index 0147ffc..aa48235 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cert/crmf/CertificateRequestMessageBuilder.java +++ b/bcpkix/src/main/java/org/bouncycastle/cert/crmf/CertificateRequestMessageBuilder.java @@ -2,6 +2,7 @@ package org.bouncycastle.cert.crmf; import java.math.BigInteger; import java.util.ArrayList; +import java.util.Date; import java.util.Iterator; import java.util.List; @@ -17,6 +18,7 @@ import org.bouncycastle.asn1.crmf.CertReqMsg; import org.bouncycastle.asn1.crmf.CertRequest; import org.bouncycastle.asn1.crmf.CertTemplate; import org.bouncycastle.asn1.crmf.CertTemplateBuilder; +import org.bouncycastle.asn1.crmf.OptionalValidity; import org.bouncycastle.asn1.crmf.POPOPrivKey; import org.bouncycastle.asn1.crmf.ProofOfPossession; import org.bouncycastle.asn1.crmf.SubsequentMessage; @@ -24,6 +26,7 @@ import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.ExtensionsGenerator; import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.asn1.x509.Time; import org.bouncycastle.cert.CertIOException; import org.bouncycastle.operator.ContentSigner; @@ -90,6 +93,31 @@ public class CertificateRequestMessageBuilder return this; } + /** + * Request a validity period for the certificate. Either, but not both, of the date parameters may be null. + * + * @param notBeforeDate not before date for certificate requested. + * @param notAfterDate not after date for the certificate requested. + * + * @return the current builder. + */ + public CertificateRequestMessageBuilder setValidity(Date notBeforeDate, Date notAfterDate) + { + templateBuilder.setValidity(new OptionalValidity(createTime(notBeforeDate), createTime(notAfterDate))); + + return this; + } + + private Time createTime(Date date) + { + if (date != null) + { + return new Time(date); + } + + return null; + } + public CertificateRequestMessageBuilder addExtension( ASN1ObjectIdentifier oid, boolean critical, diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/crmf/jcajce/CRMFHelper.java b/bcpkix/src/main/java/org/bouncycastle/cert/crmf/jcajce/CRMFHelper.java index 30cae1e..8747bc0 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cert/crmf/jcajce/CRMFHelper.java +++ b/bcpkix/src/main/java/org/bouncycastle/cert/crmf/jcajce/CRMFHelper.java @@ -42,6 +42,7 @@ import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; import org.bouncycastle.cert.crmf.CRMFException; import org.bouncycastle.cms.CMSAlgorithm; import org.bouncycastle.jcajce.JcaJceHelper; +import org.bouncycastle.jcajce.JcaJceUtils; class CRMFHelper { @@ -157,7 +158,9 @@ class CRMFHelper throw new CRMFException("cannot create key generator: " + e.getMessage(), e); } } - + + + Cipher createContentCipher(final Key sKey, final AlgorithmIdentifier encryptionAlgID) throws CRMFException { @@ -180,7 +183,7 @@ class CRMFHelper try { - params.init(sParams.getEncoded(), "ASN.1"); + JcaJceUtils.loadParameters(params, sParams); } catch (IOException e) { @@ -389,7 +392,7 @@ class CRMFHelper { try { - asn1Params = ASN1Primitive.fromByteArray(params.getEncoded("ASN.1")); + asn1Params = JcaJceUtils.extractParameters(params); } catch (IOException e) { diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/crmf/jcajce/package.html b/bcpkix/src/main/java/org/bouncycastle/cert/crmf/jcajce/package.html deleted file mode 100644 index e9bc53f..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cert/crmf/jcajce/package.html +++ /dev/null @@ -1,7 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" - "http://www.w3.org/TR/html4/loose.dtd"> -<html> -<body bgcolor="#ffffff"> -JCA extensions to the CRMF online certificate request package. -</body> -</html>
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/crmf/package.html b/bcpkix/src/main/java/org/bouncycastle/cert/crmf/package.html deleted file mode 100644 index 521fc44..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cert/crmf/package.html +++ /dev/null @@ -1,7 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" - "http://www.w3.org/TR/html4/loose.dtd"> -<html> -<body bgcolor="#ffffff"> -Basic support package for handling and creating CRMF (RFC 4211) certificate request messages. -</body> -</html>
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509ContentVerifierProviderBuilder.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509ContentVerifierProviderBuilder.java new file mode 100644 index 0000000..5f4c530 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509ContentVerifierProviderBuilder.java @@ -0,0 +1,50 @@ +package org.bouncycastle.cert.jcajce; + +import java.security.Provider; +import java.security.cert.CertificateException; + +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.X509ContentVerifierProviderBuilder; +import org.bouncycastle.operator.ContentVerifierProvider; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder; + +public class JcaX509ContentVerifierProviderBuilder + implements X509ContentVerifierProviderBuilder +{ + private JcaContentVerifierProviderBuilder builder = new JcaContentVerifierProviderBuilder(); + + public JcaX509ContentVerifierProviderBuilder setProvider(Provider provider) + { + this.builder.setProvider(provider); + + return this; + } + + public JcaX509ContentVerifierProviderBuilder setProvider(String providerName) + { + this.builder.setProvider(providerName); + + return this; + } + + public ContentVerifierProvider build(SubjectPublicKeyInfo validatingKeyInfo) + throws OperatorCreationException + { + return builder.build(validatingKeyInfo); + } + + public ContentVerifierProvider build(X509CertificateHolder validatingKeyInfo) + throws OperatorCreationException + { + try + { + return builder.build(validatingKeyInfo); + } + catch (CertificateException e) + { + throw new OperatorCreationException("Unable to process certificate: " + e.getMessage(), e); + } + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/package.html b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/package.html deleted file mode 100644 index cc15e01..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/package.html +++ /dev/null @@ -1,7 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" - "http://www.w3.org/TR/html4/loose.dtd"> -<html> -<body bgcolor="#ffffff"> -JCA extensions to the certificate building and processing package. -</body> -</html>
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/ocsp/jcajce/package.html b/bcpkix/src/main/java/org/bouncycastle/cert/ocsp/jcajce/package.html deleted file mode 100644 index cfe87f2..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cert/ocsp/jcajce/package.html +++ /dev/null @@ -1,7 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" - "http://www.w3.org/TR/html4/loose.dtd"> -<html> -<body bgcolor="#ffffff"> -JCA extensions to the OCSP online certificate status package. -</body> -</html>
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/ocsp/package.html b/bcpkix/src/main/java/org/bouncycastle/cert/ocsp/package.html deleted file mode 100644 index 234cb32..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cert/ocsp/package.html +++ /dev/null @@ -1,7 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" - "http://www.w3.org/TR/html4/loose.dtd"> -<html> -<body bgcolor="#ffffff"> -Basic support package for handling and creating OCSP (RFC 2560) online certificate status requests. -</body> -</html>
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/package.html b/bcpkix/src/main/java/org/bouncycastle/cert/package.html deleted file mode 100644 index 1b2a305..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cert/package.html +++ /dev/null @@ -1,5 +0,0 @@ -<html> -<body bgcolor="#ffffff"> -Basic support package for handling and creating X.509 certificates, CRLs, and attribute certificates. -</body> -</html> diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPath.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPath.java new file mode 100644 index 0000000..f91b3a8 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPath.java @@ -0,0 +1,80 @@ +package org.bouncycastle.cert.path; + +import org.bouncycastle.cert.X509CertificateHolder; + +public class CertPath +{ + private final X509CertificateHolder[] certificates; + + public CertPath(X509CertificateHolder[] certificates) + { + this.certificates = copyArray(certificates); + } + + public X509CertificateHolder[] getCertificates() + { + return copyArray(certificates); + } + + public CertPathValidationResult validate(CertPathValidation[] ruleSet) + { + CertPathValidationContext context = new CertPathValidationContext(CertPathUtils.getCriticalExtensionsOIDs(certificates)); + + for (int i = 0; i != ruleSet.length; i++) + { + for (int j = certificates.length - 1; j >= 0; j--) + { + try + { + context.setIsEndEntity(j == 0); + ruleSet[i].validate(context, certificates[j]); + } + catch (CertPathValidationException e) + { // TODO: introduce object to hold (i and e) + return new CertPathValidationResult(context, j, i, e); + } + } + } + + return new CertPathValidationResult(context); + } + + public CertPathValidationResult evaluate(CertPathValidation[] ruleSet) + { + CertPathValidationContext context = new CertPathValidationContext(CertPathUtils.getCriticalExtensionsOIDs(certificates)); + + CertPathValidationResultBuilder builder = new CertPathValidationResultBuilder(); + + for (int i = 0; i != ruleSet.length; i++) + { + for (int j = certificates.length - 1; j >= 0; j--) + { + try + { + context.setIsEndEntity(j == 0); + ruleSet[i].validate(context, certificates[j]); + } + catch (CertPathValidationException e) + { + builder.addException(e); + } + } + } + + return builder.build(); + } + + private X509CertificateHolder[] copyArray(X509CertificateHolder[] array) + { + X509CertificateHolder[] rv = new X509CertificateHolder[array.length]; + + System.arraycopy(array, 0, rv, 0, rv.length); + + return rv; + } + + public int length() + { + return certificates.length; + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathUtils.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathUtils.java new file mode 100644 index 0000000..4811a3d --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathUtils.java @@ -0,0 +1,21 @@ +package org.bouncycastle.cert.path; + +import java.util.HashSet; +import java.util.Set; + +import org.bouncycastle.cert.X509CertificateHolder; + +class CertPathUtils +{ + static Set getCriticalExtensionsOIDs(X509CertificateHolder[] certificates) + { + Set criticalExtensions = new HashSet(); + + for (int i = 0; i != certificates.length; i++) + { + criticalExtensions.addAll(certificates[i].getCriticalExtensionOIDs()); + } + + return criticalExtensions; + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidation.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidation.java new file mode 100644 index 0000000..2704fe6 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidation.java @@ -0,0 +1,11 @@ +package org.bouncycastle.cert.path; + +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.util.Memoable; + +public interface CertPathValidation + extends Memoable +{ + public void validate(CertPathValidationContext context, X509CertificateHolder certificate) + throws CertPathValidationException; +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationContext.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationContext.java new file mode 100644 index 0000000..6a4b0ec --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationContext.java @@ -0,0 +1,61 @@ +package org.bouncycastle.cert.path; + +import java.util.HashSet; +import java.util.Set; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.util.Memoable; + +public class CertPathValidationContext + implements Memoable +{ + private Set criticalExtensions; + + private Set handledExtensions = new HashSet(); + private boolean endEntity; + private int index; + + public CertPathValidationContext(Set criticalExtensionsOIDs) + { + this.criticalExtensions = criticalExtensionsOIDs; + } + + public void addHandledExtension(ASN1ObjectIdentifier extensionIdentifier) + { + this.handledExtensions.add(extensionIdentifier); + } + + public void setIsEndEntity(boolean isEndEntity) + { + this.endEntity = isEndEntity; + } + + public Set getUnhandledCriticalExtensionOIDs() + { + Set rv = new HashSet(criticalExtensions); + + rv.removeAll(handledExtensions); + + return rv; + } + + /** + * Returns true if the current certificate is the end-entity certificate. + * + * @return if current cert end-entity, false otherwise. + */ + public boolean isEndEntity() + { + return endEntity; + } + + public Memoable copy() + { + return null; //To change body of implemented methods use File | Settings | File Templates. + } + + public void reset(Memoable other) + { + //To change body of implemented methods use File | Settings | File Templates. + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationException.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationException.java new file mode 100644 index 0000000..958f2d0 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationException.java @@ -0,0 +1,24 @@ +package org.bouncycastle.cert.path; + +public class CertPathValidationException + extends Exception +{ + private final Exception cause; + + public CertPathValidationException(String msg) + { + this(msg, null); + } + + public CertPathValidationException(String msg, Exception cause) + { + super(msg); + + this.cause = cause; + } + + public Throwable getCause() + { + return cause; + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationResult.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationResult.java new file mode 100644 index 0000000..facefb4 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationResult.java @@ -0,0 +1,66 @@ +package org.bouncycastle.cert.path; + +import java.util.Collections; +import java.util.Set; + +public class CertPathValidationResult +{ + private final boolean isValid; + private final CertPathValidationException cause; + private final Set unhandledCriticalExtensionOIDs; + + private int[] certIndexes; + + public CertPathValidationResult(CertPathValidationContext context) + { + this.unhandledCriticalExtensionOIDs = Collections.unmodifiableSet(context.getUnhandledCriticalExtensionOIDs()); + this.isValid = this.unhandledCriticalExtensionOIDs.isEmpty(); + cause = null; + } + + public CertPathValidationResult(CertPathValidationContext context, int certIndex, int ruleIndex, CertPathValidationException cause) + { + this.unhandledCriticalExtensionOIDs = Collections.unmodifiableSet(context.getUnhandledCriticalExtensionOIDs()); + this.isValid = false; + this.cause = cause; + } + + public CertPathValidationResult(CertPathValidationContext context, int[] certIndexes, int[] ruleIndexes, CertPathValidationException[] cause) + { + // TODO + this.unhandledCriticalExtensionOIDs = Collections.unmodifiableSet(context.getUnhandledCriticalExtensionOIDs()); + this.isValid = false; + this.cause = cause[0]; + this.certIndexes = certIndexes; + } + + public boolean isValid() + { + return isValid; + } + + public Exception getCause() + { + if (cause != null) + { + return cause; + } + + if (!unhandledCriticalExtensionOIDs.isEmpty()) + { + return new CertPathValidationException("Unhandled Critical Extensions"); + } + + return null; + } + + public Set getUnhandledCriticalExtensionOIDs() + { + return unhandledCriticalExtensionOIDs; + } + + public boolean isDetailed() + { + return this.certIndexes != null; + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationResultBuilder.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationResultBuilder.java new file mode 100644 index 0000000..9e81339 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/CertPathValidationResultBuilder.java @@ -0,0 +1,14 @@ +package org.bouncycastle.cert.path; + +class CertPathValidationResultBuilder +{ + public CertPathValidationResult build() + { + return new CertPathValidationResult(null, 0, 0, null); + } + + public void addException(CertPathValidationException exception) + { + //To change body of created methods use File | Settings | File Templates. + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/test/CertPathTest.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/test/CertPathTest.java new file mode 100644 index 0000000..3b8e23e --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/test/CertPathTest.java @@ -0,0 +1,369 @@ +package org.bouncycastle.cert.path.test; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectOutputStream; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.CertPath; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertPathBuilderException; +import java.security.cert.CertPathBuilderResult; +import java.security.cert.CertStore; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Collections; +import java.util.HashSet; +import java.util.Iterator; +import java.util.List; +import java.util.Set; +import java.util.Vector; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; + +public class CertPathTest + extends SimpleTest +{ + public static byte[] rootCertBin = Base64.decode( + "MIIBqzCCARQCAQEwDQYJKoZIhvcNAQEFBQAwHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZTAeFw0wODA5MDQwNDQ1MDhaFw0wODA5MTEwNDQ1MDhaMB4xHDAaBgNVBAMTE1Rlc3QgQ0EgQ2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMRLUjhPe4YUdLo6EcjKcWUOG7CydFTH53Pr1lWjOkbmszYDpkhCTT9LOsI+disk18nkBxSl8DAHTqV+VxtuTPt64iyi10YxyDeep+DwZG/f8cVQv97U3hA9cLurZ2CofkMLGr6JpSGCMZ9FcstcTdHB4lbErIJ54YqfF4pNOs4/AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAgyrTEFY7ALpeY59jL6xFOLpuPqoBOWrUWv6O+zy5BCU0qiX71r3BpigtxRj+DYcfLIM9FNERDoHu3TthD3nwYWUBtFX8N0QUJIdJabxqAMhLjSC744koiFpCYse5Ye3ZvEdFwDzgAQsJTp5eFGgTZPkPzcdhkFJ2p9+OWs+cb24="); + + + static byte[] interCertBin = Base64.decode( + "MIICSzCCAbSgAwIBAgIBATANBgkqhkiG9w0BAQUFADAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlMB4XDTA4MDkwNDA0NDUwOFoXDTA4MDkxMTA0NDUwOFowKDEmMCQGA1UEAxMdVGVzdCBJbnRlcm1lZGlhdGUgQ2VydGlmaWNhdGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAISS9OOZ2wxzdWny9aVvk4Joq+dwSJ+oqvHUxX3PflZyuiLiCBUOUE4q59dGKdtNX5fIfwyK3cpV0e73Y/0fwfM3m9rOWFrCKOhfeswNTes0w/2PqPVVDDsF/nj7NApuqXwioeQlgTL251RDF4sVoxXqAU7lRkcqwZt3mwqS4KTJAgMBAAGjgY4wgYswRgYDVR0jBD8wPYAUhv8BOT27EB9JaCccJD4YASPP5XWhIqQgMB4xHDAaBgNVBAMTE1Rlc3QgQ0EgQ2VydGlmaWNhdGWCAQEwHQYDVR0OBBYEFL/IwAGOkHzaQyPZegy79CwM5oTFMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBBQUAA4GBAE4TRgUz4sUvZyVdZxqV+XyNRnqXAeLOOqFGYv2D96tQrS+zjd0elVlT6lFrtchZdOmmX7R6/H/tjMWMcTBICZyRYrvK8cCAmDOI+EIdq5p6lj2Oq6Pbw/wruojAqNrpaR6IkwNpWtdOSSupv4IJL+YU9q2YFTh4R1j3tOkPoFGr"); + + static byte[] finalCertBin = Base64.decode( + "MIICRjCCAa+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAoMSYwJAYDVQQDEx1UZXN0IEludGVybWVkaWF0ZSBDZXJ0aWZpY2F0ZTAeFw0wODA5MDQwNDQ1MDhaFw0wODA5MTEwNDQ1MDhaMB8xHTAbBgNVBAMTFFRlc3QgRW5kIENlcnRpZmljYXRlMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChpUeo0tPYywWKiLlbWKNJBcCpSaLSlaZ+4+yer1AxI5yJIVHP6SAlBghlbD5Qne5ImnN/15cz1xwYAiul6vGKJkVPlFEe2Mr+g/J/WJPQQPsjbZ1G+vxbAwXEDA4KaQrnpjRZFq+CdKHwOjuPLYS/MYQNgdIvDVEQcTbPQ8GaiQIDAQABo4GIMIGFMEYGA1UdIwQ/MD2AFL/IwAGOkHzaQyPZegy79CwM5oTFoSKkIDAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlggEBMB0GA1UdDgQWBBSVkw+VpqBf3zsLc/9GdkK9TzHPwDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQUFAAOBgQBLv/0bVDjzTs/y1vN3FUiZNknEbzupIZduTuXJjqv/vBX+LDPjUfu/+iOCXOSKoRn6nlOWhwB1z6taG2usQkFG8InMkRcPREi2uVgFdhJ/1C3dAWhsdlubjdL926bftXvxnx/koDzyrePW5U96RlOQM2qLvbaky2Giz6hrc3Wl+w=="); + public static byte[] rootCrlBin = Base64.decode( + "MIIBYjCBzAIBATANBgkqhkiG9w0BAQsFADAeMRwwGgYDVQQDExNUZXN0IENBIENlcnRpZmljYXRlFw0wODA5MDQwNDQ1MDhaFw0wODA5MDQwNzMxNDhaMCIwIAIBAhcNMDgwOTA0MDQ0NTA4WjAMMAoGA1UdFQQDCgEJoFYwVDBGBgNVHSMEPzA9gBSG/wE5PbsQH0loJxwkPhgBI8/ldaEipCAwHjEcMBoGA1UEAxMTVGVzdCBDQSBDZXJ0aWZpY2F0ZYIBATAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQsFAAOBgQCAbaFCo0BNG4AktVf6jjBLeawP1u0ELYkOCEGvYZE0mBpQ+OvFg7subZ6r3lRIj030nUli28sPFtu5ZQMBNcpE4nS1ziF44RfT3Lp5UgHx9x17Krz781iEyV+7zU8YxYMY9wULD+DCuK294kGKIssVNbmTYXZatBNoXQN5CLIocA=="); + static byte[] interCrlBin = Base64.decode( + "MIIBbDCB1gIBATANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1UZXN0IEludGVybWVkaWF0ZSBDZXJ0aWZpY2F0ZRcNMDgwOTA0MDQ0NTA4WhcNMDgwOTA0MDczMTQ4WjAiMCACAQIXDTA4MDkwNDA0NDUwOFowDDAKBgNVHRUEAwoBCaBWMFQwRgYDVR0jBD8wPYAUv8jAAY6QfNpDI9l6DLv0LAzmhMWhIqQgMB4xHDAaBgNVBAMTE1Rlc3QgQ0EgQ2VydGlmaWNhdGWCAQEwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQELBQADgYEAEVCr5TKs5yguGgLH+dBzmSPoeSIWJFLsgWwJEit/iUDJH3dgYmaczOcGxIDtbYYHLWIHM+P2YRyQz3MEkCXEgm/cx4y7leAmux5l+xQWgmxFPz+197vaphPeCZo+B7V1CWtm518gcq4mrs9ovfgNqgyFj7KGjcBpWdJE32KMt50="); + + /* + * certpath with a circular reference + */ + static byte[] certA = Base64.decode( + "MIIC6jCCAlOgAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBjTEPMA0GA1UEAxMGSW50" + + "ZXIzMQswCQYDVQQGEwJDSDEPMA0GA1UEBxMGWnVyaWNoMQswCQYDVQQIEwJaSDEX" + + "MBUGA1UEChMOUHJpdmFzcGhlcmUgQUcxEDAOBgNVBAsTB1Rlc3RpbmcxJDAiBgkq" + + "hkiG9w0BCQEWFWFybWluQHByaXZhc3BoZXJlLmNvbTAeFw0wNzA0MDIwODQ2NTda" + + "Fw0xNzAzMzAwODQ0MDBaMIGlMScwJQYDVQQDHh4AQQByAG0AaQBuACAASADkAGIA" + + "ZQByAGwAaQBuAGcxCzAJBgNVBAYTAkNIMQ8wDQYDVQQHEwZadXJpY2gxCzAJBgNV" + + "BAgTAlpIMRcwFQYDVQQKEw5Qcml2YXNwaGVyZSBBRzEQMA4GA1UECxMHVGVzdGlu" + + "ZzEkMCIGCSqGSIb3DQEJARYVYXJtaW5AcHJpdmFzcGhlcmUuY29tMIGfMA0GCSqG" + + "SIb3DQEBAQUAA4GNADCBiQKBgQCfHfyVs5dbxG35H/Thd29qR4NZU88taCu/OWA1" + + "GdACI02lXWYpmLWiDgnU0ULP+GG8OnVp1IES9fz2zcrXKQ19xZzsen/To3h5sNte" + + "cJpS00XMM24q/jDwy5NvkBP9YIfFKQ1E/0hFHXcqwlw+b/y/v6YGsZCU2h6QDzc4" + + "5m0+BwIDAQABo0AwPjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIE8DAeBglg" + + "hkgBhvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4GBAJEu" + + "KiSfIwsY7SfobMLrv2v/BtLhGLi4RnmjiwzBhuv5rn4rRfBpq1ppmqQMJ2pmA67v" + + "UWCY+mNwuyjHyivpCCyJGsZ9d5H09g2vqxzkDBMz7X9VNMZYFH8j/R3/Cfvqks31" + + "z0OFslJkeKLa1I0P/dfVHsRKNkLRT3Ws5LKksErQ"); + + static byte[] certB = Base64.decode( + "MIICtTCCAh6gAwIBAgIBBDANBgkqhkiG9w0BAQQFADCBjTEPMA0GA1UEAxMGSW50" + + "ZXIyMQswCQYDVQQGEwJDSDEPMA0GA1UEBxMGWnVyaWNoMQswCQYDVQQIEwJaSDEX" + + "MBUGA1UEChMOUHJpdmFzcGhlcmUgQUcxEDAOBgNVBAsTB1Rlc3RpbmcxJDAiBgkq" + + "hkiG9w0BCQEWFWFybWluQHByaXZhc3BoZXJlLmNvbTAeFw0wNzA0MDIwODQ2Mzha" + + "Fw0xNzAzMzAwODQ0MDBaMIGNMQ8wDQYDVQQDEwZJbnRlcjMxCzAJBgNVBAYTAkNI" + + "MQ8wDQYDVQQHEwZadXJpY2gxCzAJBgNVBAgTAlpIMRcwFQYDVQQKEw5Qcml2YXNw" + + "aGVyZSBBRzEQMA4GA1UECxMHVGVzdGluZzEkMCIGCSqGSIb3DQEJARYVYXJtaW5A" + + "cHJpdmFzcGhlcmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxCXIB" + + "QRnmVvl2h7Q+0SsRxDLnyM1dJG9jMa+UCCmHy0k/ZHs5VirSbjEJSjkQ9BGeh9SC" + + "7JwbMpXO7UE+gcVc2RnWUY+MA+fWIeTV4KtkYA8WPu8wVGCXbN8wwh/StOocszxb" + + "g+iLvGeh8CYSRqg6QN3S/02etH3o8H4e7Z0PZwIDAQABoyMwITAPBgNVHRMBAf8E" + + "BTADAQH/MA4GA1UdDwEB/wQEAwIB9jANBgkqhkiG9w0BAQQFAAOBgQCtWdirSsmt" + + "+CBBCNn6ZnbU3QqQfiiQIomjenNEHESJgaS/+PvPE5i3xWFXsunTHLW321/Km16I" + + "7+ZvT8Su1cqHg79NAT8QB0yke1saKSy2C0Pic4HwrNqVBWFNSxMU0hQzpx/ZXDbZ" + + "DqIXAp5EfyRYBy2ul+jm6Rot6aFgzuopKg=="); + + static byte[] certC = Base64.decode( + "MIICtTCCAh6gAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBjTEPMA0GA1UEAxMGSW50" + + "ZXIxMQswCQYDVQQGEwJDSDEPMA0GA1UEBxMGWnVyaWNoMQswCQYDVQQIEwJaSDEX" + + "MBUGA1UEChMOUHJpdmFzcGhlcmUgQUcxEDAOBgNVBAsTB1Rlc3RpbmcxJDAiBgkq" + + "hkiG9w0BCQEWFWFybWluQHByaXZhc3BoZXJlLmNvbTAeFw0wNzA0MDIwODQ0Mzla" + + "Fw0xNzAzMzAwODQ0MDBaMIGNMQ8wDQYDVQQDEwZJbnRlcjIxCzAJBgNVBAYTAkNI" + + "MQ8wDQYDVQQHEwZadXJpY2gxCzAJBgNVBAgTAlpIMRcwFQYDVQQKEw5Qcml2YXNw" + + "aGVyZSBBRzEQMA4GA1UECxMHVGVzdGluZzEkMCIGCSqGSIb3DQEJARYVYXJtaW5A" + + "cHJpdmFzcGhlcmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0rLr6" + + "f2/ONeJzTb0q9M/NNX+MnAFMSqiQGVBkT76u5nOH4KLkpHXkzI82JI7GuQMzoT3a" + + "+RP1hO6FneO92ms2soC6xiOFb4EC69Dfhh87Nww5O35JxVF0bzmbmIAWd6P/7zGh" + + "nd2S4tKkaZcubps+C0j9Fgi0hipVicAOUVVoDQIDAQABoyMwITAPBgNVHRMBAf8E" + + "BTADAQH/MA4GA1UdDwEB/wQEAwIB9jANBgkqhkiG9w0BAQQFAAOBgQCLPvc1IMA4" + + "YP+PmnEldyUoRWRnvPWjBGeu0WheBP7fdcnGBf93Nmc5j68ZN+eTZ5VMuZ99YdvH" + + "CXGNX6oodONLU//LlFKdLl5xjLAS5X9p1RbOEGytnalqeiEpjk4+C/7rIBG1kllO" + + "dItmI6LlEMV09Hkpg6ZRAUmRkb8KrM4X7A=="); + + static byte[] certD = Base64.decode( + "MIICtTCCAh6gAwIBAgIBBjANBgkqhkiG9w0BAQQFADCBjTEPMA0GA1UEAxMGSW50" + + "ZXIzMQswCQYDVQQGEwJDSDEPMA0GA1UEBxMGWnVyaWNoMQswCQYDVQQIEwJaSDEX" + + "MBUGA1UEChMOUHJpdmFzcGhlcmUgQUcxEDAOBgNVBAsTB1Rlc3RpbmcxJDAiBgkq" + + "hkiG9w0BCQEWFWFybWluQHByaXZhc3BoZXJlLmNvbTAeFw0wNzA0MDIwODQ5NTNa" + + "Fw0xNzAzMzAwODQ0MDBaMIGNMQ8wDQYDVQQDEwZJbnRlcjExCzAJBgNVBAYTAkNI" + + "MQ8wDQYDVQQHEwZadXJpY2gxCzAJBgNVBAgTAlpIMRcwFQYDVQQKEw5Qcml2YXNw" + + "aGVyZSBBRzEQMA4GA1UECxMHVGVzdGluZzEkMCIGCSqGSIb3DQEJARYVYXJtaW5A" + + "cHJpdmFzcGhlcmUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCae3TP" + + "jIVKeASqvNabaiUHAMGUgFxB7L0yUsIj39azLcLtUj4S7XkDf7SMGtYV0JY1XNaQ" + + "sHJAsnJivDZc50oiYvqDYfgFZx5+AsN5l5X5rjRzs/OX+Jo+k1OgsIyu6+mf9Kfb" + + "5IdWOVB2EcOg4f9tPjLM8CIj9Pp7RbKLyqUUgwIDAQABoyMwITAPBgNVHRMBAf8E" + + "BTADAQH/MA4GA1UdDwEB/wQEAwIB9jANBgkqhkiG9w0BAQQFAAOBgQCgr9kUdWUT" + + "Lt9UcztSzR3pnHRsyvS0E/z850OKQKS5/VxLEalpFvhj+3EcZ7Y6mFxaaS2B7vXg" + + "2YWyqV1PRb6iF7/u9EXkpSTKGrJahwANirCa3V/HTUuPdCE2GITlnWI8h3eVA+xQ" + + "D4LF0PXHOkXbwmhXRSb10lW1bSGkUxE9jg=="); + + private void testExceptions() + throws Exception + { + byte[] enc = { (byte)0, (byte)2, (byte)3, (byte)4, (byte)5 }; + MyCertPath mc = new MyCertPath(enc); + ByteArrayOutputStream os = new ByteArrayOutputStream(); + ByteArrayInputStream is; + byte[] arr; + + ObjectOutputStream oOut = new ObjectOutputStream(os); + oOut.writeObject(mc); + oOut.flush(); + oOut.close(); + + try + { + CertificateFactory cFac = CertificateFactory.getInstance("X.509", + "BC"); + arr = os.toByteArray(); + is = new ByteArrayInputStream(arr); + cFac.generateCertPath(is); + } + catch (CertificateException e) + { + // ignore okay + } + + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + List certCol = new ArrayList(); + + certCol.add(cf.generateCertificate(new ByteArrayInputStream(certA))); + certCol.add(cf.generateCertificate(new ByteArrayInputStream(certB))); + certCol.add(cf.generateCertificate(new ByteArrayInputStream(certC))); + certCol.add(cf.generateCertificate(new ByteArrayInputStream(certD))); + + CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", "BC"); + X509CertSelector select = new X509CertSelector(); + select.setSubject(((X509Certificate)certCol.get(0)).getSubjectX500Principal().getEncoded()); + + Set trustanchors = new HashSet(); + trustanchors.add(new TrustAnchor((X509Certificate)cf.generateCertificate(new ByteArrayInputStream(rootCertBin)), null)); + + CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol)); + + PKIXBuilderParameters params = new PKIXBuilderParameters(trustanchors, select); + params.addCertStore(certStore); + + try + { + CertPathBuilderResult result = pathBuilder.build(params); + CertPath path = result.getCertPath(); + fail("found cert path in circular set"); + } + catch (CertPathBuilderException e) + { + // expected + } + } + + public void performTest() + throws Exception + { + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); + + X509Certificate rootCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(rootCertBin)); + X509Certificate interCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(interCertBin)); + X509Certificate finalCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(finalCertBin)); + + //Testing CertPath generation from List + List list = new ArrayList(); + list.add(interCert); + CertPath certPath1 = cf.generateCertPath(list); + + //Testing CertPath encoding as PkiPath + byte[] encoded = certPath1.getEncoded("PkiPath"); + + //Testing CertPath generation from InputStream + ByteArrayInputStream inStream = new ByteArrayInputStream(encoded); + CertPath certPath2 = cf.generateCertPath(inStream, "PkiPath"); + + //Comparing both CertPathes + if (!certPath2.equals(certPath1)) + { + fail("CertPath differ after encoding and decoding."); + } + + encoded = certPath1.getEncoded("PKCS7"); + + //Testing CertPath generation from InputStream + inStream = new ByteArrayInputStream(encoded); + certPath2 = cf.generateCertPath(inStream, "PKCS7"); + + //Comparing both CertPathes + if (!certPath2.equals(certPath1)) + { + fail("CertPath differ after encoding and decoding."); + } + + encoded = certPath1.getEncoded("PEM"); + + //Testing CertPath generation from InputStream + inStream = new ByteArrayInputStream(encoded); + certPath2 = cf.generateCertPath(inStream, "PEM"); + + //Comparing both CertPathes + if (!certPath2.equals(certPath1)) + { + fail("CertPath differ after encoding and decoding."); + } + + // + // empty list test + // + list = new ArrayList(); + + CertPath certPath = CertificateFactory.getInstance("X.509","BC").generateCertPath(list); + if (certPath.getCertificates().size() != 0) + { + fail("list wrong size."); + } + + // + // exception tests + // + testExceptions(); + } + + public String getName() + { + return "CertPath"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CertPathTest()); + } + + private static class MyCertificate extends Certificate + { + private final byte[] encoding; + + public MyCertificate(String type, byte[] encoding) + { + super(type); + // don't copy to allow null parameter in test + this.encoding = encoding; + } + + public byte[] getEncoded() throws CertificateEncodingException + { + // do copy to force NPE in test + return (byte[])encoding.clone(); + } + + public void verify(PublicKey key) throws CertificateException, + NoSuchAlgorithmException, InvalidKeyException, + NoSuchProviderException, SignatureException + { + } + + public void verify(PublicKey key, String sigProvider) + throws CertificateException, NoSuchAlgorithmException, + InvalidKeyException, NoSuchProviderException, + SignatureException + { + } + + public String toString() + { + return "[My test Certificate, type: " + getType() + "]"; + } + + public PublicKey getPublicKey() + { + return new PublicKey() + { + public String getAlgorithm() + { + return "TEST"; + } + + public byte[] getEncoded() + { + return new byte[] { (byte)1, (byte)2, (byte)3 }; + } + + public String getFormat() + { + return "TEST_FORMAT"; + } + }; + } + } + + private static class MyCertPath extends CertPath + { + private final Vector certificates; + + private final Vector encodingNames; + + private final byte[] encoding; + + public MyCertPath(byte[] encoding) + { + super("MyEncoding"); + this.encoding = encoding; + certificates = new Vector(); + certificates.add(new MyCertificate("MyEncoding", encoding)); + encodingNames = new Vector(); + encodingNames.add("MyEncoding"); + } + + public List getCertificates() + { + return Collections.unmodifiableList(certificates); + } + + public byte[] getEncoded() throws CertificateEncodingException + { + return (byte[])encoding.clone(); + } + + public byte[] getEncoded(String encoding) + throws CertificateEncodingException + { + if (getType().equals(encoding)) + { + return (byte[])this.encoding.clone(); + } + throw new CertificateEncodingException("Encoding not supported: " + + encoding); + } + + public Iterator getEncodings() + { + return Collections.unmodifiableCollection(encodingNames).iterator(); + } + } +} + diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/test/CertPathValidationTest.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/test/CertPathValidationTest.java new file mode 100644 index 0000000..a99cb1c --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/test/CertPathValidationTest.java @@ -0,0 +1,403 @@ +package org.bouncycastle.cert.path.test; + +import java.security.Security; +import java.util.ArrayList; +import java.util.List; + +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.cert.X509CRLHolder; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.X509ContentVerifierProviderBuilder; +import org.bouncycastle.cert.jcajce.JcaX509ContentVerifierProviderBuilder; +import org.bouncycastle.cert.path.CertPath; +import org.bouncycastle.cert.path.CertPathValidation; +import org.bouncycastle.cert.path.CertPathValidationResult; +import org.bouncycastle.cert.path.validations.BasicConstraintsValidation; +import org.bouncycastle.cert.path.validations.CRLValidation; +import org.bouncycastle.cert.path.validations.KeyUsageValidation; +import org.bouncycastle.cert.path.validations.ParentCertIssuedValidation; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.util.CollectionStore; +import org.bouncycastle.util.Store; +import org.bouncycastle.util.encoders.Base64; +import org.bouncycastle.util.test.SimpleTest; + +public class CertPathValidationTest + extends SimpleTest +{ + private byte[] AC_PR = Base64.decode( + "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlFU1RDQ0F6R2dBd0lC" + + "QWdJQkJUQU5CZ2txaGtpRzl3MEJBUVVGQURDQnRERUxNQWtHQTFVRUJoTUNR" + + "bEl4DQpFekFSQmdOVkJBb1RDa2xEVUMxQ2NtRnphV3d4UFRBN0JnTlZCQXNU" + + "TkVsdWMzUnBkSFYwYnlCT1lXTnBiMjVoDQpiQ0JrWlNCVVpXTnViMnh2WjJs" + + "aElHUmhJRWx1Wm05eWJXRmpZVzhnTFNCSlZFa3hFVEFQQmdOVkJBY1RDRUp5" + + "DQpZWE5wYkdsaE1Rc3dDUVlEVlFRSUV3SkVSakV4TUM4R0ExVUVBeE1vUVhW" + + "MGIzSnBaR0ZrWlNCRFpYSjBhV1pwDQpZMkZrYjNKaElGSmhhWG9nUW5KaGMy" + + "bHNaV2x5WVRBZUZ3MHdNakEwTURReE9UTTVNREJhRncwd05UQTBNRFF5DQpN" + + "elU1TURCYU1HRXhDekFKQmdOVkJBWVRBa0pTTVJNd0VRWURWUVFLRXdwSlEx" + + "QXRRbkpoYzJsc01UMHdPd1lEDQpWUVFERXpSQmRYUnZjbWxrWVdSbElFTmxj" + + "blJwWm1sallXUnZjbUVnWkdFZ1VISmxjMmxrWlc1amFXRWdaR0VnDQpVbVZ3" + + "ZFdKc2FXTmhNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJD" + + "Z0tDQVFFQXMwc0t5NGsrDQp6b016aldyMTQxeTVYQ045UGJMZERFQXN2cjZ4" + + "Z0NCN1l5bEhIQ1NBYmpGR3dOQ0R5NlVxN1h0VjZ6UHdIMXpGDQpFWENlS3Jm" + + "UUl5YXBXSEZ4V1VKajBMblFrY1RZM1FOR1huK0JuVk9EVTZDV3M1c3NoZktH" + + "RXZyVlQ1Z214V1NmDQp4OFlsdDgzY1dwUE1QZzg3VDlCaHVIbHQzazh2M2Ev" + + "NmRPbmF2dytOYTAyZExBaDBlNzZqcCtQUS9LK0pHZlBuDQphQjVVWURrZkd0" + + "em5uTTNBV01tY3VJK0o0ek5OMDZaa3ZnbDFsdEo2UU1qcnZEUFlSak9ndDlT" + + "cklpY1NmbEo4DQptVDdHWGRRaXJnQUNXc3g1QURBSklRK253TU1vNHlyTUtx" + + "SlFhNFFDMHhhT0QvdkdVcG9SaDQzT0FTZFp3c3YvDQpPWFlybmVJeVAwVCs4" + + "UUlEQVFBQm80RzNNSUcwTUQwR0ExVWRId1EyTURRd01xQXdvQzZHTEdoMGRI" + + "QTZMeTloDQpZM0poYVhvdWFXTndZbkpoYzJsc0xtZHZkaTVpY2k5TVExSmhZ" + + "M0poYVhvdVkzSnNNQklHQTFVZElBUUxNQWt3DQpCd1lGWUV3QkFRRXdIUVlE" + + "VlIwT0JCWUVGREpUVFlKNE9TWVB5T09KZkVMZXhDaHppK2hiTUI4R0ExVWRJ" + + "d1FZDQpNQmFBRklyNjhWZUVFUk0xa0VMNlYwbFVhUTJreFBBM01BNEdBMVVk" + + "RHdFQi93UUVBd0lCQmpBUEJnTlZIUk1CDQpBZjhFQlRBREFRSC9NQTBHQ1Nx" + + "R1NJYjNEUUVCQlFVQUE0SUJBUUJRUFNoZ1lidnFjaWV2SDVVb3ZMeXhkbkYr" + + "DQpFcjlOeXF1SWNkMnZ3Y0N1SnpKMkQ3WDBUcWhHQ0JmUEpVVkdBVWorS0NP" + + "SDFCVkgva1l1OUhsVHB1MGtKWFBwDQpBQlZkb2hJUERqRHhkbjhXcFFSL0Yr" + + "ejFDaWtVcldIMDR4eTd1N1p6UUpLSlBuR0loY1FpOElyRm1PYkllMEc3DQpY" + + "WTZPTjdPRUZxY21KTFFHWWdtRzFXMklXcytQd1JwWTdENGhLVEFoVjFSNkVv" + + "amE1L3BPcmVDL09kZXlQWmVxDQo1SUZTOUZZZk02U0Npd2hrK3l2Q1FHbVo0" + + "YzE5SjM0ZjVFYkRrK1NQR2tEK25EQ0E3L3VMUWNUMlJURE14SzBaDQpuZlo2" + + "Nm1Sc0ZjcXRGaWdScjVFcmtKZDdoUVV6eHNOV0VrNzJEVUFIcVgvNlNjeWtt" + + "SkR2V0plSUpqZlcNCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0NCg=="); + + private byte[] AC_RAIZ_ICPBRASIL = Base64.decode( + "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlFdURDQ0E2Q2dBd0lC" + + "QWdJQkJEQU5CZ2txaGtpRzl3MEJBUVVGQURDQnRERUxNQWtHQTFVRUJoTUNR" + + "bEl4DQpFekFSQmdOVkJBb1RDa2xEVUMxQ2NtRnphV3d4UFRBN0JnTlZCQXNU" + + "TkVsdWMzUnBkSFYwYnlCT1lXTnBiMjVoDQpiQ0JrWlNCVVpXTnViMnh2WjJs" + + "aElHUmhJRWx1Wm05eWJXRmpZVzhnTFNCSlZFa3hFVEFQQmdOVkJBY1RDRUp5" + + "DQpZWE5wYkdsaE1Rc3dDUVlEVlFRSUV3SkVSakV4TUM4R0ExVUVBeE1vUVhW" + + "MGIzSnBaR0ZrWlNCRFpYSjBhV1pwDQpZMkZrYjNKaElGSmhhWG9nUW5KaGMy" + + "bHNaV2x5WVRBZUZ3MHdNVEV4TXpBeE1qVTRNREJhRncweE1URXhNekF5DQpN" + + "elU1TURCYU1JRzBNUXN3Q1FZRFZRUUdFd0pDVWpFVE1CRUdBMVVFQ2hNS1NV" + + "TlFMVUp5WVhOcGJERTlNRHNHDQpBMVVFQ3hNMFNXNXpkR2wwZFhSdklFNWhZ" + + "Mmx2Ym1Gc0lHUmxJRlJsWTI1dmJHOW5hV0VnWkdFZ1NXNW1iM0p0DQpZV05o" + + "YnlBdElFbFVTVEVSTUE4R0ExVUVCeE1JUW5KaGMybHNhV0V4Q3pBSkJnTlZC" + + "QWdUQWtSR01URXdMd1lEDQpWUVFERXloQmRYUnZjbWxrWVdSbElFTmxjblJw" + + "Wm1sallXUnZjbUVnVW1GcGVpQkNjbUZ6YVd4bGFYSmhNSUlCDQpJakFOQmdr" + + "cWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBd1BNdWR3WC9odm0r" + + "VWgyYi9sUUFjSFZBDQppc2FtYUxrV2Rrd1A5L1MvdE9LSWdSckw2T3krWklH" + + "bE9VZGQ2dVl0azlNYS8zcFVwZ2NmTkFqMHZZbTVnc3lqDQpRbzllbXNjK3g2" + + "bTRWV3drOWlxTVpTQ0s1RVFrQXEvVXQ0bjdLdUxFMStnZGZ0d2RJZ3hmVXNQ" + + "dDRDeU5yWTUwDQpRVjU3S00yVVQ4eDVycm16RWpyN1RJQ0dwU1VBbDJnVnFl" + + "NnhhaWkrYm1ZUjFRcm1XYUJTQUc1OUxya3Jqcll0DQpiUmhGYm9VRGUxREsr" + + "NlQ4czVMNms4Yzhva3BiSHBhOXZlTXp0RFZDOXNQSjYwTVdYaDZhblZLbzFV" + + "Y0xjYlVSDQp5RWVOdlpuZVZSS0FBVTZvdXdkakR2d2xzYUt5ZEZLd2VkMFRv" + + "UTQ3Ym1VS2djbSt3VjNlVFJrMzZVT25Ud0lEDQpBUUFCbzRIU01JSFBNRTRH" + + "QTFVZElBUkhNRVV3UXdZRllFd0JBUUF3T2pBNEJnZ3JCZ0VGQlFjQ0FSWXNh" + + "SFIwDQpjRG92TDJGamNtRnBlaTVwWTNCaWNtRnphV3d1WjI5MkxtSnlMMFJR" + + "UTJGamNtRnBlaTV3WkdZd1BRWURWUjBmDQpCRFl3TkRBeW9EQ2dMb1lzYUhS" + + "MGNEb3ZMMkZqY21GcGVpNXBZM0JpY21GemFXd3VaMjkyTG1KeUwweERVbUZq" + + "DQpjbUZwZWk1amNtd3dIUVlEVlIwT0JCWUVGSXI2OFZlRUVSTTFrRUw2VjBs" + + "VWFRMmt4UEEzTUE4R0ExVWRFd0VCDQovd1FGTUFNQkFmOHdEZ1lEVlIwUEFR" + + "SC9CQVFEQWdFR01BMEdDU3FHU0liM0RRRUJCUVVBQTRJQkFRQVpBNWMxDQpV" + + "L2hnSWg2T2NnTEFmaUpnRldwdm1EWldxbFYzMC9iSEZwajhpQm9iSlNtNXVE" + + "cHQ3VGlyWWgxVXhlM2ZRYUdsDQpZakplKzl6ZCtpelBSYkJxWFBWUUEzNEVY" + + "Y3drNHFwV3VmMWhIcmlXZmRyeDhBY3FTcXI2Q3VRRndTcjc1Rm9zDQpTemx3" + + "REFEYTcwbVQ3d1pqQW1RaG5aeDJ4SjZ3ZldsVDlWUWZTLy9KWWVJYzdGdWUy" + + "Sk5MZDAwVU9TTU1haUsvDQp0NzllbktOSEVBMmZ1cEgzdkVpZ2Y1RWg0YlZB" + + "TjVWb2hyVG02TVk1M3g3WFFaWnIxTUU3YTU1bEZFblNlVDB1DQptbE9BalIy" + + "bUFidlNNNVg1b1NaTnJtZXRkenlUajJmbENNOENDN01MYWIwa2tkbmdSSWxV" + + "QkdIRjEvUzVubVBiDQpLKzlBNDZzZDMzb3FLOG44DQotLS0tLUVORCBDRVJU" + + "SUZJQ0FURS0tLS0tDQo="); + + private byte[] schefer = Base64.decode( + "MIIEnDCCBAWgAwIBAgICIPAwDQYJKoZIhvcNAQEEBQAwgcAxCzAJBgNVBAYT" + + "AkRFMQ8wDQYDVQQIEwZIRVNTRU4xGDAWBgNVBAcTDzY1MDA4IFdpZXNiYWRl" + + "bjEaMBgGA1UEChMRU0NIVUZBIEhPTERJTkcgQUcxGjAYBgNVBAsTEVNDSFVG" + + "QSBIT0xESU5HIEFHMSIwIAYDVQQDExlJbnRlcm5ldCBCZW51dHplciBTZXJ2" + + "aWNlMSowKAYJKoZIhvcNAQkBFht6ZXJ0aWZpa2F0QHNjaHVmYS1vbmxpbmUu" + + "ZGUwHhcNMDQwMzMwMTEwODAzWhcNMDUwMzMwMTEwODAzWjCBnTELMAkGA1UE" + + "BhMCREUxCjAIBgNVBAcTASAxIzAhBgNVBAoTGlNIUyBJbmZvcm1hdGlvbnNz" + + "eXN0ZW1lIEFHMRwwGgYDVQQLExM2MDAvMDU5NDktNjAwLzA1OTQ5MRgwFgYD" + + "VQQDEw9TY2hldHRlciBTdGVmYW4xJTAjBgkqhkiG9w0BCQEWFlN0ZWZhbi5T" + + "Y2hldHRlckBzaHMuZGUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJD0" + + "95Bi76fkAMjJNTGPDiLPHmZXNsmakngDeS0juzKMeJA+TjXFouhYh6QyE4Bl" + + "Nf18fT4mInlgLefwf4t6meIWbiseeTo7VQdM+YrbXERMx2uHsRcgZMsiMYHM" + + "kVfYMK3SMJ4nhCmZxrBkoTRed4gXzVA1AA8YjjTqMyyjvt4TAgMBAAGjggHE" + + "MIIBwDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIEsDALBgNVHQ8EBAMC" + + "BNAwOQYJYIZIAYb4QgENBCwWKlplcnRpZmlrYXQgbnVyIGZ1ZXIgU0NIVUZB" + + "LU9ubGluZSBndWVsdGlnLjAdBgNVHQ4EFgQUXReirhBfg0Yhf6MsBWoo/nPa" + + "hGwwge0GA1UdIwSB5TCB4oAUf2UyCaBV9JUeG9lS1Yo6OFBUdEKhgcakgcMw" + + "gcAxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIRVNTRU4xGDAWBgNVBAcTDzY1" + + "MDA4IFdpZXNiYWRlbjEaMBgGA1UEChMRU0NIVUZBIEhPTERJTkcgQUcxGjAY" + + "BgNVBAsTEVNDSFVGQSBIT0xESU5HIEFHMSIwIAYDVQQDExlJbnRlcm5ldCBC" + + "ZW51dHplciBTZXJ2aWNlMSowKAYJKoZIhvcNAQkBFht6ZXJ0aWZpa2F0QHNj" + + "aHVmYS1vbmxpbmUuZGWCAQAwIQYDVR0RBBowGIEWU3RlZmFuLlNjaGV0dGVy" + + "QHNocy5kZTAmBgNVHRIEHzAdgRt6ZXJ0aWZpa2F0QHNjaHVmYS1vbmxpbmUu" + + "ZGUwDQYJKoZIhvcNAQEEBQADgYEAWzZtN9XQ9uyrFXqSy3hViYwV751+XZr0" + + "YH5IFhIS+9ixNAu8orP3bxqTaMhpwoU7T/oSsyGGSkb3fhzclgUADbA2lrOI" + + "GkeB/m+FArTwRbwpqhCNTwZywOp0eDosgPjCX1t53BB/m/2EYkRiYdDGsot0" + + "kQPOVGSjQSQ4+/D+TM8="); + + // circular dependency certificates + private static final byte[] circCA = Base64.decode( + "MIIDTzCCAjegAwIBAgIDARAAMA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNVBAYT" + + "AkZSMRAwDgYDVQQKEwdHSVAtQ1BTMRgwFgYDVQQLEw9HSVAtQ1BTIEFOT05Z" + + "TUUwHhcNMDQxMDExMDAwMDAxWhcNMTQxMjMxMjM1OTU5WjA5MQswCQYDVQQG" + + "EwJGUjEQMA4GA1UEChMHR0lQLUNQUzEYMBYGA1UECxMPR0lQLUNQUyBBTk9O" + + "WU1FMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3WyWDwcM58aU" + + "hPX4ueI1mwETt3WdQtMfIdRiCXeBrjCkYCc7nIgCmGbnfTzXSplHRgKColWh" + + "q/Z+1rHYayje1gjAEU2+4/r1P2pnBmPgquDuguktCIbDtCcGZu0ylyKeHh37" + + "aeIKzkcmRSLRzvGf/eO3RdFksrvaPaSjqCVfGRXVDKK2uftE8rIFJE+bCqow" + + "6+WiaAaDDiJaSJPuu5hC1NA5jw0/BFodlCuAvl1GJ8A+TICkYWcSpKS9bkSC" + + "0i8xdGbSSk94shA1PdDvRdFMfFys8g4aupBXV8yqqEAUkBYmOtZSJckc3W4y" + + "2Gx53y7vY07Xh63mcgtJs2T82WJICwIDAQABo2AwXjAdBgNVHQ4EFgQU8c/P" + + "NNJaL0srd9SwHwgtvwPB/3cwDgYDVR0PAQH/BAQDAgIEMBkGA1UdIAQSMBAw" + + "DgYMKoF6AUcDBwgAAAABMBIGA1UdEwEB/wQIMAYBAf8CAQEwDQYJKoZIhvcN" + + "AQEFBQADggEBAHRjYDPJKlfUzID0YzajZpgR/i2ngJrJqYeaWCmwzBgNUPad" + + "uBKSGHmPVg21sfULMSnirnR+e90i/D0EVzLwQzcbjPDD/85rp9QDCeMxqqPe" + + "9ZCHGs2BpE/HOQMP0QfQ3/Kpk7SvOH/ZcpIf6+uE6lLBQYAGs5cxvtTGOzZk" + + "jCVFG+TrAnF4V5sNkn3maCWiYLmyqcnxtKEFSONy2bYqqudx/dBBlRrDbRfZ" + + "9XsCBdiXAHY1hFHldbfDs8rslmkXJi3fJC028HZYB6oiBX/JE7BbMk7bRnUf" + + "HSpP7Sjxeso2SY7Yit+hQDVAlqTDGmh6kLt/hQMpsOMry4vgBL6XHKw="); + + private static final byte[] circCRLCA = Base64.decode( + "MIIDXDCCAkSgAwIBAgIDASAAMA0GCSqGSIb3DQEBBQUAMDkxCzAJBgNVBAYT" + + "AkZSMRAwDgYDVQQKEwdHSVAtQ1BTMRgwFgYDVQQLEw9HSVAtQ1BTIEFOT05Z" + + "TUUwHhcNMDQxMDExMDAwMDAxWhcNMTQxMjMxMjM1OTU5WjA5MQswCQYDVQQG" + + "EwJGUjEQMA4GA1UEChMHR0lQLUNQUzEYMBYGA1UECxMPR0lQLUNQUyBBTk9O" + + "WU1FMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwfEcFK0g7Kfo" + + "o5f2IBF7VEd/AG+RVGSds0Yg+u2kNYu4k04HR/+tOdBQtJvyr4W5jrQKsC5X" + + "skeFWMyWaFKzAjZDWB52HWp/kiMivGcxnYDuYf5piukSC+d2+vL8YaAphDzV" + + "HPnxEKqoM/J66uUussDTqfcL3JC/Bc7kBwn4srrsZOsamMWTQQtEqVQxNN7A" + + "ROSRsdiTt3hMOKditc9/NBNmjZWxgc7Twr/SaZ8CfN5wf2wuOl23knWL0QsJ" + + "0lSMBSBTzTcfAke4/jIT7d4nVMp3t7dsna8rt56pFK4wpRFGuCt+1P5gi51x" + + "xVSdI+JoNXv6zGO4o8YVaRpC5rQeGQIDAQABo20wazAfBgNVHSMEGDAWgBTx" + + "z8800lovSyt31LAfCC2/A8H/dzAdBgNVHQ4EFgQUGa3SbBrJx/wa2MQwhWPl" + + "dwLw1+IwDgYDVR0PAQH/BAQDAgECMBkGA1UdIAQSMBAwDgYMKoF6AUcDBwgA" + + "AAABMA0GCSqGSIb3DQEBBQUAA4IBAQAPDpYe2WPYnXTLsXSIUREBNMLmg+/7" + + "4Yhq9uOm5Hb5LVkDuHoEHGfmpXXEvucx5Ehu69hw+F4YSrd9wPjOiG8G6GXi" + + "RcrK8nE8XDvvV+E1HpJ7NKN4fSAoSb+0gliiq3aF15bvXP8nfespdd/x1xWQ" + + "mpYCx/mJeuqONQv2/D/7hfRKYoDBaAkWGodenPFPVs6FxwnEuH2R+KWCUdA9" + + "L04v8JBeL3kZiALkU7+DCCm7A0imUAgeeArbAbfIPu6eDygm+XndZ9qi7o4O" + + "AntPxrqbeXFIbDrQ4GV1kpxnW+XpSGDd96SWKe715gxkkDBppR5IKYJwRb6O" + + "1TRQIf2F+muQ"); + + private static final byte[] circCRL = Base64.decode( + "MIIB1DCBvQIBATANBgkqhkiG9w0BAQUFADA5MQswCQYDVQQGEwJGUjEQMA4G" + + "A1UEChMHR0lQLUNQUzEYMBYGA1UECxMPR0lQLUNQUyBBTk9OWU1FFw0xMDAx" + + "MDcwMzAwMTVaFw0xMDAxMTMwMzAwMTVaMACgTjBMMB8GA1UdIwQYMBaAFBmt" + + "0mwaycf8GtjEMIVj5XcC8NfiMAsGA1UdFAQEAgILgzAcBgNVHRIEFTATgRFh" + + "Yy1naXBAZ2lwLWNwcy5mcjANBgkqhkiG9w0BAQUFAAOCAQEAtF1DdFl1MQvf" + + "vNkbrCPuppNYcHen4+za/ZDepKuwHsH/OpKuaDJc4LndRgd5IwzfpCHkQGzt" + + "shK50bakN8oaYJgthKIOIJzR+fn6NMjftfR2a27Hdk2o3eQXRHQ360qMbpSy" + + "qPb3WfuBhxO2/DlLChJP+OxZIHtT/rNYgE0tlIv7swYi81Gq+DafzaZ9+A5t" + + "I0L2Gp/NUDsp5dF6PllAGiXQzl27qkcu+r50w+u0gul3nobXgbwPcMSYuWUz" + + "1lhA+uDn/EUWV4RSiJciCGSS10WCkFh1/YPo++mV15KDB0m+8chscrSu/bAl" + + "B19LxL/pCX3qr5iLE9ss3olVImyFZg=="); + +// private void checkCircProcessing() +// throws Exception +// { +// CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); +// +// X509Certificate caCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(circCA)); +// X509Certificate crlCaCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(circCRLCA)); +// X509CRL crl = (X509CRL)cf.generateCRL(new ByteArrayInputStream(circCRL)); +// +// List list = new ArrayList(); +// +// list.add(caCert); +// list.add(crlCaCert); +// list.add(crl); +// +// CertStoreParameters ccsp = new CollectionCertStoreParameters(list); +// CertStore store = CertStore.getInstance("Collection", ccsp); +// +// Calendar validDate = Calendar.getInstance(); +// validDate.set(2010,0,8,2,21,10); +// +// //validating path +// List certchain = new ArrayList(); +// +// certchain.add(crlCaCert); +// CertPath cp = CertificateFactory.getInstance("X.509","BC").generateCertPath(certchain); +// +// Set trust = new HashSet(); +// trust.add(new TrustAnchor(caCert, null)); +// +// CertPathValidator cpv = CertPathValidator.getInstance("PKIX","BC"); +// //PKIXParameters param = new PKIXParameters(trust); +// +// PKIXBuilderParameters param = new PKIXBuilderParameters(trust, null); +// X509CertSelector certSelector = new X509CertSelector(); +// certSelector.setCertificate(crlCaCert); +// param.setTargetCertConstraints(certSelector); +// param.addCertStore(store); +// param.setRevocationEnabled(true); +// param.setDate(validDate.getTime()); +// +// PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)cpv.validate(cp, param); +// } + + public void performTest() + throws Exception + { + // initialise CertStore + X509CertificateHolder rootCert = new X509CertificateHolder(CertPathTest.rootCertBin); + X509CertificateHolder interCert = new X509CertificateHolder(CertPathTest.interCertBin); + X509CertificateHolder finalCert = new X509CertificateHolder(CertPathTest.finalCertBin); + X509CRLHolder rootCrl = new X509CRLHolder(CertPathTest.rootCrlBin); + X509CRLHolder interCrl = new X509CRLHolder(CertPathTest.interCrlBin); + + CertPath path = new CertPath(new X509CertificateHolder[] { finalCert, interCert }); + X509ContentVerifierProviderBuilder verifier = new JcaX509ContentVerifierProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME); + + CertPathValidationResult result = path.validate(new CertPathValidation[]{new ParentCertIssuedValidation(verifier), new BasicConstraintsValidation(), new KeyUsageValidation()}); + + if (!result.isValid()) + { + fail("basic validation (1) not working"); + } + + List crlList = new ArrayList(); + + crlList.add(rootCrl); + crlList.add(interCrl); + + Store crls = new CollectionStore(crlList); + + result = path.validate(new CertPathValidation[]{new ParentCertIssuedValidation(verifier), new BasicConstraintsValidation(), new KeyUsageValidation(), new CRLValidation(rootCert.getSubject(), crls)}); + + if (!result.isValid()) + { + fail("basic validation (2) not working"); + } + + result = path.validate(new CertPathValidation[]{new ParentCertIssuedValidation(verifier), new KeyUsageValidation(), new CRLValidation(rootCert.getSubject(), crls)}); + + if (result.isValid() || result.getUnhandledCriticalExtensionOIDs().size() != 1 + || !result.getUnhandledCriticalExtensionOIDs().contains(Extension.basicConstraints)) + { + fail("basic validation (3) not working"); + } + + result = path.validate(new CertPathValidation[]{new ParentCertIssuedValidation(verifier), new CRLValidation(rootCert.getSubject(), crls)}); + + if (result.isValid() || result.getUnhandledCriticalExtensionOIDs().size() != 2 + || !result.getUnhandledCriticalExtensionOIDs().contains(Extension.basicConstraints) + || !result.getUnhandledCriticalExtensionOIDs().contains(Extension.keyUsage)) + { + fail("basic validation (4) not working"); + } + + path = new CertPath(new X509CertificateHolder[] { interCert, finalCert }); + + result = path.validate(new CertPathValidation[]{new ParentCertIssuedValidation(verifier)}); + + if (result.isValid()) + { + fail("incorrect path validated!!"); + } + + + +// List list = new ArrayList(); +// list.add(rootCert); +// list.add(interCert); +// list.add(finalCert); +// list.add(rootCrl); +// list.add(interCrl); +// CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); +// CertStore store = CertStore.getInstance("Collection", ccsp, "BC"); +// Calendar validDate = Calendar.getInstance(); +// validDate.set(2008,8,4,14,49,10); +// //validating path +// List certchain = new ArrayList(); +// certchain.add(finalCert); +// certchain.add(interCert); +// CertPath cp = CertificateFactory.getInstance("X.509","BC").generateCertPath(certchain); +// Set trust = new HashSet(); +// trust.add(new TrustAnchor(rootCert, null)); +// +// CertPathValidator cpv = CertPathValidator.getInstance("PKIX","BC"); +// PKIXParameters param = new PKIXParameters(trust); +// param.addCertStore(store); +// param.setDate(validDate.getTime()); +// MyChecker checker = new MyChecker(); +// param.addCertPathChecker(checker); +// +// PKIXCertPathValidatorResult result = +// (PKIXCertPathValidatorResult) cpv.validate(cp, param); +// PolicyNode policyTree = result.getPolicyTree(); +// PublicKey subjectPublicKey = result.getPublicKey(); +// +// if (checker.getCount() != 2) +// { +// fail("checker not evaluated for each certificate"); +// } +// +// if (!subjectPublicKey.equals(finalCert.getPublicKey())) +// { +// fail("wrong public key returned"); +// } +// +// // +// // invalid path containing a valid one test +// // +// try +// { +// // initialise CertStore +// rootCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(AC_RAIZ_ICPBRASIL)); +// interCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(AC_PR)); +// finalCert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(schefer)); +// +// list = new ArrayList(); +// list.add(rootCert); +// list.add(interCert); +// list.add(finalCert); +// +// ccsp = new CollectionCertStoreParameters(list); +// store = CertStore.getInstance("Collection", ccsp); +// validDate = Calendar.getInstance(); +// validDate.set(2004,2,21,2,21,10); +// +// //validating path +// certchain = new ArrayList(); +// certchain.add(finalCert); +// certchain.add(interCert); +// cp = CertificateFactory.getInstance("X.509","BC").generateCertPath(certchain); +// trust = new HashSet(); +// trust.add(new TrustAnchor(rootCert, null)); +// +// cpv = CertPathValidator.getInstance("PKIX","BC"); +// param = new PKIXParameters(trust); +// param.addCertStore(store); +// param.setRevocationEnabled(false); +// param.setDate(validDate.getTime()); +// +// result =(PKIXCertPathValidatorResult) cpv.validate(cp, param); +// policyTree = result.getPolicyTree(); +// subjectPublicKey = result.getPublicKey(); +// +// fail("Invalid path validated"); +// } +// catch (Exception e) +// { +// if (!(e instanceof CertPathValidatorException +// && e.getMessage().startsWith("Could not validate certificate signature."))) +// { +// fail("unexpected exception", e); +// } +// } +// +// checkCircProcessing(); + } + + public String getName() + { + return "CertPathValidator"; + } + + public static void main( + String[] args) + { + Security.addProvider(new BouncyCastleProvider()); + + runTest(new CertPathValidationTest()); + } +} + diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/BasicConstraintsValidation.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/BasicConstraintsValidation.java new file mode 100644 index 0000000..db4f852 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/BasicConstraintsValidation.java @@ -0,0 +1,103 @@ +package org.bouncycastle.cert.path.validations; + +import java.math.BigInteger; + +import org.bouncycastle.asn1.x509.BasicConstraints; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.path.CertPathValidation; +import org.bouncycastle.cert.path.CertPathValidationContext; +import org.bouncycastle.cert.path.CertPathValidationException; +import org.bouncycastle.util.Memoable; + +public class BasicConstraintsValidation + implements CertPathValidation +{ + private boolean isMandatory; + private BasicConstraints bc; + private int maxPathLength; + + public BasicConstraintsValidation() + { + this(true); + } + + public BasicConstraintsValidation(boolean isMandatory) + { + this.isMandatory = isMandatory; + } + + public void validate(CertPathValidationContext context, X509CertificateHolder certificate) + throws CertPathValidationException + { + if (maxPathLength < 0) + { + throw new CertPathValidationException("BasicConstraints path length exceeded"); + } + + context.addHandledExtension(Extension.basicConstraints); + + BasicConstraints certBC = BasicConstraints.fromExtensions(certificate.getExtensions()); + + if (certBC != null) + { + if (bc != null) + { + if (certBC.isCA()) + { + BigInteger pathLengthConstraint = certBC.getPathLenConstraint(); + + if (pathLengthConstraint != null) + { + int plc = pathLengthConstraint.intValue(); + + if (plc < maxPathLength) + { + maxPathLength = plc; + bc = certBC; + } + } + } + } + else + { + bc = certBC; + if (certBC.isCA()) + { + maxPathLength = certBC.getPathLenConstraint().intValue(); + } + } + } + else + { + if (bc != null) + { + maxPathLength--; + } + } + + if (isMandatory && bc == null) + { + throw new CertPathValidationException("BasicConstraints not present in path"); + } + } + + public Memoable copy() + { + BasicConstraintsValidation v = new BasicConstraintsValidation(isMandatory); + + v.bc = this.bc; + v.maxPathLength = this.maxPathLength; + + return v; + } + + public void reset(Memoable other) + { + BasicConstraintsValidation v = (BasicConstraintsValidation)other; + + this.isMandatory = v.isMandatory; + this.bc = v.bc; + this.maxPathLength = v.maxPathLength; + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/CRLValidation.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/CRLValidation.java new file mode 100644 index 0000000..c44b7c0 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/CRLValidation.java @@ -0,0 +1,78 @@ +package org.bouncycastle.cert.path.validations; + +import java.util.Collection; +import java.util.Iterator; + +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.cert.X509CRLHolder; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.path.CertPathValidation; +import org.bouncycastle.cert.path.CertPathValidationContext; +import org.bouncycastle.cert.path.CertPathValidationException; +import org.bouncycastle.util.Memoable; +import org.bouncycastle.util.Selector; +import org.bouncycastle.util.Store; + +public class CRLValidation + implements CertPathValidation +{ + private Store crls; + private X500Name workingIssuerName; + + public CRLValidation(X500Name trustAnchorName, Store crls) + { + this.workingIssuerName = trustAnchorName; + this.crls = crls; + } + + public void validate(CertPathValidationContext context, X509CertificateHolder certificate) + throws CertPathValidationException + { + // TODO: add handling of delta CRLs + Collection matches = crls.getMatches(new Selector() + { + public boolean match(Object obj) + { + X509CRLHolder crl = (X509CRLHolder)obj; + + return (crl.getIssuer().equals(workingIssuerName)); + } + + public Object clone() + { + return this; + } + }); + + if (matches.isEmpty()) + { + throw new CertPathValidationException("CRL for " + workingIssuerName + " not found"); + } + + for (Iterator it = matches.iterator(); it.hasNext();) + { + X509CRLHolder crl = (X509CRLHolder)it.next(); + + // TODO: not quite right! + if (crl.getRevokedCertificate(certificate.getSerialNumber()) != null) + { + throw new CertPathValidationException("Certificate revoked"); + } + } + + this.workingIssuerName = certificate.getSubject(); + } + + public Memoable copy() + { + return new CRLValidation(workingIssuerName, crls); + } + + public void reset(Memoable other) + { + CRLValidation v = (CRLValidation)other; + + this.workingIssuerName = v.workingIssuerName; + this.crls = v.crls; + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/CertificatePoliciesValidation.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/CertificatePoliciesValidation.java new file mode 100644 index 0000000..ebaf989 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/CertificatePoliciesValidation.java @@ -0,0 +1,146 @@ +package org.bouncycastle.cert.path.validations; + +import java.math.BigInteger; + +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.PolicyConstraints; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.path.CertPathValidation; +import org.bouncycastle.cert.path.CertPathValidationContext; +import org.bouncycastle.cert.path.CertPathValidationException; +import org.bouncycastle.util.Memoable; + +public class CertificatePoliciesValidation + implements CertPathValidation +{ + private int explicitPolicy; + private int policyMapping; + private int inhibitAnyPolicy; + + CertificatePoliciesValidation(int pathLength) + { + this(pathLength, false, false, false); + } + + CertificatePoliciesValidation(int pathLength, boolean isExplicitPolicyRequired, boolean isAnyPolicyInhibited, boolean isPolicyMappingInhibited) + { + // + // (d) + // + + if (isExplicitPolicyRequired) + { + explicitPolicy = 0; + } + else + { + explicitPolicy = pathLength + 1; + } + + // + // (e) + // + if (isAnyPolicyInhibited) + { + inhibitAnyPolicy = 0; + } + else + { + inhibitAnyPolicy = pathLength + 1; + } + + // + // (f) + // + if (isPolicyMappingInhibited) + { + policyMapping = 0; + } + else + { + policyMapping = pathLength + 1; + } + } + + public void validate(CertPathValidationContext context, X509CertificateHolder certificate) + throws CertPathValidationException + { + context.addHandledExtension(Extension.policyConstraints); + context.addHandledExtension(Extension.inhibitAnyPolicy); + + if (!context.isEndEntity()) + { + if (!ValidationUtils.isSelfIssued(certificate)) + { + // + // H (1), (2), (3) + // + explicitPolicy = countDown(explicitPolicy); + policyMapping = countDown(policyMapping); + inhibitAnyPolicy = countDown(inhibitAnyPolicy); + + // + // I (1), (2) + // + PolicyConstraints policyConstraints = PolicyConstraints.fromExtensions(certificate.getExtensions()); + + if (policyConstraints != null) + { + BigInteger requireExplicitPolicyMapping = policyConstraints.getRequireExplicitPolicyMapping(); + if (requireExplicitPolicyMapping != null) + { + if (requireExplicitPolicyMapping.intValue() < explicitPolicy) + { + explicitPolicy = requireExplicitPolicyMapping.intValue(); + } + } + + BigInteger inhibitPolicyMapping = policyConstraints.getInhibitPolicyMapping(); + if (inhibitPolicyMapping != null) + { + if (inhibitPolicyMapping.intValue() < policyMapping) + { + policyMapping = inhibitPolicyMapping.intValue(); + } + } + } + + // + // J + // + Extension ext = certificate.getExtension(Extension.inhibitAnyPolicy); + + if (ext != null) + { + int extValue = ASN1Integer.getInstance(ext.getParsedValue()).getValue().intValue(); + + if (extValue < inhibitAnyPolicy) + { + inhibitAnyPolicy = extValue; + } + } + } + } + } + + private int countDown(int policyCounter) + { + if (policyCounter != 0) + { + return policyCounter - 1; + } + + return 0; + } + + public Memoable copy() + { + return new CertificatePoliciesValidation(0); // TODO: + } + + public void reset(Memoable other) + { + CertificatePoliciesValidation v = (CertificatePoliciesValidation)other; // TODO: + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/CertificatePoliciesValidationBuilder.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/CertificatePoliciesValidationBuilder.java new file mode 100644 index 0000000..74b622e --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/CertificatePoliciesValidationBuilder.java @@ -0,0 +1,35 @@ +package org.bouncycastle.cert.path.validations; + +import org.bouncycastle.cert.path.CertPath; + +public class CertificatePoliciesValidationBuilder +{ + private boolean isExplicitPolicyRequired; + private boolean isAnyPolicyInhibited; + private boolean isPolicyMappingInhibited; + + public void setAnyPolicyInhibited(boolean anyPolicyInhibited) + { + isAnyPolicyInhibited = anyPolicyInhibited; + } + + public void setExplicitPolicyRequired(boolean explicitPolicyRequired) + { + isExplicitPolicyRequired = explicitPolicyRequired; + } + + public void setPolicyMappingInhibited(boolean policyMappingInhibited) + { + isPolicyMappingInhibited = policyMappingInhibited; + } + + public CertificatePoliciesValidation build(int pathLen) + { + return new CertificatePoliciesValidation(pathLen, isExplicitPolicyRequired, isAnyPolicyInhibited, isPolicyMappingInhibited); + } + + public CertificatePoliciesValidation build(CertPath path) + { + return build(path.length()); + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/KeyUsageValidation.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/KeyUsageValidation.java new file mode 100644 index 0000000..5d9adc8 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/KeyUsageValidation.java @@ -0,0 +1,63 @@ +package org.bouncycastle.cert.path.validations; + +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.KeyUsage; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.path.CertPathValidation; +import org.bouncycastle.cert.path.CertPathValidationContext; +import org.bouncycastle.cert.path.CertPathValidationException; +import org.bouncycastle.util.Memoable; + +public class KeyUsageValidation + implements CertPathValidation +{ + private boolean isMandatory; + + public KeyUsageValidation() + { + this(true); + } + + public KeyUsageValidation(boolean isMandatory) + { + this.isMandatory = isMandatory; + } + + public void validate(CertPathValidationContext context, X509CertificateHolder certificate) + throws CertPathValidationException + { + context.addHandledExtension(Extension.keyUsage); + + if (!context.isEndEntity()) + { + KeyUsage usage = KeyUsage.fromExtensions(certificate.getExtensions()); + + if (usage != null) + { + if (!usage.hasUsages(KeyUsage.keyCertSign)) + { + throw new CertPathValidationException("Issuer certificate KeyUsage extension does not permit key signing"); + } + } + else + { + if (isMandatory) + { + throw new CertPathValidationException("KeyUsage extension not present in CA certificate"); + } + } + } + } + + public Memoable copy() + { + return new KeyUsageValidation(isMandatory); + } + + public void reset(Memoable other) + { + KeyUsageValidation v = (KeyUsageValidation)other; + + this.isMandatory = v.isMandatory; + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/ParentCertIssuedValidation.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/ParentCertIssuedValidation.java new file mode 100644 index 0000000..a21ad1c --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/ParentCertIssuedValidation.java @@ -0,0 +1,127 @@ +package org.bouncycastle.cert.path.validations; + +import java.io.IOException; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Null; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.cert.CertException; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.X509ContentVerifierProviderBuilder; +import org.bouncycastle.cert.path.CertPathValidation; +import org.bouncycastle.cert.path.CertPathValidationContext; +import org.bouncycastle.cert.path.CertPathValidationException; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.util.Memoable; + +public class ParentCertIssuedValidation + implements CertPathValidation +{ + private X509ContentVerifierProviderBuilder contentVerifierProvider; + + private X500Name workingIssuerName; + private SubjectPublicKeyInfo workingPublicKey; + private AlgorithmIdentifier workingAlgId; + + public ParentCertIssuedValidation(X509ContentVerifierProviderBuilder contentVerifierProvider) + { + this.contentVerifierProvider = contentVerifierProvider; + } + + public void validate(CertPathValidationContext context, X509CertificateHolder certificate) + throws CertPathValidationException + { + if (workingIssuerName != null) + { + if (!workingIssuerName.equals(certificate.getIssuer())) + { + throw new CertPathValidationException("Certificate issue does not match parent"); + } + } + + if (workingPublicKey != null) + { + try + { + SubjectPublicKeyInfo validatingKeyInfo; + + if (workingPublicKey.getAlgorithm().equals(workingAlgId)) + { + validatingKeyInfo = workingPublicKey; + } + else + { + validatingKeyInfo = new SubjectPublicKeyInfo(workingAlgId, workingPublicKey.parsePublicKey()); + } + + if (!certificate.isSignatureValid(contentVerifierProvider.build(validatingKeyInfo))) + { + throw new CertPathValidationException("Certificate signature not for public key in parent"); + } + } + catch (OperatorCreationException e) + { + throw new CertPathValidationException("Unable to create verifier: " + e.getMessage(), e); + } + catch (CertException e) + { + throw new CertPathValidationException("Unable to validate signature: " + e.getMessage(), e); + } + catch (IOException e) + { + throw new CertPathValidationException("Unable to build public key: " + e.getMessage(), e); + } + } + + workingIssuerName = certificate.getSubject(); + workingPublicKey = certificate.getSubjectPublicKeyInfo(); + + if (workingAlgId != null) + { + // check for inherited parameters + if (workingPublicKey.getAlgorithm().getAlgorithm().equals(workingAlgId.getAlgorithm())) + { + if (!isNull(workingPublicKey.getAlgorithm().getParameters())) + { + workingAlgId = workingPublicKey.getAlgorithm(); + } + } + else + { + workingAlgId = workingPublicKey.getAlgorithm(); + } + } + else + { + workingAlgId = workingPublicKey.getAlgorithm(); + } + } + + private boolean isNull(ASN1Encodable obj) + { + return obj == null || obj instanceof ASN1Null; + } + + public Memoable copy() + { + ParentCertIssuedValidation v = new ParentCertIssuedValidation(contentVerifierProvider); + + v.workingAlgId = this.workingAlgId; + v.workingIssuerName = this.workingIssuerName; + v.workingPublicKey = this.workingPublicKey; + + return v; + } + + public void reset(Memoable other) + { + ParentCertIssuedValidation v = (ParentCertIssuedValidation)other; + + this.contentVerifierProvider = v.contentVerifierProvider; + this.workingAlgId = v.workingAlgId; + this.workingIssuerName = v.workingIssuerName; + this.workingPublicKey = v.workingPublicKey; + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/ValidationUtils.java b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/ValidationUtils.java new file mode 100644 index 0000000..2a58706 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/cert/path/validations/ValidationUtils.java @@ -0,0 +1,11 @@ +package org.bouncycastle.cert.path.validations; + +import org.bouncycastle.cert.X509CertificateHolder; + +class ValidationUtils +{ + static boolean isSelfIssued(X509CertificateHolder cert) + { + return cert.getSubject().equals(cert.getIssuer()); + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/selector/package.html b/bcpkix/src/main/java/org/bouncycastle/cert/selector/package.html deleted file mode 100644 index c5c4211..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cert/selector/package.html +++ /dev/null @@ -1,7 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" - "http://www.w3.org/TR/html4/loose.dtd"> -<html> -<body bgcolor="#ffffff"> -Specialised Selector classes for certificates, CRLs, and attribute certificates. -</body> -</html>
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/test/BcCertTest.java b/bcpkix/src/main/java/org/bouncycastle/cert/test/BcCertTest.java index 5f382e0..018dde3 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cert/test/BcCertTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/cert/test/BcCertTest.java @@ -1265,7 +1265,7 @@ public class BcCertTest private void pemTest() throws Exception { - CertificateFactory cf = CertificateFactory.getInstance("X.509"); + CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); X509Certificate cert = readPEMCert(cf, PEMData.CERTIFICATE_1); if (cert == null) diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/test/PKCS10Test.java b/bcpkix/src/main/java/org/bouncycastle/cert/test/PKCS10Test.java index 6146711..c3ca869 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cert/test/PKCS10Test.java +++ b/bcpkix/src/main/java/org/bouncycastle/cert/test/PKCS10Test.java @@ -11,7 +11,6 @@ import java.security.Security; import java.security.Signature; import java.security.spec.RSAPrivateCrtKeySpec; import java.security.spec.RSAPublicKeySpec; -import java.util.Vector; import javax.security.auth.x500.X500Principal; @@ -24,11 +23,11 @@ import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x500.X500NameBuilder; import org.bouncycastle.asn1.x500.style.BCStyle; import org.bouncycastle.asn1.x509.BasicConstraints; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.Extensions; import org.bouncycastle.asn1.x509.KeyUsage; -import org.bouncycastle.asn1.x509.SubjectKeyIdentifier; -import org.bouncycastle.asn1.x509.X509Extension; -import org.bouncycastle.asn1.x509.X509Extensions; import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; import org.bouncycastle.jce.ECGOST3410NamedCurveTable; import org.bouncycastle.jce.ECNamedCurveTable; import org.bouncycastle.jce.interfaces.ECPointEncoder; @@ -50,7 +49,6 @@ import org.bouncycastle.util.Arrays; import org.bouncycastle.util.encoders.Base64; import org.bouncycastle.util.encoders.Hex; import org.bouncycastle.util.test.SimpleTest; -import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure; /** **/ @@ -463,28 +461,23 @@ public class PKCS10Test KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "BC"); keyGen.initialize(1024, new SecureRandom()); KeyPair pair = keyGen.generateKeyPair(); + JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); - Vector oids = new Vector(); - Vector values = new Vector(); - oids.add(X509Extension.basicConstraints); - values.add(new X509Extension(true, new DEROctetString(new BasicConstraints(true)))); - oids.add(X509Extension.keyUsage); - values.add(new X509Extension(true, new DEROctetString( - new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign)))); - SubjectKeyIdentifier subjectKeyIdentifier = new SubjectKeyIdentifierStructure(pair.getPublic()); - X509Extension ski = new X509Extension(false, new DEROctetString(subjectKeyIdentifier)); - oids.add(X509Extension.subjectKeyIdentifier); - values.add(ski); + Extension[] ext = new Extension[] { + new Extension(Extension.basicConstraints, true, new DEROctetString(new BasicConstraints(true))), + new Extension(Extension.keyUsage, true, new DEROctetString(new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign))), + new Extension(Extension.subjectKeyIdentifier, false, new DEROctetString(extUtils.createSubjectKeyIdentifier(pair.getPublic()))) + }; PKCS10CertificationRequest p1 = new JcaPKCS10CertificationRequestBuilder( new X500Name("cn=csr"), pair.getPublic()) - .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new X509Extensions(oids, values)) + .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new Extensions(ext)) .build(new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(pair.getPrivate())); PKCS10CertificationRequest p2 = new JcaPKCS10CertificationRequestBuilder( new X500Name("cn=csr"), pair.getPublic()) - .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new X509Extensions(oids, values)) + .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new Extensions(ext)) .build(new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(pair.getPrivate())); if (!p1.equals(p2)) diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedData.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedData.java index ec5fcfb..bd9d544 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedData.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedData.java @@ -2,9 +2,6 @@ package org.bouncycastle.cms; import java.io.IOException; import java.io.InputStream; -import java.security.AlgorithmParameters; -import java.security.NoSuchProviderException; -import java.security.Provider; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1OctetString; @@ -14,7 +11,6 @@ import org.bouncycastle.asn1.cms.AuthenticatedData; import org.bouncycastle.asn1.cms.CMSAttributes; import org.bouncycastle.asn1.cms.ContentInfo; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceAlgorithmIdentifierConverter; import org.bouncycastle.operator.DigestCalculatorProvider; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.util.Arrays; @@ -180,7 +176,7 @@ public class CMSAuthenticatedData */ public String getMacAlgOID() { - return macAlg.getObjectId().getId(); + return macAlg.getAlgorithm().getId(); } /** @@ -200,39 +196,6 @@ public class CMSAuthenticatedData } /** - * Return an AlgorithmParameters object giving the MAC parameters - * used to digest the message content. - * - * @param provider the provider to generate the parameters for. - * @return the parameters object, null if there is not one. - * @throws org.bouncycastle.cms.CMSException if the algorithm cannot be found, or the parameters can't be parsed. - * @throws java.security.NoSuchProviderException if the provider cannot be found. - * @deprecated use getMacAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getMacAlgorithmParameters( - String provider) - throws CMSException, NoSuchProviderException - { - return new JceAlgorithmIdentifierConverter().setProvider(provider).getAlgorithmParameters(macAlg); - } - - /** - * Return an AlgorithmParameters object giving the MAC parameters - * used to digest the message content. - * - * @param provider the provider to generate the parameters for. - * @return the parameters object, null if there is not one. - * @throws org.bouncycastle.cms.CMSException if the algorithm cannot be found, or the parameters can't be parsed. - * @deprecated use getMacAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getMacAlgorithmParameters( - Provider provider) - throws CMSException - { - return new JceAlgorithmIdentifierConverter().setProvider(provider).getAlgorithmParameters(macAlg); - } - - /** * return a store of the intended recipients for this message */ public RecipientInformationStore getRecipientInfos() diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataGenerator.java index 3c3185f..82f8294 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataGenerator.java @@ -3,20 +3,13 @@ package org.bouncycastle.cms; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.OutputStream; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.Provider; -import java.security.SecureRandom; import java.util.Collections; import java.util.HashMap; import java.util.Iterator; import java.util.Map; -import javax.crypto.KeyGenerator; - import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.ASN1Set; import org.bouncycastle.asn1.BEROctetString; @@ -27,7 +20,6 @@ import org.bouncycastle.asn1.cms.AuthenticatedData; import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; import org.bouncycastle.asn1.cms.ContentInfo; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceCMSMacCalculatorBuilder; import org.bouncycastle.operator.DigestCalculator; import org.bouncycastle.operator.DigestCalculatorProvider; import org.bouncycastle.operator.MacCalculator; @@ -186,81 +178,4 @@ public class CMSAuthenticatedDataGenerator } }); } - - /** - * constructor allowing specific source of randomness - * @param rand instance of SecureRandom to use - * @deprecated no longer required, use simple constructor. - */ - public CMSAuthenticatedDataGenerator( - SecureRandom rand) - { - super(rand); - } - - /** - * generate an authenticated object that contains an CMS Authenticated Data - * object using the given provider and the passed in key generator. - * @deprecated - */ - private CMSAuthenticatedData generate( - final CMSProcessable content, - String macOID, - KeyGenerator keyGen, - Provider provider) - throws NoSuchAlgorithmException, CMSException - { - Provider encProvider = keyGen.getProvider(); - - convertOldRecipients(rand, provider); - - return generate(new CMSTypedData() - { - public ASN1ObjectIdentifier getContentType() - { - return CMSObjectIdentifiers.data; - } - - public void write(OutputStream out) - throws IOException, CMSException - { - content.write(out); - } - - public Object getContent() - { - return content; - } - }, new JceCMSMacCalculatorBuilder(new ASN1ObjectIdentifier(macOID)).setProvider(encProvider).setSecureRandom(rand).build()); - } - - /** - * generate an authenticated object that contains an CMS Authenticated Data - * object using the given provider. - * @deprecated use addRecipientInfoGenerator method. - */ - public CMSAuthenticatedData generate( - CMSProcessable content, - String macOID, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - return generate(content, macOID, CMSUtils.getProvider(provider)); - } - - /** - * generate an authenticated object that contains an CMS Authenticated Data - * object using the given provider - * @deprecated use addRecipientInfoGenerator method.. - */ - public CMSAuthenticatedData generate( - CMSProcessable content, - String encryptionOID, - Provider provider) - throws NoSuchAlgorithmException, CMSException - { - KeyGenerator keyGen = CMSEnvelopedHelper.INSTANCE.createSymmetricKeyGenerator(encryptionOID, provider); - - return generate(content, encryptionOID, keyGen, provider); - } }
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataParser.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataParser.java index cae9988..57ea305 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataParser.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataParser.java @@ -3,9 +3,6 @@ package org.bouncycastle.cms; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; -import java.security.AlgorithmParameters; -import java.security.NoSuchProviderException; -import java.security.Provider; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1EncodableVector; @@ -22,7 +19,6 @@ import org.bouncycastle.asn1.cms.CMSAttributes; import org.bouncycastle.asn1.cms.ContentInfoParser; import org.bouncycastle.asn1.cms.OriginatorInfo; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceAlgorithmIdentifierConverter; import org.bouncycastle.operator.DigestCalculatorProvider; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.util.Arrays; @@ -143,7 +139,7 @@ public class CMSAuthenticatedDataParser // // read the authenticated content info // - ContentInfoParser data = authData.getEnapsulatedContentInfo(); + ContentInfoParser data = authData.getEncapsulatedContentInfo(); CMSReadable readable = new CMSProcessableInputStream( ((ASN1OctetStringParser)data.getContent(BERTags.OCTET_STRING)).getOctetStream()); @@ -176,7 +172,7 @@ public class CMSAuthenticatedDataParser // // read the authenticated content info // - ContentInfoParser data = authData.getEnapsulatedContentInfo(); + ContentInfoParser data = authData.getEncapsulatedContentInfo(); CMSReadable readable = new CMSProcessableInputStream( ((ASN1OctetStringParser)data.getContent(BERTags.OCTET_STRING)).getOctetStream()); @@ -233,39 +229,6 @@ public class CMSAuthenticatedDataParser } /** - * Return an AlgorithmParameters object giving the encryption parameters - * used to encrypt the message content. - * - * @param provider the name of the provider to generate the parameters for. - * @return the parameters object, null if there is not one. - * @throws org.bouncycastle.cms.CMSException if the algorithm cannot be found, or the parameters can't be parsed. - * @throws java.security.NoSuchProviderException if the provider cannot be found. - * @deprecated use getMacAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getMacAlgorithmParameters( - String provider) - throws CMSException, NoSuchProviderException - { - return new JceAlgorithmIdentifierConverter().setProvider(provider).getAlgorithmParameters(macAlg); - } - - /** - * Return an AlgorithmParameters object giving the encryption parameters - * used to encrypt the message content. - * - * @param provider the provider to generate the parameters for. - * @return the parameters object, null if there is not one. - * @throws org.bouncycastle.cms.CMSException if the algorithm cannot be found, or the parameters can't be parsed. - * @deprecated use getMacAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getMacAlgorithmParameters( - Provider provider) - throws CMSException - { - return new JceAlgorithmIdentifierConverter().setProvider(provider).getAlgorithmParameters(macAlg); - } - - /** * return a store of the intended recipients for this message */ public RecipientInformationStore getRecipientInfos() diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataStreamGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataStreamGenerator.java index 3bdd450..87afd70 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataStreamGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedDataStreamGenerator.java @@ -2,10 +2,6 @@ package org.bouncycastle.cms; import java.io.IOException; import java.io.OutputStream; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.Provider; -import java.security.SecureRandom; import java.util.Collections; import java.util.HashMap; import java.util.Iterator; @@ -24,7 +20,6 @@ import org.bouncycastle.asn1.DERTaggedObject; import org.bouncycastle.asn1.cms.AuthenticatedData; import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceCMSMacCalculatorBuilder; import org.bouncycastle.operator.DigestCalculator; import org.bouncycastle.operator.MacCalculator; import org.bouncycastle.util.io.TeeOutputStream; @@ -312,81 +307,4 @@ public class CMSAuthenticatedDataStreamGenerator cGen.close(); } } - - - /** - * constructor allowing specific source of randomness - * @param rand instance of SecureRandom to use - * @deprecated no longer of any use, use basic constructor. - */ - public CMSAuthenticatedDataStreamGenerator( - SecureRandom rand) - { - super(rand); - } - - /** - * generate an authenticated object that contains an CMS Authenticated Data - * object using the given provider. - * @throws java.io.IOException - * @deprecated use open(out, MacCalculator) - */ - public OutputStream open( - OutputStream out, - String encryptionOID, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException, IOException - { - convertOldRecipients(rand, CMSUtils.getProvider(provider)); - - return open(out, new JceCMSMacCalculatorBuilder(new ASN1ObjectIdentifier(encryptionOID)).setSecureRandom(rand).setProvider(provider).build()); - } - - /** - * @deprecated use open(out, MacCalculator) - */ - public OutputStream open( - OutputStream out, - String encryptionOID, - Provider provider) - throws NoSuchAlgorithmException, CMSException, IOException - { - convertOldRecipients(rand, provider); - - return open(out, new JceCMSMacCalculatorBuilder(new ASN1ObjectIdentifier(encryptionOID)).setSecureRandom(rand).setProvider(provider).build()); - } - - /** - * generate an enveloped object that contains an CMS Enveloped Data - * object using the given provider. - * @deprecated use open(out, MacCalculator) - */ - public OutputStream open( - OutputStream out, - String encryptionOID, - int keySize, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException, IOException - { - convertOldRecipients(rand, CMSUtils.getProvider(provider)); - - return open(out, new JceCMSMacCalculatorBuilder(new ASN1ObjectIdentifier(encryptionOID), keySize).setSecureRandom(rand).setProvider(provider).build()); - } - - /** - * generate an enveloped object that contains an CMS Enveloped Data - * object using the given provider. - * @deprecated use open(out, MacCalculator) - */ - public OutputStream open( - OutputStream out, - String encryptionOID, - int keySize, - Provider provider) - throws NoSuchAlgorithmException, CMSException, IOException - { - convertOldRecipients(rand, provider); - - return open(out, new JceCMSMacCalculatorBuilder(new ASN1ObjectIdentifier(encryptionOID), keySize).setSecureRandom(rand).setProvider(provider).build()); - } }
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedGenerator.java index 064f996..4022c8e 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSAuthenticatedGenerator.java @@ -1,6 +1,5 @@ package org.bouncycastle.cms; -import java.security.SecureRandom; import java.util.HashMap; import java.util.Map; @@ -20,17 +19,6 @@ public class CMSAuthenticatedGenerator { } - /** - * constructor allowing specific source of randomness - * - * @param rand instance of SecureRandom to use - */ - public CMSAuthenticatedGenerator( - SecureRandom rand) - { - super(rand); - } - public void setAuthenticatedAttributeGenerator(CMSAttributeTableGenerator authGen) { this.authGen = authGen; diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedData.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedData.java index 5a02ea9..3e44908 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedData.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedData.java @@ -2,7 +2,6 @@ package org.bouncycastle.cms; import java.io.IOException; import java.io.InputStream; -import java.util.zip.InflaterInputStream; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1OctetString; @@ -58,61 +57,6 @@ public class CMSCompressedData } } - /** - * Return the uncompressed content. - * - * @return the uncompressed content - * @throws CMSException if there is an exception uncompressing the data. - * @deprecated use getContent(InputExpanderProvider) - */ - public byte[] getContent() - throws CMSException - { - ContentInfo content = comData.getEncapContentInfo(); - - ASN1OctetString bytes = (ASN1OctetString)content.getContent(); - - InflaterInputStream zIn = new InflaterInputStream(bytes.getOctetStream()); - - try - { - return CMSUtils.streamToByteArray(zIn); - } - catch (IOException e) - { - throw new CMSException("exception reading compressed stream.", e); - } - } - - /** - * Return the uncompressed content, throwing an exception if the data size - * is greater than the passed in limit. If the content is exceeded getCause() - * on the CMSException will contain a StreamOverflowException - * - * @param limit maximum number of bytes to read - * @return the content read - * @throws CMSException if there is an exception uncompressing the data. - * @deprecated use getContent(InputExpanderProvider) - */ - public byte[] getContent(int limit) - throws CMSException - { - ContentInfo content = comData.getEncapContentInfo(); - - ASN1OctetString bytes = (ASN1OctetString)content.getContent(); - - InflaterInputStream zIn = new InflaterInputStream(bytes.getOctetStream()); - - try - { - return CMSUtils.streamToByteArray(zIn, limit); - } - catch (IOException e) - { - throw new CMSException("exception reading compressed stream.", e); - } - } - public ASN1ObjectIdentifier getContentType() { return contentInfo.getContentType(); @@ -145,15 +89,6 @@ public class CMSCompressedData } /** - * return the ContentInfo - * @deprecated use toASN1Structure() - */ - public ContentInfo getContentInfo() - { - return contentInfo; - } - - /** * return the ContentInfo */ public ContentInfo toASN1Structure() diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataGenerator.java index d2b497b..d50391a 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataGenerator.java @@ -3,9 +3,7 @@ package org.bouncycastle.cms; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.OutputStream; -import java.util.zip.DeflaterOutputStream; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.BEROctetString; import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; @@ -38,45 +36,6 @@ public class CMSCompressedDataGenerator /** * generate an object that contains an CMS Compressed Data - * @deprecated use generate(CMSTypedData, OutputCompressor) - */ - public CMSCompressedData generate( - CMSProcessable content, - String compressionOID) - throws CMSException - { - AlgorithmIdentifier comAlgId; - ASN1OctetString comOcts; - - try - { - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - DeflaterOutputStream zOut = new DeflaterOutputStream(bOut); - - content.write(zOut); - - zOut.close(); - - comAlgId = new AlgorithmIdentifier(new ASN1ObjectIdentifier(compressionOID)); - comOcts = new BEROctetString(bOut.toByteArray()); - } - catch (IOException e) - { - throw new CMSException("exception encoding data.", e); - } - - ContentInfo comContent = new ContentInfo( - CMSObjectIdentifiers.data, comOcts); - - ContentInfo contentInfo = new ContentInfo( - CMSObjectIdentifiers.compressedData, - new CompressedData(comAlgId, comContent)); - - return new CMSCompressedData(contentInfo); - } - - /** - * generate an object that contains an CMS Compressed Data */ public CMSCompressedData generate( CMSTypedData content, diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataParser.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataParser.java index 910b3f0..c3da87b 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataParser.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataParser.java @@ -3,7 +3,6 @@ package org.bouncycastle.cms; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; -import java.util.zip.InflaterInputStream; import org.bouncycastle.asn1.ASN1OctetStringParser; import org.bouncycastle.asn1.ASN1SequenceParser; @@ -45,27 +44,6 @@ public class CMSCompressedDataParser } /** - * @deprecated use getContent(InputExpandedProvider) - */ - public CMSTypedStream getContent() - throws CMSException - { - try - { - CompressedDataParser comData = new CompressedDataParser((ASN1SequenceParser)_contentInfo.getContent(BERTags.SEQUENCE)); - ContentInfoParser content = comData.getEncapContentInfo(); - - ASN1OctetStringParser bytes = (ASN1OctetStringParser)content.getContent(BERTags.OCTET_STRING); - - return new CMSTypedStream(content.getContentType().toString(), new InflaterInputStream(bytes.getOctetStream())); - } - catch (IOException e) - { - throw new CMSException("IOException reading compressed content.", e); - } - } - - /** * Return a typed stream which will allow the reading of the compressed content in * expanded form. * diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataStreamGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataStreamGenerator.java index bb917d0..8a34eb0 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataStreamGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSCompressedDataStreamGenerator.java @@ -2,12 +2,10 @@ package org.bouncycastle.cms; import java.io.IOException; import java.io.OutputStream; -import java.util.zip.DeflaterOutputStream; import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.BERSequenceGenerator; -import org.bouncycastle.asn1.DERSequenceGenerator; import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; import org.bouncycastle.operator.OutputCompressor; @@ -51,60 +49,14 @@ public class CMSCompressedDataStreamGenerator } /** - * @deprecated use open(OutputStream, ContentCompressor) - */ - public OutputStream open( - OutputStream out, - String compressionOID) - throws IOException - { - return open(out, CMSObjectIdentifiers.data.getId(), compressionOID); - } - - /** - * @deprecated use open(OutputStream, ASN1ObjectIdentifier, ContentCompressor) + * Open a compressing output stream with the PKCS#7 content type OID of "data". + * + * @param out the stream to encode to. + * @param compressor the type of compressor to use. + * @return an output stream to write the data be compressed to. + * @throws IOException */ public OutputStream open( - OutputStream out, - String contentOID, - String compressionOID) - throws IOException - { - BERSequenceGenerator sGen = new BERSequenceGenerator(out); - - sGen.addObject(CMSObjectIdentifiers.compressedData); - - // - // Compressed Data - // - BERSequenceGenerator cGen = new BERSequenceGenerator(sGen.getRawOutputStream(), 0, true); - - cGen.addObject(new ASN1Integer(0)); - - // - // AlgorithmIdentifier - // - DERSequenceGenerator algGen = new DERSequenceGenerator(cGen.getRawOutputStream()); - - algGen.addObject(new ASN1ObjectIdentifier(ZLIB)); - - algGen.close(); - - // - // Encapsulated ContentInfo - // - BERSequenceGenerator eiGen = new BERSequenceGenerator(cGen.getRawOutputStream()); - - eiGen.addObject(new ASN1ObjectIdentifier(contentOID)); - - OutputStream octetStream = CMSUtils.createBEROctetOutputStream( - eiGen.getRawOutputStream(), 0, true, _bufferSize); - - return new CmsCompressedOutputStream( - new DeflaterOutputStream(octetStream), sGen, cGen, eiGen); - } - - public OutputStream open( OutputStream out, OutputCompressor compressor) throws IOException @@ -115,10 +67,10 @@ public class CMSCompressedDataStreamGenerator /** * Open a compressing output stream. * - * @param contentOID - * @param out - * @param compressor - * @return + * @param contentOID the content type OID. + * @param out the stream to encode to. + * @param compressor the type of compressor to use. + * @return an output stream to write the data be compressed to. * @throws IOException */ public OutputStream open( diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedData.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedData.java index 131faec..56b9663 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedData.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedData.java @@ -2,9 +2,6 @@ package org.bouncycastle.cms; import java.io.IOException; import java.io.InputStream; -import java.security.AlgorithmParameters; -import java.security.NoSuchProviderException; -import java.security.Provider; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Set; @@ -13,7 +10,6 @@ import org.bouncycastle.asn1.cms.ContentInfo; import org.bouncycastle.asn1.cms.EncryptedContentInfo; import org.bouncycastle.asn1.cms.EnvelopedData; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceAlgorithmIdentifierConverter; /** * containing class for an CMS Enveloped Data object @@ -170,39 +166,6 @@ public class CMSEnvelopedData } /** - * Return an AlgorithmParameters object giving the encryption parameters - * used to encrypt the message content. - * - * @param provider the provider to generate the parameters for. - * @return the parameters object, null if there is not one. - * @throws CMSException if the algorithm cannot be found, or the parameters can't be parsed. - * @throws NoSuchProviderException if the provider cannot be found. - * @deprecated use getContentEncryptionAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getEncryptionAlgorithmParameters( - String provider) - throws CMSException, NoSuchProviderException - { - return new JceAlgorithmIdentifierConverter().setProvider(provider).getAlgorithmParameters(encAlg); - } - - /** - * Return an AlgorithmParameters object giving the encryption parameters - * used to encrypt the message content. - * - * @param provider the provider to generate the parameters for. - * @return the parameters object, null if there is not one. - * @throws CMSException if the algorithm cannot be found, or the parameters can't be parsed. - * @deprecated use getContentEncryptionAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getEncryptionAlgorithmParameters( - Provider provider) - throws CMSException - { - return new JceAlgorithmIdentifierConverter().setProvider(provider).getAlgorithmParameters(encAlg); - } - - /** * return a store of the intended recipients for this message */ public RecipientInformationStore getRecipientInfos() @@ -212,15 +175,6 @@ public class CMSEnvelopedData /** * return the ContentInfo - * @deprecated use toASN1Structure() - */ - public ContentInfo getContentInfo() - { - return contentInfo; - } - - /** - * return the ContentInfo */ public ContentInfo toASN1Structure() { diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataGenerator.java index 135367e..0038f90 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataGenerator.java @@ -3,17 +3,10 @@ package org.bouncycastle.cms; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.OutputStream; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.Provider; -import java.security.SecureRandom; import java.util.HashMap; import java.util.Iterator; -import javax.crypto.KeyGenerator; - import org.bouncycastle.asn1.ASN1EncodableVector; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.ASN1Set; import org.bouncycastle.asn1.BEROctetString; @@ -25,7 +18,6 @@ import org.bouncycastle.asn1.cms.ContentInfo; import org.bouncycastle.asn1.cms.EncryptedContentInfo; import org.bouncycastle.asn1.cms.EnvelopedData; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder; import org.bouncycastle.operator.GenericKey; import org.bouncycastle.operator.OutputEncryptor; @@ -58,65 +50,6 @@ public class CMSEnvelopedDataGenerator { } - /** - * constructor allowing specific source of randomness - * @param rand instance of SecureRandom to use - * @deprecated use no args constructor. - */ - public CMSEnvelopedDataGenerator( - SecureRandom rand) - { - super(rand); - } - - /** - * generate an enveloped object that contains an CMS Enveloped Data - * object using the given provider and the passed in key generator. - */ - private CMSEnvelopedData generate( - final CMSProcessable content, - String encryptionOID, - int keySize, - Provider encProvider, - Provider provider) - throws NoSuchAlgorithmException, CMSException - { - convertOldRecipients(rand, provider); - - JceCMSContentEncryptorBuilder builder; - - if (keySize != -1) - { - builder = new JceCMSContentEncryptorBuilder(new ASN1ObjectIdentifier(encryptionOID), keySize); - } - else - { - builder = new JceCMSContentEncryptorBuilder(new ASN1ObjectIdentifier(encryptionOID)); - } - - builder.setProvider(encProvider); - builder.setSecureRandom(rand); - - return doGenerate(new CMSTypedData() - { - public ASN1ObjectIdentifier getContentType() - { - return CMSObjectIdentifiers.data; - } - - public void write(OutputStream out) - throws IOException, CMSException - { - content.write(out); - } - - public Object getContent() - { - return content; - } - }, builder.build()); - } - private CMSEnvelopedData doGenerate( CMSTypedData content, OutputEncryptor contentEncryptor) @@ -184,68 +117,6 @@ public class CMSEnvelopedDataGenerator /** * generate an enveloped object that contains an CMS Enveloped Data * object using the given provider. - * @deprecated use OutputEncryptor method. - */ - public CMSEnvelopedData generate( - CMSProcessable content, - String encryptionOID, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - return generate(content, encryptionOID, CMSUtils.getProvider(provider)); - } - - /** - * generate an enveloped object that contains an CMS Enveloped Data - * object using the given provider. - * @deprecated use OutputEncryptor method. - */ - public CMSEnvelopedData generate( - CMSProcessable content, - String encryptionOID, - Provider provider) - throws NoSuchAlgorithmException, CMSException - { - KeyGenerator keyGen = CMSEnvelopedHelper.INSTANCE.createSymmetricKeyGenerator(encryptionOID, provider); - - return generate(content, encryptionOID, -1, keyGen.getProvider(), provider); - } - - /** - * generate an enveloped object that contains an CMS Enveloped Data - * object using the given provider. - * @deprecated use OutputEncryptor method. - */ - public CMSEnvelopedData generate( - CMSProcessable content, - String encryptionOID, - int keySize, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - return generate(content, encryptionOID, keySize, CMSUtils.getProvider(provider)); - } - - /** - * generate an enveloped object that contains an CMS Enveloped Data - * object using the given provider. - * @deprecated use OutputEncryptor method. - */ - public CMSEnvelopedData generate( - CMSProcessable content, - String encryptionOID, - int keySize, - Provider provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - KeyGenerator keyGen = CMSEnvelopedHelper.INSTANCE.createSymmetricKeyGenerator(encryptionOID, provider); - - return generate(content, encryptionOID, keySize, keyGen.getProvider(), provider); - } - - /** - * generate an enveloped object that contains an CMS Enveloped Data - * object using the given provider. * * @param content the content to be encrypted * @param contentEncryptor the symmetric key based encryptor to encrypt the content with. diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataParser.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataParser.java index 627b0ca..defd2f7 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataParser.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataParser.java @@ -3,9 +3,6 @@ package org.bouncycastle.cms; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; -import java.security.AlgorithmParameters; -import java.security.NoSuchProviderException; -import java.security.Provider; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1EncodableVector; @@ -20,7 +17,6 @@ import org.bouncycastle.asn1.cms.EncryptedContentInfoParser; import org.bouncycastle.asn1.cms.EnvelopedDataParser; import org.bouncycastle.asn1.cms.OriginatorInfo; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceAlgorithmIdentifierConverter; /** * Parsing class for an CMS Enveloped Data object from an input stream. @@ -148,39 +144,6 @@ public class CMSEnvelopedDataParser } /** - * Return an AlgorithmParameters object giving the encryption parameters - * used to encrypt the message content. - * - * @param provider the provider to generate the parameters for. - * @return the parameters object, null if there is not one. - * @throws CMSException if the algorithm cannot be found, or the parameters can't be parsed. - * @throws NoSuchProviderException if the provider cannot be found. - * @deprecated use getContentEncryptionAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getEncryptionAlgorithmParameters( - String provider) - throws CMSException, NoSuchProviderException - { - return new JceAlgorithmIdentifierConverter().setProvider(provider).getAlgorithmParameters(encAlg); - } - - /** - * Return an AlgorithmParameters object giving the encryption parameters - * used to encrypt the message content. - * - * @param provider the provider to generate the parameters for. - * @return the parameters object, null if there is not one. - * @throws CMSException if the algorithm cannot be found, or the parameters can't be parsed. - * @deprecated use getContentEncryptionAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getEncryptionAlgorithmParameters( - Provider provider) - throws CMSException - { - return new JceAlgorithmIdentifierConverter().setProvider(provider).getAlgorithmParameters(encAlg); - } - - /** * Return the originator information associated with this message if present. * * @return OriginatorInformation, null if not present. diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataStreamGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataStreamGenerator.java index 072a1da..92abca0 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataStreamGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedDataStreamGenerator.java @@ -2,15 +2,9 @@ package org.bouncycastle.cms; import java.io.IOException; import java.io.OutputStream; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.Provider; -import java.security.SecureRandom; import java.util.HashMap; import java.util.Iterator; -import javax.crypto.KeyGenerator; - import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1ObjectIdentifier; @@ -23,7 +17,6 @@ import org.bouncycastle.asn1.cms.AttributeTable; import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; import org.bouncycastle.asn1.cms.EnvelopedData; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder; import org.bouncycastle.operator.GenericKey; import org.bouncycastle.operator.OutputEncryptor; @@ -61,17 +54,6 @@ public class CMSEnvelopedDataStreamGenerator } /** - * constructor allowing specific source of randomness - * @param rand instance of SecureRandom to use - * @deprecated no longer required - specify randomness via RecipientInfoGenerator or ContentEncryptor. - */ - public CMSEnvelopedDataStreamGenerator( - SecureRandom rand) - { - super(rand); - } - - /** * Set the underlying string size for encapsulated data * * @param bufferSize length of octet strings to buffer the data. @@ -102,39 +84,6 @@ public class CMSEnvelopedDataStreamGenerator return new ASN1Integer(0); } } - - /** - * generate an enveloped object that contains an CMS Enveloped Data - * object using the given provider and the passed in key generator. - * @throws IOException - * @deprecated - */ - private OutputStream open( - OutputStream out, - String encryptionOID, - int keySize, - Provider encProvider, - Provider provider) - throws NoSuchAlgorithmException, CMSException, IOException - { - convertOldRecipients(rand, provider); - - JceCMSContentEncryptorBuilder builder; - - if (keySize != -1) - { - builder = new JceCMSContentEncryptorBuilder(new ASN1ObjectIdentifier(encryptionOID), keySize); - } - else - { - builder = new JceCMSContentEncryptorBuilder(new ASN1ObjectIdentifier(encryptionOID)); - } - - builder.setProvider(encProvider); - builder.setSecureRandom(rand); - - return doOpen(CMSObjectIdentifiers.data, out, builder.build()); - } private OutputStream doOpen( ASN1ObjectIdentifier dataType, @@ -267,71 +216,6 @@ public class CMSEnvelopedDataStreamGenerator /** * generate an enveloped object that contains an CMS Enveloped Data - * object using the given provider. - * @throws IOException - * @deprecated - */ - public OutputStream open( - OutputStream out, - String encryptionOID, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException, IOException - { - return open(out, encryptionOID, CMSUtils.getProvider(provider)); - } - - /** - * @deprecated - */ - public OutputStream open( - OutputStream out, - String encryptionOID, - Provider provider) - throws NoSuchAlgorithmException, CMSException, IOException - { - KeyGenerator keyGen = CMSEnvelopedHelper.INSTANCE.createSymmetricKeyGenerator(encryptionOID, provider); - - keyGen.init(rand); - - return open(out, encryptionOID, -1, keyGen.getProvider(), provider); - } - - /** - * generate an enveloped object that contains an CMS Enveloped Data - * object using the given provider. - * @deprecated - */ - public OutputStream open( - OutputStream out, - String encryptionOID, - int keySize, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException, IOException - { - return open(out, encryptionOID, keySize, CMSUtils.getProvider(provider)); - } - - /** - * generate an enveloped object that contains an CMS Enveloped Data - * object using the given provider. - * @deprecated - */ - public OutputStream open( - OutputStream out, - String encryptionOID, - int keySize, - Provider provider) - throws NoSuchAlgorithmException, CMSException, IOException - { - KeyGenerator keyGen = CMSEnvelopedHelper.INSTANCE.createSymmetricKeyGenerator(encryptionOID, provider); - - keyGen.init(keySize, rand); - - return open(out, encryptionOID, -1, keyGen.getProvider(), provider); - } - - /** - * generate an enveloped object that contains an CMS Enveloped Data * object using the given encryptor. */ public OutputStream open( diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedGenerator.java index aeda9a1..012b440 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedGenerator.java @@ -1,39 +1,14 @@ package org.bouncycastle.cms; -import java.io.IOException; -import java.security.AlgorithmParameters; -import java.security.InvalidKeyException; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.PrivateKey; -import java.security.Provider; -import java.security.PublicKey; -import java.security.SecureRandom; -import java.security.cert.CertificateEncodingException; -import java.security.cert.X509Certificate; import java.util.ArrayList; -import java.util.Collection; -import java.util.Iterator; import java.util.List; -import javax.crypto.SecretKey; - -import org.bouncycastle.asn1.ASN1Encodable; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.DERNull; -import org.bouncycastle.asn1.cms.KEKIdentifier; import org.bouncycastle.asn1.cms.OriginatorInfo; import org.bouncycastle.asn1.kisa.KISAObjectIdentifiers; import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; import org.bouncycastle.asn1.ntt.NTTObjectIdentifiers; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; -import org.bouncycastle.cms.jcajce.JceKEKRecipientInfoGenerator; -import org.bouncycastle.cms.jcajce.JceKeyAgreeRecipientInfoGenerator; -import org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator; -import org.bouncycastle.cms.jcajce.JcePasswordRecipientInfoGenerator; /** * General class for generating a CMS enveloped-data message. @@ -69,7 +44,6 @@ public class CMSEnvelopedGenerator protected CMSAttributeTableGenerator unprotectedAttributeGenerator = null; - final SecureRandom rand; protected OriginatorInfo originatorInfo; /** @@ -77,17 +51,6 @@ public class CMSEnvelopedGenerator */ public CMSEnvelopedGenerator() { - this(new SecureRandom()); - } - - /** - * constructor allowing specific source of randomness - * @param rand instance of SecureRandom to use - */ - public CMSEnvelopedGenerator( - SecureRandom rand) - { - this.rand = rand; } public void setUnprotectedAttributeGenerator(CMSAttributeTableGenerator unprotectedAttributeGenerator) @@ -95,212 +58,12 @@ public class CMSEnvelopedGenerator this.unprotectedAttributeGenerator = unprotectedAttributeGenerator; } - public void setOriginatorInfo(OriginatorInformation originatorInfo) { this.originatorInfo = originatorInfo.toASN1Structure(); } /** - * add a recipient. - * - * @deprecated use the addRecipientGenerator and JceKeyTransRecipientInfoGenerator - * @param cert recipient's public key certificate - * @exception IllegalArgumentException if there is a problem with the certificate - */ - public void addKeyTransRecipient( - X509Certificate cert) - throws IllegalArgumentException - { - try - { - oldRecipientInfoGenerators.add(new JceKeyTransRecipientInfoGenerator(cert)); - } - catch (CertificateEncodingException e) - { - throw new IllegalArgumentException("unable to encode certificate: " + e.getMessage()); - } - } - - /** - * add a recipient - * - * @deprecated use the addRecipientGenerator and JceKeyTransRecipientInfoGenerator - * @param key the public key used by the recipient - * @param subKeyId the identifier for the recipient's public key - * @exception IllegalArgumentException if there is a problem with the key - */ - public void addKeyTransRecipient( - PublicKey key, - byte[] subKeyId) - throws IllegalArgumentException - { - oldRecipientInfoGenerators.add(new JceKeyTransRecipientInfoGenerator(subKeyId, key)); - } - - /** - * add a KEK recipient. - * - * @deprecated use the addRecipientGenerator and JceKEKRecipientInfoGenerator - * @param key the secret key to use for wrapping - * @param keyIdentifier the byte string that identifies the key - */ - public void addKEKRecipient( - SecretKey key, - byte[] keyIdentifier) - { - addKEKRecipient(key, new KEKIdentifier(keyIdentifier, null, null)); - } - - /** - * add a KEK recipient. - * - * @deprecated use the addRecipientGenerator and JceKEKRecipientInfoGenerator - * @param key the secret key to use for wrapping - * @param kekIdentifier a KEKIdentifier structure (identifies the key) - */ - public void addKEKRecipient( - SecretKey key, - KEKIdentifier kekIdentifier) - { - oldRecipientInfoGenerators.add(new JceKEKRecipientInfoGenerator(kekIdentifier, key)); - } - - /** - * @deprecated use addRecipientGenerator and JcePasswordRecipientInfoGenerator - * @param pbeKey PBE key - * @param kekAlgorithmOid key encryption algorithm to use. - */ - public void addPasswordRecipient( - CMSPBEKey pbeKey, - String kekAlgorithmOid) - { - oldRecipientInfoGenerators.add(new JcePasswordRecipientInfoGenerator(new ASN1ObjectIdentifier(kekAlgorithmOid), pbeKey.getPassword()) - .setSaltAndIterationCount(pbeKey.getSalt(), pbeKey.getIterationCount()) - .setPasswordConversionScheme((pbeKey instanceof PKCS5Scheme2UTF8PBEKey) ? PasswordRecipient.PKCS5_SCHEME2_UTF8 : PasswordRecipient.PKCS5_SCHEME2)); - } - - /** - * Add a key agreement based recipient. - * - * @deprecated use the addRecipientGenerator and JceKeyAgreeRecipientInfoGenerator - * @param agreementAlgorithm key agreement algorithm to use. - * @param senderPrivateKey private key to initialise sender side of agreement with. - * @param senderPublicKey sender public key to include with message. - * @param recipientCert recipient's public key certificate. - * @param cekWrapAlgorithm OID for key wrapping algorithm to use. - * @param provider provider to use for the agreement calculation. - * @exception NoSuchProviderException if the specified provider cannot be found - * @exception NoSuchAlgorithmException if the algorithm requested cannot be found - * @exception InvalidKeyException if the keys are inappropriate for the algorithm specified - */ - public void addKeyAgreementRecipient( - String agreementAlgorithm, - PrivateKey senderPrivateKey, - PublicKey senderPublicKey, - X509Certificate recipientCert, - String cekWrapAlgorithm, - String provider) - throws NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException - { - addKeyAgreementRecipient(agreementAlgorithm, senderPrivateKey, senderPublicKey, recipientCert, cekWrapAlgorithm, CMSUtils.getProvider(provider)); - } - - /** - * Add a key agreement based recipient. - * - * @deprecated use the addRecipientGenerator and JceKeyAgreeRecipientInfoGenerator - * @param agreementAlgorithm key agreement algorithm to use. - * @param senderPrivateKey private key to initialise sender side of agreement with. - * @param senderPublicKey sender public key to include with message. - * @param recipientCert recipient's public key certificate. - * @param cekWrapAlgorithm OID for key wrapping algorithm to use. - * @param provider provider to use for the agreement calculation. - * @exception NoSuchAlgorithmException if the algorithm requested cannot be found - * @exception InvalidKeyException if the keys are inappropriate for the algorithm specified - */ - public void addKeyAgreementRecipient( - String agreementAlgorithm, - PrivateKey senderPrivateKey, - PublicKey senderPublicKey, - X509Certificate recipientCert, - String cekWrapAlgorithm, - Provider provider) - throws NoSuchAlgorithmException, InvalidKeyException - { - List recipients = new ArrayList(); - - recipients.add(recipientCert); - - addKeyAgreementRecipients(agreementAlgorithm, senderPrivateKey, senderPublicKey, - recipients, cekWrapAlgorithm, provider); - } - - /** - * Add multiple key agreement based recipients (sharing a single KeyAgreeRecipientInfo structure). - * - * @deprecated use the addRecipientGenerator and JceKeyAgreeRecipientInfoGenerator - * @param agreementAlgorithm key agreement algorithm to use. - * @param senderPrivateKey private key to initialise sender side of agreement with. - * @param senderPublicKey sender public key to include with message. - * @param recipientCerts recipients' public key certificates. - * @param cekWrapAlgorithm OID for key wrapping algorithm to use. - * @param provider provider to use for the agreement calculation. - * @exception NoSuchAlgorithmException if the algorithm requested cannot be found - * @exception InvalidKeyException if the keys are inappropriate for the algorithm specified - */ - public void addKeyAgreementRecipients( - String agreementAlgorithm, - PrivateKey senderPrivateKey, - PublicKey senderPublicKey, - Collection recipientCerts, - String cekWrapAlgorithm, - String provider) - throws NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException - { - addKeyAgreementRecipients(agreementAlgorithm, senderPrivateKey, senderPublicKey, recipientCerts, cekWrapAlgorithm, CMSUtils.getProvider(provider)); - } - - /** - * Add multiple key agreement based recipients (sharing a single KeyAgreeRecipientInfo structure). - * - * @deprecated use the addRecipientGenerator and JceKeyAgreeRecipientInfoGenerator - * @param agreementAlgorithm key agreement algorithm to use. - * @param senderPrivateKey private key to initialise sender side of agreement with. - * @param senderPublicKey sender public key to include with message. - * @param recipientCerts recipients' public key certificates. - * @param cekWrapAlgorithm OID for key wrapping algorithm to use. - * @param provider provider to use for the agreement calculation. - * @exception NoSuchAlgorithmException if the algorithm requested cannot be found - * @exception InvalidKeyException if the keys are inappropriate for the algorithm specified - */ - public void addKeyAgreementRecipients( - String agreementAlgorithm, - PrivateKey senderPrivateKey, - PublicKey senderPublicKey, - Collection recipientCerts, - String cekWrapAlgorithm, - Provider provider) - throws NoSuchAlgorithmException, InvalidKeyException - { - JceKeyAgreeRecipientInfoGenerator recipientInfoGenerator = new JceKeyAgreeRecipientInfoGenerator(new ASN1ObjectIdentifier(agreementAlgorithm), senderPrivateKey, senderPublicKey, new ASN1ObjectIdentifier(cekWrapAlgorithm)).setProvider(provider); - - for (Iterator it = recipientCerts.iterator(); it.hasNext();) - { - try - { - recipientInfoGenerator.addRecipient((X509Certificate)it.next()); - } - catch (CertificateEncodingException e) - { - throw new IllegalArgumentException("unable to encode certificate: " + e.getMessage()); - } - } - - oldRecipientInfoGenerators.add(recipientInfoGenerator); - } - - /** * Add a generator to produce the recipient info required. * * @param recipientGenerator a generator of a recipient info object. @@ -309,82 +72,4 @@ public class CMSEnvelopedGenerator { recipientInfoGenerators.add(recipientGenerator); } - - protected AlgorithmIdentifier getAlgorithmIdentifier(String encryptionOID, AlgorithmParameters params) throws IOException - { - ASN1Encodable asn1Params; - if (params != null) - { - asn1Params = ASN1Primitive.fromByteArray(params.getEncoded("ASN.1")); - } - else - { - asn1Params = DERNull.INSTANCE; - } - - return new AlgorithmIdentifier( - new ASN1ObjectIdentifier(encryptionOID), - asn1Params); - } - - protected void convertOldRecipients(SecureRandom rand, Provider provider) - { - for (Iterator it = oldRecipientInfoGenerators.iterator(); it.hasNext();) - { - Object recipient = it.next(); - - if (recipient instanceof JceKeyTransRecipientInfoGenerator) - { - JceKeyTransRecipientInfoGenerator recip = (JceKeyTransRecipientInfoGenerator)recipient; - - if (provider != null) - { - recip.setProvider(provider); - } - - recipientInfoGenerators.add(recip); - } - else if (recipient instanceof KEKRecipientInfoGenerator) - { - JceKEKRecipientInfoGenerator recip = (JceKEKRecipientInfoGenerator)recipient; - - if (provider != null) - { - recip.setProvider(provider); - } - - recip.setSecureRandom(rand); - - recipientInfoGenerators.add(recip); - } - else if (recipient instanceof JcePasswordRecipientInfoGenerator) - { - JcePasswordRecipientInfoGenerator recip = (JcePasswordRecipientInfoGenerator)recipient; - - if (provider != null) - { - recip.setProvider(provider); - } - - recip.setSecureRandom(rand); - - recipientInfoGenerators.add(recip); - } - else if (recipient instanceof JceKeyAgreeRecipientInfoGenerator) - { - JceKeyAgreeRecipientInfoGenerator recip = (JceKeyAgreeRecipientInfoGenerator)recipient; - - if (provider != null) - { - recip.setProvider(provider); - } - - recip.setSecureRandom(rand); - - recipientInfoGenerators.add(recip); - } - } - - oldRecipientInfoGenerators.clear(); - } } diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedHelper.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedHelper.java index fcb662b..9172706 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedHelper.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSEnvelopedHelper.java @@ -3,15 +3,11 @@ package org.bouncycastle.cms; import java.io.FilterInputStream; import java.io.IOException; import java.io.InputStream; -import java.security.NoSuchAlgorithmException; -import java.security.Provider; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; -import javax.crypto.KeyGenerator; - import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Set; import org.bouncycastle.asn1.cms.KEKRecipientInfo; @@ -55,36 +51,7 @@ class CMSEnvelopedHelper MAC_ALG_NAMES.put(CMSEnvelopedGenerator.AES256_CBC, "AESMac"); } - KeyGenerator createSymmetricKeyGenerator( - String encryptionOID, - Provider provider) - throws NoSuchAlgorithmException - { - try - { - return createKeyGenerator(encryptionOID, provider); - } - catch (NoSuchAlgorithmException e) - { - try - { - String algName = (String)BASE_CIPHER_NAMES.get(encryptionOID); - if (algName != null) - { - return createKeyGenerator(algName, provider); - } - } - catch (NoSuchAlgorithmException ex) - { - // ignore - } - if (provider != null) - { - return createSymmetricKeyGenerator(encryptionOID, null); - } - throw e; - } - } + int getKeySize(String oid) { @@ -98,20 +65,7 @@ class CMSEnvelopedHelper return keySize.intValue(); } - private KeyGenerator createKeyGenerator( - String algName, - Provider provider) - throws NoSuchAlgorithmException - { - if (provider != null) - { - return KeyGenerator.getInstance(algName, provider); - } - else - { - return KeyGenerator.getInstance(algName); - } - } + static RecipientInformationStore buildRecipientInformationStore( ASN1Set recipientInfos, AlgorithmIdentifier messageAlgorithm, CMSSecureReadable secureReadable) diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSPBEKey.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSPBEKey.java deleted file mode 100644 index d37bb31..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSPBEKey.java +++ /dev/null @@ -1,73 +0,0 @@ -package org.bouncycastle.cms; - -import java.security.AlgorithmParameters; -import java.security.InvalidAlgorithmParameterException; -import java.security.spec.InvalidParameterSpecException; - -import javax.crypto.interfaces.PBEKey; -import javax.crypto.spec.PBEParameterSpec; - -public abstract class CMSPBEKey - implements PBEKey -{ - private char[] password; - private byte[] salt; - private int iterationCount; - - protected static PBEParameterSpec getParamSpec(AlgorithmParameters algParams) - throws InvalidAlgorithmParameterException - { - try - { - return (PBEParameterSpec)algParams.getParameterSpec(PBEParameterSpec.class); - } - catch (InvalidParameterSpecException e) - { - throw new InvalidAlgorithmParameterException("cannot process PBE spec: " + e.getMessage()); - } - } - - public CMSPBEKey(char[] password, byte[] salt, int iterationCount) - { - this.password = password; - this.salt = salt; - this.iterationCount = iterationCount; - } - - public CMSPBEKey(char[] password, PBEParameterSpec pbeSpec) - { - this(password, pbeSpec.getSalt(), pbeSpec.getIterationCount()); - } - - public char[] getPassword() - { - return password; - } - - public byte[] getSalt() - { - return salt; - } - - public int getIterationCount() - { - return iterationCount; - } - - public String getAlgorithm() - { - return "PKCS5S2"; - } - - public String getFormat() - { - return "RAW"; - } - - public byte[] getEncoded() - { - return null; - } - - abstract byte[] getEncoded(String algorithmOid); -} diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedData.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedData.java index 7a3cb4b..0465b77 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedData.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedData.java @@ -3,11 +3,6 @@ package org.bouncycastle.cms; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.Provider; -import java.security.cert.CertStore; -import java.security.cert.CertStoreException; import java.util.ArrayList; import java.util.Collection; import java.util.Iterator; @@ -25,13 +20,10 @@ import org.bouncycastle.asn1.DERSet; import org.bouncycastle.asn1.cms.ContentInfo; import org.bouncycastle.asn1.cms.SignedData; import org.bouncycastle.asn1.cms.SignerInfo; -import org.bouncycastle.cert.jcajce.JcaCertStoreBuilder; import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.SignatureAlgorithmIdentifierFinder; import org.bouncycastle.util.Store; -import org.bouncycastle.x509.NoSuchStoreException; -import org.bouncycastle.x509.X509Store; /** * general class for handling a pkcs7-signature message. @@ -69,9 +61,7 @@ public class CMSSignedData ContentInfo contentInfo; CMSTypedData signedContent; SignerInformationStore signerInfoStore; - X509Store attributeStore; - X509Store certificateStore; - X509Store crlStore; + private Map hashes; private CMSSignedData( @@ -266,192 +256,6 @@ public class CMSSignedData } /** - * return a X509Store containing the attribute certificates, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider name of provider to use - * @return a store of attribute certificates - * @exception NoSuchProviderException if the provider requested isn't available. - * @exception NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use base Store returning method - */ - public X509Store getAttributeCertificates( - String type, - String provider) - throws NoSuchStoreException, NoSuchProviderException, CMSException - { - return getAttributeCertificates(type, CMSUtils.getProvider(provider)); - } - - /** - * return a X509Store containing the attribute certificates, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider provider to use - * @return a store of attribute certificates - * @exception NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use base Store returning method - */ - public X509Store getAttributeCertificates( - String type, - Provider provider) - throws NoSuchStoreException, CMSException - { - if (attributeStore == null) - { - attributeStore = HELPER.createAttributeStore(type, provider, this.getAttributeCertificates()); - } - - return attributeStore; - } - - /** - * return a X509Store containing the public key certificates, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider name of provider to use - * @return a store of public key certificates - * @exception NoSuchProviderException if the provider requested isn't available. - * @exception NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use base Store returning method - */ - public X509Store getCertificates( - String type, - String provider) - throws NoSuchStoreException, NoSuchProviderException, CMSException - { - return getCertificates(type, CMSUtils.getProvider(provider)); - } - - /** - * return a X509Store containing the public key certificates, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider provider to use - * @return a store of public key certificates - * @exception NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use base Store returning method - */ - public X509Store getCertificates( - String type, - Provider provider) - throws NoSuchStoreException, CMSException - { - if (certificateStore == null) - { - certificateStore = HELPER.createCertificateStore(type, provider, this.getCertificates()); - } - - return certificateStore; - } - - /** - * return a X509Store containing CRLs, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider name of provider to use - * @return a store of CRLs - * @exception NoSuchProviderException if the provider requested isn't available. - * @exception NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use base Store returning method - */ - public X509Store getCRLs( - String type, - String provider) - throws NoSuchStoreException, NoSuchProviderException, CMSException - { - return getCRLs(type, CMSUtils.getProvider(provider)); - } - - /** - * return a X509Store containing CRLs, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider provider to use - * @return a store of CRLs - * @exception NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use base Store returning method - */ - public X509Store getCRLs( - String type, - Provider provider) - throws NoSuchStoreException, CMSException - { - if (crlStore == null) - { - crlStore = HELPER.createCRLsStore(type, provider, getCRLs()); - } - - return crlStore; - } - - /** - * return a CertStore containing the certificates and CRLs associated with - * this message. - * - * @exception NoSuchProviderException if the provider requested isn't available. - * @exception NoSuchAlgorithmException if the cert store isn't available. - * @exception CMSException if a general exception prevents creation of the CertStore - * @deprecated use base Store returning method and org.bouncycastle.cert.jcajce.JcaCertStoreBuilder - */ - public CertStore getCertificatesAndCRLs( - String type, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - return getCertificatesAndCRLs(type, CMSUtils.getProvider(provider)); - } - - /** - * return a CertStore containing the certificates and CRLs associated with - * this message. - * - * @exception NoSuchAlgorithmException if the cert store isn't available. - * @exception CMSException if a general exception prevents creation of the CertStore - * @deprecated use base Store returning method and org.bouncycastle.cert.jcajce.JcaCertStoreBuilder - */ - public CertStore getCertificatesAndCRLs( - String type, - Provider provider) - throws NoSuchAlgorithmException, CMSException - { - try - { - JcaCertStoreBuilder certStoreBuilder = new JcaCertStoreBuilder().setType(type); - - if (provider != null) - { - certStoreBuilder.setProvider(provider); - } - - certStoreBuilder.addCertificates(this.getCertificates()); - certStoreBuilder.addCRLs(this.getCRLs()); - - return certStoreBuilder.build(); - } - catch (NoSuchAlgorithmException e) - { - throw e; - } - catch (Exception e) - { - throw new CMSException("exception creating CertStore: " + e.getMessage(), e); - } - } - - /** * Return any X.509 certificate objects in this SignedData structure as a Store of X509CertificateHolder objects. * * @return a Store of X509CertificateHolder objects. @@ -512,15 +316,6 @@ public class CMSSignedData /** * return the ContentInfo - * @deprecated use toASN1Structure() - */ - public ContentInfo getContentInfo() - { - return contentInfo; - } - - /** - * return the ContentInfo */ public ContentInfo toASN1Structure() { @@ -672,77 +467,6 @@ public class CMSSignedData /** * Replace the certificate and CRL information associated with this * CMSSignedData object with the new one passed in. - * - * @param signedData the signed data object to be used as a base. - * @param certsAndCrls the new certificates and CRLs to be used. - * @return a new signed data object. - * @exception CMSException if there is an error processing the CertStore - * @deprecated use method taking Store arguments. - */ - public static CMSSignedData replaceCertificatesAndCRLs( - CMSSignedData signedData, - CertStore certsAndCrls) - throws CMSException - { - // - // copy - // - CMSSignedData cms = new CMSSignedData(signedData); - - // - // replace the certs and crls in the SignedData object - // - ASN1Set certs = null; - ASN1Set crls = null; - - try - { - ASN1Set set = CMSUtils.createBerSetFromList(CMSUtils.getCertificatesFromStore(certsAndCrls)); - - if (set.size() != 0) - { - certs = set; - } - } - catch (CertStoreException e) - { - throw new CMSException("error getting certs from certStore", e); - } - - try - { - ASN1Set set = CMSUtils.createBerSetFromList(CMSUtils.getCRLsFromStore(certsAndCrls)); - - if (set.size() != 0) - { - crls = set; - } - } - catch (CertStoreException e) - { - throw new CMSException("error getting crls from certStore", e); - } - - // - // replace the CMS structure. - // - cms.signedData = new SignedData(signedData.signedData.getDigestAlgorithms(), - signedData.signedData.getEncapContentInfo(), - certs, - crls, - signedData.signedData.getSignerInfos()); - - // - // replace the contentInfo with the new one - // - cms.contentInfo = new ContentInfo(cms.contentInfo.getContentType(), cms.signedData); - - return cms; - } - - /** - * Replace the certificate and CRL information associated with this - * CMSSignedData object with the new one passed in. * * @param signedData the signed data object to be used as a base. * @param certificates the new certificates to be used. diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataGenerator.java index 9692e15..eea8a1a 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataGenerator.java @@ -3,13 +3,6 @@ package org.bouncycastle.cms; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.OutputStream; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.PrivateKey; -import java.security.Provider; -import java.security.SecureRandom; -import java.security.cert.CertificateEncodingException; -import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Iterator; import java.util.List; @@ -20,16 +13,10 @@ import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.ASN1Set; import org.bouncycastle.asn1.BEROctetString; import org.bouncycastle.asn1.DERSet; -import org.bouncycastle.asn1.cms.AttributeTable; import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; import org.bouncycastle.asn1.cms.ContentInfo; import org.bouncycastle.asn1.cms.SignedData; import org.bouncycastle.asn1.cms.SignerInfo; -import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder; -import org.bouncycastle.operator.ContentSigner; -import org.bouncycastle.operator.OperatorCreationException; -import org.bouncycastle.operator.bc.BcDigestCalculatorProvider; -import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; /** * general class for generating a pkcs7-signature message. @@ -62,80 +49,6 @@ public class CMSSignedDataGenerator { private List signerInfs = new ArrayList(); - private class SignerInf - { - final PrivateKey key; - final Object signerIdentifier; - final String digestOID; - final String encOID; - final CMSAttributeTableGenerator sAttr; - final CMSAttributeTableGenerator unsAttr; - final AttributeTable baseSignedTable; - - SignerInf( - PrivateKey key, - Object signerIdentifier, - String digestOID, - String encOID, - CMSAttributeTableGenerator sAttr, - CMSAttributeTableGenerator unsAttr, - AttributeTable baseSignedTable) - { - this.key = key; - this.signerIdentifier = signerIdentifier; - this.digestOID = digestOID; - this.encOID = encOID; - this.sAttr = sAttr; - this.unsAttr = unsAttr; - this.baseSignedTable = baseSignedTable; - } - - SignerInfoGenerator toSignerInfoGenerator( - SecureRandom random, - Provider sigProvider, - boolean addDefaultAttributes) - throws IOException, CertificateEncodingException, CMSException, OperatorCreationException, NoSuchAlgorithmException - { - String digestName = CMSSignedHelper.INSTANCE.getDigestAlgName(digestOID); - String signatureName = digestName + "with" + CMSSignedHelper.INSTANCE.getEncryptionAlgName(encOID); - - JcaSignerInfoGeneratorBuilder builder = new JcaSignerInfoGeneratorBuilder(new BcDigestCalculatorProvider()); - - if (addDefaultAttributes) - { - builder.setSignedAttributeGenerator(sAttr); - } - builder.setDirectSignature(!addDefaultAttributes); - - builder.setUnsignedAttributeGenerator(unsAttr); - - JcaContentSignerBuilder signerBuilder; - - try - { - signerBuilder = new JcaContentSignerBuilder(signatureName).setSecureRandom(random); - } - catch (IllegalArgumentException e) - { - throw new NoSuchAlgorithmException(e.getMessage()); - } - - if (sigProvider != null) - { - signerBuilder.setProvider(sigProvider); - } - - ContentSigner contentSigner = signerBuilder.build(key); - if (signerIdentifier instanceof X509Certificate) - { - return builder.build(contentSigner, (X509Certificate)signerIdentifier); - } - else - { - return builder.build(contentSigner, (byte[])signerIdentifier); - } - } - } /** * base constructor */ @@ -144,463 +57,24 @@ public class CMSSignedDataGenerator } /** - * constructor allowing specific source of randomness - * @param rand instance of SecureRandom to use - * @deprecated rand ignored in new API, use base constructor. - */ - public CMSSignedDataGenerator( - SecureRandom rand) - { - super(rand); - } - - /** - * add a signer - no attributes other than the default ones will be - * provided here. - * - * @param key signing key to use - * @param cert certificate containing corresponding public key - * @param digestOID digest algorithm OID - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String digestOID) - throws IllegalArgumentException - { - addSigner(key, cert, getEncOID(key, digestOID), digestOID); - } - - /** - * add a signer, specifying the digest encryption algorithm to use - no attributes other than the default ones will be - * provided here. - * - * @param key signing key to use - * @param cert certificate containing corresponding public key - * @param encryptionOID digest encryption algorithm OID - * @param digestOID digest algorithm OID - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String encryptionOID, - String digestOID) - throws IllegalArgumentException - { - doAddSigner(key, cert, encryptionOID, digestOID, - new DefaultSignedAttributeTableGenerator(), null, null); - } - - /** - * add a signer - no attributes other than the default ones will be - * provided here. - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String digestOID) - throws IllegalArgumentException - { - addSigner(key, subjectKeyID, getEncOID(key, digestOID), digestOID); - } - - /** - * add a signer, specifying the digest encryption algorithm to use - no attributes other than the default ones will be - * provided here. - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String encryptionOID, - String digestOID) - throws IllegalArgumentException - { - doAddSigner(key, subjectKeyID, encryptionOID, digestOID, - new DefaultSignedAttributeTableGenerator(), null, null); - } - - /** - * add a signer with extra signed/unsigned attributes. + * Generate a CMS Signed Data object carrying a detached CMS signature. * - * @param key signing key to use - * @param cert certificate containing corresponding public key - * @param digestOID digest algorithm OID - * @param signedAttr table of attributes to be included in signature - * @param unsignedAttr table of attributes to be included as unsigned - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String digestOID, - AttributeTable signedAttr, - AttributeTable unsignedAttr) - throws IllegalArgumentException - { - addSigner(key, cert, getEncOID(key, digestOID), digestOID, signedAttr, unsignedAttr); - } - - /** - * add a signer, specifying the digest encryption algorithm, with extra signed/unsigned attributes. - * - * @param key signing key to use - * @param cert certificate containing corresponding public key - * @param encryptionOID digest encryption algorithm OID - * @param digestOID digest algorithm OID - * @param signedAttr table of attributes to be included in signature - * @param unsignedAttr table of attributes to be included as unsigned - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String encryptionOID, - String digestOID, - AttributeTable signedAttr, - AttributeTable unsignedAttr) - throws IllegalArgumentException - { - doAddSigner(key, cert, encryptionOID, digestOID, - new DefaultSignedAttributeTableGenerator(signedAttr), - new SimpleAttributeTableGenerator(unsignedAttr), signedAttr); - } - - /** - * add a signer with extra signed/unsigned attributes. - * - * @param key signing key to use - * @param subjectKeyID subjectKeyID of corresponding public key - * @param digestOID digest algorithm OID - * @param signedAttr table of attributes to be included in signature - * @param unsignedAttr table of attributes to be included as unsigned - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String digestOID, - AttributeTable signedAttr, - AttributeTable unsignedAttr) - throws IllegalArgumentException - { - addSigner(key, subjectKeyID, getEncOID(key, digestOID), digestOID, signedAttr, - unsignedAttr); - } - - /** - * add a signer, specifying the digest encryption algorithm, with extra signed/unsigned attributes. - * - * @param key signing key to use - * @param subjectKeyID subjectKeyID of corresponding public key - * @param encryptionOID digest encryption algorithm OID - * @param digestOID digest algorithm OID - * @param signedAttr table of attributes to be included in signature - * @param unsignedAttr table of attributes to be included as unsigned - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String encryptionOID, - String digestOID, - AttributeTable signedAttr, - AttributeTable unsignedAttr) - throws IllegalArgumentException - { - doAddSigner(key, subjectKeyID, encryptionOID, digestOID, - new DefaultSignedAttributeTableGenerator(signedAttr), - new SimpleAttributeTableGenerator(unsignedAttr), signedAttr); - } - - /** - * add a signer with extra signed/unsigned attributes based on generators. - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String digestOID, - CMSAttributeTableGenerator signedAttrGen, - CMSAttributeTableGenerator unsignedAttrGen) - throws IllegalArgumentException - { - addSigner(key, cert, getEncOID(key, digestOID), digestOID, signedAttrGen, unsignedAttrGen); - } - - /** - * add a signer, specifying the digest encryption algorithm, with extra signed/unsigned attributes based on generators. - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String encryptionOID, - String digestOID, - CMSAttributeTableGenerator signedAttrGen, - CMSAttributeTableGenerator unsignedAttrGen) - throws IllegalArgumentException - { - doAddSigner(key, cert, encryptionOID, digestOID, signedAttrGen, - unsignedAttrGen, null); - } - - /** - * add a signer with extra signed/unsigned attributes based on generators. - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String digestOID, - CMSAttributeTableGenerator signedAttrGen, - CMSAttributeTableGenerator unsignedAttrGen) - throws IllegalArgumentException - { - addSigner(key, subjectKeyID, getEncOID(key, digestOID), digestOID, signedAttrGen, - unsignedAttrGen); - } - - /** - * add a signer, including digest encryption algorithm, with extra signed/unsigned attributes based on generators. - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String encryptionOID, - String digestOID, - CMSAttributeTableGenerator signedAttrGen, - CMSAttributeTableGenerator unsignedAttrGen) - throws IllegalArgumentException - { - doAddSigner(key, subjectKeyID, encryptionOID, digestOID, - signedAttrGen, unsignedAttrGen, null); - } - - private void doAddSigner( - PrivateKey key, - Object signerIdentifier, - String encryptionOID, - String digestOID, - CMSAttributeTableGenerator signedAttrGen, - CMSAttributeTableGenerator unsignedAttrGen, - AttributeTable baseSignedTable) - throws IllegalArgumentException - { - signerInfs.add(new SignerInf(key, signerIdentifier, digestOID, encryptionOID, - signedAttrGen, unsignedAttrGen, baseSignedTable)); - } - - /** - * generate a signed object that for a CMS Signed Data - * object using the given provider. - * @deprecated use generate() method not taking provider. + * @param content the content to be signed. */ public CMSSignedData generate( - CMSProcessable content, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - return generate(content, CMSUtils.getProvider(sigProvider)); - } - - /** - * generate a signed object that for a CMS Signed Data - * object using the given provider. - * @deprecated use generate() method not taking provider. - */ - public CMSSignedData generate( - CMSProcessable content, - Provider sigProvider) - throws NoSuchAlgorithmException, CMSException - { - return generate(content, false, sigProvider); - } - - /** - * generate a signed object that for a CMS Signed Data - * object using the given provider - if encapsulate is true a copy - * of the message will be included in the signature. The content type - * is set according to the OID represented by the string signedContentType. - * @deprecated use generate(CMSTypedData, boolean) - */ - public CMSSignedData generate( - String eContentType, - CMSProcessable content, - boolean encapsulate, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - return generate(eContentType, content, encapsulate, CMSUtils.getProvider(sigProvider), - true); - } - - /** - * generate a signed object that for a CMS Signed Data - * object using the given provider - if encapsulate is true a copy - * of the message will be included in the signature. The content type - * is set according to the OID represented by the string signedContentType. - * @deprecated use generate(CMSTypedData, boolean) - */ - public CMSSignedData generate( - String eContentType, - CMSProcessable content, - boolean encapsulate, - Provider sigProvider) - throws NoSuchAlgorithmException, CMSException - { - return generate(eContentType, content, encapsulate, sigProvider, true); - } - - /** - * Similar method to the other generate methods. The additional argument - * addDefaultAttributes indicates whether or not a default set of signed attributes - * need to be added automatically. If the argument is set to false, no - * attributes will get added at all. - * @deprecated use generate(CMSTypedData, boolean) - */ - public CMSSignedData generate( - String eContentType, - CMSProcessable content, - boolean encapsulate, - String sigProvider, - boolean addDefaultAttributes) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - return generate(eContentType, content, encapsulate, CMSUtils.getProvider(sigProvider), - addDefaultAttributes); - } - - /** - * Similar method to the other generate methods. The additional argument - * addDefaultAttributes indicates whether or not a default set of signed attributes - * need to be added automatically. If the argument is set to false, no - * attributes will get added at all. - * @deprecated use setDirectSignature() on SignerInformationGenerator. - */ - public CMSSignedData generate( - String eContentType, - final CMSProcessable content, - boolean encapsulate, - Provider sigProvider, - boolean addDefaultAttributes) - throws NoSuchAlgorithmException, CMSException - { - boolean isCounterSignature = (eContentType == null); - - final ASN1ObjectIdentifier contentTypeOID = isCounterSignature - ? null - : new ASN1ObjectIdentifier(eContentType); - - for (Iterator it = signerInfs.iterator(); it.hasNext();) - { - SignerInf signer = (SignerInf)it.next(); - - try - { - signerGens.add(signer.toSignerInfoGenerator(rand, sigProvider, - addDefaultAttributes)); - } - catch (OperatorCreationException e) - { - throw new CMSException("exception creating signerInf", e); - } - catch (IOException e) - { - throw new CMSException("exception encoding attributes", e); - } - catch (CertificateEncodingException e) - { - throw new CMSException("error creating sid.", e); - } - } - - signerInfs.clear(); - - if (content != null) - { - return generate(new CMSTypedData() - { - public ASN1ObjectIdentifier getContentType() - { - return contentTypeOID; - } - - public void write(OutputStream out) - throws IOException, CMSException - { - content.write(out); - } - - public Object getContent() - { - return content.getContent(); - } - }, encapsulate); - } - else - { - return generate(new CMSAbsentContent(contentTypeOID), encapsulate); - } - } - - /** - * generate a signed object that for a CMS Signed Data - * object using the given provider - if encapsulate is true a copy - * of the message will be included in the signature with the - * default content type "data". - * @deprecated use generate(CMSTypedData, boolean) - */ - public CMSSignedData generate( - CMSProcessable content, - boolean encapsulate, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - if (content instanceof CMSTypedData) - { - return this.generate(((CMSTypedData)content).getContentType().getId(), content, encapsulate, sigProvider); - } - else - { - return this.generate(DATA, content, encapsulate, sigProvider); - } - } - - /** - * generate a signed object that for a CMS Signed Data - * object using the given provider - if encapsulate is true a copy - * of the message will be included in the signature with the - * default content type "data". - * @deprecated use generate(CMSTypedData, boolean) - */ - public CMSSignedData generate( - CMSProcessable content, - boolean encapsulate, - Provider sigProvider) - throws NoSuchAlgorithmException, CMSException - { - if (content instanceof CMSTypedData) - { - return this.generate(((CMSTypedData)content).getContentType().getId(), content, encapsulate, sigProvider); - } - else - { - return this.generate(DATA, content, encapsulate, sigProvider); - } - } - - public CMSSignedData generate( CMSTypedData content) throws CMSException { return generate(content, false); } + /** + * Generate a CMS Signed Data object which can be carrying a detached CMS signature, or have encapsulated data, depending on the value + * of the encapsulated parameter. + * + * @param content the content to be signed. + * @param encapsulate true if the content should be encapsulated in the signature, false otherwise. + */ public CMSSignedData generate( // FIXME Avoid accessing more than once to support CMSProcessableInputStream CMSTypedData content, @@ -747,36 +221,6 @@ public class CMSSignedDataGenerator * the passed in SignerInformation object. * * @param signer the signer to be countersigned - * @param sigProvider the provider to be used for counter signing. - * @return a store containing the signers. - * @deprecated use generateCounterSigners(SignerInformation) - */ - public SignerInformationStore generateCounterSigners(SignerInformation signer, Provider sigProvider) - throws NoSuchAlgorithmException, CMSException - { - return this.generate(null, new CMSProcessableByteArray(signer.getSignature()), false, sigProvider).getSignerInfos(); - } - - /** - * generate a set of one or more SignerInformation objects representing counter signatures on - * the passed in SignerInformation object. - * - * @param signer the signer to be countersigned - * @param sigProvider the provider to be used for counter signing. - * @return a store containing the signers. - * @deprecated use generateCounterSigners(SignerInformation) - */ - public SignerInformationStore generateCounterSigners(SignerInformation signer, String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - return this.generate(null, new CMSProcessableByteArray(signer.getSignature()), false, CMSUtils.getProvider(sigProvider)).getSignerInfos(); - } - - /** - * generate a set of one or more SignerInformation objects representing counter signatures on - * the passed in SignerInformation object. - * - * @param signer the signer to be countersigned * @return a store containing the signers. */ public SignerInformationStore generateCounterSigners(SignerInformation signer) diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataParser.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataParser.java index 6c80bb4..329f089 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataParser.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataParser.java @@ -4,11 +4,6 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.Provider; -import java.security.cert.CertStore; -import java.security.cert.CertStoreException; import java.util.ArrayList; import java.util.HashMap; import java.util.Iterator; @@ -35,15 +30,11 @@ import org.bouncycastle.asn1.cms.ContentInfoParser; import org.bouncycastle.asn1.cms.SignedDataParser; import org.bouncycastle.asn1.cms.SignerInfo; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cert.jcajce.JcaCertStoreBuilder; import org.bouncycastle.operator.DigestCalculator; import org.bouncycastle.operator.DigestCalculatorProvider; import org.bouncycastle.operator.OperatorCreationException; -import org.bouncycastle.operator.bc.BcDigestCalculatorProvider; import org.bouncycastle.util.Store; import org.bouncycastle.util.io.Streams; -import org.bouncycastle.x509.NoSuchStoreException; -import org.bouncycastle.x509.X509Store; /** * Parsing class for an CMS Signed Data object from an input stream. @@ -100,22 +91,8 @@ public class CMSSignedDataParser private Map digests; private SignerInformationStore _signerInfoStore; - private X509Store _attributeStore; private ASN1Set _certSet, _crlSet; private boolean _isCertCrlParsed; - private X509Store _certificateStore; - private X509Store _crlStore; - - /** - * @deprecated use method taking a DigestCalculatorProvider - */ - public CMSSignedDataParser( - byte[] sigBlock) - throws CMSException - { - this(createDefaultDigestProvider(), new ByteArrayInputStream(sigBlock)); - } - public CMSSignedDataParser( DigestCalculatorProvider digestCalculatorProvider, @@ -125,20 +102,6 @@ public class CMSSignedDataParser this(digestCalculatorProvider, new ByteArrayInputStream(sigBlock)); } - /** - * @deprecated use method taking digest calculator provider. - * @param signedContent - * @param sigBlock - * @throws CMSException - */ - public CMSSignedDataParser( - CMSTypedStream signedContent, - byte[] sigBlock) - throws CMSException - { - this(createDefaultDigestProvider(), signedContent, new ByteArrayInputStream(sigBlock)); - } - public CMSSignedDataParser( DigestCalculatorProvider digestCalculatorProvider, CMSTypedStream signedContent, @@ -148,26 +111,8 @@ public class CMSSignedDataParser this(digestCalculatorProvider, signedContent, new ByteArrayInputStream(sigBlock)); } - private static DigestCalculatorProvider createDefaultDigestProvider() - throws CMSException - { - return new BcDigestCalculatorProvider(); - } - /** * base constructor - with encapsulated content - * - * @deprecated use method taking a DigestCalculatorProvider - */ - public CMSSignedDataParser( - InputStream sigData) - throws CMSException - { - this(createDefaultDigestProvider(), null, sigData); - } - - /** - * base constructor - with encapsulated content */ public CMSSignedDataParser( DigestCalculatorProvider digestCalculatorProvider, @@ -180,22 +125,6 @@ public class CMSSignedDataParser /** * base constructor * - * @param signedContent the content that was signed. - * @param sigData the signature object stream. - * * - * @deprecated use method taking a DigestCalculatorProvider - */ - public CMSSignedDataParser( - CMSTypedStream signedContent, - InputStream sigData) - throws CMSException - { - this(createDefaultDigestProvider(), signedContent, sigData); - } - - /** - * base constructor - * * @param digestCalculatorProvider for generating accumulating digests * @param signedContent the content that was signed. * @param sigData the signature object stream. @@ -273,11 +202,6 @@ public class CMSSignedDataParser { throw new CMSException("io exception: " + e.getMessage(), e); } - - if (digests.isEmpty()) - { - throw new CMSException("no digests could be created for message."); - } } /** @@ -339,201 +263,6 @@ public class CMSSignedDataParser } /** - * return a X509Store containing the attribute certificates, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider name of provider to use - * @return a store of attribute certificates - * @exception NoSuchProviderException if the provider requested isn't available. - * @exception org.bouncycastle.x509.NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use getAttributeCertificates() - */ - public X509Store getAttributeCertificates( - String type, - String provider) - throws NoSuchStoreException, NoSuchProviderException, CMSException - { - return getAttributeCertificates(type, CMSUtils.getProvider(provider)); - } - - /** - * return a X509Store containing the attribute certificates, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider provider to use - * @return a store of attribute certificates - * @exception org.bouncycastle.x509.NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use getAttributeCertificates() - */ - public X509Store getAttributeCertificates( - String type, - Provider provider) - throws NoSuchStoreException, CMSException - { - if (_attributeStore == null) - { - populateCertCrlSets(); - - _attributeStore = HELPER.createAttributeStore(type, provider, this.getAttributeCertificates()); - } - - return _attributeStore; - } - - /** - * return a X509Store containing the public key certificates, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider provider to use - * @return a store of public key certificates - * @exception NoSuchProviderException if the provider requested isn't available. - * @exception NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use getCertificates() - */ - public X509Store getCertificates( - String type, - String provider) - throws NoSuchStoreException, NoSuchProviderException, CMSException - { - return getCertificates(type, CMSUtils.getProvider(provider)); - } - - /** - * return a X509Store containing the public key certificates, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider provider to use - * @return a store of public key certificates - * @exception NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use getCertificates() - */ - public X509Store getCertificates( - String type, - Provider provider) - throws NoSuchStoreException, CMSException - { - if (_certificateStore == null) - { - populateCertCrlSets(); - - _certificateStore = HELPER.createCertificateStore(type, provider, this.getCertificates()); - } - - return _certificateStore; - } - - /** - * return a X509Store containing CRLs, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider name of provider to use - * @return a store of CRLs - * @exception NoSuchProviderException if the provider requested isn't available. - * @exception NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use getCRLs() - */ - public X509Store getCRLs( - String type, - String provider) - throws NoSuchStoreException, NoSuchProviderException, CMSException - { - return getCRLs(type, CMSUtils.getProvider(provider)); - } - - /** - * return a X509Store containing CRLs, if any, contained - * in this message. - * - * @param type type of store to create - * @param provider provider to use - * @return a store of CRLs - * @exception NoSuchStoreException if the store type isn't available. - * @exception CMSException if a general exception prevents creation of the X509Store - * @deprecated use getCRLs() - */ - public X509Store getCRLs( - String type, - Provider provider) - throws NoSuchStoreException, CMSException - { - if (_crlStore == null) - { - populateCertCrlSets(); - - _crlStore = HELPER.createCRLsStore(type, provider, getCRLs()); - } - - return _crlStore; - } - - /** - * return a CertStore containing the certificates and CRLs associated with - * this message. - * - * @exception NoSuchProviderException if the provider requested isn't available. - * @exception NoSuchAlgorithmException if the cert store isn't available. - * @exception CMSException if a general exception prevents creation of the CertStore - * @deprecated use getCertificates() and org.bouncycastle.cert.jcajce.JcaCertStoreBuilder - */ - public CertStore getCertificatesAndCRLs( - String type, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - return getCertificatesAndCRLs(type, CMSUtils.getProvider(provider)); - } - - /** - * return a CertStore containing the certificates and CRLs associated with - * this message. - * - * @exception NoSuchProviderException if the provider requested isn't available. - * @exception NoSuchAlgorithmException if the cert store isn't available. - * @exception CMSException if a general exception prevents creation of the CertStore - * @deprecated use getCertificates() and org.bouncycastle.cert.jcajce.JcaCertStoreBuilder - */ - public CertStore getCertificatesAndCRLs( - String type, - Provider provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - populateCertCrlSets(); - - try - { - JcaCertStoreBuilder certStoreBuilder = new JcaCertStoreBuilder().setType(type); - - if (provider != null) - { - certStoreBuilder.setProvider(provider); - } - - certStoreBuilder.addCertificates(this.getCertificates()); - certStoreBuilder.addCRLs(this.getCRLs()); - - return certStoreBuilder.build(); - } - catch (NoSuchAlgorithmException e) - { - throw e; - } - catch (Exception e) - { - throw new CMSException("exception creating CertStore: " + e.getMessage(), e); - } - } - - /** * Return any X.509 certificate objects in this SignedData structure as a Store of X509CertificateHolder objects. * * @return a Store of X509CertificateHolder objects. @@ -719,102 +448,6 @@ public class CMSSignedDataParser * The output stream is returned unclosed. * </p> * @param original the signed data stream to be used as a base. - * @param certsAndCrls the new certificates and CRLs to be used. - * @param out the stream to write the new signed data object to. - * @return out. - * @exception CMSException if there is an error processing the CertStore - * @deprecated use method that takes Store objects. - */ - public static OutputStream replaceCertificatesAndCRLs( - InputStream original, - CertStore certsAndCrls, - OutputStream out) - throws CMSException, IOException - { - ASN1StreamParser in = new ASN1StreamParser(original); - ContentInfoParser contentInfo = new ContentInfoParser((ASN1SequenceParser)in.readObject()); - SignedDataParser signedData = SignedDataParser.getInstance(contentInfo.getContent(BERTags.SEQUENCE)); - - BERSequenceGenerator sGen = new BERSequenceGenerator(out); - - sGen.addObject(CMSObjectIdentifiers.signedData); - - BERSequenceGenerator sigGen = new BERSequenceGenerator(sGen.getRawOutputStream(), 0, true); - - // version number - sigGen.addObject(signedData.getVersion()); - - // digests - sigGen.getRawOutputStream().write(signedData.getDigestAlgorithms().toASN1Primitive().getEncoded()); - - // encap content info - ContentInfoParser encapContentInfo = signedData.getEncapContentInfo(); - - BERSequenceGenerator eiGen = new BERSequenceGenerator(sigGen.getRawOutputStream()); - - eiGen.addObject(encapContentInfo.getContentType()); - - pipeEncapsulatedOctetString(encapContentInfo, eiGen.getRawOutputStream()); - - eiGen.close(); - - // - // skip existing certs and CRLs - // - getASN1Set(signedData.getCertificates()); - getASN1Set(signedData.getCrls()); - - // - // replace the certs and crls in the SignedData object - // - ASN1Set certs; - - try - { - certs = CMSUtils.createBerSetFromList(CMSUtils.getCertificatesFromStore(certsAndCrls)); - } - catch (CertStoreException e) - { - throw new CMSException("error getting certs from certStore", e); - } - - if (certs.size() > 0) - { - sigGen.getRawOutputStream().write(new DERTaggedObject(false, 0, certs).getEncoded()); - } - - ASN1Set crls; - - try - { - crls = CMSUtils.createBerSetFromList(CMSUtils.getCRLsFromStore(certsAndCrls)); - } - catch (CertStoreException e) - { - throw new CMSException("error getting crls from certStore", e); - } - - if (crls.size() > 0) - { - sigGen.getRawOutputStream().write(new DERTaggedObject(false, 1, crls).getEncoded()); - } - - sigGen.getRawOutputStream().write(signedData.getSignerInfos().toASN1Primitive().getEncoded()); - - sigGen.close(); - - sGen.close(); - - return out; - } - - /** - * Replace the certificate and CRL information associated with this - * CMSSignedData object with the new one passed in. - * <p> - * The output stream is returned unclosed. - * </p> - * @param original the signed data stream to be used as a base. * @param certs new certificates to be used, if any. * @param crls new CRLs to be used, if any. * @param attrCerts new attribute certificates to be used, if any. diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataStreamGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataStreamGenerator.java index cbd1c50..1e09b48 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataStreamGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedDataStreamGenerator.java @@ -2,14 +2,6 @@ package org.bouncycastle.cms; import java.io.IOException; import java.io.OutputStream; -import java.security.InvalidKeyException; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.PrivateKey; -import java.security.Provider; -import java.security.SecureRandom; -import java.security.cert.CertificateEncodingException; -import java.security.cert.X509Certificate; import java.util.Iterator; import java.util.List; @@ -21,14 +13,8 @@ import org.bouncycastle.asn1.ASN1TaggedObject; import org.bouncycastle.asn1.BERSequenceGenerator; import org.bouncycastle.asn1.BERTaggedObject; import org.bouncycastle.asn1.DERSet; -import org.bouncycastle.asn1.cms.AttributeTable; import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; import org.bouncycastle.asn1.cms.SignerInfo; -import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder; -import org.bouncycastle.operator.ContentSigner; -import org.bouncycastle.operator.OperatorCreationException; -import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; -import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; /** * General class for generating a pkcs7-signature message stream. @@ -71,17 +57,6 @@ public class CMSSignedDataStreamGenerator } /** - * constructor allowing specific source of randomness - * @param rand instance of SecureRandom to use - * @deprecated no longer required if the addSignerInfoGenerator method is used. - */ - public CMSSignedDataStreamGenerator( - SecureRandom rand) - { - super(rand); - } - - /** * Set the underlying string size for encapsulated data * * @param bufferSize length of octet strings to buffer the data. @@ -91,514 +66,6 @@ public class CMSSignedDataStreamGenerator { _bufferSize = bufferSize; } - - /** - * add a signer - no attributes other than the default ones will be - * provided here. - * @throws NoSuchProviderException - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String digestOID, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, cert, digestOID, CMSUtils.getProvider(sigProvider)); - } - - /** - * add a signer - no attributes other than the default ones will be - * provided here. - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String digestOID, - Provider sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, cert, digestOID, new DefaultSignedAttributeTableGenerator(), - (CMSAttributeTableGenerator)null, sigProvider); - } - - /** - * add a signer, specifying the digest encryption algorithm - no attributes other than the default ones will be - * provided here. - * @throws NoSuchProviderException - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String encryptionOID, - String digestOID, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, cert, encryptionOID, digestOID, CMSUtils.getProvider(sigProvider)); - } - - /** - * add a signer, specifying digest encryptionOID - no attributes other than the default ones will be - * provided here. - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String encryptionOID, - String digestOID, - Provider sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, cert, encryptionOID, digestOID, new DefaultSignedAttributeTableGenerator(), - (CMSAttributeTableGenerator)null, sigProvider); - } - - /** - * add a signer with extra signed/unsigned attributes. - * @throws NoSuchProviderException - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String digestOID, - AttributeTable signedAttr, - AttributeTable unsignedAttr, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, cert, digestOID, signedAttr, unsignedAttr, - CMSUtils.getProvider(sigProvider)); - } - - /** - * add a signer with extra signed/unsigned attributes. - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String digestOID, - AttributeTable signedAttr, - AttributeTable unsignedAttr, - Provider sigProvider) - throws NoSuchAlgorithmException, InvalidKeyException - { - addSigner(key, cert, digestOID, new DefaultSignedAttributeTableGenerator(signedAttr), - new SimpleAttributeTableGenerator(unsignedAttr), sigProvider); - } - - /** - * add a signer with extra signed/unsigned attributes - specifying digest - * encryption algorithm. - * @throws NoSuchProviderException - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String encryptionOID, - String digestOID, - AttributeTable signedAttr, - AttributeTable unsignedAttr, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, cert, encryptionOID, digestOID, signedAttr, unsignedAttr, - CMSUtils.getProvider(sigProvider)); - } - - /** - * add a signer with extra signed/unsigned attributes and the digest encryption algorithm. - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String encryptionOID, - String digestOID, - AttributeTable signedAttr, - AttributeTable unsignedAttr, - Provider sigProvider) - throws NoSuchAlgorithmException, InvalidKeyException - { - addSigner(key, cert, encryptionOID, digestOID, - new DefaultSignedAttributeTableGenerator(signedAttr), - new SimpleAttributeTableGenerator(unsignedAttr), sigProvider); - } - - /** - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String digestOID, - CMSAttributeTableGenerator signedAttrGenerator, - CMSAttributeTableGenerator unsignedAttrGenerator, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, cert, digestOID, signedAttrGenerator, unsignedAttrGenerator, - CMSUtils.getProvider(sigProvider)); - } - - /** - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String digestOID, - CMSAttributeTableGenerator signedAttrGenerator, - CMSAttributeTableGenerator unsignedAttrGenerator, - Provider sigProvider) - throws NoSuchAlgorithmException, InvalidKeyException - { - addSigner(key, cert, getEncOID(key, digestOID), digestOID, signedAttrGenerator, - unsignedAttrGenerator, sigProvider); - } - - /** - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String encryptionOID, - String digestOID, - CMSAttributeTableGenerator signedAttrGenerator, - CMSAttributeTableGenerator unsignedAttrGenerator, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, cert, encryptionOID, digestOID, signedAttrGenerator, unsignedAttrGenerator, - CMSUtils.getProvider(sigProvider)); - } - - /** - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String encryptionOID, - String digestOID, - CMSAttributeTableGenerator signedAttrGenerator, - CMSAttributeTableGenerator unsignedAttrGenerator, - Provider sigProvider) - throws NoSuchAlgorithmException, InvalidKeyException - { - addSigner(key, cert, encryptionOID, digestOID, signedAttrGenerator, unsignedAttrGenerator, sigProvider, sigProvider); - } - - /** - * add a signer - no attributes other than the default ones will be - * provided here. - * @throws NoSuchProviderException - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String digestOID, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, subjectKeyID, digestOID, CMSUtils.getProvider(sigProvider)); - } - - /** - * add a signer - no attributes other than the default ones will be - * provided here. - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String digestOID, - Provider sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, subjectKeyID, digestOID, new DefaultSignedAttributeTableGenerator(), - (CMSAttributeTableGenerator)null, sigProvider); - } - - /** - * add a signer - no attributes other than the default ones will be - * provided here. - * @throws NoSuchProviderException - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignedInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String encryptionOID, - String digestOID, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, subjectKeyID, encryptionOID, digestOID, CMSUtils.getProvider(sigProvider)); - } - - /** - * add a signer - no attributes other than the default ones will be - * provided here, specifying the digest encryption algorithm. - * - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String encryptionOID, - String digestOID, - Provider sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, subjectKeyID, encryptionOID, digestOID, - new DefaultSignedAttributeTableGenerator(), (CMSAttributeTableGenerator)null, - sigProvider); - } - - /** - * add a signer with extra signed/unsigned attributes. - * @throws NoSuchProviderException - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String digestOID, - AttributeTable signedAttr, - AttributeTable unsignedAttr, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, subjectKeyID, digestOID, signedAttr, unsignedAttr, - CMSUtils.getProvider(sigProvider)); - } - - /** - * add a signer with extra signed/unsigned attributes. - * @throws NoSuchAlgorithmException - * @throws InvalidKeyException - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String digestOID, - AttributeTable signedAttr, - AttributeTable unsignedAttr, - Provider sigProvider) - throws NoSuchAlgorithmException, InvalidKeyException - { - addSigner(key, subjectKeyID, digestOID, - new DefaultSignedAttributeTableGenerator(signedAttr), - new SimpleAttributeTableGenerator(unsignedAttr), sigProvider); - } - - /** - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String digestOID, - CMSAttributeTableGenerator signedAttrGenerator, - CMSAttributeTableGenerator unsignedAttrGenerator, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, subjectKeyID, digestOID, signedAttrGenerator, unsignedAttrGenerator, - CMSUtils.getProvider(sigProvider)); - } - - /** - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String digestOID, - CMSAttributeTableGenerator signedAttrGenerator, - CMSAttributeTableGenerator unsignedAttrGenerator, - Provider sigProvider) - throws NoSuchAlgorithmException, InvalidKeyException - { - addSigner(key, subjectKeyID, getEncOID(key, digestOID), digestOID, signedAttrGenerator, - unsignedAttrGenerator, sigProvider); - } - - /** - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String encryptionOID, - String digestOID, - CMSAttributeTableGenerator signedAttrGenerator, - CMSAttributeTableGenerator unsignedAttrGenerator, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException - { - addSigner(key, subjectKeyID, encryptionOID, digestOID, signedAttrGenerator, - unsignedAttrGenerator, CMSUtils.getProvider(sigProvider)); - } - - /** - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String encryptionOID, - String digestOID, - CMSAttributeTableGenerator signedAttrGenerator, - CMSAttributeTableGenerator unsignedAttrGenerator, - Provider sigProvider) - throws NoSuchAlgorithmException, InvalidKeyException - { - addSigner(key, subjectKeyID, encryptionOID, digestOID, signedAttrGenerator, unsignedAttrGenerator, sigProvider, sigProvider); - } - - /** - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - X509Certificate cert, - String encryptionOID, - String digestOID, - CMSAttributeTableGenerator signedAttrGenerator, - CMSAttributeTableGenerator unsignedAttrGenerator, - Provider sigProvider, - Provider digProvider) - throws NoSuchAlgorithmException, InvalidKeyException - { - doAddSigner(key, cert, encryptionOID, digestOID, signedAttrGenerator, unsignedAttrGenerator, sigProvider, digProvider); - } - - private void doAddSigner(PrivateKey key, Object signerId, String encryptionOID, String digestOID, CMSAttributeTableGenerator signedAttrGenerator, CMSAttributeTableGenerator unsignedAttrGenerator, Provider sigProvider, Provider digProvider) - throws NoSuchAlgorithmException, InvalidKeyException - { - String digestName = CMSSignedHelper.INSTANCE.getDigestAlgName(digestOID); - String signatureName = digestName + "with" + CMSSignedHelper.INSTANCE.getEncryptionAlgName(encryptionOID); - - JcaContentSignerBuilder signerBuilder; - - try - { - signerBuilder = new JcaContentSignerBuilder(signatureName).setSecureRandom(rand); - } - catch (IllegalArgumentException e) - { - throw new NoSuchAlgorithmException(e.getMessage()); - } - - if (sigProvider != null) - { - signerBuilder.setProvider(sigProvider); - } - - try - { - JcaDigestCalculatorProviderBuilder calculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder(); - - if (digProvider != null && !digProvider.getName().equalsIgnoreCase("SunRsaSign")) - { - calculatorProviderBuilder.setProvider(digProvider); - } - - JcaSignerInfoGeneratorBuilder builder = new JcaSignerInfoGeneratorBuilder(calculatorProviderBuilder.build()); - - builder.setSignedAttributeGenerator(signedAttrGenerator); - - builder.setUnsignedAttributeGenerator(unsignedAttrGenerator); - - try - { - ContentSigner contentSigner = signerBuilder.build(key); - - if (signerId instanceof X509Certificate) - { - addSignerInfoGenerator(builder.build(contentSigner, (X509Certificate)signerId)); - } - else - { - addSignerInfoGenerator(builder.build(contentSigner, (byte[])signerId)); - } - } - catch (OperatorCreationException e) - { - if (e.getCause() instanceof NoSuchAlgorithmException) - { - throw (NoSuchAlgorithmException)e.getCause(); - } - if (e.getCause() instanceof InvalidKeyException) - { - throw (InvalidKeyException)e.getCause(); - } - } - } - catch (OperatorCreationException e) - { - throw new NoSuchAlgorithmException("unable to create operators: " + e.getMessage()); - } - catch (CertificateEncodingException e) - { - throw new IllegalStateException("unable to encode certificate"); - } - } - - /** - * @deprecated use addSignerInfoGenerator - */ - public void addSigner( - PrivateKey key, - byte[] subjectKeyID, - String encryptionOID, - String digestOID, - CMSAttributeTableGenerator signedAttrGenerator, - CMSAttributeTableGenerator unsignedAttrGenerator, - Provider sigProvider, - Provider digProvider) - throws NoSuchAlgorithmException, InvalidKeyException - { - doAddSigner(key, subjectKeyID, encryptionOID, digestOID, signedAttrGenerator, unsignedAttrGenerator, sigProvider, digProvider); - } /** * generate a signed object that for a CMS Signed Data @@ -645,18 +112,6 @@ public class CMSSignedDataStreamGenerator } /** - * @deprecated use open(ASN1ObjectIdentifier, OutputStream, boolean) - */ - public OutputStream open( - OutputStream out, - String eContentType, - boolean encapsulate) - throws IOException - { - return open(out, eContentType, encapsulate, null); - } - - /** * generate a signed object that for a CMS Signed Data * object using the given provider - if encapsulate is true a copy * of the message will be included in the signature. The content type @@ -672,19 +127,6 @@ public class CMSSignedDataStreamGenerator } /** - * @deprecated use open(ASN1ObjectIdenfier, OutputStream, boolean, OutputStream) - */ - public OutputStream open( - OutputStream out, - String eContentType, - boolean encapsulate, - OutputStream dataOutputStream) - throws IOException - { - return open(new ASN1ObjectIdentifier(eContentType), out, encapsulate, dataOutputStream); - } - - /** * generate a signed object that for a CMS Signed Data * object using the given provider - if encapsulate is true a copy * of the message will be included in the signature. The content type @@ -786,23 +228,6 @@ public class CMSSignedDataStreamGenerator return new CmsSignedDataOutputStream(sigStream, eContentType, sGen, sigGen, eiGen); } - // TODO Make public? - void generate( - OutputStream out, - String eContentType, - boolean encapsulate, - OutputStream dataOutputStream, - CMSProcessable content) - throws CMSException, IOException - { - OutputStream signedOut = open(out, eContentType, encapsulate, dataOutputStream); - if (content != null) - { - content.write(signedOut); - } - signedOut.close(); - } - // RFC3852, section 5.1: // IF ((certificates is present) AND // (any certificates with a type of other are present)) OR @@ -915,7 +340,7 @@ public class CMSSignedDataStreamGenerator { SignerInfoGenerator s = (SignerInfoGenerator)it.next(); - if (s.getGeneratedVersion().getValue().intValue() == 3) + if (s.getGeneratedVersion() == 3) { return true; } diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedGenerator.java index 84369e7..9fe6779 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedGenerator.java @@ -1,12 +1,5 @@ package org.bouncycastle.cms; -import java.io.IOException; -import java.security.PrivateKey; -import java.security.SecureRandom; -import java.security.cert.CertStore; -import java.security.cert.CertStoreException; -import java.security.interfaces.DSAPrivateKey; -import java.security.interfaces.RSAPrivateKey; import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; @@ -17,11 +10,7 @@ import java.util.Set; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.ASN1Set; -import org.bouncycastle.asn1.DERSet; import org.bouncycastle.asn1.DERTaggedObject; -import org.bouncycastle.asn1.cms.AttributeTable; import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; import org.bouncycastle.asn1.cms.OtherRevocationInfoFormat; import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; @@ -30,16 +19,12 @@ import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.teletrust.TeleTrusTObjectIdentifiers; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.asn1.x509.AttributeCertificate; import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; import org.bouncycastle.cert.X509AttributeCertificateHolder; import org.bouncycastle.cert.X509CRLHolder; import org.bouncycastle.cert.X509CertificateHolder; -import org.bouncycastle.jce.interfaces.GOST3410PrivateKey; import org.bouncycastle.util.Arrays; import org.bouncycastle.util.Store; -import org.bouncycastle.x509.X509AttributeCertificate; -import org.bouncycastle.x509.X509Store; public class CMSSignedGenerator { @@ -98,62 +83,11 @@ public class CMSSignedGenerator protected List signerGens = new ArrayList(); protected Map digests = new HashMap(); - protected final SecureRandom rand; - /** * base constructor */ protected CMSSignedGenerator() { - this(new SecureRandom()); - } - - /** - * constructor allowing specific source of randomness - * @param rand instance of SecureRandom to use - */ - protected CMSSignedGenerator( - SecureRandom rand) - { - this.rand = rand; - } - - protected String getEncOID( - PrivateKey key, - String digestOID) - { - String encOID = null; - - if (key instanceof RSAPrivateKey || "RSA".equalsIgnoreCase(key.getAlgorithm())) - { - encOID = ENCRYPTION_RSA; - } - else if (key instanceof DSAPrivateKey || "DSA".equalsIgnoreCase(key.getAlgorithm())) - { - encOID = ENCRYPTION_DSA; - if (!digestOID.equals(DIGEST_SHA1)) - { - throw new IllegalArgumentException("can't mix DSA with anything but SHA1"); - } - } - else if ("ECDSA".equalsIgnoreCase(key.getAlgorithm()) || "EC".equalsIgnoreCase(key.getAlgorithm())) - { - encOID = (String)EC_ALGORITHMS.get(digestOID); - if (encOID == null) - { - throw new IllegalArgumentException("can't mix ECDSA with anything but SHA family digests"); - } - } - else if (key instanceof GOST3410PrivateKey || "GOST3410".equalsIgnoreCase(key.getAlgorithm())) - { - encOID = ENCRYPTION_GOST3410; - } - else if ("ECGOST3410".equalsIgnoreCase(key.getAlgorithm())) - { - encOID = ENCRYPTION_ECGOST3410; - } - - return encOID; } protected Map getBaseParameters(ASN1ObjectIdentifier contentType, AlgorithmIdentifier digAlgId, byte[] hash) @@ -165,36 +99,6 @@ public class CMSSignedGenerator return param; } - protected ASN1Set getAttributeSet( - AttributeTable attr) - { - if (attr != null) - { - return new DERSet(attr.toASN1EncodableVector()); - } - - return null; - } - - /** - * add the certificates and CRLs contained in the given CertStore - * to the pool that will be included in the encoded signature block. - * <p> - * Note: this assumes the CertStore will support null in the get - * methods. - * @param certStore CertStore containing the public key certificates and CRLs - * @throws java.security.cert.CertStoreException if an issue occurs processing the CertStore - * @throws CMSException if an issue occurse transforming data from the CertStore into the message - * @deprecated use addCertificates and addCRLs - */ - public void addCertificatesAndCRLs( - CertStore certStore) - throws CertStoreException, CMSException - { - certs.addAll(CMSUtils.getCertificatesFromStore(certStore)); - crls.addAll(CMSUtils.getCRLsFromStore(certStore)); - } - /** * Add a certificate to the certificate set to be included with the generated SignedData message. * @@ -297,40 +201,7 @@ public class CMSSignedGenerator } /** - * Add the attribute certificates contained in the passed in store to the - * generator. - * - * @param store a store of Version 2 attribute certificates - * @throws CMSException if an error occurse processing the store. - * @deprecated use basic Store method - */ - public void addAttributeCertificates( - X509Store store) - throws CMSException - { - try - { - for (Iterator it = store.getMatches(null).iterator(); it.hasNext();) - { - X509AttributeCertificate attrCert = (X509AttributeCertificate)it.next(); - - certs.add(new DERTaggedObject(false, 2, - AttributeCertificate.getInstance(ASN1Primitive.fromByteArray(attrCert.getEncoded())))); - } - } - catch (IllegalArgumentException e) - { - throw new CMSException("error processing attribute certs", e); - } - catch (IOException e) - { - throw new CMSException("error processing attribute certs", e); - } - } - - - /** - * Add a store of precalculated signers to the generator. + * Add a store of pre-calculated signers to the generator. * * @param signerStore store of signers */ @@ -345,6 +216,11 @@ public class CMSSignedGenerator } } + /** + * Add a generator for a particular signer to this CMS SignedData generator. + * + * @param infoGen the generator representing the particular signer. + */ public void addSignerInfoGenerator(SignerInfoGenerator infoGen) { signerGens.add(infoGen); diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedHelper.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedHelper.java index ce20884..2f98e69 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedHelper.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSSignedHelper.java @@ -1,14 +1,8 @@ package org.bouncycastle.cms; -import java.io.IOException; -import java.security.Provider; -import java.security.cert.CRLException; -import java.security.cert.CertificateException; import java.util.ArrayList; -import java.util.Collection; import java.util.Enumeration; import java.util.HashMap; -import java.util.Iterator; import java.util.List; import java.util.Map; @@ -35,14 +29,8 @@ import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; import org.bouncycastle.cert.X509AttributeCertificateHolder; import org.bouncycastle.cert.X509CRLHolder; import org.bouncycastle.cert.X509CertificateHolder; -import org.bouncycastle.cert.jcajce.JcaX509CRLConverter; -import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; import org.bouncycastle.util.CollectionStore; import org.bouncycastle.util.Store; -import org.bouncycastle.x509.NoSuchStoreException; -import org.bouncycastle.x509.X509CollectionStoreParameters; -import org.bouncycastle.x509.X509Store; -import org.bouncycastle.x509.X509V2AttributeCertificate; class CMSSignedHelper { @@ -125,23 +113,7 @@ class CMSSignedHelper digestAliases.put("SHA384", new String[] { "SHA-384" }); digestAliases.put("SHA512", new String[] { "SHA-512" }); } - - /** - * Return the digest algorithm using one of the standard JCA string - * representations rather than the algorithm identifier (if possible). - */ - String getDigestAlgName( - String digestAlgOID) - { - String algName = (String)digestAlgs.get(digestAlgOID); - - if (algName != null) - { - return algName; - } - return digestAlgOID; - } /** * Return the digest encryption algorithm using one of the standard @@ -161,95 +133,6 @@ class CMSSignedHelper return encryptionAlgOID; } - X509Store createAttributeStore( - String type, - Provider provider, - Store certStore) - throws NoSuchStoreException, CMSException - { - try - { - Collection certHldrs = certStore.getMatches(null); - List certs = new ArrayList(certHldrs.size()); - - for (Iterator it = certHldrs.iterator(); it.hasNext();) - { - certs.add(new X509V2AttributeCertificate(((X509AttributeCertificateHolder)it.next()).getEncoded())); - } - - return X509Store.getInstance( - "AttributeCertificate/" +type, new X509CollectionStoreParameters(certs), provider); - } - catch (IllegalArgumentException e) - { - throw new CMSException("can't setup the X509Store", e); - } - catch (IOException e) - { - throw new CMSException("can't setup the X509Store", e); - } - } - - X509Store createCertificateStore( - String type, - Provider provider, - Store certStore) - throws NoSuchStoreException, CMSException - { - try - { - JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(provider); - Collection certHldrs = certStore.getMatches(null); - List certs = new ArrayList(certHldrs.size()); - - for (Iterator it = certHldrs.iterator(); it.hasNext();) - { - certs.add(converter.getCertificate((X509CertificateHolder)it.next())); - } - - return X509Store.getInstance( - "Certificate/" +type, new X509CollectionStoreParameters(certs), provider); - } - catch (IllegalArgumentException e) - { - throw new CMSException("can't setup the X509Store", e); - } - catch (CertificateException e) - { - throw new CMSException("can't setup the X509Store", e); - } - } - - X509Store createCRLsStore( - String type, - Provider provider, - Store crlStore) - throws NoSuchStoreException, CMSException - { - try - { - JcaX509CRLConverter converter = new JcaX509CRLConverter().setProvider(provider); - Collection crlHldrs = crlStore.getMatches(null); - List crls = new ArrayList(crlHldrs.size()); - - for (Iterator it = crlHldrs.iterator(); it.hasNext();) - { - crls.add(converter.getCRL((X509CRLHolder)it.next())); - } - - return X509Store.getInstance( - "CRL/" +type, new X509CollectionStoreParameters(crls), provider); - } - catch (IllegalArgumentException e) - { - throw new CMSException("can't setup the X509Store", e); - } - catch (CRLException e) - { - throw new CMSException("can't setup the X509Store", e); - } - } - AlgorithmIdentifier fixAlgID(AlgorithmIdentifier algId) { if (algId.getParameters() == null) diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/CMSUtils.java b/bcpkix/src/main/java/org/bouncycastle/cms/CMSUtils.java index 743ab8e..dc9c2ee 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/CMSUtils.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/CMSUtils.java @@ -3,15 +3,6 @@ package org.bouncycastle.cms; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.NoSuchProviderException; -import java.security.Provider; -import java.security.Security; -import java.security.cert.CRLException; -import java.security.cert.CertStore; -import java.security.cert.CertStoreException; -import java.security.cert.CertificateEncodingException; -import java.security.cert.X509CRL; -import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.Iterator; @@ -21,7 +12,6 @@ import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1InputStream; import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.ASN1Set; import org.bouncycastle.asn1.BEROctetStringGenerator; import org.bouncycastle.asn1.BERSet; @@ -29,13 +19,9 @@ import org.bouncycastle.asn1.DERSet; import org.bouncycastle.asn1.DERTaggedObject; import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; import org.bouncycastle.asn1.cms.ContentInfo; -import org.bouncycastle.asn1.cms.IssuerAndSerialNumber; import org.bouncycastle.asn1.cms.OtherRevocationInfoFormat; import org.bouncycastle.asn1.ocsp.OCSPResponse; import org.bouncycastle.asn1.ocsp.OCSPResponseStatus; -import org.bouncycastle.asn1.x509.Certificate; -import org.bouncycastle.asn1.x509.CertificateList; -import org.bouncycastle.asn1.x509.TBSCertificate; import org.bouncycastle.cert.X509AttributeCertificateHolder; import org.bouncycastle.cert.X509CRLHolder; import org.bouncycastle.cert.X509CertificateHolder; @@ -63,36 +49,6 @@ class CMSUtils return readContentInfo(new ASN1InputStream(input)); } - static List getCertificatesFromStore(CertStore certStore) - throws CertStoreException, CMSException - { - List certs = new ArrayList(); - - try - { - for (Iterator it = certStore.getCertificates(null).iterator(); it.hasNext();) - { - X509Certificate c = (X509Certificate)it.next(); - - certs.add(Certificate.getInstance(ASN1Primitive.fromByteArray(c.getEncoded()))); - } - - return certs; - } - catch (IllegalArgumentException e) - { - throw new CMSException("error processing certs", e); - } - catch (IOException e) - { - throw new CMSException("error processing certs", e); - } - catch (CertificateEncodingException e) - { - throw new CMSException("error encoding certs", e); - } - } - static List getCertificatesFromStore(Store certStore) throws CMSException { @@ -137,35 +93,6 @@ class CMSUtils } } - static List getCRLsFromStore(CertStore certStore) - throws CertStoreException, CMSException - { - List crls = new ArrayList(); - - try - { - for (Iterator it = certStore.getCRLs(null).iterator(); it.hasNext();) - { - X509CRL c = (X509CRL)it.next(); - - crls.add(CertificateList.getInstance(ASN1Primitive.fromByteArray(c.getEncoded()))); - } - - return crls; - } - catch (IllegalArgumentException e) - { - throw new CMSException("error processing crls", e); - } - catch (IOException e) - { - throw new CMSException("error processing crls", e); - } - catch (CRLException e) - { - throw new CMSException("error encoding crls", e); - } - } static List getCRLsFromStore(Store crlStore) throws CMSException @@ -250,27 +177,6 @@ class CMSUtils return octGen.getOctetOutputStream(); } - static TBSCertificate getTBSCertificateStructure( - X509Certificate cert) - { - try - { - return TBSCertificate.getInstance( - ASN1Primitive.fromByteArray(cert.getTBSCertificate())); - } - catch (Exception e) - { - throw new IllegalArgumentException( - "can't extract TBS structure from this cert"); - } - } - - static IssuerAndSerialNumber getIssuerAndSerialNumber(X509Certificate cert) - { - TBSCertificate tbsCert = getTBSCertificateStructure(cert); - return new IssuerAndSerialNumber(tbsCert.getIssuer(), tbsCert.getSerialNumber().getValue()); - } - private static ContentInfo readContentInfo( ASN1InputStream in) throws CMSException @@ -308,24 +214,6 @@ class CMSUtils return Streams.readAllLimited(in, limit); } - public static Provider getProvider(String providerName) - throws NoSuchProviderException - { - if (providerName != null) - { - Provider prov = Security.getProvider(providerName); - - if (prov != null) - { - return prov; - } - - throw new NoSuchProviderException("provider " + providerName + " not found."); - } - - return null; - } - static InputStream attachDigestsToInputStream(Collection digests, InputStream s) { InputStream result = s; diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/DefaultSignedAttributeTableGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/DefaultSignedAttributeTableGenerator.java index 8ba3686..837edd8 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/DefaultSignedAttributeTableGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/DefaultSignedAttributeTableGenerator.java @@ -1,6 +1,7 @@ package org.bouncycastle.cms; import java.util.Date; +import java.util.Enumeration; import java.util.Hashtable; import java.util.Map; @@ -59,7 +60,7 @@ public class DefaultSignedAttributeTableGenerator protected Hashtable createStandardAttributeTable( Map parameters) { - Hashtable std = (Hashtable)table.clone(); + Hashtable std = copyHashTable(table); if (!std.containsKey(CMSAttributes.contentType)) { @@ -103,4 +104,18 @@ public class DefaultSignedAttributeTableGenerator { return new AttributeTable(createStandardAttributeTable(parameters)); } + + private static Hashtable copyHashTable(Hashtable paramsMap) + { + Hashtable newTable = new Hashtable(); + + Enumeration keys = paramsMap.keys(); + while (keys.hasMoreElements()) + { + Object key = keys.nextElement(); + newTable.put(key, paramsMap.get(key)); + } + + return newTable; + } } diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/KEKRecipientInformation.java b/bcpkix/src/main/java/org/bouncycastle/cms/KEKRecipientInformation.java index 4e1b8cd..62c6529 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/KEKRecipientInformation.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/KEKRecipientInformation.java @@ -1,18 +1,10 @@ package org.bouncycastle.cms; import java.io.IOException; -import java.security.Key; -import java.security.NoSuchProviderException; -import java.security.Provider; - -import javax.crypto.SecretKey; import org.bouncycastle.asn1.cms.KEKIdentifier; import org.bouncycastle.asn1.cms.KEKRecipientInfo; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceKEKAuthenticatedRecipient; -import org.bouncycastle.cms.jcajce.JceKEKEnvelopedRecipient; -import org.bouncycastle.cms.jcajce.JceKEKRecipient; /** * the RecipientInfo class for a recipient who has been sent a message @@ -38,52 +30,6 @@ public class KEKRecipientInformation this.rid = new KEKRecipientId(kekId.getKeyIdentifier().getOctets()); } - /** - * decrypt the content and return an input stream. - */ - public CMSTypedStream getContentStream( - Key key, - String prov) - throws CMSException, NoSuchProviderException - { - return getContentStream(key, CMSUtils.getProvider(prov)); - } - - /** - * decrypt the content and return an input stream. - * @deprecated use getContentStream(Recipient) - */ - public CMSTypedStream getContentStream( - Key key, - Provider prov) - throws CMSException - { - try - { - JceKEKRecipient recipient; - - if (secureReadable instanceof CMSEnvelopedHelper.CMSEnvelopedSecureReadable) - { - recipient = new JceKEKEnvelopedRecipient((SecretKey)key); - } - else - { - recipient = new JceKEKAuthenticatedRecipient((SecretKey)key); - } - - if (prov != null) - { - recipient.setProvider(prov); - } - - return getContentStream(recipient); - } - catch (IOException e) - { - throw new CMSException("encoding error: " + e.getMessage(), e); - } - } - protected RecipientOperator getRecipientOperator(Recipient recipient) throws CMSException, IOException { diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/KeyAgreeRecipientInformation.java b/bcpkix/src/main/java/org/bouncycastle/cms/KeyAgreeRecipientInformation.java index 51917da..16c26bd 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/KeyAgreeRecipientInformation.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/KeyAgreeRecipientInformation.java @@ -1,10 +1,6 @@ package org.bouncycastle.cms; import java.io.IOException; -import java.security.Key; -import java.security.NoSuchProviderException; -import java.security.PrivateKey; -import java.security.Provider; import java.util.List; import org.bouncycastle.asn1.ASN1OctetString; @@ -19,9 +15,6 @@ import org.bouncycastle.asn1.cms.RecipientKeyIdentifier; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x509.SubjectKeyIdentifier; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.cms.jcajce.JceKeyAgreeAuthenticatedRecipient; -import org.bouncycastle.cms.jcajce.JceKeyAgreeEnvelopedRecipient; -import org.bouncycastle.cms.jcajce.JceKeyAgreeRecipient; /** * the RecipientInfo class for a recipient who has been sent a message @@ -126,57 +119,6 @@ public class KeyAgreeRecipientInformation throw new CMSException("No support for 'originator' as IssuerAndSerialNumber or SubjectKeyIdentifier"); } - /** - * decrypt the content and return it - * @deprecated use getContentStream(Recipient) method - */ - public CMSTypedStream getContentStream( - Key key, - String prov) - throws CMSException, NoSuchProviderException - { - return getContentStream(key, CMSUtils.getProvider(prov)); - } - - /** - * decrypt the content and return it - * @deprecated use getContentStream(Recipient) method - */ - public CMSTypedStream getContentStream( - Key key, - Provider prov) - throws CMSException - { - try - { - JceKeyAgreeRecipient recipient; - - if (secureReadable instanceof CMSEnvelopedHelper.CMSEnvelopedSecureReadable) - { - recipient = new JceKeyAgreeEnvelopedRecipient((PrivateKey)key); - } - else - { - recipient = new JceKeyAgreeAuthenticatedRecipient((PrivateKey)key); - } - - if (prov != null) - { - recipient.setProvider(prov); - if (prov.getName().equalsIgnoreCase("SunJCE")) - { - recipient.setContentProvider((String)null); // need to fall back to generic search - } - } - - return getContentStream(recipient); - } - catch (IOException e) - { - throw new CMSException("encoding error: " + e.getMessage(), e); - } - } - protected RecipientOperator getRecipientOperator(Recipient recipient) throws CMSException, IOException { diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/KeyTransRecipientInformation.java b/bcpkix/src/main/java/org/bouncycastle/cms/KeyTransRecipientInformation.java index a1180b4..d59f4b3 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/KeyTransRecipientInformation.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/KeyTransRecipientInformation.java @@ -1,20 +1,10 @@ package org.bouncycastle.cms; -import java.io.IOException; -import java.security.Key; -import java.security.NoSuchProviderException; -import java.security.PrivateKey; -import java.security.Provider; - import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.cms.IssuerAndSerialNumber; import org.bouncycastle.asn1.cms.KeyTransRecipientInfo; import org.bouncycastle.asn1.cms.RecipientIdentifier; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceKeyTransAuthenticatedRecipient; -import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient; -import org.bouncycastle.cms.jcajce.JceKeyTransRecipient; - /** * the KeyTransRecipientInformation class for a recipient who has been sent a secret @@ -52,57 +42,6 @@ public class KeyTransRecipientInformation } } - /** - * decrypt the content and return it - * @deprecated use getContentStream(Recipient) method - */ - public CMSTypedStream getContentStream( - Key key, - String prov) - throws CMSException, NoSuchProviderException - { - return getContentStream(key, CMSUtils.getProvider(prov)); - } - - /** - * decrypt the content and return it - * @deprecated use getContentStream(Recipient) method - */ - public CMSTypedStream getContentStream( - Key key, - Provider prov) - throws CMSException - { - try - { - JceKeyTransRecipient recipient; - - if (secureReadable instanceof CMSEnvelopedHelper.CMSEnvelopedSecureReadable) - { - recipient = new JceKeyTransEnvelopedRecipient((PrivateKey)key); - } - else - { - recipient = new JceKeyTransAuthenticatedRecipient((PrivateKey)key); - } - - if (prov != null) - { - recipient.setProvider(prov); - if (prov.getName().equalsIgnoreCase("SunJCE")) - { - recipient.setContentProvider((String)null); // need to fall back to generic search - } - } - - return getContentStream(recipient); - } - catch (IOException e) - { - throw new CMSException("encoding error: " + e.getMessage(), e); - } - } - protected RecipientOperator getRecipientOperator(Recipient recipient) throws CMSException { diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/PKCS5Scheme2PBEKey.java b/bcpkix/src/main/java/org/bouncycastle/cms/PKCS5Scheme2PBEKey.java deleted file mode 100644 index b5be483..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/PKCS5Scheme2PBEKey.java +++ /dev/null @@ -1,35 +0,0 @@ -package org.bouncycastle.cms; - -import java.security.AlgorithmParameters; -import java.security.InvalidAlgorithmParameterException; - -import org.bouncycastle.crypto.PBEParametersGenerator; -import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * PKCS5 scheme-2 - password converted to bytes assuming ASCII. - */ -public class PKCS5Scheme2PBEKey - extends CMSPBEKey -{ - public PKCS5Scheme2PBEKey(char[] password, byte[] salt, int iterationCount) - { - super(password, salt, iterationCount); - } - - public PKCS5Scheme2PBEKey(char[] password, AlgorithmParameters pbeParams) - throws InvalidAlgorithmParameterException - { - super(password, getParamSpec(pbeParams)); - } - - byte[] getEncoded(String algorithmOid) - { - PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(); - - gen.init(PBEParametersGenerator.PKCS5PasswordToBytes(this.getPassword()), this.getSalt(), this.getIterationCount()); - - return ((KeyParameter)gen.generateDerivedParameters(CMSEnvelopedHelper.INSTANCE.getKeySize(algorithmOid))).getKey(); - } -} diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/PKCS5Scheme2UTF8PBEKey.java b/bcpkix/src/main/java/org/bouncycastle/cms/PKCS5Scheme2UTF8PBEKey.java deleted file mode 100644 index 436ba66..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/PKCS5Scheme2UTF8PBEKey.java +++ /dev/null @@ -1,35 +0,0 @@ -package org.bouncycastle.cms; - -import java.security.AlgorithmParameters; -import java.security.InvalidAlgorithmParameterException; - -import org.bouncycastle.crypto.PBEParametersGenerator; -import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator; -import org.bouncycastle.crypto.params.KeyParameter; - -/** - * PKCS5 scheme-2 - password converted to bytes using UTF-8. - */ -public class PKCS5Scheme2UTF8PBEKey - extends CMSPBEKey -{ - public PKCS5Scheme2UTF8PBEKey(char[] password, byte[] salt, int iterationCount) - { - super(password, salt, iterationCount); - } - - public PKCS5Scheme2UTF8PBEKey(char[] password, AlgorithmParameters pbeParams) - throws InvalidAlgorithmParameterException - { - super(password, getParamSpec(pbeParams)); - } - - byte[] getEncoded(String algorithmOid) - { - PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(); - - gen.init(PBEParametersGenerator.PKCS5PasswordToUTF8Bytes(this.getPassword()), this.getSalt(), this.getIterationCount()); - - return ((KeyParameter)gen.generateDerivedParameters(CMSEnvelopedHelper.INSTANCE.getKeySize(algorithmOid))).getKey(); - } -}
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/PasswordRecipientInformation.java b/bcpkix/src/main/java/org/bouncycastle/cms/PasswordRecipientInformation.java index 4517ad6..d7639e9 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/PasswordRecipientInformation.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/PasswordRecipientInformation.java @@ -1,10 +1,6 @@ package org.bouncycastle.cms; import java.io.IOException; -import java.security.AlgorithmParameters; -import java.security.Key; -import java.security.NoSuchProviderException; -import java.security.Provider; import java.util.HashMap; import java.util.Map; @@ -12,10 +8,6 @@ import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.cms.PasswordRecipientInfo; import org.bouncycastle.asn1.pkcs.PBKDF2Params; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceAlgorithmIdentifierConverter; -import org.bouncycastle.cms.jcajce.JcePasswordAuthenticatedRecipient; -import org.bouncycastle.cms.jcajce.JcePasswordEnvelopedRecipient; -import org.bouncycastle.cms.jcajce.JcePasswordRecipient; import org.bouncycastle.crypto.PBEParametersGenerator; import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator; import org.bouncycastle.crypto.params.KeyParameter; @@ -110,88 +102,6 @@ public class PasswordRecipientInformation return info.getKeyDerivationAlgorithm(); } - /** - * return an AlgorithmParameters object representing the parameters to the - * key derivation algorithm to the recipient. - * - * @return AlgorithmParameters object, null if there aren't any. - * @deprecated use getKeyDerivationAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getKeyDerivationAlgParameters(String provider) - throws NoSuchProviderException - { - return getKeyDerivationAlgParameters(CMSUtils.getProvider(provider)); - } - - /** - * return an AlgorithmParameters object representing the parameters to the - * key derivation algorithm to the recipient. - * - * @return AlgorithmParameters object, null if there aren't any. - * @deprecated use getKeyDerivationAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getKeyDerivationAlgParameters(Provider provider) - { - try - { - return new JceAlgorithmIdentifierConverter().setProvider(provider).getAlgorithmParameters(info.getKeyDerivationAlgorithm()); - } - catch (Exception e) - { - throw new RuntimeException("exception getting encryption parameters " + e); - } - } - - /** - * decrypt the content and return an input stream. - * @deprecated use getContentStream(Recipient) - */ - public CMSTypedStream getContentStream( - Key key, - String prov) - throws CMSException, NoSuchProviderException - { - return getContentStream(key, CMSUtils.getProvider(prov)); - } - - /** - * decrypt the content and return an input stream. - * @deprecated use getContentStream(Recipient) - */ - public CMSTypedStream getContentStream( - Key key, - Provider prov) - throws CMSException - { - try - { - CMSPBEKey pbeKey = (CMSPBEKey)key; - JcePasswordRecipient recipient; - - if (secureReadable instanceof CMSEnvelopedHelper.CMSEnvelopedSecureReadable) - { - recipient = new JcePasswordEnvelopedRecipient(pbeKey.getPassword()); - } - else - { - recipient = new JcePasswordAuthenticatedRecipient(pbeKey.getPassword()); - } - - recipient.setPasswordConversionScheme((pbeKey instanceof PKCS5Scheme2UTF8PBEKey) ? PasswordRecipient.PKCS5_SCHEME2_UTF8 : PasswordRecipient.PKCS5_SCHEME2); - - if (prov != null) - { - recipient.setProvider(prov); - } - - return getContentStream(recipient); - } - catch (IOException e) - { - throw new CMSException("encoding error: " + e.getMessage(), e); - } - } - protected RecipientOperator getRecipientOperator(Recipient recipient) throws CMSException, IOException { diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/RecipientInformation.java b/bcpkix/src/main/java/org/bouncycastle/cms/RecipientInformation.java index 5129881..86f9fa3 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/RecipientInformation.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/RecipientInformation.java @@ -2,15 +2,10 @@ package org.bouncycastle.cms; import java.io.ByteArrayInputStream; import java.io.IOException; -import java.security.AlgorithmParameters; -import java.security.Key; -import java.security.NoSuchProviderException; -import java.security.Provider; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Encoding; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.jcajce.JceAlgorithmIdentifierConverter; import org.bouncycastle.util.io.Streams; public abstract class RecipientInformation @@ -71,7 +66,7 @@ public abstract class RecipientInformation */ public String getKeyEncryptionAlgOID() { - return keyEncAlg.getObjectId().getId(); + return keyEncAlg.getAlgorithm().getId(); } /** @@ -93,68 +88,6 @@ public abstract class RecipientInformation } /** - * Return an AlgorithmParameters object giving the encryption parameters - * used to encrypt the key this recipient holds. - * - * @param provider the provider to generate the parameters for. - * @return the parameters object, null if there is not one. - * @throws CMSException if the algorithm cannot be found, or the parameters can't be parsed. - * @throws NoSuchProviderException if the provider cannot be found. - * @deprecated use getKeyEncryptionAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getKeyEncryptionAlgorithmParameters( - String provider) - throws CMSException, NoSuchProviderException - { - return new JceAlgorithmIdentifierConverter().setProvider(provider).getAlgorithmParameters(keyEncAlg); - } - - /** - * Return an AlgorithmParameters object giving the encryption parameters - * used to encrypt the key this recipient holds. - * - * @param provider the provider to generate the parameters for. - * @return the parameters object, null if there is not one. - * @throws CMSException if the algorithm cannot be found, or the parameters can't be parsed. - * @deprecated use getKeyEncryptionAlgorithm and JceAlgorithmIdentifierConverter(). - */ - public AlgorithmParameters getKeyEncryptionAlgorithmParameters( - Provider provider) - throws CMSException - { - return new JceAlgorithmIdentifierConverter().setProvider(provider).getAlgorithmParameters(keyEncAlg); - } - - /** - * @deprecated use getContent(Recipient) - */ - public byte[] getContent( - Key key, - String provider) - throws CMSException, NoSuchProviderException - { - return getContent(key, CMSUtils.getProvider(provider)); - } - - /** - * @deprecated use getContent(Recipient) - */ - public byte[] getContent( - Key key, - Provider provider) - throws CMSException - { - try - { - return CMSUtils.streamToByteArray(getContentStream(key, provider).getContentStream()); - } - catch (IOException e) - { - throw new RuntimeException("unable to parse internal stream: " + e); - } - } - - /** * Return the content digest calculated during the read of the content if one has been generated. This will * only happen if we are dealing with authenticated data and authenticated attributes are present. * @@ -223,24 +156,6 @@ public abstract class RecipientInformation } /** - * decrypt the content and return it - * @deprecated use getContentStream(Recipient) method - */ - public CMSTypedStream getContentStream(Key key, String provider) - throws CMSException, NoSuchProviderException - { - return getContentStream(key, CMSUtils.getProvider(provider)); - } - - /** - * decrypt the content and return it - * @deprecated use getContentStream(Recipient) method - */ - public abstract CMSTypedStream getContentStream(Key key, Provider provider) - throws CMSException; - - - /** * Return a CMSTypedStream representing the content in the EnvelopedData after recovering the content * encryption/MAC key using the passed in Recipient. * diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/SignerInfoGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/SignerInfoGenerator.java index e378629..f264729 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/SignerInfoGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/SignerInfoGenerator.java @@ -7,7 +7,6 @@ import java.util.HashMap; import java.util.Map; import org.bouncycastle.asn1.ASN1Encoding; -import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1Set; import org.bouncycastle.asn1.DEROctetString; @@ -23,6 +22,7 @@ import org.bouncycastle.operator.DigestAlgorithmIdentifierFinder; import org.bouncycastle.operator.DigestCalculator; import org.bouncycastle.operator.DigestCalculatorProvider; import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.util.Arrays; import org.bouncycastle.util.io.TeeOutputStream; public class SignerInfoGenerator @@ -126,9 +126,9 @@ public class SignerInfoGenerator return signerIdentifier; } - public ASN1Integer getGeneratedVersion() + public int getGeneratedVersion() { - return new ASN1Integer(signerIdentifier.isTagged() ? 3 : 1); + return signerIdentifier.isTagged() ? 3 : 1; } public boolean hasAssociatedCertificate() @@ -221,7 +221,7 @@ public class SignerInfoGenerator if (unsAttrGen != null) { Map parameters = getBaseParameters(contentType, digestAlg, calculatedDigest); - parameters.put(CMSAttributeTableGenerator.SIGNATURE, sigBytes.clone()); + parameters.put(CMSAttributeTableGenerator.SIGNATURE, Arrays.clone(sigBytes)); AttributeTable unsigned = unsAttrGen.getAttributes(Collections.unmodifiableMap(parameters)); @@ -265,7 +265,7 @@ public class SignerInfoGenerator } param.put(CMSAttributeTableGenerator.DIGEST_ALGORITHM_IDENTIFIER, digAlgId); - param.put(CMSAttributeTableGenerator.DIGEST, hash.clone()); + param.put(CMSAttributeTableGenerator.DIGEST, Arrays.clone(hash)); return param; } @@ -273,7 +273,7 @@ public class SignerInfoGenerator { if (calculatedDigest != null) { - return (byte[])calculatedDigest.clone(); + return Arrays.clone(calculatedDigest); } return null; diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/SignerInformation.java b/bcpkix/src/main/java/org/bouncycastle/cms/SignerInformation.java index bd9703a..7e178d6 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/SignerInformation.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/SignerInformation.java @@ -2,13 +2,6 @@ package org.bouncycastle.cms; import java.io.IOException; import java.io.OutputStream; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.Provider; -import java.security.PublicKey; -import java.security.cert.CertificateExpiredException; -import java.security.cert.CertificateNotYetValidException; -import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Enumeration; import java.util.Iterator; @@ -33,13 +26,10 @@ import org.bouncycastle.asn1.cms.Time; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x509.DigestInfo; import org.bouncycastle.cert.X509CertificateHolder; -import org.bouncycastle.cms.jcajce.JcaSignerInfoVerifierBuilder; -import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; import org.bouncycastle.operator.ContentVerifier; import org.bouncycastle.operator.DigestCalculator; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.RawContentVerifier; -import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; import org.bouncycastle.util.Arrays; import org.bouncycastle.util.io.TeeOutputStream; @@ -172,7 +162,7 @@ public class SignerInformation throw new IllegalStateException("method can only be called after verify."); } - return (byte[])resultDigest.clone(); + return Arrays.clone(resultDigest); } /** @@ -232,7 +222,7 @@ public class SignerInformation */ public byte[] getSignature() { - return (byte[])signature.clone(); + return Arrays.clone(signature); } /** @@ -318,42 +308,6 @@ public class SignerInformation return null; } - /** - * @deprecated - */ - private boolean doVerify( - PublicKey key, - Provider sigProvider) - throws CMSException, NoSuchAlgorithmException - { - try - { - SignerInformationVerifier verifier; - - if (sigProvider != null) - { - if (!sigProvider.getName().equalsIgnoreCase("BC")) - { - verifier = new JcaSignerInfoVerifierBuilder(new JcaDigestCalculatorProviderBuilder().build()).setProvider(sigProvider).build(key); - } - else - { - verifier = new JcaSimpleSignerInfoVerifierBuilder().setProvider(sigProvider).build(key); - } - } - else - { - verifier = new JcaSimpleSignerInfoVerifierBuilder().build(key); - } - - return doVerify(verifier); - } - catch (OperatorCreationException e) - { - throw new CMSException("unable to create verifier: " + e.getMessage(), e); - } - } - private boolean doVerify( SignerInformationVerifier verifier) throws CMSException @@ -555,75 +509,6 @@ public class SignerInformation } /** - * verify that the given public key successfully handles and confirms the - * signature associated with this signer. - * @deprecated use verify(ContentVerifierProvider) - */ - public boolean verify( - PublicKey key, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - return verify(key, CMSUtils.getProvider(sigProvider)); - } - - /** - * verify that the given public key successfully handles and confirms the - * signature associated with this signer - * @deprecated use verify(ContentVerifierProvider) - */ - public boolean verify( - PublicKey key, - Provider sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - // Optional, but still need to validate if present - getSigningTime(); - - return doVerify(key, sigProvider); - } - - /** - * verify that the given certificate successfully handles and confirms - * the signature associated with this signer and, if a signingTime - * attribute is available, that the certificate was valid at the time the - * signature was generated. - * @deprecated use verify(ContentVerifierProvider) - */ - public boolean verify( - X509Certificate cert, - String sigProvider) - throws NoSuchAlgorithmException, NoSuchProviderException, - CertificateExpiredException, CertificateNotYetValidException, - CMSException - { - return verify(cert, CMSUtils.getProvider(sigProvider)); - } - - /** - * verify that the given certificate successfully handles and confirms - * the signature associated with this signer and, if a signingTime - * attribute is available, that the certificate was valid at the time the - * signature was generated. - * @deprecated use verify(ContentVerifierProvider) - */ - public boolean verify( - X509Certificate cert, - Provider sigProvider) - throws NoSuchAlgorithmException, - CertificateExpiredException, CertificateNotYetValidException, - CMSException - { - Time signingTime = getSigningTime(); - if (signingTime != null) - { - cert.checkValidity(signingTime.getDate()); - } - - return doVerify(cert.getPublicKey(), sigProvider); - } - - /** * Verify that the given verifier can successfully verify the signature on * this SignerInformation object. * @@ -654,17 +539,6 @@ public class SignerInformation } /** - * Return the base ASN.1 CMS structure that this object contains. - * - * @return an object containing a CMS SignerInfo structure. - * @deprecated use toASN1Structure() - */ - public SignerInfo toSignerInfo() - { - return info; - } - - /** * Return the underlying ASN.1 object defining this SignerInformation object. * * @return a SignerInfo. diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/CMSUtils.java b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/CMSUtils.java index bd36b73..104b16f 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/CMSUtils.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/CMSUtils.java @@ -1,14 +1,19 @@ package org.bouncycastle.cms.jcajce; +import java.io.IOException; +import java.security.AlgorithmParameters; import java.security.Provider; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; +import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.cms.IssuerAndSerialNumber; import org.bouncycastle.asn1.x509.Certificate; +import org.bouncycastle.asn1.x509.Extension; import org.bouncycastle.asn1.x509.TBSCertificateStructure; -import org.bouncycastle.asn1.x509.X509Extension; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.jcajce.JcaJceUtils; class CMSUtils { @@ -30,7 +35,7 @@ class CMSUtils static byte[] getSubjectKeyId(X509Certificate cert) { - byte[] ext = cert.getExtensionValue(X509Extension.subjectKeyIdentifier.getId()); + byte[] ext = cert.getExtensionValue(Extension.subjectKeyIdentifier.getId()); if (ext != null) { @@ -66,4 +71,29 @@ class CMSUtils } } + static ASN1Encodable extractParameters(AlgorithmParameters params) + throws CMSException + { + try + { + return JcaJceUtils.extractParameters(params); + } + catch (IOException e) + { + throw new CMSException("cannot extract parameters: " + e.getMessage(), e); + } + } + + static void loadParameters(AlgorithmParameters params, ASN1Encodable sParams) + throws CMSException + { + try + { + JcaJceUtils.loadParameters(params, sParams); + } + catch (IOException e) + { + throw new CMSException("error encoding algorithm parameters.", e); + } + } }
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/EnvelopedDataHelper.java b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/EnvelopedDataHelper.java index 5f3958f..b081051 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/EnvelopedDataHelper.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/EnvelopedDataHelper.java @@ -1,6 +1,5 @@ package org.bouncycastle.cms.jcajce; -import java.io.IOException; import java.security.AlgorithmParameterGenerator; import java.security.AlgorithmParameters; import java.security.GeneralSecurityException; @@ -32,7 +31,6 @@ import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Null; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1OctetString; -import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.DERNull; import org.bouncycastle.asn1.DEROctetString; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; @@ -41,12 +39,16 @@ import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.cms.CMSAlgorithm; import org.bouncycastle.cms.CMSEnvelopedDataGenerator; import org.bouncycastle.cms.CMSException; +import org.bouncycastle.operator.DefaultSecretKeySizeProvider; import org.bouncycastle.operator.GenericKey; +import org.bouncycastle.operator.SecretKeySizeProvider; import org.bouncycastle.operator.SymmetricKeyUnwrapper; import org.bouncycastle.operator.jcajce.JceAsymmetricKeyUnwrapper; -class EnvelopedDataHelper +public class EnvelopedDataHelper { + protected static final SecretKeySizeProvider KEY_SIZE_PROVIDER = DefaultSecretKeySizeProvider.INSTANCE; + protected static final Map BASE_CIPHER_NAMES = new HashMap(); protected static final Map CIPHER_ALG_NAMES = new HashMap(); protected static final Map MAC_ALG_NAMES = new HashMap(); @@ -64,8 +66,10 @@ class EnvelopedDataHelper BASE_CIPHER_NAMES.put(CMSAlgorithm.CAMELLIA192_CBC, "Camellia"); BASE_CIPHER_NAMES.put(CMSAlgorithm.CAMELLIA256_CBC, "Camellia"); BASE_CIPHER_NAMES.put(CMSAlgorithm.SEED_CBC, "SEED"); + BASE_CIPHER_NAMES.put(PKCSObjectIdentifiers.rc4, "RC4"); CIPHER_ALG_NAMES.put(CMSAlgorithm.DES_CBC, "DES/CBC/PKCS5Padding"); + CIPHER_ALG_NAMES.put(CMSAlgorithm.RC2_CBC, "RC2/CBC/PKCS5Padding"); CIPHER_ALG_NAMES.put(CMSAlgorithm.DES_EDE3_CBC, "DESEDE/CBC/PKCS5Padding"); CIPHER_ALG_NAMES.put(CMSAlgorithm.AES128_CBC, "AES/CBC/PKCS5Padding"); CIPHER_ALG_NAMES.put(CMSAlgorithm.AES192_CBC, "AES/CBC/PKCS5Padding"); @@ -76,6 +80,7 @@ class EnvelopedDataHelper CIPHER_ALG_NAMES.put(CMSAlgorithm.CAMELLIA192_CBC, "Camellia/CBC/PKCS5Padding"); CIPHER_ALG_NAMES.put(CMSAlgorithm.CAMELLIA256_CBC, "Camellia/CBC/PKCS5Padding"); CIPHER_ALG_NAMES.put(CMSAlgorithm.SEED_CBC, "SEED/CBC/PKCS5Padding"); + CIPHER_ALG_NAMES.put(PKCSObjectIdentifiers.rc4, "RC4"); MAC_ALG_NAMES.put(CMSAlgorithm.DES_EDE3_CBC, "DESEDEMac"); MAC_ALG_NAMES.put(CMSAlgorithm.AES128_CBC, "AESMac"); @@ -156,7 +161,7 @@ class EnvelopedDataHelper throw new IllegalArgumentException("unknown generic key type"); } - Key getJceKey(ASN1ObjectIdentifier algorithm, GenericKey key) + public Key getJceKey(ASN1ObjectIdentifier algorithm, GenericKey key) { if (key.getRepresentation() instanceof Key) { @@ -171,6 +176,33 @@ class EnvelopedDataHelper throw new IllegalArgumentException("unknown generic key type"); } + public void keySizeCheck(AlgorithmIdentifier keyAlgorithm, Key key) + throws CMSException + { + int expectedKeySize = EnvelopedDataHelper.KEY_SIZE_PROVIDER.getKeySize(keyAlgorithm); + if (expectedKeySize > 0) + { + byte[] keyEnc = null; + + try + { + keyEnc = key.getEncoded(); + } + catch (Exception e) + { + // ignore - we're using a HSM... + } + + if (keyEnc != null) + { + if (keyEnc.length * 8 != expectedKeySize) + { + throw new CMSException("Expected key size for algorithm OID not found in recipient."); + } + } + } + } + Cipher createCipher(ASN1ObjectIdentifier algorithm) throws CMSException { @@ -294,7 +326,7 @@ class EnvelopedDataHelper return helper.createAlgorithmParameterGenerator(algorithm.getId()); } - Cipher createContentCipher(final Key sKey, final AlgorithmIdentifier encryptionAlgID) + public Cipher createContentCipher(final Key sKey, final AlgorithmIdentifier encryptionAlgID) throws CMSException { return (Cipher)execute(new JCECallback() @@ -314,14 +346,7 @@ class EnvelopedDataHelper { AlgorithmParameters params = createAlgorithmParameters(encryptionAlgID.getAlgorithm()); - try - { - params.init(sParams.toASN1Primitive().getEncoded(), "ASN.1"); - } - catch (IOException e) - { - throw new CMSException("error decoding algorithm parameters.", e); - } + CMSUtils.loadParameters(params, sParams); cipher.init(Cipher.DECRYPT_MODE, sKey, params); } @@ -383,14 +408,7 @@ class EnvelopedDataHelper { AlgorithmParameters params = createAlgorithmParameters(macAlgId.getAlgorithm()); - try - { - params.init(sParams.toASN1Primitive().getEncoded(), "ASN.1"); - } - catch (IOException e) - { - throw new CMSException("error decoding algorithm parameters.", e); - } + CMSUtils.loadParameters(params, sParams); mac.init(sKey, params.getParameterSpec(IvParameterSpec.class)); } @@ -491,7 +509,7 @@ class EnvelopedDataHelper { AlgorithmParameterGenerator pGen = createAlgorithmParameterGenerator(encryptionOID); - if (encryptionOID.equals(CMSEnvelopedDataGenerator.RC2_CBC)) + if (encryptionOID.equals(CMSAlgorithm.RC2_CBC)) { byte[] iv = new byte[8]; @@ -525,14 +543,7 @@ class EnvelopedDataHelper ASN1Encodable asn1Params; if (params != null) { - try - { - asn1Params = ASN1Primitive.fromByteArray(params.getEncoded("ASN.1")); - } - catch (IOException e) - { - throw new CMSException("cannot encode parameters: " + e.getMessage(), e); - } + asn1Params = CMSUtils.extractParameters(params); } else { diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceAlgorithmIdentifierConverter.java b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceAlgorithmIdentifierConverter.java index bb9e064..59928f4 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceAlgorithmIdentifierConverter.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceAlgorithmIdentifierConverter.java @@ -1,7 +1,6 @@ package org.bouncycastle.cms.jcajce; -import java.io.IOException; import java.security.AlgorithmParameters; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; @@ -49,7 +48,7 @@ public class JceAlgorithmIdentifierConverter { AlgorithmParameters params = helper.createAlgorithmParameters(algorithmIdentifier.getAlgorithm()); - params.init(parameters.toASN1Primitive().getEncoded(), "ASN.1"); + CMSUtils.loadParameters(params, algorithmIdentifier.getParameters()); return params; } @@ -57,10 +56,6 @@ public class JceAlgorithmIdentifierConverter { throw new CMSException("can't find parameters for algorithm", e); } - catch (IOException e) - { - throw new CMSException("can't parse parameters", e); - } catch (NoSuchProviderException e) { throw new CMSException("can't find provider for algorithm", e); diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceCMSContentEncryptorBuilder.java b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceCMSContentEncryptorBuilder.java index 89d2c65..93d8b72 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceCMSContentEncryptorBuilder.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceCMSContentEncryptorBuilder.java @@ -5,8 +5,6 @@ import java.security.AlgorithmParameters; import java.security.GeneralSecurityException; import java.security.Provider; import java.security.SecureRandom; -import java.util.HashMap; -import java.util.Map; import javax.crypto.Cipher; import javax.crypto.CipherOutputStream; @@ -14,40 +12,19 @@ import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cms.CMSAlgorithm; import org.bouncycastle.cms.CMSException; +import org.bouncycastle.operator.DefaultSecretKeySizeProvider; import org.bouncycastle.operator.GenericKey; import org.bouncycastle.operator.OutputEncryptor; +import org.bouncycastle.operator.SecretKeySizeProvider; import org.bouncycastle.operator.jcajce.JceGenericKey; -import org.bouncycastle.util.Integers; public class JceCMSContentEncryptorBuilder { - private static Map keySizes = new HashMap(); + private static final SecretKeySizeProvider KEY_SIZE_PROVIDER = DefaultSecretKeySizeProvider.INSTANCE; - static - { - keySizes.put(CMSAlgorithm.AES128_CBC, Integers.valueOf(128)); - keySizes.put(CMSAlgorithm.AES192_CBC, Integers.valueOf(192)); - keySizes.put(CMSAlgorithm.AES256_CBC, Integers.valueOf(256)); - - keySizes.put(CMSAlgorithm.CAMELLIA128_CBC, Integers.valueOf(128)); - keySizes.put(CMSAlgorithm.CAMELLIA192_CBC, Integers.valueOf(192)); - keySizes.put(CMSAlgorithm.CAMELLIA256_CBC, Integers.valueOf(256)); - } - - private static int getKeySize(ASN1ObjectIdentifier oid) - { - Integer size = (Integer)keySizes.get(oid); - - if (size != null) - { - return size.intValue(); - } - - return -1; - } private final ASN1ObjectIdentifier encryptionOID; private final int keySize; @@ -57,13 +34,30 @@ public class JceCMSContentEncryptorBuilder public JceCMSContentEncryptorBuilder(ASN1ObjectIdentifier encryptionOID) { - this(encryptionOID, getKeySize(encryptionOID)); + this(encryptionOID, KEY_SIZE_PROVIDER.getKeySize(encryptionOID)); } public JceCMSContentEncryptorBuilder(ASN1ObjectIdentifier encryptionOID, int keySize) { this.encryptionOID = encryptionOID; this.keySize = keySize; + + int fixedSize = KEY_SIZE_PROVIDER.getKeySize(encryptionOID); + + if (encryptionOID.equals(PKCSObjectIdentifiers.des_EDE3_CBC)) + { + if (keySize != 168 && keySize != fixedSize) + { + throw new IllegalArgumentException("incorrect keySize for encryptionOID passed to builder."); + } + } + else + { + if (fixedSize > 0 && fixedSize != keySize) + { + throw new IllegalArgumentException("incorrect keySize for encryptionOID passed to builder."); + } + } } public JceCMSContentEncryptorBuilder setProvider(Provider provider) @@ -116,6 +110,10 @@ public class JceCMSContentEncryptorBuilder } else { + if (encryptionOID.equals(PKCSObjectIdentifiers.des_EDE3_CBC) && keySize == 192) + { + keySize = 168; + } keyGen.init(keySize, random); } diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKRecipient.java b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKRecipient.java index a01e279..d0e4164 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKRecipient.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKRecipient.java @@ -18,6 +18,7 @@ public abstract class JceKEKRecipient protected EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); protected EnvelopedDataHelper contentHelper = helper; + protected boolean validateKeySize = false; public JceKEKRecipient(SecretKey recipientKey) { @@ -78,14 +79,37 @@ public abstract class JceKEKRecipient return this; } - protected Key extractSecretKey(AlgorithmIdentifier keyEncryptionAlgorithm, AlgorithmIdentifier contentEncryptionAlgorithm, byte[] encryptedContentEncryptionKey) + /** + * Set validation of retrieved key sizes against the algorithm parameters for the encrypted key where possible - default is off. + * <p> + * This setting will not have any affect if the encryption algorithm in the recipient does not specify a particular key size, or + * if the unwrapper is a HSM and the byte encoding of the unwrapped secret key is not available. + * </p> + * @param doValidate true if unwrapped key's should be validated against the content encryption algorithm, false otherwise. + * @return this recipient. + */ + public JceKEKRecipient setKeySizeValidation(boolean doValidate) + { + this.validateKeySize = doValidate; + + return this; + } + + protected Key extractSecretKey(AlgorithmIdentifier keyEncryptionAlgorithm, AlgorithmIdentifier encryptedKeyAlgorithm, byte[] encryptedContentEncryptionKey) throws CMSException { SymmetricKeyUnwrapper unwrapper = helper.createSymmetricUnwrapper(keyEncryptionAlgorithm, recipientKey); try { - return helper.getJceKey(contentEncryptionAlgorithm.getAlgorithm(), unwrapper.generateUnwrappedKey(contentEncryptionAlgorithm, encryptedContentEncryptionKey)); + Key key = helper.getJceKey(encryptedKeyAlgorithm.getAlgorithm(), unwrapper.generateUnwrappedKey(encryptedKeyAlgorithm, encryptedContentEncryptionKey)); + + if (validateKeySize) + { + helper.keySizeCheck(encryptedKeyAlgorithm, key); + } + + return key; } catch (OperatorException e) { diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipient.java b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipient.java index 788af8d..a457ede 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipient.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipient.java @@ -22,6 +22,7 @@ public abstract class JceKeyTransRecipient protected EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); protected EnvelopedDataHelper contentHelper = helper; protected Map extraMappings = new HashMap(); + protected boolean validateKeySize = false; public JceKeyTransRecipient(PrivateKey recipientKey) { @@ -105,6 +106,22 @@ public abstract class JceKeyTransRecipient return this; } + /** + * Set validation of retrieved key sizes against the algorithm parameters for the encrypted key where possible - default is off. + * <p> + * This setting will not have any affect if the encryption algorithm in the recipient does not specify a particular key size, or + * if the unwrapper is a HSM and the byte encoding of the unwrapped secret key is not available. + * </p> + * @param doValidate true if unwrapped key's should be validated against the content encryption algorithm, false otherwise. + * @return this recipient. + */ + public JceKeyTransRecipient setKeySizeValidation(boolean doValidate) + { + this.validateKeySize = doValidate; + + return this; + } + protected Key extractSecretKey(AlgorithmIdentifier keyEncryptionAlgorithm, AlgorithmIdentifier encryptedKeyAlgorithm, byte[] encryptedEncryptionKey) throws CMSException { @@ -122,7 +139,14 @@ public abstract class JceKeyTransRecipient try { - return helper.getJceKey(encryptedKeyAlgorithm.getAlgorithm(), unwrapper.generateUnwrappedKey(encryptedKeyAlgorithm, encryptedEncryptionKey)); + Key key = helper.getJceKey(encryptedKeyAlgorithm.getAlgorithm(), unwrapper.generateUnwrappedKey(encryptedKeyAlgorithm, encryptedEncryptionKey)); + + if (validateKeySize) + { + helper.keySizeCheck(encryptedKeyAlgorithm, key); + } + + return key; } catch (OperatorException e) { diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipientInfoGenerator.java b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipientInfoGenerator.java index 73733c7..60a2ff2 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipientInfoGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipientInfoGenerator.java @@ -7,6 +7,7 @@ import java.security.cert.X509Certificate; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.cms.IssuerAndSerialNumber; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; import org.bouncycastle.cms.KeyTransRecipientInfoGenerator; import org.bouncycastle.operator.jcajce.JceAsymmetricKeyWrapper; @@ -17,7 +18,7 @@ public class JceKeyTransRecipientInfoGenerator public JceKeyTransRecipientInfoGenerator(X509Certificate recipientCert) throws CertificateEncodingException { - super(new IssuerAndSerialNumber(new JcaX509CertificateHolder(recipientCert).toASN1Structure()), new JceAsymmetricKeyWrapper(recipientCert.getPublicKey())); + super(new IssuerAndSerialNumber(new JcaX509CertificateHolder(recipientCert).toASN1Structure()), new JceAsymmetricKeyWrapper(recipientCert)); } public JceKeyTransRecipientInfoGenerator(byte[] subjectKeyIdentifier, PublicKey publicKey) @@ -25,6 +26,30 @@ public class JceKeyTransRecipientInfoGenerator super(subjectKeyIdentifier, new JceAsymmetricKeyWrapper(publicKey)); } + /** + * Create a generator overriding the algorithm type implied by the public key in the certificate passed in. + * + * @param recipientCert certificate carrying the public key. + * @param algorithmIdentifier the identifier and parameters for the encryption algorithm to be used. + */ + public JceKeyTransRecipientInfoGenerator(X509Certificate recipientCert, AlgorithmIdentifier algorithmIdentifier) + throws CertificateEncodingException + { + super(new IssuerAndSerialNumber(new JcaX509CertificateHolder(recipientCert).toASN1Structure()), new JceAsymmetricKeyWrapper(algorithmIdentifier, recipientCert.getPublicKey())); + } + + /** + * Create a generator overriding the algorithm type implied by the public key passed in. + * + * @param subjectKeyIdentifier the subject key identifier value to associate with the public key. + * @param algorithmIdentifier the identifier and parameters for the encryption algorithm to be used. + * @param publicKey the public key to use. + */ + public JceKeyTransRecipientInfoGenerator(byte[] subjectKeyIdentifier, AlgorithmIdentifier algorithmIdentifier, PublicKey publicKey) + { + super(subjectKeyIdentifier, new JceAsymmetricKeyWrapper(algorithmIdentifier, publicKey)); + } + public JceKeyTransRecipientInfoGenerator setProvider(String providerName) { ((JceAsymmetricKeyWrapper)this.wrapper).setProvider(providerName); diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/ZlibExpanderProvider.java b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/ZlibExpanderProvider.java index 107a0ef..15729a7 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/ZlibExpanderProvider.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/jcajce/ZlibExpanderProvider.java @@ -15,6 +15,9 @@ public class ZlibExpanderProvider { private final long limit; + /** + * Base constructor. Create an expander which will not limit the size of any objects expanded in the stream. + */ public ZlibExpanderProvider() { this.limit = -1; diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/package.html b/bcpkix/src/main/java/org/bouncycastle/cms/package.html deleted file mode 100644 index 644e862..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/package.html +++ /dev/null @@ -1,5 +0,0 @@ -<html> -<body bgcolor="#ffffff"> -A package for processing RFC 3852 Cryptographic Message Syntax (CMS) objects - also referred to as PKCS#7 (formerly RFC 2630, 3369). -</body> -</html> diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/AllTests.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/AllTests.java index dc81f5a..9cc2b0e 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/AllTests.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/test/AllTests.java @@ -18,21 +18,13 @@ public class AllTests { TestSuite suite = new TestSuite("CMS tests"); - suite.addTest(AuthenticatedDataTest.suite()); - suite.addTest(AuthenticatedDataStreamTest.suite()); - suite.addTest(CompressedDataTest.suite()); suite.addTest(NewCompressedDataTest.suite()); - suite.addTest(SignedDataTest.suite()); suite.addTest(NewSignedDataTest.suite()); - suite.addTest(EnvelopedDataTest.suite()); suite.addTest(NewEnvelopedDataTest.suite()); suite.addTest(NewAuthenticatedDataTest.suite()); suite.addTest(NewAuthenticatedDataStreamTest.suite()); - suite.addTest(CompressedDataStreamTest.suite()); suite.addTest(NewCompressedDataStreamTest.suite()); - suite.addTest(SignedDataStreamTest.suite()); suite.addTest(NewSignedDataStreamTest.suite()); - suite.addTest(EnvelopedDataStreamTest.suite()); suite.addTest(NewEnvelopedDataStreamTest.suite()); suite.addTest(MiscDataStreamTest.suite()); diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/AuthenticatedDataStreamTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/AuthenticatedDataStreamTest.java deleted file mode 100644 index fe056e6..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/AuthenticatedDataStreamTest.java +++ /dev/null @@ -1,142 +0,0 @@ -package org.bouncycastle.cms.test; - -import java.io.ByteArrayOutputStream; -import java.io.OutputStream; -import java.security.KeyPair; -import java.security.cert.X509Certificate; -import java.util.Arrays; -import java.util.Collection; -import java.util.Iterator; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.cms.CMSAuthenticatedDataGenerator; -import org.bouncycastle.cms.CMSAuthenticatedDataParser; -import org.bouncycastle.cms.CMSAuthenticatedDataStreamGenerator; -import org.bouncycastle.cms.RecipientInformation; -import org.bouncycastle.cms.RecipientInformationStore; -import org.bouncycastle.jce.provider.BouncyCastleProvider; - -public class AuthenticatedDataStreamTest - extends TestCase -{ - private static final String BC = BouncyCastleProvider.PROVIDER_NAME; - - private static String _signDN; - private static KeyPair _signKP; - private static X509Certificate _signCert; - - private static String _origDN; - private static KeyPair _origKP; - private static X509Certificate _origCert; - - private static String _reciDN; - private static KeyPair _reciKP; - private static X509Certificate _reciCert; - - private static KeyPair _origEcKP; - private static KeyPair _reciEcKP; - private static X509Certificate _reciEcCert; - - private static boolean _initialised = false; - - public boolean DEBUG = true; - - private static void init() - throws Exception - { - if (!_initialised) - { - _initialised = true; - - _signDN = "O=Bouncy Castle, C=AU"; - _signKP = CMSTestUtil.makeKeyPair(); - _signCert = CMSTestUtil.makeCertificate(_signKP, _signDN, _signKP, _signDN); - - _origDN = "CN=Bob, OU=Sales, O=Bouncy Castle, C=AU"; - _origKP = CMSTestUtil.makeKeyPair(); - _origCert = CMSTestUtil.makeCertificate(_origKP, _origDN, _signKP, _signDN); - - _reciDN = "CN=Doug, OU=Sales, O=Bouncy Castle, C=AU"; - _reciKP = CMSTestUtil.makeKeyPair(); - _reciCert = CMSTestUtil.makeCertificate(_reciKP, _reciDN, _signKP, _signDN); - - _origEcKP = CMSTestUtil.makeEcDsaKeyPair(); - _reciEcKP = CMSTestUtil.makeEcDsaKeyPair(); - _reciEcCert = CMSTestUtil.makeCertificate(_reciEcKP, _reciDN, _signKP, _signDN); - } - } - - public void setUp() - throws Exception - { - init(); - } - - public AuthenticatedDataStreamTest(String name) - { - super(name); - } - - public static void main(String args[]) - { - junit.textui.TestRunner.run(AuthenticatedDataStreamTest.class); - } - - public static Test suite() - throws Exception - { - init(); - - return new CMSTestSetup(new TestSuite(AuthenticatedDataStreamTest.class)); - } - - public void testKeyTransDESede() - throws Exception - { - tryKeyTrans(CMSAuthenticatedDataGenerator.DES_EDE3_CBC); - } - - private void tryKeyTrans(String macAlg) - throws Exception - { - byte[] data = "Eric H. Echidna".getBytes(); - - CMSAuthenticatedDataStreamGenerator adGen = new CMSAuthenticatedDataStreamGenerator(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - adGen.addKeyTransRecipient(_reciCert); - - OutputStream aOut = adGen.open(bOut, macAlg, BC); - - aOut.write(data); - - aOut.close(); - - CMSAuthenticatedDataParser ad = new CMSAuthenticatedDataParser(bOut.toByteArray()); - - RecipientInformationStore recipients = ad.getRecipientInfos(); - - assertEquals(ad.getMacAlgOID(), macAlg); - - Collection c = recipients.getRecipients(); - - assertEquals(1, c.size()); - - Iterator it = c.iterator(); - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - - byte[] recData = recipient.getContent(_reciKP.getPrivate(), BC); - - assertTrue(Arrays.equals(data, recData)); - assertTrue(Arrays.equals(ad.getMac(), recipient.getMac())); - } - } -}
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/AuthenticatedDataTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/AuthenticatedDataTest.java deleted file mode 100644 index 454b369..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/AuthenticatedDataTest.java +++ /dev/null @@ -1,308 +0,0 @@ -package org.bouncycastle.cms.test; - -import java.security.KeyPair; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.cert.X509Certificate; -import java.util.Arrays; -import java.util.Collection; -import java.util.Iterator; - -import javax.crypto.SecretKey; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; -import org.bouncycastle.asn1.DERObjectIdentifier; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.cms.CMSAuthenticatedData; -import org.bouncycastle.cms.CMSAuthenticatedDataGenerator; -import org.bouncycastle.cms.CMSException; -import org.bouncycastle.cms.CMSPBEKey; -import org.bouncycastle.cms.CMSProcessableByteArray; -import org.bouncycastle.cms.PKCS5Scheme2PBEKey; -import org.bouncycastle.cms.PasswordRecipientInformation; -import org.bouncycastle.cms.RecipientInformation; -import org.bouncycastle.cms.RecipientInformationStore; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.util.encoders.Hex; - -public class AuthenticatedDataTest - extends TestCase -{ - private static final String BC = BouncyCastleProvider.PROVIDER_NAME; - - private static String _signDN; - private static KeyPair _signKP; - private static X509Certificate _signCert; - - private static String _origDN; - private static KeyPair _origKP; - private static X509Certificate _origCert; - - private static String _reciDN; - private static KeyPair _reciKP; - private static X509Certificate _reciCert; - - private static KeyPair _origEcKP; - private static KeyPair _reciEcKP; - private static X509Certificate _reciEcCert; - - private static boolean _initialised = false; - - public boolean DEBUG = true; - - private static void init() - throws Exception - { - if (!_initialised) - { - _initialised = true; - - _signDN = "O=Bouncy Castle, C=AU"; - _signKP = CMSTestUtil.makeKeyPair(); - _signCert = CMSTestUtil.makeCertificate(_signKP, _signDN, _signKP, _signDN); - - _origDN = "CN=Bob, OU=Sales, O=Bouncy Castle, C=AU"; - _origKP = CMSTestUtil.makeKeyPair(); - _origCert = CMSTestUtil.makeCertificate(_origKP, _origDN, _signKP, _signDN); - - _reciDN = "CN=Doug, OU=Sales, O=Bouncy Castle, C=AU"; - _reciKP = CMSTestUtil.makeKeyPair(); - _reciCert = CMSTestUtil.makeCertificate(_reciKP, _reciDN, _signKP, _signDN); - - _origEcKP = CMSTestUtil.makeEcDsaKeyPair(); - _reciEcKP = CMSTestUtil.makeEcDsaKeyPair(); - _reciEcCert = CMSTestUtil.makeCertificate(_reciEcKP, _reciDN, _signKP, _signDN); - } - } - - public void setUp() - throws Exception - { - init(); - } - - public AuthenticatedDataTest(String name) - { - super(name); - } - - public static void main(String args[]) - { - junit.textui.TestRunner.run(AuthenticatedDataTest.class); - } - - public static Test suite() - throws Exception - { - init(); - - return new CMSTestSetup(new TestSuite(AuthenticatedDataTest.class)); - } - - public void testKeyTransDESede() - throws Exception - { - tryKeyTrans(CMSAuthenticatedDataGenerator.DES_EDE3_CBC); - } - - public void testKEKDESede() - throws Exception - { - tryKekAlgorithm(CMSTestUtil.makeDesede192Key(), new DERObjectIdentifier("1.2.840.113549.1.9.16.3.6")); - } - - public void testPasswordAES256() - throws Exception - { - passwordTest(CMSAuthenticatedDataGenerator.AES256_CBC); - } - - public void testECKeyAgree() - throws Exception - { - byte[] data = Hex.decode("504b492d4320434d5320456e76656c6f706564446174612053616d706c65"); - - CMSAuthenticatedDataGenerator adGen = new CMSAuthenticatedDataGenerator(); - - adGen.addKeyAgreementRecipient(CMSAuthenticatedDataGenerator.ECDH_SHA1KDF, _origEcKP.getPrivate(), _origEcKP.getPublic(), _reciEcCert, CMSAuthenticatedDataGenerator.AES128_WRAP, BC); - - CMSAuthenticatedData ad = adGen.generate( - new CMSProcessableByteArray(data), - CMSAuthenticatedDataGenerator.DES_EDE3_CBC, BC); - - RecipientInformationStore recipients = ad.getRecipientInfos(); - - assertEquals(ad.getMacAlgOID(), - CMSAuthenticatedDataGenerator.DES_EDE3_CBC); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - byte[] recData = recipient.getContent(_reciEcKP.getPrivate(), BC); - assertTrue(Arrays.equals(data, recData)); - assertTrue(Arrays.equals(ad.getMac(), recipient.getMac())); - } - else - { - fail("no recipient found"); - } - } - - public void testEncoding() - throws Exception - { - byte[] data = "Eric H. Echidna".getBytes(); - - CMSAuthenticatedDataGenerator adGen = new CMSAuthenticatedDataGenerator(); - - adGen.addKeyTransRecipient(_reciCert); - - CMSAuthenticatedData ad = adGen.generate( - new CMSProcessableByteArray(data), - CMSAuthenticatedDataGenerator.DES_EDE3_CBC, BC); - - ad = new CMSAuthenticatedData(ad.getEncoded()); - - RecipientInformationStore recipients = ad.getRecipientInfos(); - - assertEquals(CMSAuthenticatedDataGenerator.DES_EDE3_CBC, ad.getMacAlgOID()); - - Collection c = recipients.getRecipients(); - - assertEquals(1, c.size()); - - Iterator it = c.iterator(); - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - - byte[] recData = recipient.getContent(_reciKP.getPrivate(), BC); - - assertTrue(Arrays.equals(data, recData)); - assertTrue(Arrays.equals(ad.getMac(), recipient.getMac())); - } - } - - private void tryKeyTrans(String macAlg) - throws Exception - { - byte[] data = "Eric H. Echidna".getBytes(); - - CMSAuthenticatedDataGenerator adGen = new CMSAuthenticatedDataGenerator(); - - adGen.addKeyTransRecipient(_reciCert); - - CMSAuthenticatedData ad = adGen.generate( - new CMSProcessableByteArray(data), - macAlg, BC); - - RecipientInformationStore recipients = ad.getRecipientInfos(); - - assertEquals(ad.getMacAlgOID(), macAlg); - - Collection c = recipients.getRecipients(); - - assertEquals(1, c.size()); - - Iterator it = c.iterator(); - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - - byte[] recData = recipient.getContent(_reciKP.getPrivate(), BC); - - assertTrue(Arrays.equals(data, recData)); - assertTrue(Arrays.equals(ad.getMac(), recipient.getMac())); - } - } - - private void tryKekAlgorithm(SecretKey kek, DERObjectIdentifier algOid) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - byte[] data = "Eric H. Echidna".getBytes(); - - CMSAuthenticatedDataGenerator adGen = new CMSAuthenticatedDataGenerator(); - - byte[] kekId = new byte[] { 1, 2, 3, 4, 5 }; - - adGen.addKEKRecipient(kek, kekId); - - CMSAuthenticatedData ad = adGen.generate( - new CMSProcessableByteArray(data), - CMSAuthenticatedDataGenerator.DES_EDE3_CBC, BC); - - RecipientInformationStore recipients = ad.getRecipientInfos(); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - assertEquals(ad.getMacAlgOID(), CMSAuthenticatedDataGenerator.DES_EDE3_CBC); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), algOid.getId()); - - byte[] recData = recipient.getContent(kek, BC); - - assertTrue(Arrays.equals(data, recData)); - assertTrue(Arrays.equals(ad.getMac(), recipient.getMac())); - } - else - { - fail("no recipient found"); - } - } - - private void passwordTest(String algorithm) - throws Exception - { - byte[] data = Hex.decode("504b492d4320434d5320456e76656c6f706564446174612053616d706c65"); - - CMSAuthenticatedDataGenerator adGen = new CMSAuthenticatedDataGenerator(); - - adGen.addPasswordRecipient(new PKCS5Scheme2PBEKey("password".toCharArray(), new byte[20], 5), algorithm); - - CMSAuthenticatedData ad = adGen.generate( - new CMSProcessableByteArray(data), - CMSAuthenticatedDataGenerator.DES_EDE3_CBC, BC); - - RecipientInformationStore recipients = ad.getRecipientInfos(); - - assertEquals(ad.getMacAlgOID(), - CMSAuthenticatedDataGenerator.DES_EDE3_CBC); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - if (it.hasNext()) - { - PasswordRecipientInformation recipient = (PasswordRecipientInformation)it.next(); - - CMSPBEKey key = new PKCS5Scheme2PBEKey("password".toCharArray(), - recipient.getKeyDerivationAlgParameters(BC)); - - byte[] recData = recipient.getContent(key, BC); - - assertTrue(Arrays.equals(data, recData)); - assertTrue(Arrays.equals(ad.getMac(), recipient.getMac())); - } - else - { - fail("no recipient found"); - } - } -}
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/BcSignedDataTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/BcSignedDataTest.java index 299f68d..1c4ccc0 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/BcSignedDataTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/test/BcSignedDataTest.java @@ -61,6 +61,7 @@ import org.bouncycastle.crypto.params.AsymmetricKeyParameter; import org.bouncycastle.crypto.util.PrivateKeyFactory; import org.bouncycastle.jcajce.provider.config.ConfigurableProvider; import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.operator.BufferingContentSigner; import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder; import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; @@ -572,6 +573,46 @@ public class BcSignedDataTest verifySignatures(s, null); } + public void testDetachedVerificationWithBufferingContentSigner() + throws Exception + { + byte[] data = "Hello World!".getBytes(); + List certList = new ArrayList(); + CMSTypedData msg = new CMSProcessableByteArray(data); + + certList.add(_origCert); + certList.add(_signCert); + + Store certs = new JcaCertStore(certList); + + CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); + + DigestCalculatorProvider digProvider = new JcaDigestCalculatorProviderBuilder().setProvider(BC).build(); + JcaSignerInfoGeneratorBuilder signerInfoGeneratorBuilder = new JcaSignerInfoGeneratorBuilder(digProvider); + ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(_origKP.getPrivate()); + ContentSigner md5Signer = new JcaContentSignerBuilder("MD5withRSA").setProvider(BC).build(_origKP.getPrivate()); + + gen.addSignerInfoGenerator(signerInfoGeneratorBuilder.build(new BufferingContentSigner(sha1Signer), _origCert)); + gen.addSignerInfoGenerator(signerInfoGeneratorBuilder.build(new BufferingContentSigner(md5Signer), _origCert)); + + gen.addCertificates(certs); + + CMSSignedData s = gen.generate(msg); + + MessageDigest sha1 = MessageDigest.getInstance("SHA1", BC); + MessageDigest md5 = MessageDigest.getInstance("MD5", BC); + Map hashes = new HashMap(); + byte[] sha1Hash = sha1.digest(data); + byte[] md5Hash = md5.digest(data); + + hashes.put(CMSAlgorithm.SHA1, sha1Hash); + hashes.put(CMSAlgorithm.MD5, md5Hash); + + s = new CMSSignedData(hashes, s.getEncoded()); + + verifySignatures(s, null); + } + public void testSHA1AndMD5WithRSAEncapsulatedRepeated() throws Exception { diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/CMSTestUtil.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/CMSTestUtil.java index 4eb9841..3a1517a 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/CMSTestUtil.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/test/CMSTestUtil.java @@ -20,32 +20,38 @@ import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.RSAESOAEPparams; import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier; import org.bouncycastle.asn1.x509.BasicConstraints; import org.bouncycastle.asn1.x509.CRLReason; +import org.bouncycastle.asn1.x509.Extension; import org.bouncycastle.asn1.x509.SubjectKeyIdentifier; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.asn1.x509.X509Extension; -import org.bouncycastle.asn1.x509.X509Name; +import org.bouncycastle.cert.X509AttributeCertificateHolder; import org.bouncycastle.cert.X509ExtensionUtils; +import org.bouncycastle.cert.X509v1CertificateBuilder; import org.bouncycastle.cert.X509v2CRLBuilder; +import org.bouncycastle.cert.X509v3CertificateBuilder; import org.bouncycastle.cert.jcajce.JcaX509CRLConverter; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; +import org.bouncycastle.cert.jcajce.JcaX509v1CertificateBuilder; +import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.jce.ECGOST3410NamedCurveTable; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.jce.spec.GOST3410ParameterSpec; +import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; import org.bouncycastle.util.encoders.Base64; -import org.bouncycastle.x509.X509AttributeCertificate; -import org.bouncycastle.x509.X509StreamParser; -import org.bouncycastle.x509.X509V1CertificateGenerator; -import org.bouncycastle.x509.X509V3CertificateGenerator; -import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; public class CMSTestUtil { public static SecureRandom rand; public static KeyPairGenerator kpg; + public static KeyPairGenerator gostKpg; public static KeyPairGenerator dsaKpg; public static KeyPairGenerator ecGostKpg; @@ -114,7 +120,10 @@ public class CMSTestUtil kpg = KeyPairGenerator.getInstance("RSA", "BC"); kpg.initialize(1024, rand); - + + kpg = KeyPairGenerator.getInstance("RSA", "BC"); + kpg.initialize(1024, rand); + gostKpg = KeyPairGenerator.getInstance("GOST3410", "BC"); GOST3410ParameterSpec gost3410P = new GOST3410ParameterSpec(CryptoProObjectIdentifiers.gostR3410_94_CryptoPro_A.getId()); @@ -189,14 +198,10 @@ public class CMSTestUtil return buf.toString(); } - public static X509AttributeCertificate getAttributeCertificate() + public static X509AttributeCertificateHolder getAttributeCertificate() throws Exception { - X509StreamParser parser = X509StreamParser.getInstance("AttributeCertificate", "BC"); - - parser.init(CMSTestUtil.attrCert); - - return (X509AttributeCertificate)parser.read(); + return new X509AttributeCertificateHolder(CMSTestUtil.attrCert); } public static KeyPair makeKeyPair() @@ -273,60 +278,44 @@ public class CMSTestUtil public static X509Certificate makeCertificate(KeyPair _subKP, String _subDN, KeyPair _issKP, String _issDN) - throws GeneralSecurityException, IOException + throws GeneralSecurityException, IOException, OperatorCreationException { - return makeCertificate(_subKP, _subDN, _issKP, _issDN, false); } - public static X509Certificate makeCACertificate(KeyPair _subKP, + public static X509Certificate makeOaepCertificate(KeyPair _subKP, String _subDN, KeyPair _issKP, String _issDN) - throws GeneralSecurityException, IOException + throws GeneralSecurityException, IOException, OperatorCreationException { + return makeOaepCertificate(_subKP, _subDN, _issKP, _issDN, false); + } + public static X509Certificate makeCACertificate(KeyPair _subKP, + String _subDN, KeyPair _issKP, String _issDN) + throws GeneralSecurityException, IOException, OperatorCreationException + { return makeCertificate(_subKP, _subDN, _issKP, _issDN, true); } public static X509Certificate makeV1Certificate(KeyPair subKP, String _subDN, KeyPair issKP, String _issDN) - throws GeneralSecurityException, IOException + throws GeneralSecurityException, IOException, OperatorCreationException { PublicKey subPub = subKP.getPublic(); PrivateKey issPriv = issKP.getPrivate(); PublicKey issPub = issKP.getPublic(); - X509V1CertificateGenerator v1CertGen = new X509V1CertificateGenerator(); + X509v1CertificateBuilder v1CertGen = new JcaX509v1CertificateBuilder( + new X500Name(_issDN), + allocateSerialNumber(), + new Date(System.currentTimeMillis()), + new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100)), + new X500Name(_subDN), + subPub); - v1CertGen.reset(); - v1CertGen.setSerialNumber(allocateSerialNumber()); - v1CertGen.setIssuerDN(new X509Name(_issDN)); - v1CertGen.setNotBefore(new Date(System.currentTimeMillis())); - v1CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100))); - v1CertGen.setSubjectDN(new X509Name(_subDN)); - v1CertGen.setPublicKey(subPub); + JcaContentSignerBuilder contentSignerBuilder = makeContentSignerBuilder(issPub); - if (issPub instanceof RSAPublicKey) - { - v1CertGen.setSignatureAlgorithm("SHA1WithRSA"); - } - else if (issPub.getAlgorithm().equals("DSA")) - { - v1CertGen.setSignatureAlgorithm("SHA1withDSA"); - } - else if (issPub.getAlgorithm().equals("ECDSA")) - { - v1CertGen.setSignatureAlgorithm("SHA1withECDSA"); - } - else if (issPub.getAlgorithm().equals("ECGOST3410")) - { - v1CertGen.setSignatureAlgorithm("GOST3411withECGOST3410"); - } - else - { - v1CertGen.setSignatureAlgorithm("GOST3411WithGOST3410"); - } - - X509Certificate _cert = v1CertGen.generate(issPriv); + X509Certificate _cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(v1CertGen.build(contentSignerBuilder.build(issPriv))); _cert.checkValidity(new Date()); _cert.verify(issPub); @@ -335,78 +324,128 @@ public class CMSTestUtil } public static X509Certificate makeCertificate(KeyPair subKP, String _subDN, KeyPair issKP, String _issDN, boolean _ca) - throws GeneralSecurityException, IOException + throws GeneralSecurityException, IOException, OperatorCreationException { PublicKey subPub = subKP.getPublic(); PrivateKey issPriv = issKP.getPrivate(); PublicKey issPub = issKP.getPublic(); - X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator(); - - v3CertGen.reset(); - v3CertGen.setSerialNumber(allocateSerialNumber()); - v3CertGen.setIssuerDN(new X509Name(_issDN)); - v3CertGen.setNotBefore(new Date(System.currentTimeMillis())); - v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100))); - v3CertGen.setSubjectDN(new X509Name(_subDN)); - v3CertGen.setPublicKey(subPub); - - if (issPub instanceof RSAPublicKey) - { - v3CertGen.setSignatureAlgorithm("SHA1WithRSA"); - } - else if (issPub.getAlgorithm().equals("DSA")) - { - v3CertGen.setSignatureAlgorithm("SHA1withDSA"); - } - else if (issPub.getAlgorithm().equals("ECDSA")) - { - v3CertGen.setSignatureAlgorithm("SHA1withECDSA"); - } - else if (issPub.getAlgorithm().equals("ECGOST3410")) - { - v3CertGen.setSignatureAlgorithm("GOST3411withECGOST3410"); - } - else - { - v3CertGen.setSignatureAlgorithm("GOST3411WithGOST3410"); - } + X509v3CertificateBuilder v3CertGen = new JcaX509v3CertificateBuilder( + new X500Name(_issDN), + allocateSerialNumber(), + new Date(System.currentTimeMillis()), + new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100)), + new X500Name(_subDN), + subPub); + + JcaContentSignerBuilder contentSignerBuilder = makeContentSignerBuilder(issPub); v3CertGen.addExtension( - X509Extension.subjectKeyIdentifier, + Extension.subjectKeyIdentifier, false, createSubjectKeyId(subPub)); v3CertGen.addExtension( - X509Extension.authorityKeyIdentifier, + Extension.authorityKeyIdentifier, false, createAuthorityKeyId(issPub)); v3CertGen.addExtension( - X509Extension.basicConstraints, + Extension.basicConstraints, false, new BasicConstraints(_ca)); - X509Certificate _cert = v3CertGen.generate(issPriv); + X509Certificate _cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(v3CertGen.build(contentSignerBuilder.build(issPriv))); _cert.checkValidity(new Date()); _cert.verify(issPub); return _cert; } - + + public static X509Certificate makeOaepCertificate(KeyPair subKP, String _subDN, KeyPair issKP, String _issDN, boolean _ca) + throws GeneralSecurityException, IOException, OperatorCreationException + { + + SubjectPublicKeyInfo subPub = SubjectPublicKeyInfo.getInstance(subKP.getPublic().getEncoded()); + PrivateKey issPriv = issKP.getPrivate(); + PublicKey issPub = issKP.getPublic(); + + X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder( + new X500Name(_issDN), + allocateSerialNumber(), + new Date(System.currentTimeMillis()), + new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100)), + new X500Name(_subDN), + new SubjectPublicKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.id_RSAES_OAEP, new RSAESOAEPparams()), subPub.parsePublicKey())); + + JcaContentSignerBuilder contentSignerBuilder = makeContentSignerBuilder(issPub); + + v3CertGen.addExtension( + Extension.subjectKeyIdentifier, + false, + createSubjectKeyId(subPub)); + + v3CertGen.addExtension( + Extension.authorityKeyIdentifier, + false, + createAuthorityKeyId(issPub)); + + v3CertGen.addExtension( + Extension.basicConstraints, + false, + new BasicConstraints(_ca)); + + X509Certificate _cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(v3CertGen.build(contentSignerBuilder.build(issPriv))); + + _cert.checkValidity(new Date()); + _cert.verify(issPub); + + return _cert; + } + + private static JcaContentSignerBuilder makeContentSignerBuilder(PublicKey issPub) + { + JcaContentSignerBuilder contentSignerBuilder; + if (issPub instanceof RSAPublicKey) + { + contentSignerBuilder = new JcaContentSignerBuilder("SHA1WithRSA"); + } + else if (issPub.getAlgorithm().equals("DSA")) + { + contentSignerBuilder = new JcaContentSignerBuilder("SHA1withDSA"); + } + else if (issPub.getAlgorithm().equals("ECDSA")) + { + contentSignerBuilder = new JcaContentSignerBuilder("SHA1withECDSA"); + } + else if (issPub.getAlgorithm().equals("ECGOST3410")) + { + contentSignerBuilder = new JcaContentSignerBuilder("GOST3411withECGOST3410"); + } + else + { + contentSignerBuilder = new JcaContentSignerBuilder("GOST3411WithGOST3410"); + } + + contentSignerBuilder.setProvider(BouncyCastleProvider.PROVIDER_NAME); + + return contentSignerBuilder; + } + public static X509CRL makeCrl(KeyPair pair) throws Exception { Date now = new Date(); X509v2CRLBuilder crlGen = new X509v2CRLBuilder(new X500Name("CN=Test CA"), now); + JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils(); crlGen.setNextUpdate(new Date(now.getTime() + 100000)); crlGen.addCRLEntry(BigInteger.ONE, now, CRLReason.privilegeWithdrawn); - crlGen.addExtension(X509Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(pair.getPublic())); + crlGen.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(pair.getPublic())); return new JcaX509CRLConverter().setProvider("BC").getCRL(crlGen.build(new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider("BC").build(pair.getPrivate()))); } @@ -427,6 +466,13 @@ public class CMSTestUtil } static SubjectKeyIdentifier createSubjectKeyId( + SubjectPublicKeyInfo _pubKey) + throws IOException + { + return extUtils.createSubjectKeyIdentifier(_pubKey); + } + + static SubjectKeyIdentifier createSubjectKeyId( PublicKey _pubKey) throws IOException { diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/CompressedDataStreamTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/CompressedDataStreamTest.java deleted file mode 100644 index f9e5d62..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/CompressedDataStreamTest.java +++ /dev/null @@ -1,126 +0,0 @@ -package org.bouncycastle.cms.test; - -import java.io.ByteArrayOutputStream; -import java.io.OutputStream; -import java.util.Arrays; -import java.util.Random; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; - -import org.bouncycastle.cms.CMSCompressedDataParser; -import org.bouncycastle.cms.CMSCompressedDataStreamGenerator; -import org.bouncycastle.util.encoders.Base64; - -public class CompressedDataStreamTest - extends TestCase -{ - public CompressedDataStreamTest(String name) - { - super(name); - } - - public void testWorkingData() - throws Exception - { - byte[] compData = Base64.decode( - "MIAGCyqGSIb3DQEJEAEJoIAwgAIBADANBgsqhkiG9w0BCRADCDCABgkqhkiG9w0BBwGggCSABIIC" - + "Hnic7ZRdb9owFIbvK/k/5PqVYPFXGK12YYyboVFASSp1vQtZGiLRACZE49/XHoUW7S/0tXP8Efux" - + "fU5ivWnasml72XFb3gb5druui7ytN803M570nii7C5r8tfwR281hy/p/KSM3+jzH5s3+pbQ90xSb" - + "P3VT3QbLusnt8WPIuN5vN/vaA2+DulnXTXkXvNTr8j8ouZmkCmGI/UW+ZS/C8zP0bz2dz0zwLt+1" - + "UEk2M8mlaxjRMByAhZTj0RGYg4TvogiRASROsZgjpVcJCb1KV6QzQeDJ1XkoQ5Jm+C5PbOHZZGRi" - + "v+ORAcshOGeCcdFJyfgFxdtCdEcmOrbinc/+BBMzRThEYpwl+jEBpciSGWQkI0TSlREmD/eOHb2D" - + "SGLuESm/iKUFt1y4XHBO2a5oq0IKJKWLS9kUZTA7vC5LSxYmgVL46SIWxIfWBQd6AdrnjLmH94UT" - + "vGxVibLqRCtIpp4g2qpdtqK1LiOeolpVK5wVQ5P7+QjZAlrh0cePYTx/gNZuB9Vhndtgujl9T/tg" - + "W9ogK+3rnmg3YWygnTuF5GDS+Q/jIVLnCcYZFc6Kk/+c80wKwZjwdZIqDYWRH68MuBQSXLgXYXj2" - + "3CAaYOBNJMliTl0X7eV5DnoKIFSKYdj3cRpD/cK/JWTHJRe76MUXnfBW8m7Hd5zhQ4ri2NrVF/WL" - + "+kV1/3AGSlJ32bFPd2BsQD8uSzIx6lObkjdz95c0AAAAAAAAAAAAAAAA"); - - byte[] uncompData = Base64.decode( - "Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9FREktWDEyOyBuYW1lPUdyb3VwMi54MTINCkNvbnRl" - + "bnQtVHJhbnNmZXItRW5jb2Rpbmc6IGJpbmFyeQ0KQ29udGVudC1EaXNwb3NpdGlvbjogaW5saW5l" - + "OyBmaWxlbmFtZT1Hcm91cDIueDEyDQoNCklTQSowMCpzc3Nzc3Nzc3NzKjAwKnJycnJycnJycnIqW" - + "loqQ1lDTE9ORSAgICAgICAgKlpaKlBBUlRORVIgICAgICAgICo5NjEwMDcqMjAxMypVKjAwMjAwKj" - + "AwMDAwMDAwMSowKlQqKg1HUypQTypTMVMxUzFTMVMxUzFTMVMqUjFSMVIxUjFSMVIxUjFSKjk2MTA" - + "wNyoyMDEzKjAwMDAwMDAwNCpYKjAwMzA1MA1TVCo4NTAqMDAwMDQwMDAxDUJFRyowMCpCRSoyYSo0" - + "MzMyNDIzNHY1NTIzKjk2MTAwNyoyM3RjNHZ5MjR2MmgzdmgzdmgqWloqSUVMKjA5KlJFKjA5DUNVU" - + "ioxMSpUUk4qNTY1Nio2NSo1NjYqSU1GKjAwNio5NjEwMDcNUkVGKjZBKjQzM3IxYzNyMzRyMzRjMz" - + "MxMnFjdGdjNTQqUmVmZXJlbmNlIE51bWJlcg1QRVIqQUEqSGFucyBHdXR0ZW4qQ1AqMS4zMjIuMzI" - + "zLjQ0NDQqKioqKnJnZzRlZ3Y0dDQNVEFYKjR0Z3RidDR0cjR0cipHTCpnaGdoKioqKioqKioqRypD" - + "DUZPQipUUCpDQSpVU0EqMDIqRE9NKkNDKlJlZ3VsYXIgTG9jYXRpb25zIHBlciBUZXJtcw1DVFAqR" - + "EUqQzA0KjQ1MyoyNTAwMCpEOSpTRUwqMjMyMTQqMjM0MzI0MjM0MjMqRVMqNDIyNDM0MjMNU0FDKk" - + "EqQjAwMCpBRSozNTQ1KjM0NDIzMDANQ1VSKjExKjc2Nyo3NzY3KjY1DVBPMSoxMTEtYWFhKjEwMDA" - + "wMDAqQVMqOTAuMDAqQkQqQUsqMjM0MjM1djM1MzRxNmYzNTM0djQzNTM0NTN2cTNxMzIqKioqKioq" - + "KioqKkExKnl0cmgNUE8xKjExMS1hYWEqMTAwMDAwMCpBUyo5MC4wMCpCRCpBSyoyMzQyMzV2MzUzN" - + "HE2ZjM1MzR2NDM1MzQ1M3ZxM3EzMioqKioqKioqKioqQTEqeXRyaA1QTzEqMTExLWFhYSoxMDAwMD" - + "AwKkFTKjkwLjAwKkJEKkFLKjIzNDIzNXYzNTM0cTZmMzUzNHY0MzUzNDUzdnEzcTMyKioqKioqKio" - + "qKipBMSp5dHJoDVBPMSoxMTEtYWFhKjEwMDAwMDAqQVMqOTAuMDAqQkQqQUsqMjM0MjM1djM1MzRx" - + "NmYzNTM0djQzNTM0NTN2cTNxMzIqKioqKioqKioqKkExKnl0cmgNUE8xKjExMS1hYWEqMTAwMDAwM" - + "CpBUyo5MC4wMCpCRCpBSyoyMzQyMzV2MzUzNHE2ZjM1MzR2NDM1MzQ1M3ZxM3EzMioqKioqKioqKi" - + "oqQTEqeXRyaA1QTzEqMTExLWFhYSoxMDAwMDAwKkFTKjkwLjAwKkJEKkFLKjIzNDIzNXYzNTM0cTZ" - + "mMzUzNHY0MzUzNDUzdnEzcTMyKioqKioqKioqKipBMSp5dHJoDVBPMSoxMTEtYWFhKjEwMDAwMDAq" - + "QVMqOTAuMDAqQkQqQUsqMjM0MjM1djM1MzRxNmYzNTM0djQzNTM0NTN2cTNxMzIqKioqKioqKioqK" - + "kExKnl0cmgNUE8xKjExMS1hYWEqMTAwMDAwMCpBUyo5MC4wMCpCRCpBSyoyMzQyMzV2MzUzNHE2Zj" - + "M1MzR2NDM1MzQ1M3ZxM3EzMioqKioqKioqKioqQTEqeXRyaA1QTzEqMTExLWFhYSoxMDAwMDAwKkF" - + "TKjkwLjAwKkJEKkFLKjIzNDIzNXYzNTM0cTZmMzUzNHY0MzUzNDUzdnEzcTMyKioqKioqKioqKipB" - + "MSp5dHJoDVBPMSoxMTEtYWFhKjEwMDAwMDAqQVMqOTAuMDAqQkQqQUsqMjM0MjM1djM1MzRxNmYzN" - + "TM0djQzNTM0NTN2cTNxMzIqKioqKioqKioqKkExKnl0cmgNQ1RUKjENU0UqMjIqMDAwMDQwMDAxDU" - + "dFKjEqMDAwMDAwMDA0DUlFQSoxKjAwMDAwMDAwMQ0="); - - CMSCompressedDataParser ed = new CMSCompressedDataParser(compData); - - assertEquals(true, Arrays.equals(uncompData, CMSTestUtil.streamToByteArray(ed.getContent().getContentStream()))); - } - - public void testEach() - throws Exception - { - byte[] testData = "Hello world!".getBytes(); - - CMSCompressedDataStreamGenerator gen = new CMSCompressedDataStreamGenerator(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream cOut = gen.open(bOut, CMSCompressedDataStreamGenerator.ZLIB); - - cOut.write(testData); - - cOut.close(); - - CMSCompressedDataParser ed = new CMSCompressedDataParser(bOut.toByteArray()); - - assertEquals(true, Arrays.equals(testData, CMSTestUtil.streamToByteArray(ed.getContent().getContentStream()))); - } - - public void test1000() - throws Exception - { - byte[] testData = new byte[10000]; - Random rand = new Random(); - - rand.setSeed(0); - - for (int i = 0; i != 10; i++) - { - CMSCompressedDataStreamGenerator gen = new CMSCompressedDataStreamGenerator(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream cOut = gen.open(bOut, CMSCompressedDataStreamGenerator.ZLIB); - - rand.nextBytes(testData); - - cOut.write(testData); - - cOut.close(); - - CMSCompressedDataParser ed = new CMSCompressedDataParser(bOut.toByteArray()); - - assertEquals(true, Arrays.equals(testData, CMSTestUtil.streamToByteArray(ed.getContent().getContentStream()))); - } - } - - public static Test suite() - { - return new TestSuite(CompressedDataStreamTest.class); - } -} diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/CompressedDataTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/CompressedDataTest.java deleted file mode 100644 index 6fd06b3..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/CompressedDataTest.java +++ /dev/null @@ -1,150 +0,0 @@ -package org.bouncycastle.cms.test; - -import java.util.Arrays; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; -import org.bouncycastle.cms.CMSCompressedData; -import org.bouncycastle.cms.CMSCompressedDataGenerator; -import org.bouncycastle.cms.CMSException; -import org.bouncycastle.cms.CMSProcessableByteArray; -import org.bouncycastle.util.encoders.Base64; -import org.bouncycastle.util.io.StreamOverflowException; - -public class CompressedDataTest - extends TestCase -{ - private static final byte[] TEST_DATA = "Hello world!".getBytes(); - - /* - * - * INFRASTRUCTURE - * - */ - - public CompressedDataTest(String name) - { - super(name); - } - - public static void main(String args[]) - { - junit.textui.TestRunner.run(CompressedDataTest.class); - } - - public static Test suite() - { - return new CMSTestSetup(new TestSuite(CompressedDataTest.class)); - } - - public void setUp() - { - - } - - public void tearDown() - { - - } - - public void testWorkingData() - throws Exception - { - byte[] compData = Base64 - .decode("MIAGCyqGSIb3DQEJEAEJoIAwgAIBADANBgsqhkiG9w0BCRADCDCABgkqhkiG9w0BBwGggCSABIIC" - + "Hnic7ZRdb9owFIbvK/k/5PqVYPFXGK12YYyboVFASSp1vQtZGiLRACZE49/XHoUW7S/0tXP8Efux" - + "fU5ivWnasml72XFb3gb5druui7ytN803M570nii7C5r8tfwR281hy/p/KSM3+jzH5s3+pbQ90xSb" - + "P3VT3QbLusnt8WPIuN5vN/vaA2+DulnXTXkXvNTr8j8ouZmkCmGI/UW+ZS/C8zP0bz2dz0zwLt+1" - + "UEk2M8mlaxjRMByAhZTj0RGYg4TvogiRASROsZgjpVcJCb1KV6QzQeDJ1XkoQ5Jm+C5PbOHZZGRi" - + "v+ORAcshOGeCcdFJyfgFxdtCdEcmOrbinc/+BBMzRThEYpwl+jEBpciSGWQkI0TSlREmD/eOHb2D" - + "SGLuESm/iKUFt1y4XHBO2a5oq0IKJKWLS9kUZTA7vC5LSxYmgVL46SIWxIfWBQd6AdrnjLmH94UT" - + "vGxVibLqRCtIpp4g2qpdtqK1LiOeolpVK5wVQ5P7+QjZAlrh0cePYTx/gNZuB9Vhndtgujl9T/tg" - + "W9ogK+3rnmg3YWygnTuF5GDS+Q/jIVLnCcYZFc6Kk/+c80wKwZjwdZIqDYWRH68MuBQSXLgXYXj2" - + "3CAaYOBNJMliTl0X7eV5DnoKIFSKYdj3cRpD/cK/JWTHJRe76MUXnfBW8m7Hd5zhQ4ri2NrVF/WL" - + "+kV1/3AGSlJ32bFPd2BsQD8uSzIx6lObkjdz95c0AAAAAAAAAAAAAAAA"); - - byte[] uncompData = Base64 - .decode("Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9FREktWDEyOyBuYW1lPUdyb3VwMi54MTINCkNvbnRl" - + "bnQtVHJhbnNmZXItRW5jb2Rpbmc6IGJpbmFyeQ0KQ29udGVudC1EaXNwb3NpdGlvbjogaW5saW5l" - + "OyBmaWxlbmFtZT1Hcm91cDIueDEyDQoNCklTQSowMCpzc3Nzc3Nzc3NzKjAwKnJycnJycnJycnIqW" - + "loqQ1lDTE9ORSAgICAgICAgKlpaKlBBUlRORVIgICAgICAgICo5NjEwMDcqMjAxMypVKjAwMjAwKj" - + "AwMDAwMDAwMSowKlQqKg1HUypQTypTMVMxUzFTMVMxUzFTMVMqUjFSMVIxUjFSMVIxUjFSKjk2MTA" - + "wNyoyMDEzKjAwMDAwMDAwNCpYKjAwMzA1MA1TVCo4NTAqMDAwMDQwMDAxDUJFRyowMCpCRSoyYSo0" - + "MzMyNDIzNHY1NTIzKjk2MTAwNyoyM3RjNHZ5MjR2MmgzdmgzdmgqWloqSUVMKjA5KlJFKjA5DUNVU" - + "ioxMSpUUk4qNTY1Nio2NSo1NjYqSU1GKjAwNio5NjEwMDcNUkVGKjZBKjQzM3IxYzNyMzRyMzRjMz" - + "MxMnFjdGdjNTQqUmVmZXJlbmNlIE51bWJlcg1QRVIqQUEqSGFucyBHdXR0ZW4qQ1AqMS4zMjIuMzI" - + "zLjQ0NDQqKioqKnJnZzRlZ3Y0dDQNVEFYKjR0Z3RidDR0cjR0cipHTCpnaGdoKioqKioqKioqRypD" - + "DUZPQipUUCpDQSpVU0EqMDIqRE9NKkNDKlJlZ3VsYXIgTG9jYXRpb25zIHBlciBUZXJtcw1DVFAqR" - + "EUqQzA0KjQ1MyoyNTAwMCpEOSpTRUwqMjMyMTQqMjM0MzI0MjM0MjMqRVMqNDIyNDM0MjMNU0FDKk" - + "EqQjAwMCpBRSozNTQ1KjM0NDIzMDANQ1VSKjExKjc2Nyo3NzY3KjY1DVBPMSoxMTEtYWFhKjEwMDA" - + "wMDAqQVMqOTAuMDAqQkQqQUsqMjM0MjM1djM1MzRxNmYzNTM0djQzNTM0NTN2cTNxMzIqKioqKioq" - + "KioqKkExKnl0cmgNUE8xKjExMS1hYWEqMTAwMDAwMCpBUyo5MC4wMCpCRCpBSyoyMzQyMzV2MzUzN" - + "HE2ZjM1MzR2NDM1MzQ1M3ZxM3EzMioqKioqKioqKioqQTEqeXRyaA1QTzEqMTExLWFhYSoxMDAwMD" - + "AwKkFTKjkwLjAwKkJEKkFLKjIzNDIzNXYzNTM0cTZmMzUzNHY0MzUzNDUzdnEzcTMyKioqKioqKio" - + "qKipBMSp5dHJoDVBPMSoxMTEtYWFhKjEwMDAwMDAqQVMqOTAuMDAqQkQqQUsqMjM0MjM1djM1MzRx" - + "NmYzNTM0djQzNTM0NTN2cTNxMzIqKioqKioqKioqKkExKnl0cmgNUE8xKjExMS1hYWEqMTAwMDAwM" - + "CpBUyo5MC4wMCpCRCpBSyoyMzQyMzV2MzUzNHE2ZjM1MzR2NDM1MzQ1M3ZxM3EzMioqKioqKioqKi" - + "oqQTEqeXRyaA1QTzEqMTExLWFhYSoxMDAwMDAwKkFTKjkwLjAwKkJEKkFLKjIzNDIzNXYzNTM0cTZ" - + "mMzUzNHY0MzUzNDUzdnEzcTMyKioqKioqKioqKipBMSp5dHJoDVBPMSoxMTEtYWFhKjEwMDAwMDAq" - + "QVMqOTAuMDAqQkQqQUsqMjM0MjM1djM1MzRxNmYzNTM0djQzNTM0NTN2cTNxMzIqKioqKioqKioqK" - + "kExKnl0cmgNUE8xKjExMS1hYWEqMTAwMDAwMCpBUyo5MC4wMCpCRCpBSyoyMzQyMzV2MzUzNHE2Zj" - + "M1MzR2NDM1MzQ1M3ZxM3EzMioqKioqKioqKioqQTEqeXRyaA1QTzEqMTExLWFhYSoxMDAwMDAwKkF" - + "TKjkwLjAwKkJEKkFLKjIzNDIzNXYzNTM0cTZmMzUzNHY0MzUzNDUzdnEzcTMyKioqKioqKioqKipB" - + "MSp5dHJoDVBPMSoxMTEtYWFhKjEwMDAwMDAqQVMqOTAuMDAqQkQqQUsqMjM0MjM1djM1MzRxNmYzN" - + "TM0djQzNTM0NTN2cTNxMzIqKioqKioqKioqKkExKnl0cmgNQ1RUKjENU0UqMjIqMDAwMDQwMDAxDUdFKjEqMDAwMDAwMDA0DUlFQSoxKjAwMDAwMDAwMQ0="); - - CMSCompressedData ed = new CMSCompressedData(compData); - - assertEquals(true, Arrays.equals(uncompData, ed.getContent())); - } - - public void testEach() - throws Exception - { - CMSCompressedData cd = getStdData(); - - assertEquals(true, Arrays.equals(TEST_DATA, cd.getContent())); - } - - public void testLimitUnder() - throws Exception - { - CMSCompressedData cd = getStdData(); - - try - { - cd.getContent(TEST_DATA.length / 2); - } - catch (CMSException e) - { - assertEquals(true, e.getCause() instanceof StreamOverflowException); - } - } - - public void testLimitOver() - throws Exception - { - CMSCompressedData cd = getStdData(); - - assertEquals(true, Arrays.equals(TEST_DATA, cd.getContent(TEST_DATA.length * 2))); - } - - public void testLimitEqual() - throws Exception - { - CMSCompressedData cd = getStdData(); - - assertEquals(true, Arrays.equals(TEST_DATA, cd.getContent(TEST_DATA.length))); - } - - private CMSCompressedData getStdData() - throws CMSException - { - CMSProcessableByteArray testData = new CMSProcessableByteArray(TEST_DATA); - CMSCompressedDataGenerator gen = new CMSCompressedDataGenerator(); - - return gen.generate(testData, - CMSCompressedDataGenerator.ZLIB); - } -} diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/EnvelopedDataStreamTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/EnvelopedDataStreamTest.java deleted file mode 100644 index 046db10..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/EnvelopedDataStreamTest.java +++ /dev/null @@ -1,631 +0,0 @@ -package org.bouncycastle.cms.test; - -import java.io.BufferedOutputStream; -import java.io.ByteArrayOutputStream; -import java.io.InputStream; -import java.io.OutputStream; -import java.security.Key; -import java.security.KeyFactory; -import java.security.KeyPair; -import java.security.Security; -import java.security.cert.X509Certificate; -import java.security.spec.PKCS8EncodedKeySpec; -import java.util.Arrays; -import java.util.Collection; -import java.util.Iterator; - -import javax.crypto.SecretKey; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; -import org.bouncycastle.asn1.ASN1InputStream; -import org.bouncycastle.asn1.DEROutputStream; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.cms.CMSEnvelopedDataGenerator; -import org.bouncycastle.cms.CMSEnvelopedDataParser; -import org.bouncycastle.cms.CMSEnvelopedDataStreamGenerator; -import org.bouncycastle.cms.CMSTypedStream; -import org.bouncycastle.cms.KEKRecipientId; -import org.bouncycastle.cms.RecipientId; -import org.bouncycastle.cms.RecipientInformation; -import org.bouncycastle.cms.RecipientInformationStore; -import org.bouncycastle.cms.jcajce.JceKeyAgreeRecipientId; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.util.encoders.Base64; -import org.bouncycastle.util.encoders.Hex; - -public class EnvelopedDataStreamTest - extends TestCase -{ - private static final String BC = BouncyCastleProvider.PROVIDER_NAME; - - private static final int BUFFER_SIZE = 4000; - private static String _signDN; - private static KeyPair _signKP; - private static X509Certificate _signCert; - - private static String _origDN; - private static KeyPair _origKP; - private static X509Certificate _origCert; - - private static String _reciDN; - private static KeyPair _reciKP; - private static X509Certificate _reciCert; - - private static KeyPair _origEcKP; - private static KeyPair _reciEcKP; - private static X509Certificate _reciEcCert; - - private static boolean _initialised = false; - - public EnvelopedDataStreamTest() - { - } - - private static void init() - throws Exception - { - if (!_initialised) - { - _initialised = true; - - _signDN = "O=Bouncy Castle, C=AU"; - _signKP = CMSTestUtil.makeKeyPair(); - _signCert = CMSTestUtil.makeCertificate(_signKP, _signDN, _signKP, _signDN); - - _origDN = "CN=Bob, OU=Sales, O=Bouncy Castle, C=AU"; - _origKP = CMSTestUtil.makeKeyPair(); - _origCert = CMSTestUtil.makeCertificate(_origKP, _origDN, _signKP, _signDN); - - _reciDN = "CN=Doug, OU=Sales, O=Bouncy Castle, C=AU"; - _reciKP = CMSTestUtil.makeKeyPair(); - _reciCert = CMSTestUtil.makeCertificate(_reciKP, _reciDN, _signKP, _signDN); - - _origEcKP = CMSTestUtil.makeEcDsaKeyPair(); - _reciEcKP = CMSTestUtil.makeEcDsaKeyPair(); - _reciEcCert = CMSTestUtil.makeCertificate(_reciEcKP, _reciDN, _signKP, _signDN); - } - } - - public void setUp() - throws Exception - { - init(); - } - - public void testWorkingData() - throws Exception - { - byte[] keyData = Base64.decode( - "MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKrAz/SQKrcQ" + - "nj9IxHIfKDbuXsMqUpI06s2gps6fp7RDNvtUDDMOciWGFhD45YSy8GO0mPx3" + - "Nkc7vKBqX4TLcqLUz7kXGOHGOwiPZoNF+9jBMPNROe/B0My0PkWg9tuq+nxN" + - "64oD47+JvDwrpNOS5wsYavXeAW8Anv9ZzHLU7KwZAgMBAAECgYA/fqdVt+5K" + - "WKGfwr1Z+oAHvSf7xtchiw/tGtosZ24DOCNP3fcTXUHQ9kVqVkNyzt9ZFCT3" + - "bJUAdBQ2SpfuV4DusVeQZVzcROKeA09nPkxBpTefWbSDQGhb+eZq9L8JDRSW" + - "HyYqs+MBoUpLw7GKtZiJkZyY6CsYkAnQ+uYVWq/TIQJBAP5zafO4HUV/w4KD" + - "VJi+ua+GYF1Sg1t/dYL1kXO9GP1p75YAmtm6LdnOCas7wj70/G1YlPGkOP0V" + - "GFzeG5KAmAUCQQCryvKU9nwWA+kypcQT9Yr1P4vGS0APYoBThnZq7jEPc5Cm" + - "ZI82yseSxSeea0+8KQbZ5mvh1p3qImDLEH/iNSQFAkAghS+tboKPN10NeSt+" + - "uiGRRWNbiggv0YJ7Uldcq3ZeLQPp7/naiekCRUsHD4Qr97OrZf7jQ1HlRqTu" + - "eZScjMLhAkBNUMZCQnhwFAyEzdPkQ7LpU1MdyEopYmRssuxijZao5JLqQAGw" + - "YCzXokGFa7hz72b09F4DQurJL/WuDlvvu4jdAkEAxwT9lylvfSfEQw4/qQgZ" + - "MFB26gqB6Gqs1pHIZCzdliKx5BO3VDeUGfXMI8yOkbXoWbYx5xPid/+N8R//" + - "+sxLBw=="); - - byte[] envData = Base64.decode( - "MIAGCSqGSIb3DQEHA6CAMIACAQAxgcQwgcECAQAwKjAlMRYwFAYDVQQKEw1C" + - "b3VuY3kgQ2FzdGxlMQswCQYDVQQGEwJBVQIBHjANBgkqhkiG9w0BAQEFAASB" + - "gDmnaDZ0vDJNlaUSYyEXsgbaUH+itNTjCOgv77QTX2ImXj+kTctM19PQF2I1" + - "0/NL0fjakvCgBTHKmk13a7jqB6cX3bysenHNrglHsgNGgeXQ7ggAq5fV/JQQ" + - "T7rSxEtuwpbuHQnoVUZahOHVKy/a0uLr9iIh1A3y+yZTZaG505ZJMIAGCSqG" + - "SIb3DQEHATAdBglghkgBZQMEAQIEENmkYNbDXiZxJWtq82qIRZKggAQgkOGr" + - "1JcTsADStez1eY4+rO4DtyBIyUYQ3pilnbirfPkAAAAAAAAAAAAA"); - - - CMSEnvelopedDataParser ep = new CMSEnvelopedDataParser(envData); - - RecipientInformationStore recipients = ep.getRecipientInfos(); - - assertEquals(ep.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.AES128_CBC); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyData); - KeyFactory keyFact = KeyFactory.getInstance("RSA", BC); - Key priKey = keyFact.generatePrivate(keySpec); - byte[] data = Hex.decode("57616c6c6157616c6c6157617368696e67746f6e"); - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - - CMSTypedStream recData = recipient.getContentStream(priKey, BC); - - assertEquals(true, Arrays.equals(data, CMSTestUtil.streamToByteArray(recData.getContentStream()))); - } - } - - private void verifyData( - ByteArrayOutputStream encodedStream, - String expectedOid, - byte[] expectedData) - throws Exception - { - CMSEnvelopedDataParser ep = new CMSEnvelopedDataParser(encodedStream.toByteArray()); - RecipientInformationStore recipients = ep.getRecipientInfos(); - - assertEquals(ep.getEncryptionAlgOID(), expectedOid); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - - CMSTypedStream recData = recipient.getContentStream(_reciKP.getPrivate(), BC); - - assertEquals(true, Arrays.equals(expectedData, CMSTestUtil.streamToByteArray(recData.getContentStream()))); - } - } - - public void testKeyTransAES128BufferedStream() - throws Exception - { - byte[] data = new byte[2000]; - - for (int i = 0; i != 2000; i++) - { - data[i] = (byte)(i & 0xff); - } - - // - // unbuffered - // - CMSEnvelopedDataStreamGenerator edGen = new CMSEnvelopedDataStreamGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream out = edGen.open( - bOut, CMSEnvelopedDataGenerator.AES128_CBC, BC); - - for (int i = 0; i != 2000; i++) - { - out.write(data[i]); - } - - out.close(); - - verifyData(bOut, CMSEnvelopedDataGenerator.AES128_CBC, data); - - int unbufferedLength = bOut.toByteArray().length; - - // - // Using buffered output - should be == to unbuffered - // - edGen = new CMSEnvelopedDataStreamGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - bOut = new ByteArrayOutputStream(); - - out = edGen.open(bOut, CMSEnvelopedDataGenerator.AES128_CBC, BC); - - BufferedOutputStream bfOut = new BufferedOutputStream(out, 300); - - for (int i = 0; i != 2000; i++) - { - bfOut.write(data[i]); - } - - bfOut.close(); - - verifyData(bOut, CMSEnvelopedDataGenerator.AES128_CBC, data); - - assertTrue(bOut.toByteArray().length == unbufferedLength); - } - - public void testKeyTransAES128Buffered() - throws Exception - { - byte[] data = new byte[2000]; - - for (int i = 0; i != 2000; i++) - { - data[i] = (byte)(i & 0xff); - } - - // - // unbuffered - // - CMSEnvelopedDataStreamGenerator edGen = new CMSEnvelopedDataStreamGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream out = edGen.open( - bOut, CMSEnvelopedDataGenerator.AES128_CBC, BC); - - for (int i = 0; i != 2000; i++) - { - out.write(data[i]); - } - - out.close(); - - verifyData(bOut, CMSEnvelopedDataGenerator.AES128_CBC, data); - - int unbufferedLength = bOut.toByteArray().length; - - // - // buffered - less than default of 1000 - // - edGen = new CMSEnvelopedDataStreamGenerator(); - - edGen.setBufferSize(300); - - edGen.addKeyTransRecipient(_reciCert); - - bOut = new ByteArrayOutputStream(); - - out = edGen.open(bOut, CMSEnvelopedDataGenerator.AES128_CBC, BC); - - for (int i = 0; i != 2000; i++) - { - out.write(data[i]); - } - - out.close(); - - verifyData(bOut, CMSEnvelopedDataGenerator.AES128_CBC, data); - - assertTrue(bOut.toByteArray().length > unbufferedLength); - } - - public void testKeyTransAES128Der() - throws Exception - { - byte[] data = new byte[2000]; - - for (int i = 0; i != 2000; i++) - { - data[i] = (byte)(i & 0xff); - } - - CMSEnvelopedDataStreamGenerator edGen = new CMSEnvelopedDataStreamGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream out = edGen.open( - bOut, CMSEnvelopedDataGenerator.AES128_CBC, BC); - - for (int i = 0; i != 2000; i++) - { - out.write(data[i]); - } - - out.close(); - - // convert to DER - ASN1InputStream aIn = new ASN1InputStream(bOut.toByteArray()); - - bOut.reset(); - - DEROutputStream dOut = new DEROutputStream(bOut); - - dOut.writeObject(aIn.readObject()); - - verifyData(bOut, CMSEnvelopedDataGenerator.AES128_CBC, data); - } - - public void testKeyTransAES128Throughput() - throws Exception - { - byte[] data = new byte[40001]; - - for (int i = 0; i != data.length; i++) - { - data[i] = (byte)(i & 0xff); - } - - // - // buffered - // - CMSEnvelopedDataStreamGenerator edGen = new CMSEnvelopedDataStreamGenerator(); - - edGen.setBufferSize(BUFFER_SIZE); - - edGen.addKeyTransRecipient(_reciCert); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream out = edGen.open(bOut, CMSEnvelopedDataGenerator.AES128_CBC, BC); - - for (int i = 0; i != data.length; i++) - { - out.write(data[i]); - } - - out.close(); - - CMSEnvelopedDataParser ep = new CMSEnvelopedDataParser(bOut.toByteArray()); - RecipientInformationStore recipients = ep.getRecipientInfos(); - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - - CMSTypedStream recData = recipient.getContentStream(_reciKP.getPrivate(), BC); - - InputStream dataStream = recData.getContentStream(); - ByteArrayOutputStream dataOut = new ByteArrayOutputStream(); - int len; - byte[] buf = new byte[BUFFER_SIZE]; - int count = 0; - - while (count != 10 && (len = dataStream.read(buf)) > 0) - { - assertEquals(buf.length, len); - - dataOut.write(buf); - count++; - } - - len = dataStream.read(buf); - dataOut.write(buf, 0, len); - - assertEquals(true, Arrays.equals(data, dataOut.toByteArray())); - } - else - { - fail("recipient not found."); - } - } - - public void testKeyTransAES128() - throws Exception - { - byte[] data = "WallaWallaWashington".getBytes(); - - CMSEnvelopedDataStreamGenerator edGen = new CMSEnvelopedDataStreamGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream out = edGen.open( - bOut, CMSEnvelopedDataGenerator.AES128_CBC, BC); - - out.write(data); - - out.close(); - - CMSEnvelopedDataParser ep = new CMSEnvelopedDataParser(bOut.toByteArray()); - - RecipientInformationStore recipients = ep.getRecipientInfos(); - - assertEquals(ep.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.AES128_CBC); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - - CMSTypedStream recData = recipient.getContentStream(_reciKP.getPrivate(), BC); - - assertEquals(true, Arrays.equals(data, CMSTestUtil.streamToByteArray(recData.getContentStream()))); - } - - ep.close(); - } - - public void testKeyTransCAST5SunJCE() - throws Exception - { - if (Security.getProvider("SunJCE") == null) - { - return; - } - - String version = System.getProperty("java.version"); - if (version.startsWith("1.4") || version.startsWith("1.3")) - { - return; - } - - byte[] data = "WallaWallaWashington".getBytes(); - - CMSEnvelopedDataStreamGenerator edGen = new CMSEnvelopedDataStreamGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream out = edGen.open( - bOut, CMSEnvelopedDataGenerator.CAST5_CBC, "SunJCE"); - - out.write(data); - - out.close(); - - CMSEnvelopedDataParser ep = new CMSEnvelopedDataParser(bOut.toByteArray()); - - RecipientInformationStore recipients = ep.getRecipientInfos(); - - assertEquals(ep.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.CAST5_CBC); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - - CMSTypedStream recData = recipient.getContentStream(_reciKP.getPrivate(), "SunJCE"); - - assertEquals(true, Arrays.equals(data, CMSTestUtil.streamToByteArray(recData.getContentStream()))); - } - - ep.close(); - } - - public void testAESKEK() - throws Exception - { - byte[] data = "WallaWallaWashington".getBytes(); - SecretKey kek = CMSTestUtil.makeAES192Key(); - - CMSEnvelopedDataStreamGenerator edGen = new CMSEnvelopedDataStreamGenerator(); - - byte[] kekId = new byte[] { 1, 2, 3, 4, 5 }; - - edGen.addKEKRecipient(kek, kekId); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream out = edGen.open( - bOut, - CMSEnvelopedDataGenerator.DES_EDE3_CBC, BC); - out.write(data); - - out.close(); - - CMSEnvelopedDataParser ep = new CMSEnvelopedDataParser(bOut.toByteArray()); - - RecipientInformationStore recipients = ep.getRecipientInfos(); - - assertEquals(ep.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.DES_EDE3_CBC); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), "2.16.840.1.101.3.4.1.25"); - - CMSTypedStream recData = recipient.getContentStream(kek, BC); - - assertEquals(true, Arrays.equals(data, CMSTestUtil.streamToByteArray(recData.getContentStream()))); - } - - ep.close(); - } - - public void testTwoAESKEK() - throws Exception - { - byte[] data = "WallaWallaWashington".getBytes(); - SecretKey kek1 = CMSTestUtil.makeAES192Key(); - SecretKey kek2 = CMSTestUtil.makeAES192Key(); - - CMSEnvelopedDataStreamGenerator edGen = new CMSEnvelopedDataStreamGenerator(); - - byte[] kekId1 = new byte[] { 1, 2, 3, 4, 5 }; - byte[] kekId2 = new byte[] { 5, 4, 3, 2, 1 }; - - edGen.addKEKRecipient(kek1, kekId1); - edGen.addKEKRecipient(kek2, kekId2); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream out = edGen.open( - bOut, - CMSEnvelopedDataGenerator.DES_EDE3_CBC, BC); - out.write(data); - - out.close(); - - CMSEnvelopedDataParser ep = new CMSEnvelopedDataParser(bOut.toByteArray()); - - RecipientInformationStore recipients = ep.getRecipientInfos(); - - assertEquals(ep.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.DES_EDE3_CBC); - - RecipientId recSel = new KEKRecipientId(kekId2); - - RecipientInformation recipient = recipients.get(recSel); - - assertEquals(recipient.getKeyEncryptionAlgOID(), "2.16.840.1.101.3.4.1.25"); - - CMSTypedStream recData = recipient.getContentStream(kek2, BC); - - assertEquals(true, Arrays.equals(data, CMSTestUtil.streamToByteArray(recData.getContentStream()))); - - ep.close(); - } - - public void testECKeyAgree() - throws Exception - { - byte[] data = Hex.decode("504b492d4320434d5320456e76656c6f706564446174612053616d706c65"); - - CMSEnvelopedDataStreamGenerator edGen = new CMSEnvelopedDataStreamGenerator(); - - edGen.addKeyAgreementRecipient(CMSEnvelopedDataGenerator.ECDH_SHA1KDF, _origEcKP.getPrivate(), _origEcKP.getPublic(), _reciEcCert, CMSEnvelopedDataGenerator.AES128_WRAP, BC); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream out = edGen.open( - bOut, - CMSEnvelopedDataGenerator.AES128_CBC, BC); - out.write(data); - - out.close(); - - CMSEnvelopedDataParser ep = new CMSEnvelopedDataParser(bOut.toByteArray()); - - RecipientInformationStore recipients = ep.getRecipientInfos(); - - assertEquals(ep.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.AES128_CBC); - - RecipientId recSel = new JceKeyAgreeRecipientId(_reciEcCert); - - RecipientInformation recipient = recipients.get(recSel); - - CMSTypedStream recData = recipient.getContentStream(_reciEcKP.getPrivate(), BC); - - assertEquals(true, Arrays.equals(data, CMSTestUtil.streamToByteArray(recData.getContentStream()))); - - ep.close(); - } - - public void testOriginatorInfo() - throws Exception - { - CMSEnvelopedDataParser env = new CMSEnvelopedDataParser(CMSSampleMessages.originatorMessage); - - env.getRecipientInfos(); - - assertEquals(CMSEnvelopedDataGenerator.DES_EDE3_CBC, env.getEncryptionAlgOID()); - } - - public static Test suite() - throws Exception - { - return new CMSTestSetup(new TestSuite(EnvelopedDataStreamTest.class)); - } -} diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/EnvelopedDataTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/EnvelopedDataTest.java deleted file mode 100644 index dea5d92..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/EnvelopedDataTest.java +++ /dev/null @@ -1,1002 +0,0 @@ -package org.bouncycastle.cms.test; - -import java.io.IOException; -import java.security.GeneralSecurityException; -import java.security.Key; -import java.security.KeyFactory; -import java.security.KeyPair; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.PrivateKey; -import java.security.Security; -import java.security.cert.CertificateEncodingException; -import java.security.cert.X509Certificate; -import java.security.spec.PKCS8EncodedKeySpec; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collection; -import java.util.Iterator; - -import javax.crypto.SecretKey; -import javax.crypto.spec.SecretKeySpec; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; -import org.bouncycastle.asn1.ASN1InputStream; -import org.bouncycastle.asn1.ASN1Sequence; -import org.bouncycastle.asn1.DERObjectIdentifier; -import org.bouncycastle.asn1.DEROctetString; -import org.bouncycastle.asn1.kisa.KISAObjectIdentifiers; -import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; -import org.bouncycastle.asn1.ntt.NTTObjectIdentifiers; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.cms.CMSEnvelopedData; -import org.bouncycastle.cms.CMSEnvelopedDataGenerator; -import org.bouncycastle.cms.CMSException; -import org.bouncycastle.cms.CMSPBEKey; -import org.bouncycastle.cms.CMSProcessableByteArray; -import org.bouncycastle.cms.KeyTransRecipientInformation; -import org.bouncycastle.cms.PKCS5Scheme2PBEKey; -import org.bouncycastle.cms.PKCS5Scheme2UTF8PBEKey; -import org.bouncycastle.cms.PasswordRecipientInformation; -import org.bouncycastle.cms.RecipientId; -import org.bouncycastle.cms.RecipientInformation; -import org.bouncycastle.cms.RecipientInformationStore; -import org.bouncycastle.cms.jcajce.JceKeyAgreeRecipientId; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.util.encoders.Base64; -import org.bouncycastle.util.encoders.Hex; - -public class EnvelopedDataTest - extends TestCase -{ - private static final String BC = BouncyCastleProvider.PROVIDER_NAME; - - private static String _signDN; - private static KeyPair _signKP; - private static X509Certificate _signCert; - - private static String _origDN; - private static KeyPair _origKP; - private static X509Certificate _origCert; - - private static String _reciDN; - private static String _reciDN2; - private static KeyPair _reciKP; - private static X509Certificate _reciCert; - - private static KeyPair _origEcKP; - private static KeyPair _reciEcKP; - private static X509Certificate _reciEcCert; - private static KeyPair _reciEcKP2; - private static X509Certificate _reciEcCert2; - - private static boolean _initialised = false; - - private byte[] oldKEK = Base64.decode( - "MIAGCSqGSIb3DQEHA6CAMIACAQIxQaI/MD0CAQQwBwQFAQIDBAUwDQYJYIZIAWUDBAEFBQAEI" - + "Fi2eHTPM4bQSjP4DUeDzJZLpfemW2gF1SPq7ZPHJi1mMIAGCSqGSIb3DQEHATAUBggqhkiG9w" - + "0DBwQImtdGyUdGGt6ggAQYk9X9z01YFBkU7IlS3wmsKpm/zpZClTceAAAAAAAAAAAAAA=="); - - private byte[] ecKeyAgreeMsgAES256 = Base64.decode( - "MIAGCSqGSIb3DQEHA6CAMIACAQIxgcShgcECAQOgQ6FBMAsGByqGSM49AgEF" - + "AAMyAAPdXlSTpub+qqno9hUGkUDl+S3/ABhPziIB5yGU4678tgOgU5CiKG9Z" - + "kfnabIJ3nZYwGgYJK4EFEIZIPwACMA0GCWCGSAFlAwQBLQUAMFswWTAtMCgx" - + "EzARBgNVBAMTCkFkbWluLU1EU0UxETAPBgNVBAoTCDRCQ1QtMklEAgEBBCi/" - + "rJRLbFwEVW6PcLLmojjW9lI/xGD7CfZzXrqXFw8iHaf3hTRau1gYMIAGCSqG" - + "SIb3DQEHATAdBglghkgBZQMEASoEEMtCnKKPwccmyrbgeSIlA3qggAQQDLw8" - + "pNJR97bPpj6baG99bQQQwhEDsoj5Xg1oOxojHVcYzAAAAAAAAAAAAAA="); - - private byte[] ecKeyAgreeMsgAES128 = Base64.decode( - "MIAGCSqGSIb3DQEHA6CAMIACAQIxgbShgbECAQOgQ6FBMAsGByqGSM49AgEF" - + "AAMyAAL01JLEgKvKh5rbxI/hOxs/9WEezMIsAbUaZM4l5tn3CzXAN505nr5d" - + "LhrcurMK+tAwGgYJK4EFEIZIPwACMA0GCWCGSAFlAwQBBQUAMEswSTAtMCgx" - + "EzARBgNVBAMTCkFkbWluLU1EU0UxETAPBgNVBAoTCDRCQ1QtMklEAgEBBBhi" - + "FLjc5g6aqDT3f8LomljOwl1WTrplUT8wgAYJKoZIhvcNAQcBMB0GCWCGSAFl" - + "AwQBAgQQzXjms16Y69S/rB0EbHqRMaCABBAFmc/QdVW6LTKdEy97kaZzBBBa" - + "fQuviUS03NycpojELx0bAAAAAAAAAAAAAA=="); - - private byte[] ecKeyAgreeMsgDESEDE = Base64.decode( - "MIAGCSqGSIb3DQEHA6CAMIACAQIxgcahgcMCAQOgQ6FBMAsGByqGSM49AgEF" - + "AAMyAALIici6Nx1WN5f0ThH2A8ht9ovm0thpC5JK54t73E1RDzCifePaoQo0" - + "xd6sUqoyGaYwHAYJK4EFEIZIPwACMA8GCyqGSIb3DQEJEAMGBQAwWzBZMC0w" - + "KDETMBEGA1UEAxMKQWRtaW4tTURTRTERMA8GA1UEChMINEJDVC0ySUQCAQEE" - + "KJuqZQ1NB1vXrKPOnb4TCpYOsdm6GscWdwAAZlm2EHMp444j0s55J9wwgAYJ" - + "KoZIhvcNAQcBMBQGCCqGSIb3DQMHBAjwnsDMsafCrKCABBjyPvqFOVMKxxut" - + "VfTx4fQlNGJN8S2ATRgECMcTQ/dsmeViAAAAAAAAAAAAAA=="); - - private byte[] ecMQVKeyAgreeMsgAES128 = Base64.decode( - "MIAGCSqGSIb3DQEHA6CAMIACAQIxgf2hgfoCAQOgQ6FBMAsGByqGSM49AgEF" - + "AAMyAAPDKU+0H58tsjpoYmYCInMr/FayvCCkupebgsnpaGEB7qS9vzcNVUj6" - + "mrnmiC2grpmhRwRFMEMwQTALBgcqhkjOPQIBBQADMgACZpD13z9c7DzRWx6S" - + "0xdbq3S+EJ7vWO+YcHVjTD8NcQDcZcWASW899l1PkL936zsuMBoGCSuBBRCG" - + "SD8AEDANBglghkgBZQMEAQUFADBLMEkwLTAoMRMwEQYDVQQDEwpBZG1pbi1N" - + "RFNFMREwDwYDVQQKEwg0QkNULTJJRAIBAQQYFq58L71nyMK/70w3nc6zkkRy" - + "RL7DHmpZMIAGCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEDzRUpreBsZXWHBe" - + "onxOtSmggAQQ7csAZXwT1lHUqoazoy8bhAQQq+9Zjj8iGdOWgyebbfj67QAA" - + "AAAAAAAAAAA="); - - - private byte[] ecKeyAgreeKey = Base64.decode( - "MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDC8vp7xVTbKSgYVU5Wc" - + "hGkWbzaj+yUFETIWP1Dt7+WSpq3ikSPdl7PpHPqnPVZfoIWhZANiAgSYHTgxf+Dd" - + "Tt84dUvuSKkFy3RhjxJmjwIscK6zbEUzKhcPQG2GHzXhWK5x1kov0I74XpGhVkya" - + "ElH5K6SaOXiXAzcyNGggTOk4+ZFnz5Xl0pBje3zKxPhYu0SnCw7Pcqw="); - - private byte[] bobPrivRsaEncrypt = Base64.decode( - "MIIChQIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKnhZ5g/OdVf" - + "8qCTQV6meYmFyDVdmpFb+x0B2hlwJhcPvaUi0DWFbXqYZhRBXM+3twg7CcmR" - + "uBlpN235ZR572akzJKN/O7uvRgGGNjQyywcDWVL8hYsxBLjMGAgUSOZPHPtd" - + "YMTgXB9T039T2GkB8QX4enDRvoPGXzjPHCyqaqfrAgMBAAECgYBnzUhMmg2P" - + "mMIbZf8ig5xt8KYGHbztpwOIlPIcaw+LNd4Ogngwy+e6alatd8brUXlweQqg" - + "9P5F4Kmy9Bnah5jWMIR05PxZbMHGd9ypkdB8MKCixQheIXFD/A0HPfD6bRSe" - + "TmPwF1h5HEuYHD09sBvf+iU7o8AsmAX2EAnYh9sDGQJBANDDIsbeopkYdo+N" - + "vKZ11mY/1I1FUox29XLE6/BGmvE+XKpVC5va3Wtt+Pw7PAhDk7Vb/s7q/WiE" - + "I2Kv8zHCueUCQQDQUfweIrdb7bWOAcjXq/JY1PeClPNTqBlFy2bKKBlf4hAr" - + "84/sajB0+E0R9KfEILVHIdxJAfkKICnwJAiEYH2PAkA0umTJSChXdNdVUN5q" - + "SO8bKlocSHseIVnDYDubl6nA7xhmqU5iUjiEzuUJiEiUacUgFJlaV/4jbOSn" - + "I3vQgLeFAkEAni+zN5r7CwZdV+EJBqRd2ZCWBgVfJAZAcpw6iIWchw+dYhKI" - + "FmioNRobQ+g4wJhprwMKSDIETukPj3d9NDAlBwJAVxhn1grStavCunrnVNqc" - + "BU+B1O8BiR4yPWnLMcRSyFRVJQA7HCp8JlDV6abXd8vPFfXuC9WN7rOvTKF8" - + "Y0ZB9qANMAsGA1UdDzEEAwIAEA=="); - - private byte[] rfc4134ex5_1 = Base64.decode( - "MIIBHgYJKoZIhvcNAQcDoIIBDzCCAQsCAQAxgcAwgb0CAQAwJjASMRAwDgYD" - + "VQQDEwdDYXJsUlNBAhBGNGvHgABWvBHTbi7NXXHQMA0GCSqGSIb3DQEBAQUA" - + "BIGAC3EN5nGIiJi2lsGPcP2iJ97a4e8kbKQz36zg6Z2i0yx6zYC4mZ7mX7FB" - + "s3IWg+f6KgCLx3M1eCbWx8+MDFbbpXadCDgO8/nUkUNYeNxJtuzubGgzoyEd" - + "8Ch4H/dd9gdzTd+taTEgS0ipdSJuNnkVY4/M652jKKHRLFf02hosdR8wQwYJ" - + "KoZIhvcNAQcBMBQGCCqGSIb3DQMHBAgtaMXpRwZRNYAgDsiSf8Z9P43LrY4O" - + "xUk660cu1lXeCSFOSOpOJ7FuVyU="); - - private byte[] rfc4134ex5_2 = Base64.decode( - "MIIBZQYJKoZIhvcNAQcDoIIBVjCCAVICAQIxggEAMIG9AgEAMCYwEjEQMA4G" - + "A1UEAxMHQ2FybFJTQQIQRjRrx4AAVrwR024uzV1x0DANBgkqhkiG9w0BAQEF" - + "AASBgJQmQojGi7Z4IP+CVypBmNFoCDoEp87khtgyff2N4SmqD3RxPx+8hbLQ" - + "t9i3YcMwcap+aiOkyqjMalT03VUC0XBOGv+HYI3HBZm/aFzxoq+YOXAWs5xl" - + "GerZwTOc9j6AYlK4qXvnztR5SQ8TBjlzytm4V7zg+TGrnGVNQBNw47Ewoj4C" - + "AQQwDQQLTWFpbExpc3RSQzIwEAYLKoZIhvcNAQkQAwcCAToEGHcUr5MSJ/g9" - + "HnJVHsQ6X56VcwYb+OfojTBJBgkqhkiG9w0BBwEwGgYIKoZIhvcNAwIwDgIC" - + "AKAECJwE0hkuKlWhgCBeKNXhojuej3org9Lt7n+wWxOhnky5V50vSpoYRfRR" - + "yw=="); - - public EnvelopedDataTest() - { - } - - private static void init() - throws Exception - { - if (!_initialised) - { - _initialised = true; - - _signDN = "O=Bouncy Castle, C=AU"; - _signKP = CMSTestUtil.makeKeyPair(); - _signCert = CMSTestUtil.makeCertificate(_signKP, _signDN, _signKP, _signDN); - - _origDN = "CN=Bob, OU=Sales, O=Bouncy Castle, C=AU"; - _origKP = CMSTestUtil.makeKeyPair(); - _origCert = CMSTestUtil.makeCertificate(_origKP, _origDN, _signKP, _signDN); - - _reciDN = "CN=Doug, OU=Sales, O=Bouncy Castle, C=AU"; - _reciDN2 = "CN=Fred, OU=Sales, O=Bouncy Castle, C=AU"; - _reciKP = CMSTestUtil.makeKeyPair(); - _reciCert = CMSTestUtil.makeCertificate(_reciKP, _reciDN, _signKP, _signDN); - - _origEcKP = CMSTestUtil.makeEcDsaKeyPair(); - _reciEcKP = CMSTestUtil.makeEcDsaKeyPair(); - _reciEcCert = CMSTestUtil.makeCertificate(_reciEcKP, _reciDN, _signKP, _signDN); - _reciEcKP2 = CMSTestUtil.makeEcDsaKeyPair(); - _reciEcCert2 = CMSTestUtil.makeCertificate(_reciEcKP2, _reciDN2, _signKP, _signDN); - } - } - - public static void main( - String args[]) - throws Exception - { - junit.textui.TestRunner.run(EnvelopedDataTest.suite()); - } - - public static Test suite() - throws Exception - { - init(); - - return new CMSTestSetup(new TestSuite(EnvelopedDataTest.class)); - } - - public void testKeyTrans() - throws Exception - { - byte[] data = "WallaWallaWashington".getBytes(); - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - CMSEnvelopedDataGenerator.DES_EDE3_CBC, BC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - - assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.DES_EDE3_CBC); - - Collection c = recipients.getRecipients(); - - assertEquals(1, c.size()); - - Iterator it = c.iterator(); - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - - byte[] recData = recipient.getContent(_reciKP.getPrivate(), BC); - - assertEquals(true, Arrays.equals(data, recData)); - } - } - - public void testKeyTransCAST5SunJCE() - throws Exception - { - if (Security.getProvider("SunJCE") == null) - { - return; - } - - String version = System.getProperty("java.version"); - if (version.startsWith("1.4") || version.startsWith("1.3")) - { - return; - } - - byte[] data = "WallaWallaWashington".getBytes(); - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - CMSEnvelopedDataGenerator.CAST5_CBC, "SunJCE"); - RecipientInformationStore recipients = ed.getRecipientInfos(); - - assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.CAST5_CBC); - - Collection c = recipients.getRecipients(); - - assertEquals(1, c.size()); - - Iterator it = c.iterator(); - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - - byte[] recData = recipient.getContent(_reciKP.getPrivate(), "SunJCE"); - - assertEquals(true, Arrays.equals(data, recData)); - } - } - - public void testKeyTransRC4() - throws Exception - { - byte[] data = "WallaWallaBouncyCastle".getBytes(); - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - "1.2.840.113549.3.4", BC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - assertEquals(ed.getEncryptionAlgOID(), "1.2.840.113549.3.4"); - - Collection c = recipients.getRecipients(); - - assertEquals(1, c.size()); - - Iterator it = c.iterator(); - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - byte[] recData = recipient.getContent(_reciKP.getPrivate(), BC); - - assertEquals(true, Arrays.equals(data, recData)); - } - } - - public void testKeyTrans128RC4() - throws Exception - { - byte[] data = "WallaWallaBouncyCastle".getBytes(); - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - "1.2.840.113549.3.4", 128, BC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - assertEquals(ed.getEncryptionAlgOID(), "1.2.840.113549.3.4"); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - byte[] recData = recipient.getContent(_reciKP.getPrivate(), BC); - - assertEquals(true, Arrays.equals(data, recData)); - } - else - { - fail("no recipient found"); - } - } - - public void testKeyTransODES() - throws Exception - { - byte[] data = "WallaWallaBouncyCastle".getBytes(); - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - "1.3.14.3.2.7", BC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - assertEquals(ed.getEncryptionAlgOID(), "1.3.14.3.2.7"); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - byte[] recData = recipient.getContent(_reciKP.getPrivate(), BC); - - assertEquals(true, Arrays.equals(data, recData)); - } - else - { - fail("no recipient found"); - } - } - - public void testKeyTransSmallAES() - throws Exception - { - byte[] data = new byte[] { 0, 1, 2, 3 }; - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - CMSEnvelopedDataGenerator.AES128_CBC, BC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - assertEquals(ed.getEncryptionAlgOID(), - CMSEnvelopedDataGenerator.AES128_CBC); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - byte[] recData = recipient.getContent(_reciKP.getPrivate(), BC); - assertEquals(true, Arrays.equals(data, recData)); - } - else - { - fail("no recipient found"); - } - } - - public void testKeyTransCAST5() - throws Exception - { - tryKeyTrans(CMSEnvelopedDataGenerator.CAST5_CBC, new DERObjectIdentifier(CMSEnvelopedDataGenerator.CAST5_CBC), ASN1Sequence.class); - } - - public void testKeyTransAES128() - throws Exception - { - tryKeyTrans(CMSEnvelopedDataGenerator.AES128_CBC, NISTObjectIdentifiers.id_aes128_CBC, DEROctetString.class); - } - - public void testKeyTransAES192() - throws Exception - { - tryKeyTrans(CMSEnvelopedDataGenerator.AES192_CBC, NISTObjectIdentifiers.id_aes192_CBC, DEROctetString.class); - } - - public void testKeyTransAES256() - throws Exception - { - tryKeyTrans(CMSEnvelopedDataGenerator.AES256_CBC, NISTObjectIdentifiers.id_aes256_CBC, DEROctetString.class); - } - - public void testKeyTransSEED() - throws Exception - { - tryKeyTrans(CMSEnvelopedDataGenerator.SEED_CBC, KISAObjectIdentifiers.id_seedCBC, DEROctetString.class); - } - - public void testKeyTransCamellia128() - throws Exception - { - tryKeyTrans(CMSEnvelopedDataGenerator.CAMELLIA128_CBC, NTTObjectIdentifiers.id_camellia128_cbc, DEROctetString.class); - } - - public void testKeyTransCamellia192() - throws Exception - { - tryKeyTrans(CMSEnvelopedDataGenerator.CAMELLIA192_CBC, NTTObjectIdentifiers.id_camellia192_cbc, DEROctetString.class); - } - - public void testKeyTransCamellia256() - throws Exception - { - tryKeyTrans(CMSEnvelopedDataGenerator.CAMELLIA256_CBC, NTTObjectIdentifiers.id_camellia256_cbc, DEROctetString.class); - } - - private void tryKeyTrans(String generatorOID, DERObjectIdentifier checkOID, Class asn1Params) - throws Exception - { - byte[] data = "WallaWallaWashington".getBytes(); - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - edGen.addKeyTransRecipient(_reciCert); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - generatorOID, BC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - assertEquals(checkOID.getId(), ed.getEncryptionAlgOID()); - - if (asn1Params != null) - { - ASN1InputStream aIn = new ASN1InputStream(ed.getEncryptionAlgParams()); - - assertTrue(asn1Params.isAssignableFrom(aIn.readObject().getClass())); - } - - Collection c = recipients.getRecipients(); - - assertEquals(1, c.size()); - - Iterator it = c.iterator(); - - if (!it.hasNext()) - { - fail("no recipients found"); - } - - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - - byte[] recData = recipient.getContent(_reciKP.getPrivate(), BC); - - assertEquals(true, Arrays.equals(data, recData)); - } - } - - public void testErrorneousKEK() - throws Exception - { - byte[] data = "WallaWallaWashington".getBytes(); - SecretKey kek = new SecretKeySpec(new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 }, "AES"); - - CMSEnvelopedData ed = new CMSEnvelopedData(oldKEK); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.DES_EDE3_CBC); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(recipient.getKeyEncryptionAlgOID(), NISTObjectIdentifiers.id_aes128_wrap.getId()); - - byte[] recData = recipient.getContent(kek, BC); - - assertEquals(true, Arrays.equals(data, recData)); - } - else - { - fail("no recipient found"); - } - } - - public void testDESKEK() - throws Exception - { - tryKekAlgorithm(CMSTestUtil.makeDesede192Key(), new DERObjectIdentifier("1.2.840.113549.1.9.16.3.6")); - } - public void testRC2128KEK() - throws Exception - { - tryKekAlgorithm(CMSTestUtil.makeRC2128Key(), new DERObjectIdentifier("1.2.840.113549.1.9.16.3.7")); - } - - public void testAES128KEK() - throws Exception - { - tryKekAlgorithm(CMSTestUtil.makeAESKey(128), NISTObjectIdentifiers.id_aes128_wrap); - } - - public void testAES192KEK() - throws Exception - { - tryKekAlgorithm(CMSTestUtil.makeAESKey(192), NISTObjectIdentifiers.id_aes192_wrap); - } - - public void testAES256KEK() - throws Exception - { - tryKekAlgorithm(CMSTestUtil.makeAESKey(256), NISTObjectIdentifiers.id_aes256_wrap); - } - - public void testSEED128KEK() - throws Exception - { - tryKekAlgorithm(CMSTestUtil.makeSEEDKey(), KISAObjectIdentifiers.id_npki_app_cmsSeed_wrap); - } - - public void testCamellia128KEK() - throws Exception - { - tryKekAlgorithm(CMSTestUtil.makeCamelliaKey(128), NTTObjectIdentifiers.id_camellia128_wrap); - } - - public void testCamellia192KEK() - throws Exception - { - tryKekAlgorithm(CMSTestUtil.makeCamelliaKey(192), NTTObjectIdentifiers.id_camellia192_wrap); - } - - public void testCamellia256KEK() - throws Exception - { - tryKekAlgorithm(CMSTestUtil.makeCamelliaKey(256), NTTObjectIdentifiers.id_camellia256_wrap); - } - - private void tryKekAlgorithm(SecretKey kek, DERObjectIdentifier algOid) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - byte[] data = "WallaWallaWashington".getBytes(); - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - byte[] kekId = new byte[] { 1, 2, 3, 4, 5 }; - - edGen.addKEKRecipient(kek, kekId); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - CMSEnvelopedDataGenerator.DES_EDE3_CBC, BC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.DES_EDE3_CBC); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals(algOid.getId(), recipient.getKeyEncryptionAlgOID()); - - byte[] recData = recipient.getContent(kek, BC); - - assertTrue(Arrays.equals(data, recData)); - } - else - { - fail("no recipient found"); - } - } - - public void testECKeyAgree() - throws Exception - { - byte[] data = Hex.decode("504b492d4320434d5320456e76656c6f706564446174612053616d706c65"); - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - edGen.addKeyAgreementRecipient(CMSEnvelopedDataGenerator.ECDH_SHA1KDF, - _origEcKP.getPrivate(), _origEcKP.getPublic(), - _reciEcCert, CMSEnvelopedDataGenerator.AES128_WRAP, BC); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - CMSEnvelopedDataGenerator.AES128_CBC, BC); - - assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.AES128_CBC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - confirmDataReceived(recipients, data, _reciEcCert, _reciEcKP.getPrivate(), BC); - confirmNumberRecipients(recipients, 1); - } - - public void testECMQVKeyAgree() - throws Exception - { - byte[] data = Hex.decode("504b492d4320434d5320456e76656c6f706564446174612053616d706c65"); - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - edGen.addKeyAgreementRecipient(CMSEnvelopedDataGenerator.ECMQV_SHA1KDF, - _origEcKP.getPrivate(), _origEcKP.getPublic(), - _reciEcCert, CMSEnvelopedDataGenerator.AES128_WRAP, BC); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - CMSEnvelopedDataGenerator.AES128_CBC, BC); - - assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.AES128_CBC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - confirmDataReceived(recipients, data, _reciEcCert, _reciEcKP.getPrivate(), BC); - confirmNumberRecipients(recipients, 1); - } - - public void testECMQVKeyAgreeMultiple() - throws Exception - { - byte[] data = Hex.decode("504b492d4320434d5320456e76656c6f706564446174612053616d706c65"); - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - ArrayList recipientCerts = new ArrayList(); - recipientCerts.add(_reciEcCert); - recipientCerts.add(_reciEcCert2); - - edGen.addKeyAgreementRecipients(CMSEnvelopedDataGenerator.ECMQV_SHA1KDF, - _origEcKP.getPrivate(), _origEcKP.getPublic(), - recipientCerts, CMSEnvelopedDataGenerator.AES128_WRAP, BC); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - CMSEnvelopedDataGenerator.AES128_CBC, BC); - - assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.AES128_CBC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - confirmDataReceived(recipients, data, _reciEcCert, _reciEcKP.getPrivate(), BC); - confirmDataReceived(recipients, data, _reciEcCert2, _reciEcKP2.getPrivate(), BC); - confirmNumberRecipients(recipients, 2); - } - - private static void confirmDataReceived(RecipientInformationStore recipients, - byte[] expectedData, X509Certificate reciCert, PrivateKey reciPrivKey, String provider) - throws CMSException, NoSuchProviderException, CertificateEncodingException, IOException - { - RecipientId rid = new JceKeyAgreeRecipientId(reciCert); - - RecipientInformation recipient = recipients.get(rid); - assertNotNull(recipient); - - byte[] actualData = recipient.getContent(reciPrivKey, provider); - assertEquals(true, Arrays.equals(expectedData, actualData)); - } - - private static void confirmNumberRecipients(RecipientInformationStore recipients, int count) - { - assertEquals(count, recipients.getRecipients().size()); - } - - public void testECKeyAgreeVectors() - throws Exception - { - PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(ecKeyAgreeKey); - KeyFactory fact = KeyFactory.getInstance("ECDH", BC); - PrivateKey privKey = fact.generatePrivate(privSpec); - - verifyECKeyAgreeVectors(privKey, "2.16.840.1.101.3.4.1.42", ecKeyAgreeMsgAES256); - verifyECKeyAgreeVectors(privKey, "2.16.840.1.101.3.4.1.2", ecKeyAgreeMsgAES128); - verifyECKeyAgreeVectors(privKey, "1.2.840.113549.3.7", ecKeyAgreeMsgDESEDE); - } - - public void testECMQVKeyAgreeVectors() - throws Exception - { - PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(ecKeyAgreeKey); - KeyFactory fact = KeyFactory.getInstance("ECDH", BC); - PrivateKey privKey = fact.generatePrivate(privSpec); - - verifyECMQVKeyAgreeVectors(privKey, "2.16.840.1.101.3.4.1.2", ecMQVKeyAgreeMsgAES128); - } - - public void testPasswordAES256() - throws Exception - { - passwordTest(CMSEnvelopedDataGenerator.AES256_CBC); - passwordUTF8Test(CMSEnvelopedDataGenerator.AES256_CBC); - } - - public void testPasswordDESEDE() - throws Exception - { - passwordTest(CMSEnvelopedDataGenerator.DES_EDE3_CBC); - passwordUTF8Test(CMSEnvelopedDataGenerator.DES_EDE3_CBC); - } - - public void testRFC4134ex5_1() - throws Exception - { - byte[] data = Hex.decode("5468697320697320736f6d652073616d706c6520636f6e74656e742e"); - - KeyFactory kFact = KeyFactory.getInstance("RSA", BC); - Key key = kFact.generatePrivate(new PKCS8EncodedKeySpec(bobPrivRsaEncrypt)); - - CMSEnvelopedData ed = new CMSEnvelopedData(rfc4134ex5_1); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - assertEquals("1.2.840.113549.3.7", ed.getEncryptionAlgOID()); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - byte[] recData = recipient.getContent(key, BC); - - assertEquals(true, Arrays.equals(data, recData)); - } - else - { - fail("no recipient found"); - } - } - - public void testRFC4134ex5_2() - throws Exception - { - byte[] data = Hex.decode("5468697320697320736f6d652073616d706c6520636f6e74656e742e"); - - KeyFactory kFact = KeyFactory.getInstance("RSA", BC); - Key key = kFact.generatePrivate(new PKCS8EncodedKeySpec(bobPrivRsaEncrypt)); - - CMSEnvelopedData ed = new CMSEnvelopedData(rfc4134ex5_2); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - assertEquals("1.2.840.113549.3.2", ed.getEncryptionAlgOID()); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - if (it.hasNext()) - { - while (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - byte[] recData; - - if (recipient instanceof KeyTransRecipientInformation) - { - recData = recipient.getContent(key, BC); - - assertEquals(true, Arrays.equals(data, recData)); - } - } - } - else - { - fail("no recipient found"); - } - } - - public void testOriginatorInfo() - throws Exception - { - CMSEnvelopedData env = new CMSEnvelopedData(CMSSampleMessages.originatorMessage); - - RecipientInformationStore recipients = env.getRecipientInfos(); - - assertEquals(CMSEnvelopedDataGenerator.DES_EDE3_CBC, env.getEncryptionAlgOID()); - - } - - private void passwordTest(String algorithm) - throws Exception - { - byte[] data = Hex.decode("504b492d4320434d5320456e76656c6f706564446174612053616d706c65"); - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - edGen.addPasswordRecipient(new PKCS5Scheme2PBEKey("password".toCharArray(), new byte[20], 5), algorithm); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - CMSEnvelopedDataGenerator.AES128_CBC, BC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - assertEquals(ed.getEncryptionAlgOID(), - CMSEnvelopedDataGenerator.AES128_CBC); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - if (it.hasNext()) - { - PasswordRecipientInformation recipient = (PasswordRecipientInformation)it.next(); - - CMSPBEKey key = new PKCS5Scheme2PBEKey("password".toCharArray(), - recipient.getKeyDerivationAlgParameters(BC)); - - byte[] recData = recipient.getContent(key, BC); - - assertEquals(true, Arrays.equals(data, recData)); - } - else - { - fail("no recipient found"); - } - - // - // try algorithm parameters constructor - // - it = c.iterator(); - - RecipientInformation recipient = (RecipientInformation)it.next(); - - byte[] recData = recipient.getContent(new PKCS5Scheme2PBEKey("password".toCharArray(), ((PasswordRecipientInformation)recipient).getKeyDerivationAlgParameters(BC)), BC); - assertEquals(true, Arrays.equals(data, recData)); - } - - private void passwordUTF8Test(String algorithm) - throws Exception - { - byte[] data = Hex.decode("504b492d4320434d5320456e76656c6f706564446174612053616d706c65"); - - CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - - edGen.addPasswordRecipient(new PKCS5Scheme2UTF8PBEKey("abc\u5639\u563b".toCharArray(), new byte[20], 5), algorithm); - - CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - CMSEnvelopedDataGenerator.AES128_CBC, BC); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - assertEquals(ed.getEncryptionAlgOID(), - CMSEnvelopedDataGenerator.AES128_CBC); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - byte[] recData = recipient.getContent(new PKCS5Scheme2UTF8PBEKey("abc\u5639\u563b".toCharArray(), new byte[20], 5), BC); - assertEquals(true, Arrays.equals(data, recData)); - } - else - { - fail("no recipient found"); - } - - // - // try algorithm parameters constructor - // - it = c.iterator(); - - RecipientInformation recipient = (RecipientInformation)it.next(); - - byte[] recData = recipient.getContent(new PKCS5Scheme2UTF8PBEKey("abc\u5639\u563b".toCharArray(), ((PasswordRecipientInformation)recipient).getKeyDerivationAlgParameters(BC)), BC); - assertEquals(true, Arrays.equals(data, recData)); - } - - private void verifyECKeyAgreeVectors(PrivateKey privKey, String wrapAlg, byte[] message) - throws CMSException, GeneralSecurityException - { - byte[] data = Hex.decode("504b492d4320434d5320456e76656c6f706564446174612053616d706c65"); - - CMSEnvelopedData ed = new CMSEnvelopedData(message); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - assertEquals(wrapAlg, ed.getEncryptionAlgOID()); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals("1.3.133.16.840.63.0.2", recipient.getKeyEncryptionAlgOID()); - - byte[] recData = recipient.getContent(privKey, BC); - - assertTrue(Arrays.equals(data, recData)); - } - else - { - fail("no recipient found"); - } - } - - private void verifyECMQVKeyAgreeVectors(PrivateKey privKey, String wrapAlg, byte[] message) - throws CMSException, GeneralSecurityException - { - byte[] data = Hex.decode("504b492d4320434d5320456e76656c6f706564446174612053616d706c65"); - - CMSEnvelopedData ed = new CMSEnvelopedData(message); - - RecipientInformationStore recipients = ed.getRecipientInfos(); - - Collection c = recipients.getRecipients(); - Iterator it = c.iterator(); - - assertEquals(wrapAlg, ed.getEncryptionAlgOID()); - - if (it.hasNext()) - { - RecipientInformation recipient = (RecipientInformation)it.next(); - - assertEquals("1.3.133.16.840.63.0.16", recipient.getKeyEncryptionAlgOID()); - - byte[] recData = recipient.getContent(privKey, BC); - - assertTrue(Arrays.equals(data, recData)); - } - else - { - fail("no recipient found"); - } - } -} diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/MiscDataStreamTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/MiscDataStreamTest.java index 7efaec7..4a86cac 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/MiscDataStreamTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/test/MiscDataStreamTest.java @@ -5,8 +5,6 @@ import java.io.ByteArrayOutputStream; import java.io.OutputStream; import java.security.KeyPair; import java.security.MessageDigest; -import java.security.cert.CertStore; -import java.security.cert.CollectionCertStoreParameters; import java.security.cert.X509CRL; import java.security.cert.X509Certificate; import java.util.ArrayList; @@ -17,6 +15,9 @@ import java.util.List; import junit.framework.Test; import junit.framework.TestCase; import junit.framework.TestSuite; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.jcajce.JcaCRLStore; +import org.bouncycastle.cert.jcajce.JcaCertStore; import org.bouncycastle.cms.CMSCompressedDataStreamGenerator; import org.bouncycastle.cms.CMSDigestedData; import org.bouncycastle.cms.CMSSignedDataParser; @@ -24,10 +25,16 @@ import org.bouncycastle.cms.CMSSignedDataStreamGenerator; import org.bouncycastle.cms.CMSTypedStream; import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.cms.SignerInformationStore; +import org.bouncycastle.cms.jcajce.JcaSignerInfoVerifierBuilder; +import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder; import org.bouncycastle.cms.jcajce.JcaX509CertSelectorConverter; +import org.bouncycastle.cms.jcajce.ZlibCompressor; import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.operator.DigestCalculatorProvider; +import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; import org.bouncycastle.util.Arrays; +import org.bouncycastle.util.Store; import org.bouncycastle.util.encoders.Base64; public class MiscDataStreamTest @@ -74,6 +81,20 @@ public class MiscDataStreamTest private static final JcaX509CertSelectorConverter selectorConverter = new JcaX509CertSelectorConverter(); + private static final DigestCalculatorProvider digCalcProv; + + static + { + try + { + digCalcProv = new JcaDigestCalculatorProviderBuilder().build(); + } + catch (OperatorCreationException e) + { + throw new IllegalStateException("can't create default provider!!!"); + } + } + public MiscDataStreamTest(String name) { super(name); @@ -109,7 +130,7 @@ public class MiscDataStreamTest private void verifySignatures(CMSSignedDataParser sp, byte[] contentDigest) throws Exception { - CertStore certStore = sp.getCertificatesAndCRLs("Collection", BC); + Store certStore = sp.getCertificates(); SignerInformationStore signers = sp.getSignerInfos(); Collection c = signers.getSigners(); @@ -118,24 +139,18 @@ public class MiscDataStreamTest while (it.hasNext()) { SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certStore.getCertificates(selectorConverter.getCertSelector(signer.getSID())); + Collection certCollection = certStore.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); + X509CertificateHolder cert = (X509CertificateHolder)certIt.next(); - assertEquals(true, signer.verify(cert, BC)); + assertEquals(true, signer.verify(new JcaSignerInfoVerifierBuilder(digCalcProv).setProvider(BC).build(cert))); if (contentDigest != null) { assertTrue(MessageDigest.isEqual(contentDigest, signer.getContentDigest())); } } - - Collection certColl = certStore.getCertificates(null); - Collection crlColl = certStore.getCRLs(null); - - assertEquals(certColl.size(), sp.getCertificates("Collection", BC).getMatches(null).size()); - assertEquals(crlColl.size(), sp.getCRLs("Collection", BC).getMatches(null).size()); } private void verifySignatures(CMSSignedDataParser sp) @@ -148,7 +163,7 @@ public class MiscDataStreamTest throws Exception { CMSSignedDataParser sp; - sp = new CMSSignedDataParser(bOut.toByteArray()); + sp = new CMSSignedDataParser(digCalcProv, bOut.toByteArray()); sp.getSignedContent().drain(); @@ -160,14 +175,14 @@ public class MiscDataStreamTest private void checkSigParseable(byte[] sig) throws Exception { - CMSSignedDataParser sp = new CMSSignedDataParser(sig); + CMSSignedDataParser sp = new CMSSignedDataParser(digCalcProv, sig); sp.getVersion(); CMSTypedStream sc = sp.getSignedContent(); if (sc != null) { sc.drain(); } - sp.getCertificatesAndCRLs("Collection", BC); + sp.getCertificates(); sp.getSignerInfos(); sp.close(); } @@ -176,28 +191,27 @@ public class MiscDataStreamTest throws Exception { List certList = new ArrayList(); + List crlList = new ArrayList(); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); certList.add(_origCert); certList.add(_signCert); - certList.add(_signCrl); - certList.add(_origCrl); - - CertStore certsAndCrls = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); + crlList.add(_signCrl); + crlList.add(_origCrl); CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); + gen.addSignerInfoGenerator(new JcaSimpleSignerInfoGeneratorBuilder().setProvider(BC).build("SHA1withRSA", _origKP.getPrivate(), _origCert)); - gen.addCertificatesAndCRLs(certsAndCrls); + gen.addCertificates(new JcaCertStore(certList)); + gen.addCRLs(new JcaCRLStore(crlList)); OutputStream sigOut = gen.open(bOut); CMSCompressedDataStreamGenerator cGen = new CMSCompressedDataStreamGenerator(); - OutputStream cOut = cGen.open(sigOut, CMSCompressedDataStreamGenerator.ZLIB); + OutputStream cOut = cGen.open(sigOut, new ZlibCompressor()); cOut.write(TEST_MESSAGE.getBytes()); @@ -210,13 +224,13 @@ public class MiscDataStreamTest // generate compressed stream ByteArrayOutputStream cDataOut = new ByteArrayOutputStream(); - cOut = cGen.open(cDataOut, CMSCompressedDataStreamGenerator.ZLIB); + cOut = cGen.open(cDataOut, new ZlibCompressor()); cOut.write(TEST_MESSAGE.getBytes()); cOut.close(); - CMSSignedDataParser sp = new CMSSignedDataParser( + CMSSignedDataParser sp = new CMSSignedDataParser(digCalcProv, new CMSTypedStream(new ByteArrayInputStream(cDataOut.toByteArray())), bOut.toByteArray()); sp.getSignedContent().drain(); diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/NewEnvelopedDataTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/NewEnvelopedDataTest.java index c29293a..d95499d 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/NewEnvelopedDataTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/test/NewEnvelopedDataTest.java @@ -10,6 +10,7 @@ import java.security.NoSuchProviderException; import java.security.PrivateKey; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; +import java.security.spec.MGF1ParameterSpec; import java.security.spec.PKCS8EncodedKeySpec; import java.util.Arrays; import java.util.Collection; @@ -17,6 +18,8 @@ import java.util.Hashtable; import java.util.Iterator; import javax.crypto.SecretKey; +import javax.crypto.spec.OAEPParameterSpec; +import javax.crypto.spec.PSource; import javax.crypto.spec.SecretKeySpec; import junit.framework.Test; @@ -26,7 +29,6 @@ import org.bouncycastle.asn1.ASN1InputStream; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.ASN1Sequence; -import org.bouncycastle.asn1.DERObjectIdentifier; import org.bouncycastle.asn1.DEROctetString; import org.bouncycastle.asn1.DERSet; import org.bouncycastle.asn1.DERUTF8String; @@ -36,8 +38,10 @@ import org.bouncycastle.asn1.kisa.KISAObjectIdentifiers; import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; import org.bouncycastle.asn1.ntt.NTTObjectIdentifiers; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.RC2CBCParameter; import org.bouncycastle.asn1.x500.X500Name; -import org.bouncycastle.asn1.x509.X509Extension; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.Extension; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; import org.bouncycastle.cms.CMSAlgorithm; @@ -69,6 +73,7 @@ import org.bouncycastle.cms.jcajce.JcePasswordEnvelopedRecipient; import org.bouncycastle.cms.jcajce.JcePasswordRecipientInfoGenerator; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.operator.OutputEncryptor; +import org.bouncycastle.operator.jcajce.JcaAlgorithmParametersConverter; import org.bouncycastle.util.encoders.Base64; import org.bouncycastle.util.encoders.Hex; @@ -88,7 +93,9 @@ public class NewEnvelopedDataTest private static String _reciDN; private static String _reciDN2; private static KeyPair _reciKP; + private static KeyPair _reciOaepKP; private static X509Certificate _reciCert; + private static X509Certificate _reciCertOaep; private static KeyPair _origEcKP; private static KeyPair _reciEcKP; @@ -185,6 +192,32 @@ public class NewEnvelopedDataTest + "AKAECJwE0hkuKlWhgCBeKNXhojuej3org9Lt7n+wWxOhnky5V50vSpoYRfRR" + "yw=="); + private byte[] tooShort3DES = Base64.decode( + "MIAGCSqGSIb3DQEHA6CAMIACAQAxgcQwgcECAQAwKjAlMRYwFAYDVQQKDA1C" + + "b3VuY3kgQ2FzdGxlMQswCQYDVQQGEwJBVQIBCjANBgkqhkiG9w0BAQEFAASB" + + "gJIM2QN0o6iv8Ux018pVCJ8js+ROV4t6+KoMwLJ4DzRKLU8XCAb9BS+crP+F" + + "ghNTxTpTX8TaxPrO4wV0USgVHu2SvFnxNaWZjBDVIyZI2HR4QkSTqFMhsUB2" + + "6CuZIWBZkhqQ6ruDfvn9UuBWVnfsBD4iryZ1idr713sDeVo5TyvTMIAGCSqG" + + "SIb3DQEHATAUBggqhkiG9w0DBwQIQq9e4+WB3CqggAQIwU4cOlmkWUcAAAAA" + + "AAAAAAAA"); + + private byte[] tooShort3DESKey = Base64.decode( + "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAODZDCj0nQdV" + + "f0GGeFsPjjvPx1Vem0V6IkJ4SzazGKfddk0pX58ZDCnG+S+OPiXmPDqValiu" + + "9FtNy2/r9rrf/6qtcVQJkfSJv9E5Y7HgI98L/Y9lKxZWsfRqu/SlYO5zx0Dc" + + "2rzDvvZRtrtaq0uuHXWJlbWda2L9S65sv/Le/zvjAgMBAAECgYEAnn+iGMTG" + + "ZMMaH6Cg+t/uTa9cPougPMuplt2hd3+sY7izihUeONK5RkHiqmlE2gaAcnOd" + + "McKysiIWxGC73mPEnsOObPkaFlneVb5CtjTaTMdptuLNEQkwvtKhuW2HnMra" + + "4afEgFZdll3FyRpvW/CDooe4Bppjd4aGn/Sr/o9nOzECQQD4QKLwZssuclji" + + "nD/8gU1CqGMMnGNogTMpHm1269HUOE7r1y3MuapUqSWsVhpuEQ8P/Tko0haJ" + + "jeZn2eWTbZu/AkEA591snui8FMeGvkRgvyMFNvXZWDEjsh+N74XEL1lykTgZ" + + "FQJ+cmThnrdM/8yj1dKkdASYrk5kFJ4PVE6CzDI43QJAFS22eNncJZc9u/9m" + + "eg0x4SjqYk4JMQYsripZXlbZ7Mfs+7O8xYVlYZmYjC5ATPmJlmyc7r2VjKCd" + + "cmilbEFikwJBAMh7yf8BaBdjitubzjeW9VxXaa37F01eQWD5PfBfHFP6uJ1V" + + "AbayCfAtuHN6I7OwJih3DPmyqJC3NrQECs67IjUCQAb4TfVE/2G1s66SGnb4" + + "no34BspoV/i4f0uLhJap84bTHcF/ZRSXCmQOCRGdSvQkXHeNPI5Lus6lOHuU" + + "vUDbQC8="); + public NewEnvelopedDataTest() { } @@ -208,6 +241,7 @@ public class NewEnvelopedDataTest _reciDN2 = "CN=Fred, OU=Sales, O=Bouncy Castle, C=AU"; _reciKP = CMSTestUtil.makeKeyPair(); _reciCert = CMSTestUtil.makeCertificate(_reciKP, _reciDN, _signKP, _signDN); + _reciCertOaep = CMSTestUtil.makeOaepCertificate(_reciKP, _reciDN, _signKP, _signDN); _origEcKP = CMSTestUtil.makeEcDsaKeyPair(); _reciEcKP = CMSTestUtil.makeEcDsaKeyPair(); @@ -291,7 +325,7 @@ public class NewEnvelopedDataTest CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(_reciCert).setProvider(BC)); - edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(ASN1OctetString.getInstance(ASN1OctetString.getInstance(_reciCert.getExtensionValue(X509Extension.subjectKeyIdentifier.getId())).getOctets()).getOctets(), _reciCert.getPublicKey()).setProvider(BC)); + edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(ASN1OctetString.getInstance(ASN1OctetString.getInstance(_reciCert.getExtensionValue(Extension.subjectKeyIdentifier.getId())).getOctets()).getOctets(), _reciCert.getPublicKey()).setProvider(BC)); CMSEnvelopedData ed = edGen.generate( new CMSProcessableByteArray(data), @@ -329,6 +363,179 @@ public class NewEnvelopedDataTest assertTrue(collection.iterator().next() instanceof RecipientInformation); } + public void testKeyTransOAEPDefault() + throws Exception + { + byte[] data = "WallaWallaWashington".getBytes(); + + CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); + JcaAlgorithmParametersConverter paramsConverter = new JcaAlgorithmParametersConverter(); + + edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(_reciCert, paramsConverter.getAlgorithmIdentifier(PKCSObjectIdentifiers.id_RSAES_OAEP, OAEPParameterSpec.DEFAULT)).setProvider(BC)); + edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(ASN1OctetString.getInstance(ASN1OctetString.getInstance(_reciCert.getExtensionValue(Extension.subjectKeyIdentifier.getId())).getOctets()).getOctets(), paramsConverter.getAlgorithmIdentifier(PKCSObjectIdentifiers.id_RSAES_OAEP, OAEPParameterSpec.DEFAULT), _reciCert.getPublicKey()).setProvider(BC)); + + CMSEnvelopedData ed = edGen.generate( + new CMSProcessableByteArray(data), + new JceCMSContentEncryptorBuilder(CMSAlgorithm.DES_EDE3_CBC).setProvider(BC).build()); + + RecipientInformationStore recipients = ed.getRecipientInfos(); + + + assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.DES_EDE3_CBC); + + Collection c = recipients.getRecipients(); + + assertEquals(2, c.size()); + + Iterator it = c.iterator(); + + while (it.hasNext()) + { + RecipientInformation recipient = (RecipientInformation)it.next(); + + assertEquals(PKCSObjectIdentifiers.id_RSAES_OAEP, recipient.getKeyEncryptionAlgorithm().getAlgorithm()); + + byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(_reciKP.getPrivate()).setProvider(BC)); + + assertEquals(true, Arrays.equals(data, recData)); + } + + RecipientId id = new JceKeyTransRecipientId(_reciCert); + + Collection collection = recipients.getRecipients(id); + if (collection.size() != 2) + { + fail("recipients not matched using general recipient ID."); + } + assertTrue(collection.iterator().next() instanceof RecipientInformation); + } + + public void testKeyTransOAEPSHA1() + throws Exception + { + doTestKeyTransOAEPDefaultNamed("SHA-1"); + } + + public void testKeyTransOAEPSHA224() + throws Exception + { + doTestKeyTransOAEPDefaultNamed("SHA-224"); + } + + public void testKeyTransOAEPSHA256() + throws Exception + { + doTestKeyTransOAEPDefaultNamed("SHA-256"); + } + + public void testKeyTransOAEPSHA1AndSHA256() + throws Exception + { + doTestKeyTransOAEPDefaultNamed("SHA-1", "SHA-256"); + } + + private void doTestKeyTransOAEPDefaultNamed(String digest) + throws Exception + { + doTestKeyTransOAEPDefaultNamed(digest, digest); + } + + private void doTestKeyTransOAEPDefaultNamed(String digest, String mgfDigest) + throws Exception + { + byte[] data = "WallaWallaWashington".getBytes(); + + CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); + JcaAlgorithmParametersConverter paramsConverter = new JcaAlgorithmParametersConverter(); + + OAEPParameterSpec oaepSpec = new OAEPParameterSpec(digest, "MGF1", new MGF1ParameterSpec(mgfDigest), new PSource.PSpecified(new byte[]{1, 2, 3, 4, 5})); + AlgorithmIdentifier oaepAlgId = paramsConverter.getAlgorithmIdentifier(PKCSObjectIdentifiers.id_RSAES_OAEP, oaepSpec); + + edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(_reciCert, oaepAlgId).setProvider(BC)); + edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(ASN1OctetString.getInstance(ASN1OctetString.getInstance(_reciCert.getExtensionValue(Extension.subjectKeyIdentifier.getId())).getOctets()).getOctets(), oaepAlgId, _reciCert.getPublicKey()).setProvider(BC)); + + CMSEnvelopedData ed = edGen.generate( + new CMSProcessableByteArray(data), + new JceCMSContentEncryptorBuilder(CMSAlgorithm.DES_EDE3_CBC).setProvider(BC).build()); + + RecipientInformationStore recipients = ed.getRecipientInfos(); + + + assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.DES_EDE3_CBC); + + Collection c = recipients.getRecipients(); + + assertEquals(2, c.size()); + + Iterator it = c.iterator(); + + while (it.hasNext()) + { + RecipientInformation recipient = (RecipientInformation)it.next(); + + assertEquals(PKCSObjectIdentifiers.id_RSAES_OAEP, recipient.getKeyEncryptionAlgorithm().getAlgorithm()); + + byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(_reciKP.getPrivate()).setProvider(BC)); + + assertEquals(true, Arrays.equals(data, recData)); + } + + RecipientId id = new JceKeyTransRecipientId(_reciCert); + + Collection collection = recipients.getRecipients(id); + if (collection.size() != 2) + { + fail("recipients not matched using general recipient ID."); + } + assertTrue(collection.iterator().next() instanceof RecipientInformation); + } + + public void testKeyTransOAEPInCert() + throws Exception + { + byte[] data = "WallaWallaWashington".getBytes(); + + CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); + + edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(_reciCertOaep).setProvider(BC)); + edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(ASN1OctetString.getInstance(ASN1OctetString.getInstance(_reciCertOaep.getExtensionValue(Extension.subjectKeyIdentifier.getId())).getOctets()).getOctets(), _reciCertOaep.getPublicKey()).setProvider(BC)); + + CMSEnvelopedData ed = edGen.generate( + new CMSProcessableByteArray(data), + new JceCMSContentEncryptorBuilder(CMSAlgorithm.DES_EDE3_CBC).setProvider(BC).build()); + + RecipientInformationStore recipients = ed.getRecipientInfos(); + + + assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.DES_EDE3_CBC); + + Collection c = recipients.getRecipients(); + + assertEquals(2, c.size()); + + Iterator it = c.iterator(); + + while (it.hasNext()) + { + RecipientInformation recipient = (RecipientInformation)it.next(); + + assertEquals(PKCSObjectIdentifiers.id_RSAES_OAEP, recipient.getKeyEncryptionAlgorithm().getAlgorithm()); + + byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(_reciKP.getPrivate()).setProvider(BC)); + + assertEquals(true, Arrays.equals(data, recData)); + } + + RecipientId id = new JceKeyTransRecipientId(_reciCertOaep); + + Collection collection = recipients.getRecipients(id); + if (collection.size() != 2) + { + fail("recipients not matched using general recipient ID."); + } + assertTrue(collection.iterator().next() instanceof RecipientInformation); + } + public void testKeyTransWithAlgMapping() throws Exception { @@ -385,7 +592,7 @@ public class NewEnvelopedDataTest edGen.setOriginatorInfo(new OriginatorInfoGenerator(origCert).generate()); edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(_reciCert).setProvider(BC)); - edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(ASN1OctetString.getInstance(ASN1OctetString.getInstance(_reciCert.getExtensionValue(X509Extension.subjectKeyIdentifier.getId())).getOctets()).getOctets(), _reciCert.getPublicKey()).setProvider(BC)); + edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(ASN1OctetString.getInstance(ASN1OctetString.getInstance(_reciCert.getExtensionValue(Extension.subjectKeyIdentifier.getId())).getOctets()).getOctets(), _reciCert.getPublicKey()).setProvider(BC)); CMSEnvelopedData ed = edGen.generate( new CMSProcessableByteArray(data), @@ -425,6 +632,42 @@ public class NewEnvelopedDataTest assertTrue(collection.iterator().next() instanceof RecipientInformation); } + public void testKeyTransRC2bit40() + throws Exception + { + byte[] data = "WallaWallaBouncyCastle".getBytes(); + + CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); + + edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(_reciCert).setProvider(BC)); + + CMSEnvelopedData ed = edGen.generate( + new CMSProcessableByteArray(data), + new JceCMSContentEncryptorBuilder(CMSAlgorithm.RC2_CBC, 40).setProvider(BC).build()); + + RecipientInformationStore recipients = ed.getRecipientInfos(); + + assertEquals(ed.getContentEncryptionAlgorithm().getAlgorithm(), CMSAlgorithm.RC2_CBC); + + RC2CBCParameter rc2P = RC2CBCParameter.getInstance(ed.getContentEncryptionAlgorithm().getParameters()); + assertEquals(160, rc2P.getRC2ParameterVersion().intValue()); + + Collection c = recipients.getRecipients(); + + assertEquals(1, c.size()); + + Iterator it = c.iterator(); + + while (it.hasNext()) + { + RecipientInformation recipient = (RecipientInformation)it.next(); + + byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(_reciKP.getPrivate()).setProvider(BC)); + + assertEquals(true, Arrays.equals(data, recData)); + } + } + public void testKeyTransRC4() throws Exception { @@ -594,6 +837,44 @@ public class NewEnvelopedDataTest } } + public void testKeyTransDESEDE3Short() + throws Exception + { + byte[] data = new byte[] { 0, 1, 2, 3 }; + KeyFactory kf = KeyFactory.getInstance("RSA", BC); + PrivateKey kPriv = kf.generatePrivate(new PKCS8EncodedKeySpec(tooShort3DESKey)); + + CMSEnvelopedData ed = new CMSEnvelopedData(tooShort3DES); + + RecipientInformationStore recipients = ed.getRecipientInfos(); + + assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.DES_EDE3_CBC); + + Collection c = recipients.getRecipients(); + Iterator it = c.iterator(); + + if (it.hasNext()) + { + RecipientInformation recipient = (RecipientInformation)it.next(); + try + { + byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(kPriv).setKeySizeValidation(true).setProvider(BC)); + fail("invalid 3DES-EDE key not picked up"); + } + catch (CMSException e) + { + assertEquals("Expected key size for algorithm OID not found in recipient.", e.getMessage()); + } + + byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(kPriv).setKeySizeValidation(false).setProvider(BC)); + assertEquals(true, Arrays.equals(data, recData)); + } + else + { + fail("no recipient found"); + } + } + public void testKeyTransDESEDE3Light() throws Exception { @@ -609,8 +890,7 @@ public class NewEnvelopedDataTest RecipientInformationStore recipients = ed.getRecipientInfos(); - assertEquals(ed.getEncryptionAlgOID(), - CMSEnvelopedDataGenerator.DES_EDE3_CBC); + assertEquals(ed.getEncryptionAlgOID(), CMSEnvelopedDataGenerator.DES_EDE3_CBC); Collection c = recipients.getRecipients(); Iterator it = c.iterator(); @@ -619,7 +899,7 @@ public class NewEnvelopedDataTest { RecipientInformation recipient = (RecipientInformation)it.next(); - byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(_reciKP.getPrivate()).setProvider(BC)); + byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(_reciKP.getPrivate()).setKeySizeValidation(true).setProvider(BC)); assertEquals(true, Arrays.equals(data, recData)); } else @@ -725,7 +1005,7 @@ public class NewEnvelopedDataTest assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(_reciKP.getPrivate()).setProvider(BC)); + byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(_reciKP.getPrivate()).setKeySizeValidation(true).setProvider(BC)); assertEquals(true, Arrays.equals(data, recData)); } @@ -765,12 +1045,12 @@ public class NewEnvelopedDataTest public void testDESKEK() throws Exception { - tryKekAlgorithm(CMSTestUtil.makeDesede192Key(), new DERObjectIdentifier("1.2.840.113549.1.9.16.3.6")); + tryKekAlgorithm(CMSTestUtil.makeDesede192Key(), new ASN1ObjectIdentifier("1.2.840.113549.1.9.16.3.6")); } public void testRC2128KEK() throws Exception { - tryKekAlgorithm(CMSTestUtil.makeRC2128Key(), new DERObjectIdentifier("1.2.840.113549.1.9.16.3.7")); + tryKekAlgorithm(CMSTestUtil.makeRC2128Key(), new ASN1ObjectIdentifier("1.2.840.113549.1.9.16.3.7")); } public void testAES128KEK() @@ -815,7 +1095,7 @@ public class NewEnvelopedDataTest tryKekAlgorithm(CMSTestUtil.makeCamelliaKey(256), NTTObjectIdentifiers.id_camellia256_wrap); } - private void tryKekAlgorithm(SecretKey kek, DERObjectIdentifier algOid) + private void tryKekAlgorithm(SecretKey kek, ASN1ObjectIdentifier algOid) throws NoSuchAlgorithmException, NoSuchProviderException, CMSException { byte[] data = "WallaWallaWashington".getBytes(); @@ -842,7 +1122,7 @@ public class NewEnvelopedDataTest assertEquals(algOid.getId(), recipient.getKeyEncryptionAlgOID()); - byte[] recData = recipient.getContent(new JceKEKEnvelopedRecipient(kek).setProvider(BC)); + byte[] recData = recipient.getContent(new JceKEKEnvelopedRecipient(kek).setKeySizeValidation(true).setProvider(BC)); assertTrue(Arrays.equals(data, recData)); } diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/NewSignedDataStreamTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/NewSignedDataStreamTest.java index 9d9e645..8a92cae 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/NewSignedDataStreamTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/test/NewSignedDataStreamTest.java @@ -33,7 +33,6 @@ import org.bouncycastle.cert.X509AttributeCertificateHolder; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaCRLStore; import org.bouncycastle.cert.jcajce.JcaCertStore; -import org.bouncycastle.cert.jcajce.JcaX509AttributeCertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509CRLHolder; import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; import org.bouncycastle.cert.ocsp.OCSPResp; @@ -957,7 +956,7 @@ public class NewSignedDataStreamTest gen.addCertificates(certs); - X509AttributeCertificateHolder attrCert = new JcaX509AttributeCertificateHolder(CMSTestUtil.getAttributeCertificate()); + X509AttributeCertificateHolder attrCert = CMSTestUtil.getAttributeCertificate(); Store store = new CollectionStore(Collections.singleton(attrCert)); @@ -1283,6 +1282,25 @@ public class NewSignedDataStreamTest assertEquals(new JcaX509CertificateHolder(_origCert), it.next()); } + public void testCertsOnly() + throws Exception + { + List certList = new ArrayList(); + certList.add(_origCert); + certList.add(_signCert); + + Store certs = new JcaCertStore(certList); + + ByteArrayOutputStream bOut = new ByteArrayOutputStream(); + + CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); + gen.addCertificates(certs); + + gen.open(bOut).close(); + + checkSigParseable(bOut.toByteArray()); + } + public static Test suite() throws Exception { diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/NewSignedDataTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/NewSignedDataTest.java index 9317b18..7df2c13 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/NewSignedDataTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/test/NewSignedDataTest.java @@ -6,7 +6,6 @@ import java.security.KeyFactory; import java.security.KeyPair; import java.security.MessageDigest; import java.security.Security; -import java.security.cert.CertificateException; import java.security.cert.X509CRL; import java.security.cert.X509Certificate; import java.security.spec.PKCS8EncodedKeySpec; @@ -39,7 +38,6 @@ import org.bouncycastle.cert.X509AttributeCertificateHolder; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaCRLStore; import org.bouncycastle.cert.jcajce.JcaCertStore; -import org.bouncycastle.cert.jcajce.JcaX509AttributeCertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509CRLHolder; import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; import org.bouncycastle.cert.ocsp.OCSPResp; @@ -57,6 +55,7 @@ import org.bouncycastle.cms.SignerInfoGeneratorBuilder; import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.cms.SignerInformationStore; import org.bouncycastle.cms.SignerInformationVerifier; +import org.bouncycastle.cms.SignerInformationVerifierProvider; import org.bouncycastle.cms.bc.BcRSASignerInfoVerifierBuilder; import org.bouncycastle.cms.jcajce.JcaSignerId; import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder; @@ -64,7 +63,6 @@ import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder; import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; import org.bouncycastle.crypto.params.AsymmetricKeyParameter; import org.bouncycastle.crypto.util.PrivateKeyFactory; -import org.bouncycastle.cms.SignerInformationVerifierProvider; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder; @@ -1663,7 +1661,7 @@ public class NewSignedDataTest gen.addCertificates(certs); - X509AttributeCertificateHolder attrCert = new JcaX509AttributeCertificateHolder(CMSTestUtil.getAttributeCertificate()); + X509AttributeCertificateHolder attrCert = CMSTestUtil.getAttributeCertificate(); List attrList = new ArrayList(); attrList.add(new X509AttributeCertificateHolder(attrCert.getEncoded())); diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/NullProviderTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/NullProviderTest.java index 4cfc498..a97b21c 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/NullProviderTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/test/NullProviderTest.java @@ -12,11 +12,8 @@ import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.PrivateKey; -import java.security.Provider; import java.security.PublicKey; import java.security.SecureRandom; -import java.security.cert.CertStore; -import java.security.cert.CollectionCertStoreParameters; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; @@ -29,23 +26,35 @@ import junit.framework.Test; import junit.framework.TestCase; import junit.framework.TestSuite; import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.cms.ContentInfo; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.x509.X509Name; +import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cms.CMSEnvelopedData; import org.bouncycastle.cms.CMSEnvelopedDataGenerator; -import org.bouncycastle.cms.CMSProcessable; import org.bouncycastle.cms.CMSProcessableByteArray; import org.bouncycastle.cms.CMSSignedData; import org.bouncycastle.cms.CMSSignedDataGenerator; import org.bouncycastle.cms.CMSSignedDataParser; import org.bouncycastle.cms.CMSSignedDataStreamGenerator; +import org.bouncycastle.cms.CMSTypedData; import org.bouncycastle.cms.CMSTypedStream; import org.bouncycastle.cms.RecipientInformation; import org.bouncycastle.cms.RecipientInformationStore; import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.cms.SignerInformationStore; +import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder; +import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; import org.bouncycastle.cms.jcajce.JcaX509CertSelectorConverter; +import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder; +import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient; +import org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator; +import org.bouncycastle.operator.DigestCalculatorProvider; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; +import org.bouncycastle.util.CollectionStore; +import org.bouncycastle.util.Store; import org.bouncycastle.x509.X509V3CertificateGenerator; public class NullProviderTest @@ -75,27 +84,26 @@ public class NullProviderTest throws Exception { List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray(TEST_MESSAGE.getBytes()); + CMSTypedData msg = new CMSProcessableByteArray(TEST_MESSAGE.getBytes()); - certList.add(keyCert); + certList.add(new X509CertificateHolder(keyCert.getEncoded())); - CertStore certsAndCrls = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList)); + DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().build(); CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - gen.addSigner(keyPair.getPrivate(), keyCert, CMSSignedDataGenerator.DIGEST_SHA1); + gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(digCalcProv).build(new JcaContentSignerBuilder("SHA1withRSA").build(keyPair.getPrivate()), keyCert)); - gen.addCertificatesAndCRLs(certsAndCrls); + gen.addCertificates(new CollectionStore(certList)); - CMSSignedData s = gen.generate(msg, true, (Provider)null); + CMSSignedData s = gen.generate(msg, true); ByteArrayInputStream bIn = new ByteArrayInputStream(s.getEncoded()); ASN1InputStream aIn = new ASN1InputStream(bIn); s = new CMSSignedData(ContentInfo.getInstance(aIn.readObject())); - certsAndCrls = s.getCertificatesAndCRLs("Collection", (String)null); // make sure String works as well + Store certsAndCrls = s.getCertificates(); SignerInformationStore signers = s.getSignerInfos(); Collection c = signers.getSigners(); @@ -103,13 +111,12 @@ public class NullProviderTest while (it.hasNext()) { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certsAndCrls.getCertificates(selectorConverter.getCertSelector(signer.getSID())); + SignerInformation signer = (SignerInformation)it.next(); + Collection certCollection = certsAndCrls.getMatches(signer.getSID()); + Iterator certIt = certCollection.iterator(); + X509CertificateHolder cert = (X509CertificateHolder)certIt.next(); - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertEquals(true, signer.verify(cert, (Provider)null)); + assertEquals(true, signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert))); } } @@ -119,16 +126,15 @@ public class NullProviderTest List certList = new ArrayList(); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - certList.add(keyCert); + certList.add(new X509CertificateHolder(keyCert.getEncoded())); - CertStore certsAndCrls = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList)); + DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().build(); CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - gen.addSigner(keyPair.getPrivate(), keyCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, (String)null); + gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(digCalcProv).build(new JcaContentSignerBuilder("SHA1withRSA").build(keyPair.getPrivate()), keyCert)); - gen.addCertificatesAndCRLs(certsAndCrls); + gen.addCertificates(new CollectionStore(certList)); OutputStream sigOut = gen.open(bOut); @@ -136,7 +142,7 @@ public class NullProviderTest sigOut.close(); - CMSSignedDataParser sp = new CMSSignedDataParser( + CMSSignedDataParser sp = new CMSSignedDataParser(digCalcProv, new CMSTypedStream(new ByteArrayInputStream(TEST_MESSAGE.getBytes())), bOut.toByteArray()); sp.getSignedContent().drain(); @@ -147,7 +153,7 @@ public class NullProviderTest MessageDigest md = MessageDigest.getInstance("SHA1"); byte[] contentDigest = md.digest(TEST_MESSAGE.getBytes()); - CertStore certStore = sp.getCertificatesAndCRLs("Collection", (String)null); + Store certStore = sp.getCertificates(); SignerInformationStore signers = sp.getSignerInfos(); Collection c = signers.getSigners(); @@ -156,12 +162,12 @@ public class NullProviderTest while (it.hasNext()) { SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certStore.getCertificates(selectorConverter.getCertSelector(signer.getSID())); + Collection certCollection = certStore.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); + X509CertificateHolder cert = (X509CertificateHolder)certIt.next(); - assertEquals(true, signer.verify(cert, (Provider)null)); + assertEquals(true, signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert))); if (contentDigest != null) { @@ -201,15 +207,14 @@ public class NullProviderTest CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - edGen.addKeyTransRecipient(keyCert); + edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(keyCert)); CMSEnvelopedData ed = edGen.generate( - new CMSProcessableByteArray(data), - algorithm, (String)null); + new CMSProcessableByteArray(data), + new JceCMSContentEncryptorBuilder(new ASN1ObjectIdentifier(algorithm)).build()); RecipientInformationStore recipients = ed.getRecipientInfos(); - assertEquals(ed.getEncryptionAlgOID(), algorithm); Collection c = recipients.getRecipients(); @@ -224,7 +229,7 @@ public class NullProviderTest assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - byte[] recData = recipient.getContent(keyPair.getPrivate(), (String)null); + byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(keyPair.getPrivate())); assertEquals(true, Arrays.equals(data, recData)); } diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/Rfc4134Test.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/Rfc4134Test.java index f36b7b7..2f59702 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/Rfc4134Test.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/test/Rfc4134Test.java @@ -10,7 +10,6 @@ import java.security.NoSuchProviderException; import java.security.PrivateKey; import java.security.PublicKey; import java.security.Security; -import java.security.cert.CertStore; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.security.interfaces.DSAParams; @@ -33,6 +32,8 @@ import org.bouncycastle.asn1.cms.AttributeTable; import org.bouncycastle.asn1.cms.CMSAttributes; import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; import org.bouncycastle.cms.CMSEnvelopedData; import org.bouncycastle.cms.CMSEnvelopedDataGenerator; import org.bouncycastle.cms.CMSEnvelopedDataParser; @@ -45,8 +46,14 @@ import org.bouncycastle.cms.RecipientInformation; import org.bouncycastle.cms.RecipientInformationStore; import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.cms.SignerInformationStore; +import org.bouncycastle.cms.jcajce.JcaSignerInfoVerifierBuilder; import org.bouncycastle.cms.jcajce.JcaX509CertSelectorConverter; +import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient; import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.operator.DigestCalculatorProvider; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; +import org.bouncycastle.util.Store; import org.bouncycastle.util.encoders.Hex; import org.bouncycastle.util.io.Streams; @@ -60,6 +67,19 @@ public class Rfc4134Test private static byte[] sha1 = Hex.decode("406aec085279ba6e16022d9e0629c0229687dd48"); private static final JcaX509CertSelectorConverter selectorConverter = new JcaX509CertSelectorConverter(); + private static final DigestCalculatorProvider digCalcProv; + + static + { + try + { + digCalcProv = new JcaDigestCalculatorProviderBuilder().build(); + } + catch (OperatorCreationException e) + { + throw new IllegalStateException("can't create default provider!!!"); + } + } public Rfc4134Test(String name) { @@ -87,7 +107,7 @@ public class Rfc4134Test verifySignatures(signedData); - CMSSignedDataParser parser = new CMSSignedDataParser(data); + CMSSignedDataParser parser = new CMSSignedDataParser(digCalcProv, data); verifySignatures(parser); } @@ -100,7 +120,7 @@ public class Rfc4134Test verifySignatures(signedData); - CMSSignedDataParser parser = new CMSSignedDataParser(data); + CMSSignedDataParser parser = new CMSSignedDataParser(digCalcProv, data); verifySignatures(parser); } @@ -113,7 +133,7 @@ public class Rfc4134Test verifySignatures(signedData, sha1); - CMSSignedDataParser parser = new CMSSignedDataParser( + CMSSignedDataParser parser = new CMSSignedDataParser(digCalcProv, new CMSTypedStream(new ByteArrayInputStream(exContent)), data); @@ -131,7 +151,7 @@ public class Rfc4134Test verifySignerInfo4_4(getFirstSignerInfo(signedData.getSignerInfos()), counterSigCert); - CMSSignedDataParser parser = new CMSSignedDataParser(data); + CMSSignedDataParser parser = new CMSSignedDataParser(digCalcProv, data); verifySignatures(parser); @@ -146,7 +166,7 @@ public class Rfc4134Test verifySignatures(signedData); - CMSSignedDataParser parser = new CMSSignedDataParser(data); + CMSSignedDataParser parser = new CMSSignedDataParser(digCalcProv, data); verifySignatures(parser); } @@ -159,7 +179,7 @@ public class Rfc4134Test verifySignatures(signedData); - CMSSignedDataParser parser = new CMSSignedDataParser(data); + CMSSignedDataParser parser = new CMSSignedDataParser(digCalcProv, data); verifySignatures(parser); } @@ -172,7 +192,7 @@ public class Rfc4134Test verifySignatures(signedData); - CMSSignedDataParser parser = new CMSSignedDataParser(data); + CMSSignedDataParser parser = new CMSSignedDataParser(digCalcProv, data); verifySignatures(parser); } @@ -260,7 +280,7 @@ public class Rfc4134Test { assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - byte[] recData = recipient.getContent(privKey, BC); + byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(privKey).setProvider(BC)); assertEquals(true, Arrays.equals(exContent, recData)); } @@ -286,7 +306,7 @@ public class Rfc4134Test CertificateFactory certFact = CertificateFactory.getInstance("X.509", BC); X509Certificate cert = (X509Certificate)certFact.generateCertificate(new ByteArrayInputStream(certificate)); - assertTrue(csi.verify(cert, BC)); + assertTrue(csi.verify(new JcaSignerInfoVerifierBuilder(digCalcProv).setProvider(BC).build(cert))); } private void verifyContentHint(SignerInformation signInfo) @@ -308,7 +328,7 @@ public class Rfc4134Test private void verifySignatures(CMSSignedData s, byte[] contentDigest) throws Exception { - CertStore certStore = s.getCertificatesAndCRLs("Collection", BC); + Store certStore = s.getCertificates(); SignerInformationStore signers = s.getSignerInfos(); Collection c = signers.getSigners(); @@ -317,10 +337,10 @@ public class Rfc4134Test while (it.hasNext()) { SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certStore.getCertificates(selectorConverter.getCertSelector(signer.getSID())); + Collection certCollection = certStore.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); + X509CertificateHolder cert = (X509CertificateHolder)certIt.next(); verifySigner(signer, cert); @@ -329,12 +349,6 @@ public class Rfc4134Test assertTrue(MessageDigest.isEqual(contentDigest, signer.getContentDigest())); } } - - Collection certColl = certStore.getCertificates(null); - Collection crlColl = certStore.getCRLs(null); - - assertEquals(certColl.size(), s.getCertificates("Collection", BC).getMatches(null).size()); - assertEquals(crlColl.size(), s.getCRLs("Collection", BC).getMatches(null).size()); } private void verifySignatures(CMSSignedData s) @@ -352,7 +366,7 @@ public class Rfc4134Test sc.drain(); } - CertStore certs = sp.getCertificatesAndCRLs("Collection", BC); + Store certs = sp.getCertificates(); SignerInformationStore signers = sp.getSignerInfos(); Collection c = signers.getSigners(); @@ -361,34 +375,35 @@ public class Rfc4134Test while (it.hasNext()) { SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certs.getCertificates(selectorConverter.getCertSelector(signer.getSID())); + Collection certCollection = certs.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); + X509CertificateHolder cert = (X509CertificateHolder)certIt.next(); verifySigner(signer, cert); } } - private void verifySigner(SignerInformation signer, X509Certificate cert) + private void verifySigner(SignerInformation signer, X509CertificateHolder certHolder) throws Exception { + X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder); if (cert.getPublicKey() instanceof DSAPublicKey) { DSAPublicKey key = (DSAPublicKey)cert.getPublicKey(); if (key.getParams() == null) { - assertEquals(true, signer.verify(getInheritedKey(key), BC)); + assertEquals(true, signer.verify(new JcaSignerInfoVerifierBuilder(digCalcProv).setProvider(BC).build(getInheritedKey(key)))); } else { - assertEquals(true, signer.verify(cert, BC)); + assertEquals(true, signer.verify(new JcaSignerInfoVerifierBuilder(digCalcProv).setProvider(BC).build(cert))); } } else { - assertEquals(true, signer.verify(cert, BC)); + assertEquals(true, signer.verify(new JcaSignerInfoVerifierBuilder(digCalcProv).setProvider(BC).build(cert))); } } diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/SignedDataStreamTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/SignedDataStreamTest.java deleted file mode 100644 index 39b50da..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/SignedDataStreamTest.java +++ /dev/null @@ -1,1158 +0,0 @@ -package org.bouncycastle.cms.test; - -import java.io.BufferedOutputStream; -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.OutputStream; -import java.security.InvalidKeyException; -import java.security.KeyPair; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.security.cert.CertStore; -import java.security.cert.CollectionCertStoreParameters; -import java.security.cert.X509CRL; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.Hashtable; -import java.util.Iterator; -import java.util.List; -import java.util.Map; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; -import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.ASN1OctetString; -import org.bouncycastle.asn1.DEROctetString; -import org.bouncycastle.asn1.DERSet; -import org.bouncycastle.asn1.cms.Attribute; -import org.bouncycastle.asn1.cms.AttributeTable; -import org.bouncycastle.asn1.cms.CMSAttributes; -import org.bouncycastle.cms.CMSAttributeTableGenerator; -import org.bouncycastle.cms.CMSProcessable; -import org.bouncycastle.cms.CMSProcessableByteArray; -import org.bouncycastle.cms.CMSSignedData; -import org.bouncycastle.cms.CMSSignedDataGenerator; -import org.bouncycastle.cms.CMSSignedDataParser; -import org.bouncycastle.cms.CMSSignedDataStreamGenerator; -import org.bouncycastle.cms.CMSSignedGenerator; -import org.bouncycastle.cms.CMSTypedStream; -import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator; -import org.bouncycastle.cms.SignerInformation; -import org.bouncycastle.cms.SignerInformationStore; -import org.bouncycastle.cms.jcajce.JcaX509CertSelectorConverter; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.util.encoders.Base64; -import org.bouncycastle.x509.X509AttributeCertificate; -import org.bouncycastle.x509.X509CollectionStoreParameters; -import org.bouncycastle.x509.X509Store; - -public class SignedDataStreamTest - extends TestCase -{ - private static final String BC = BouncyCastleProvider.PROVIDER_NAME; - - private static final String TEST_MESSAGE = "Hello World!"; - private static String _signDN; - private static KeyPair _signKP; - private static X509Certificate _signCert; - - private static String _origDN; - private static KeyPair _origKP; - private static X509Certificate _origCert; - - private static String _reciDN; - private static KeyPair _reciKP; - private static X509Certificate _reciCert; - - private static KeyPair _origDsaKP; - private static X509Certificate _origDsaCert; - - private static X509CRL _signCrl; - private static X509CRL _origCrl; - - private static boolean _initialised = false; - - private static final JcaX509CertSelectorConverter selectorConverter = new JcaX509CertSelectorConverter(); - - public SignedDataStreamTest(String name) - { - super(name); - } - - private static void init() - throws Exception - { - if (!_initialised) - { - _initialised = true; - - _signDN = "O=Bouncy Castle, C=AU"; - _signKP = CMSTestUtil.makeKeyPair(); - _signCert = CMSTestUtil.makeCertificate(_signKP, _signDN, _signKP, _signDN); - - _origDN = "CN=Bob, OU=Sales, O=Bouncy Castle, C=AU"; - _origKP = CMSTestUtil.makeKeyPair(); - _origCert = CMSTestUtil.makeCertificate(_origKP, _origDN, _signKP, _signDN); - - _origDsaKP = CMSTestUtil.makeDsaKeyPair(); - _origDsaCert = CMSTestUtil.makeCertificate(_origDsaKP, _origDN, _signKP, _signDN); - - _reciDN = "CN=Doug, OU=Sales, O=Bouncy Castle, C=AU"; - _reciKP = CMSTestUtil.makeKeyPair(); - _reciCert = CMSTestUtil.makeCertificate(_reciKP, _reciDN, _signKP, _signDN); - - _signCrl = CMSTestUtil.makeCrl(_signKP); - _origCrl = CMSTestUtil.makeCrl(_origKP); - } - } - - private void verifySignatures(CMSSignedDataParser sp, byte[] contentDigest) - throws Exception - { - CertStore certStore = sp.getCertificatesAndCRLs("Collection", BC); - SignerInformationStore signers = sp.getSignerInfos(); - - Collection c = signers.getSigners(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certStore.getCertificates(selectorConverter.getCertSelector(signer.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertEquals(true, signer.verify(cert, BC)); - - if (contentDigest != null) - { - assertTrue(MessageDigest.isEqual(contentDigest, signer.getContentDigest())); - } - } - - Collection certColl = certStore.getCertificates(null); - Collection crlColl = certStore.getCRLs(null); - - assertEquals(certColl.size(), sp.getCertificates("Collection", BC).getMatches(null).size()); - assertEquals(crlColl.size(), sp.getCRLs("Collection", BC).getMatches(null).size()); - } - - private void verifySignatures(CMSSignedDataParser sp) - throws Exception - { - verifySignatures(sp, null); - } - - private void verifyEncodedData(ByteArrayOutputStream bOut) - throws Exception - { - CMSSignedDataParser sp; - sp = new CMSSignedDataParser(bOut.toByteArray()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - - sp.close(); - } - - private void checkSigParseable(byte[] sig) - throws Exception - { - CMSSignedDataParser sp = new CMSSignedDataParser(sig); - sp.getVersion(); - CMSTypedStream sc = sp.getSignedContent(); - if (sc != null) - { - sc.drain(); - } - sp.getCertificatesAndCRLs("Collection", BC); - sp.getSignerInfos(); - sp.close(); - } - - public void testEarlyInvalidKeyException() throws Exception - { - try - { - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - gen.addSigner( _origKP.getPrivate(), _origCert, - "DSA", // DOESN'T MATCH KEY ALG - CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - fail("Expected InvalidKeyException in addSigner"); - } - catch (InvalidKeyException e) - { - // Ignore - } - } - - public void testEarlyNoSuchAlgorithmException() throws Exception - { - try - { - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - gen.addSigner( _origKP.getPrivate(), _origCert, - CMSSignedDataStreamGenerator.DIGEST_SHA1, // BAD OID! - CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - fail("Expected NoSuchAlgorithmException in addSigner"); - } - catch (NoSuchAlgorithmException e) - { - // Ignore - } - } - - public void testSha1EncapsulatedSignature() - throws Exception - { - byte[] encapSigData = Base64.decode( - "MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEH" - + "AaCAJIAEDEhlbGxvIFdvcmxkIQAAAAAAAKCCBGIwggINMIIBdqADAgECAgEF" - + "MA0GCSqGSIb3DQEBBAUAMCUxFjAUBgNVBAoTDUJvdW5jeSBDYXN0bGUxCzAJ" - + "BgNVBAYTAkFVMB4XDTA1MDgwNzA2MjU1OVoXDTA1MTExNTA2MjU1OVowJTEW" - + "MBQGA1UEChMNQm91bmN5IENhc3RsZTELMAkGA1UEBhMCQVUwgZ8wDQYJKoZI" - + "hvcNAQEBBQADgY0AMIGJAoGBAI1fZGgH9wgC3QiK6yluH6DlLDkXkxYYL+Qf" - + "nVRszJVYl0LIxZdpb7WEbVpO8fwtEgFtoDsOdxyqh3dTBv+L7NVD/v46kdPt" - + "xVkSNHRbutJVY8Xn4/TC/CDngqtbpbniMO8n0GiB6vs94gBT20M34j96O2IF" - + "73feNHP+x8PkJ+dNAgMBAAGjTTBLMB0GA1UdDgQWBBQ3XUfEE6+D+t+LIJgK" - + "ESSUE58eyzAfBgNVHSMEGDAWgBQ3XUfEE6+D+t+LIJgKESSUE58eyzAJBgNV" - + "HRMEAjAAMA0GCSqGSIb3DQEBBAUAA4GBAFK3r1stYOeXYJOlOyNGDTWEhZ+a" - + "OYdFeFaS6c+InjotHuFLAy+QsS8PslE48zYNFEqYygGfLhZDLlSnJ/LAUTqF" - + "01vlp+Bgn/JYiJazwi5WiiOTf7Th6eNjHFKXS3hfSGPNPIOjvicAp3ce3ehs" - + "uK0MxgLAaxievzhFfJcGSUMDMIICTTCCAbagAwIBAgIBBzANBgkqhkiG9w0B" - + "AQQFADAlMRYwFAYDVQQKEw1Cb3VuY3kgQ2FzdGxlMQswCQYDVQQGEwJBVTAe" - + "Fw0wNTA4MDcwNjI1NTlaFw0wNTExMTUwNjI1NTlaMGUxGDAWBgNVBAMTD0Vy" - + "aWMgSC4gRWNoaWRuYTEkMCIGCSqGSIb3DQEJARYVZXJpY0Bib3VuY3ljYXN0" - + "bGUub3JnMRYwFAYDVQQKEw1Cb3VuY3kgQ2FzdGxlMQswCQYDVQQGEwJBVTCB" - + "nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAgHCJyfwV6/V3kqSu2SOU2E/K" - + "I+N0XohCMUaxPLLNtNBZ3ijxwaV6JGFz7siTgZD/OGfzir/eZimkt+L1iXQn" - + "OAB+ZChivKvHtX+dFFC7Vq+E4Uy0Ftqc/wrGxE6DHb5BR0hprKH8wlDS8wSP" - + "zxovgk4nH0ffUZOoDSuUgjh3gG8CAwEAAaNNMEswHQYDVR0OBBYEFLfY/4EG" - + "mYrvJa7Cky+K9BJ7YmERMB8GA1UdIwQYMBaAFDddR8QTr4P634sgmAoRJJQT" - + "nx7LMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEEBQADgYEADIOmpMd6UHdMjkyc" - + "mIE1yiwfClCsGhCK9FigTg6U1G2FmkBwJIMWBlkeH15uvepsAncsgK+Cn3Zr" - + "dZMb022mwtTJDtcaOM+SNeuCnjdowZ4i71Hf68siPm6sMlZkhz49rA0Yidoo" - + "WuzYOO+dggzwDsMldSsvsDo/ARyCGOulDOAxggEvMIIBKwIBATAqMCUxFjAU" - + "BgNVBAoTDUJvdW5jeSBDYXN0bGUxCzAJBgNVBAYTAkFVAgEHMAkGBSsOAwIa" - + "BQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEP" - + "Fw0wNTA4MDcwNjI1NTlaMCMGCSqGSIb3DQEJBDEWBBQu973mCM5UBOl9XwQv" - + "lfifHCMocTANBgkqhkiG9w0BAQEFAASBgGxnBl2qozYKLgZ0ygqSFgWcRGl1" - + "LgNuE587LtO+EKkgoc3aFqEdjXlAyP8K7naRsvWnFrsB6pUpnrgI9Z8ZSKv8" - + "98IlpsSSJ0jBlEb4gzzavwcBpYbr2ryOtDcF+kYmKIpScglyyoLzm+KPXOoT" - + "n7MsJMoKN3Kd2Vzh6s10PFgeAAAAAAAA"); - - CMSSignedDataParser sp = new CMSSignedDataParser(encapSigData); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - } - - public void testSHA1WithRSANoAttributes() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray(TEST_MESSAGE.getBytes()); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData s = gen.generate(CMSSignedDataGenerator.DATA, msg, false, BC, false); - - CMSSignedDataParser sp = new CMSSignedDataParser( - new CMSTypedStream(new ByteArrayInputStream(TEST_MESSAGE.getBytes())), s.getEncoded()); - - sp.getSignedContent().drain(); - - // - // compute expected content digest - // - MessageDigest md = MessageDigest.getInstance("SHA1", BC); - - verifySignatures(sp, md.digest(TEST_MESSAGE.getBytes())); - } - - public void testDSANoAttributes() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray(TEST_MESSAGE.getBytes()); - - certList.add(_origDsaCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origDsaKP.getPrivate(), _origDsaCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData s = gen.generate(CMSSignedDataGenerator.DATA, msg, false, BC, false); - - CMSSignedDataParser sp = new CMSSignedDataParser( - new CMSTypedStream(new ByteArrayInputStream(TEST_MESSAGE.getBytes())), s.getEncoded()); - - sp.getSignedContent().drain(); - - // - // compute expected content digest - // - MessageDigest md = MessageDigest.getInstance("SHA1", BC); - - verifySignatures(sp, md.digest(TEST_MESSAGE.getBytes())); - } - - public void testSHA1WithRSA() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_origCert); - certList.add(_signCert); - - certList.add(_signCrl); - certList.add(_origCrl); - - CertStore certsAndCrls = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certsAndCrls); - - OutputStream sigOut = gen.open(bOut); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - checkSigParseable(bOut.toByteArray()); - - CMSSignedDataParser sp = new CMSSignedDataParser( - new CMSTypedStream(new ByteArrayInputStream(TEST_MESSAGE.getBytes())), bOut.toByteArray()); - - sp.getSignedContent().drain(); - - // - // compute expected content digest - // - MessageDigest md = MessageDigest.getInstance("SHA1", BC); - - verifySignatures(sp, md.digest(TEST_MESSAGE.getBytes())); - - // - // try using existing signer - // - gen = new CMSSignedDataStreamGenerator(); - - gen.addSigners(sp.getSignerInfos()); - - gen.addCertificatesAndCRLs(sp.getCertificatesAndCRLs("Collection", BC)); - - bOut.reset(); - - sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - verifyEncodedData(bOut); - - // - // look for the CRLs - // - Collection col = certsAndCrls.getCRLs(null); - - assertEquals(2, col.size()); - assertTrue(col.contains(_signCrl)); - assertTrue(col.contains(_origCrl)); - } - - public void testSHA1WithRSANonData() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_origCert); - certList.add(_signCert); - - certList.add(_signCrl); - certList.add(_origCrl); - - CertStore certsAndCrls = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certsAndCrls); - - OutputStream sigOut = gen.open(bOut, "1.2.3.4", true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - CMSSignedDataParser sp = new CMSSignedDataParser(bOut.toByteArray()); - - CMSTypedStream stream = sp.getSignedContent(); - - assertEquals(new ASN1ObjectIdentifier("1.2.3.4"), stream.getContentType()); - - stream.drain(); - - // - // compute expected content digest - // - MessageDigest md = MessageDigest.getInstance("SHA1", BC); - - verifySignatures(sp, md.digest(TEST_MESSAGE.getBytes())); - } - - public void testSHA1AndMD5WithRSA() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_MD5, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - checkSigParseable(bOut.toByteArray()); - - CMSSignedDataParser sp = new CMSSignedDataParser( - new CMSTypedStream(new ByteArrayInputStream(TEST_MESSAGE.getBytes())), bOut.toByteArray()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - } - - public void testSHA1WithRSAEncapsulatedBufferedStream() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - // - // find unbuffered length - // - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut, true); - - for (int i = 0; i != 2000; i++) - { - sigOut.write(i & 0xff); - } - - sigOut.close(); - - CMSSignedDataParser sp = new CMSSignedDataParser(bOut.toByteArray()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - - int unbufferedLength = bOut.toByteArray().length; - - // - // find buffered length with buffered stream - should be equal - // - bOut = new ByteArrayOutputStream(); - - gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - sigOut = gen.open(bOut, true); - - BufferedOutputStream bfOut = new BufferedOutputStream(sigOut, 300); - - for (int i = 0; i != 2000; i++) - { - bfOut.write(i & 0xff); - } - - bfOut.close(); - - verifyEncodedData(bOut); - - assertTrue(bOut.toByteArray().length == unbufferedLength); - } - - public void testSHA1WithRSAEncapsulatedBuffered() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - // - // find unbuffered length - // - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut, true); - - for (int i = 0; i != 2000; i++) - { - sigOut.write(i & 0xff); - } - - sigOut.close(); - - CMSSignedDataParser sp = new CMSSignedDataParser(bOut.toByteArray()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - - int unbufferedLength = bOut.toByteArray().length; - - // - // find buffered length - buffer size less than default - // - bOut = new ByteArrayOutputStream(); - - gen = new CMSSignedDataStreamGenerator(); - - gen.setBufferSize(300); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - sigOut = gen.open(bOut, true); - - for (int i = 0; i != 2000; i++) - { - sigOut.write(i & 0xff); - } - - sigOut.close(); - - verifyEncodedData(bOut); - - assertTrue(bOut.toByteArray().length > unbufferedLength); - } - - public void testSHA1WithRSAEncapsulated() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - CMSSignedDataParser sp = new CMSSignedDataParser(bOut.toByteArray()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - - byte[] contentDigest = (byte[])gen.getGeneratedDigests().get(CMSSignedGenerator.DIGEST_SHA1); - - AttributeTable table = ((SignerInformation)sp.getSignerInfos().getSigners().iterator().next()).getSignedAttributes(); - Attribute hash = table.get(CMSAttributes.messageDigest); - - assertTrue(MessageDigest.isEqual(contentDigest, ((ASN1OctetString)hash.getAttrValues().getObjectAt(0)).getOctets())); - - // - // try using existing signer - // - gen = new CMSSignedDataStreamGenerator(); - - gen.addSigners(sp.getSignerInfos()); - - gen.addCertificatesAndCRLs(sp.getCertificatesAndCRLs("Collection", BC)); - - bOut.reset(); - - sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - CMSSignedData sd = new CMSSignedData(new CMSProcessableByteArray(TEST_MESSAGE.getBytes()), bOut.toByteArray()); - - assertEquals(1, sd.getSignerInfos().getSigners().size()); - - verifyEncodedData(bOut); - } - - public void testSHA1WithRSAEncapsulatedSubjectKeyID() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), CMSTestUtil.createSubjectKeyId(_origCert.getPublicKey()).getKeyIdentifier(), CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - CMSSignedDataParser sp = new CMSSignedDataParser(bOut.toByteArray()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - - byte[] contentDigest = (byte[])gen.getGeneratedDigests().get(CMSSignedGenerator.DIGEST_SHA1); - - AttributeTable table = ((SignerInformation)sp.getSignerInfos().getSigners().iterator().next()).getSignedAttributes(); - Attribute hash = table.get(CMSAttributes.messageDigest); - - assertTrue(MessageDigest.isEqual(contentDigest, ((ASN1OctetString)hash.getAttrValues().getObjectAt(0)).getOctets())); - - // - // try using existing signer - // - gen = new CMSSignedDataStreamGenerator(); - - gen.addSigners(sp.getSignerInfos()); - - gen.addCertificatesAndCRLs(sp.getCertificatesAndCRLs("Collection", BC)); - - bOut.reset(); - - sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - CMSSignedData sd = new CMSSignedData(new CMSProcessableByteArray(TEST_MESSAGE.getBytes()), bOut.toByteArray()); - - assertEquals(1, sd.getSignerInfos().getSigners().size()); - - verifyEncodedData(bOut); - } - - public void testAttributeGenerators() - throws Exception - { - final ASN1ObjectIdentifier dummyOid1 = new ASN1ObjectIdentifier("1.2.3"); - final ASN1ObjectIdentifier dummyOid2 = new ASN1ObjectIdentifier("1.2.3.4"); - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - CMSAttributeTableGenerator signedGen = new DefaultSignedAttributeTableGenerator() - { - public AttributeTable getAttributes(Map parameters) - { - Hashtable table = createStandardAttributeTable(parameters); - - DEROctetString val = new DEROctetString((byte[])parameters.get(CMSAttributeTableGenerator.DIGEST)); - Attribute attr = new Attribute(dummyOid1, new DERSet(val)); - - table.put(attr.getAttrType(), attr); - - return new AttributeTable(table); - } - }; - - CMSAttributeTableGenerator unsignedGen = new CMSAttributeTableGenerator() - { - public AttributeTable getAttributes(Map parameters) - { - DEROctetString val = new DEROctetString((byte[])parameters.get(CMSAttributeTableGenerator.SIGNATURE)); - Attribute attr = new Attribute(dummyOid2, new DERSet(val)); - - return new AttributeTable(new DERSet(attr)); - } - }; - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, signedGen, unsignedGen, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - CMSSignedDataParser sp = new CMSSignedDataParser(bOut.toByteArray()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - - // - // check attributes - // - SignerInformationStore signers = sp.getSignerInfos(); - - Collection c = signers.getSigners(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - checkAttribute(signer.getContentDigest(), signer.getSignedAttributes().get(dummyOid1)); - checkAttribute(signer.getSignature(), signer.getUnsignedAttributes().get(dummyOid2)); - } - } - - private void checkAttribute(byte[] expected, Attribute attr) - { - DEROctetString value = (DEROctetString)attr.getAttrValues().getObjectAt(0); - - assertEquals(new DEROctetString(expected), value); - } - - public void testWithAttributeCertificate() - throws Exception - { - List certList = new ArrayList(); - - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - X509AttributeCertificate attrCert = CMSTestUtil.getAttributeCertificate(); - - X509Store store = X509Store.getInstance("AttributeCertificate/Collection", - new X509CollectionStoreParameters(Collections.singleton(attrCert)), BC); - - gen.addAttributeCertificates(store); - - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - OutputStream sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - CMSSignedDataParser sp = new CMSSignedDataParser(bOut.toByteArray()); - - sp.getSignedContent().drain(); - - assertEquals(4, sp.getVersion()); - - store = sp.getAttributeCertificates("Collection", BC); - - Collection coll = store.getMatches(null); - - assertEquals(1, coll.size()); - - assertTrue(coll.contains(attrCert)); - } - - public void testSignerStoreReplacement() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - byte[] data = TEST_MESSAGE.getBytes(); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut, false); - - sigOut.write(data); - - sigOut.close(); - - checkSigParseable(bOut.toByteArray()); - - // - // create new Signer - // - ByteArrayInputStream original = new ByteArrayInputStream(bOut.toByteArray()); - - bOut.reset(); - - gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA224, BC); - - gen.addCertificatesAndCRLs(certs); - - sigOut = gen.open(bOut); - - sigOut.write(data); - - sigOut.close(); - - checkSigParseable(bOut.toByteArray()); - - CMSSignedData sd = new CMSSignedData(bOut.toByteArray()); - - // - // replace signer - // - ByteArrayOutputStream newOut = new ByteArrayOutputStream(); - - CMSSignedDataParser.replaceSigners(original, sd.getSignerInfos(), newOut); - - sd = new CMSSignedData(new CMSProcessableByteArray(data), newOut.toByteArray()); - SignerInformation signer = (SignerInformation)sd.getSignerInfos().getSigners().iterator().next(); - - assertEquals(signer.getDigestAlgOID(), CMSSignedDataStreamGenerator.DIGEST_SHA224); - - CMSSignedDataParser sp = new CMSSignedDataParser(new CMSTypedStream(new ByteArrayInputStream(data)), newOut.toByteArray()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - } - - public void testEncapsulatedSignerStoreReplacement() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - // - // create new Signer - // - ByteArrayInputStream original = new ByteArrayInputStream(bOut.toByteArray()); - - bOut.reset(); - - gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA224, BC); - - gen.addCertificatesAndCRLs(certs); - - sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - CMSSignedData sd = new CMSSignedData(bOut.toByteArray()); - - // - // replace signer - // - ByteArrayOutputStream newOut = new ByteArrayOutputStream(); - - CMSSignedDataParser.replaceSigners(original, sd.getSignerInfos(), newOut); - - sd = new CMSSignedData(newOut.toByteArray()); - SignerInformation signer = (SignerInformation)sd.getSignerInfos().getSigners().iterator().next(); - - assertEquals(signer.getDigestAlgOID(), CMSSignedDataStreamGenerator.DIGEST_SHA224); - - CMSSignedDataParser sp = new CMSSignedDataParser(newOut.toByteArray()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - } - - public void testCertStoreReplacement() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - byte[] data = TEST_MESSAGE.getBytes(); - - certList.add(_origDsaCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut); - - sigOut.write(data); - - sigOut.close(); - - checkSigParseable(bOut.toByteArray()); - - // - // create new certstore with the right certificates - // - certList = new ArrayList(); - certList.add(_origCert); - certList.add(_signCert); - - certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - // - // replace certs - // - ByteArrayInputStream original = new ByteArrayInputStream(bOut.toByteArray()); - ByteArrayOutputStream newOut = new ByteArrayOutputStream(); - - CMSSignedDataParser.replaceCertificatesAndCRLs(original, certs, newOut); - - CMSSignedDataParser sp = new CMSSignedDataParser(new CMSTypedStream(new ByteArrayInputStream(data)), newOut.toByteArray()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - } - - public void testEncapsulatedCertStoreReplacement() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_origDsaCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - // - // create new certstore with the right certificates - // - certList = new ArrayList(); - certList.add(_origCert); - certList.add(_signCert); - - certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - // - // replace certs - // - ByteArrayInputStream original = new ByteArrayInputStream(bOut.toByteArray()); - ByteArrayOutputStream newOut = new ByteArrayOutputStream(); - - CMSSignedDataParser.replaceCertificatesAndCRLs(original, certs, newOut); - - CMSSignedDataParser sp = new CMSSignedDataParser(newOut.toByteArray()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - } - - public void testCertOrdering1() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - CMSSignedDataParser sp = new CMSSignedDataParser(bOut.toByteArray()); - - sp.getSignedContent().drain(); - certs = sp.getCertificatesAndCRLs("Collection", BC); - Iterator it = certs.getCertificates(null).iterator(); - - assertEquals(_origCert, it.next()); - assertEquals(_signCert, it.next()); - } - - public void testCertOrdering2() - throws Exception - { - List certList = new ArrayList(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - certList.add(_signCert); - certList.add(_origCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, BC); - - gen.addCertificatesAndCRLs(certs); - - OutputStream sigOut = gen.open(bOut, true); - - sigOut.write(TEST_MESSAGE.getBytes()); - - sigOut.close(); - - CMSSignedDataParser sp = new CMSSignedDataParser(bOut.toByteArray()); - - sp.getSignedContent().drain(); - certs = sp.getCertificatesAndCRLs("Collection", BC); - Iterator it = certs.getCertificates(null).iterator(); - - assertEquals(_signCert, it.next()); - assertEquals(_origCert, it.next()); - } - - public static Test suite() - throws Exception - { - init(); - - return new CMSTestSetup(new TestSuite(SignedDataStreamTest.class)); - } -} diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/SignedDataTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/SignedDataTest.java deleted file mode 100644 index 160669b..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/SignedDataTest.java +++ /dev/null @@ -1,1573 +0,0 @@ -package org.bouncycastle.cms.test; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.security.KeyFactory; -import java.security.KeyPair; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.security.cert.CertStore; -import java.security.cert.CollectionCertStoreParameters; -import java.security.cert.X509CRL; -import java.security.cert.X509Certificate; -import java.security.spec.PKCS8EncodedKeySpec; -import java.security.spec.X509EncodedKeySpec; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Collections; -import java.util.HashMap; -import java.util.Iterator; -import java.util.List; -import java.util.Map; - -import junit.framework.Test; -import junit.framework.TestCase; -import junit.framework.TestSuite; -import org.bouncycastle.asn1.ASN1EncodableVector; -import org.bouncycastle.asn1.ASN1InputStream; -import org.bouncycastle.asn1.ASN1OctetString; -import org.bouncycastle.asn1.DEROctetString; -import org.bouncycastle.asn1.DERSet; -import org.bouncycastle.asn1.cms.Attribute; -import org.bouncycastle.asn1.cms.AttributeTable; -import org.bouncycastle.asn1.cms.CMSAttributes; -import org.bouncycastle.asn1.cms.ContentInfo; -import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.cms.CMSConfig; -import org.bouncycastle.cms.CMSProcessable; -import org.bouncycastle.cms.CMSProcessableByteArray; -import org.bouncycastle.cms.CMSSignedData; -import org.bouncycastle.cms.CMSSignedDataGenerator; -import org.bouncycastle.cms.CMSSignedDataParser; -import org.bouncycastle.cms.SignerId; -import org.bouncycastle.cms.SignerInformation; -import org.bouncycastle.cms.SignerInformationStore; -import org.bouncycastle.cms.jcajce.JcaX509CertSelectorConverter; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.util.encoders.Base64; -import org.bouncycastle.util.io.Streams; -import org.bouncycastle.x509.X509AttributeCertificate; -import org.bouncycastle.x509.X509CollectionStoreParameters; -import org.bouncycastle.x509.X509Store; - -public class SignedDataTest - extends TestCase -{ - private static final String BC = BouncyCastleProvider.PROVIDER_NAME; - - boolean DEBUG = true; - - private static String _origDN; - private static KeyPair _origKP; - private static X509Certificate _origCert; - - private static String _signDN; - private static KeyPair _signKP; - private static X509Certificate _signCert; - - private static KeyPair _signGostKP; - private static X509Certificate _signGostCert; - - private static KeyPair _signEcDsaKP; - private static X509Certificate _signEcDsaCert; - - private static KeyPair _signEcGostKP; - private static X509Certificate _signEcGostCert; - - private static KeyPair _signDsaKP; - private static X509Certificate _signDsaCert; - - private static String _reciDN; - private static KeyPair _reciKP; - private static X509Certificate _reciCert; - - private static X509CRL _signCrl; - - private static boolean _initialised = false; - - private byte[] disorderedMessage = Base64.decode( - "SU9fc3RkaW5fdXNlZABfX2xpYmNfc3RhcnRfbWFpbgBnZXRob3N0aWQAX19n" - + "bW9uX3M="); - - private byte[] disorderedSet = Base64.decode( - "MIIYXQYJKoZIhvcNAQcCoIIYTjCCGEoCAQExCzAJBgUrDgMCGgUAMAsGCSqG" - + "SIb3DQEHAaCCFqswggJUMIIBwKADAgECAgMMg6wwCgYGKyQDAwECBQAwbzEL" - + "MAkGA1UEBhMCREUxPTA7BgNVBAoUNFJlZ3VsaWVydW5nc2JlaMhvcmRlIGbI" - + "dXIgVGVsZWtvbW11bmlrYXRpb24gdW5kIFBvc3QxITAMBgcCggYBCgcUEwEx" - + "MBEGA1UEAxQKNFItQ0EgMTpQTjAiGA8yMDAwMDMyMjA5NDM1MFoYDzIwMDQw" - + "MTIxMTYwNDUzWjBvMQswCQYDVQQGEwJERTE9MDsGA1UEChQ0UmVndWxpZXJ1" - + "bmdzYmVoyG9yZGUgZsh1ciBUZWxla29tbXVuaWthdGlvbiB1bmQgUG9zdDEh" - + "MAwGBwKCBgEKBxQTATEwEQYDVQQDFAo1Ui1DQSAxOlBOMIGhMA0GCSqGSIb3" - + "DQEBAQUAA4GPADCBiwKBgQCKHkFTJx8GmoqFTxEOxpK9XkC3NZ5dBEKiUv0I" - + "fe3QMqeGMoCUnyJxwW0k2/53duHxtv2yHSZpFKjrjvE/uGwdOMqBMTjMzkFg" - + "19e9JPv061wyADOucOIaNAgha/zFt9XUyrHF21knKCvDNExv2MYIAagkTKaj" - + "LMAw0bu1J0FadQIFAMAAAAEwCgYGKyQDAwECBQADgYEAgFauXpoTLh3Z3pT/" - + "3bhgrxO/2gKGZopWGSWSJPNwq/U3x2EuctOJurj+y2inTcJjespThflpN+7Q" - + "nvsUhXU+jL2MtPlObU0GmLvWbi47cBShJ7KElcZAaxgWMBzdRGqTOdtMv+ev" - + "2t4igGF/q71xf6J2c3pTLWr6P8s6tzLfOCMwggJDMIIBr6ADAgECAgQAuzyu" - + "MAoGBiskAwMBAgUAMG8xCzAJBgNVBAYTAkRFMT0wOwYDVQQKFDRSZWd1bGll" - + "cnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21tdW5pa2F0aW9uIHVuZCBQb3N0" - + "MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjVSLUNBIDE6UE4wIhgPMjAwMTA4" - + "MjAwODA4MjBaGA8yMDA1MDgyMDA4MDgyMFowSzELMAkGA1UEBhMCREUxEjAQ" - + "BgNVBAoUCVNpZ250cnVzdDEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFDQSBT" - + "SUdOVFJVU1QgMTpQTjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAhV12" - + "N2WhlR6f+3CXP57GrBM9la5Vnsu2b92zv5MZqQOPeEsYbZqDCFkYg1bSwsDE" - + "XsGVQqXdQNAGUaapr/EUVVN+hNZ07GcmC1sPeQECgUkxDYjGi4ihbvzxlahj" - + "L4nX+UTzJVBfJwXoIvJ+lMHOSpnOLIuEL3SRhBItvRECxN0CAwEAAaMSMBAw" - + "DgYDVR0PAQH/BAQDAgEGMAoGBiskAwMBAgUAA4GBACDc9Pc6X8sK1cerphiV" - + "LfFv4kpZb9ev4WPy/C6987Qw1SOTElhZAmxaJQBqmDHWlQ63wj1DEqswk7hG" - + "LrvQk/iX6KXIn8e64uit7kx6DHGRKNvNGofPjr1WelGeGW/T2ZJKgmPDjCkf" - + "sIKt2c3gwa2pDn4mmCz/DStUIqcPDbqLMIICVTCCAcGgAwIBAgIEAJ16STAK" - + "BgYrJAMDAQIFADBvMQswCQYDVQQGEwJERTE9MDsGA1UEChQ0UmVndWxpZXJ1" - + "bmdzYmVoyG9yZGUgZsh1ciBUZWxla29tbXVuaWthdGlvbiB1bmQgUG9zdDEh" - + "MAwGBwKCBgEKBxQTATEwEQYDVQQDFAo1Ui1DQSAxOlBOMCIYDzIwMDEwMjAx" - + "MTM0NDI1WhgPMjAwNTAzMjIwODU1NTFaMG8xCzAJBgNVBAYTAkRFMT0wOwYD" - + "VQQKFDRSZWd1bGllcnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21tdW5pa2F0" - + "aW9uIHVuZCBQb3N0MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjZSLUNhIDE6" - + "UE4wgaEwDQYJKoZIhvcNAQEBBQADgY8AMIGLAoGBAIOiqxUkzVyqnvthihnl" - + "tsE5m1Xn5TZKeR/2MQPStc5hJ+V4yptEtIx+Fn5rOoqT5VEVWhcE35wdbPvg" - + "JyQFn5msmhPQT/6XSGOlrWRoFummXN9lQzAjCj1sgTcmoLCVQ5s5WpCAOXFw" - + "VWu16qndz3sPItn3jJ0F3Kh3w79NglvPAgUAwAAAATAKBgYrJAMDAQIFAAOB" - + "gQBpSRdnDb6AcNVaXSmGo6+kVPIBhot1LzJOGaPyDNpGXxd7LV4tMBF1U7gr" - + "4k1g9BO6YiMWvw9uiTZmn0CfV8+k4fWEuG/nmafRoGIuay2f+ILuT+C0rnp1" - + "4FgMsEhuVNJJAmb12QV0PZII+UneyhAneZuQQzVUkTcVgYxogxdSOzCCAlUw" - + "ggHBoAMCAQICBACdekowCgYGKyQDAwECBQAwbzELMAkGA1UEBhMCREUxPTA7" - + "BgNVBAoUNFJlZ3VsaWVydW5nc2JlaMhvcmRlIGbIdXIgVGVsZWtvbW11bmlr" - + "YXRpb24gdW5kIFBvc3QxITAMBgcCggYBCgcUEwExMBEGA1UEAxQKNlItQ2Eg" - + "MTpQTjAiGA8yMDAxMDIwMTEzNDcwN1oYDzIwMDUwMzIyMDg1NTUxWjBvMQsw" - + "CQYDVQQGEwJERTE9MDsGA1UEChQ0UmVndWxpZXJ1bmdzYmVoyG9yZGUgZsh1" - + "ciBUZWxla29tbXVuaWthdGlvbiB1bmQgUG9zdDEhMAwGBwKCBgEKBxQTATEw" - + "EQYDVQQDFAo1Ui1DQSAxOlBOMIGhMA0GCSqGSIb3DQEBAQUAA4GPADCBiwKB" - + "gQCKHkFTJx8GmoqFTxEOxpK9XkC3NZ5dBEKiUv0Ife3QMqeGMoCUnyJxwW0k" - + "2/53duHxtv2yHSZpFKjrjvE/uGwdOMqBMTjMzkFg19e9JPv061wyADOucOIa" - + "NAgha/zFt9XUyrHF21knKCvDNExv2MYIAagkTKajLMAw0bu1J0FadQIFAMAA" - + "AAEwCgYGKyQDAwECBQADgYEAV1yTi+2gyB7sUhn4PXmi/tmBxAfe5oBjDW8m" - + "gxtfudxKGZ6l/FUPNcrSc5oqBYxKWtLmf3XX87LcblYsch617jtNTkMzhx9e" - + "qxiD02ufcrxz2EVt0Akdqiz8mdVeqp3oLcNU/IttpSrcA91CAnoUXtDZYwb/" - + "gdQ4FI9l3+qo/0UwggJVMIIBwaADAgECAgQAxIymMAoGBiskAwMBAgUAMG8x" - + "CzAJBgNVBAYTAkRFMT0wOwYDVQQKFDRSZWd1bGllcnVuZ3NiZWjIb3JkZSBm" - + "yHVyIFRlbGVrb21tdW5pa2F0aW9uIHVuZCBQb3N0MSEwDAYHAoIGAQoHFBMB" - + "MTARBgNVBAMUCjZSLUNhIDE6UE4wIhgPMjAwMTEwMTUxMzMxNThaGA8yMDA1" - + "MDYwMTA5NTIxN1owbzELMAkGA1UEBhMCREUxPTA7BgNVBAoUNFJlZ3VsaWVy" - + "dW5nc2JlaMhvcmRlIGbIdXIgVGVsZWtvbW11bmlrYXRpb24gdW5kIFBvc3Qx" - + "ITAMBgcCggYBCgcUEwExMBEGA1UEAxQKN1ItQ0EgMTpQTjCBoTANBgkqhkiG" - + "9w0BAQEFAAOBjwAwgYsCgYEAiokD/j6lEP4FexF356OpU5teUpGGfUKjIrFX" - + "BHc79G0TUzgVxqMoN1PWnWktQvKo8ETaugxLkP9/zfX3aAQzDW4Zki6x6GDq" - + "fy09Agk+RJvhfbbIzRkV4sBBco0n73x7TfG/9NTgVr/96U+I+z/1j30aboM6" - + "9OkLEhjxAr0/GbsCBQDAAAABMAoGBiskAwMBAgUAA4GBAHWRqRixt+EuqHhR" - + "K1kIxKGZL2vZuakYV0R24Gv/0ZR52FE4ECr+I49o8FP1qiGSwnXB0SwjuH2S" - + "iGiSJi+iH/MeY85IHwW1P5e+bOMvEOFhZhQXQixOD7totIoFtdyaj1XGYRef" - + "0f2cPOjNJorXHGV8wuBk+/j++sxbd/Net3FtMIICVTCCAcGgAwIBAgIEAMSM" - + "pzAKBgYrJAMDAQIFADBvMQswCQYDVQQGEwJERTE9MDsGA1UEChQ0UmVndWxp" - + "ZXJ1bmdzYmVoyG9yZGUgZsh1ciBUZWxla29tbXVuaWthdGlvbiB1bmQgUG9z" - + "dDEhMAwGBwKCBgEKBxQTATEwEQYDVQQDFAo3Ui1DQSAxOlBOMCIYDzIwMDEx" - + "MDE1MTMzNDE0WhgPMjAwNTA2MDEwOTUyMTdaMG8xCzAJBgNVBAYTAkRFMT0w" - + "OwYDVQQKFDRSZWd1bGllcnVuZ3NiZWjIb3JkZSBmyHVyIFRlbGVrb21tdW5p" - + "a2F0aW9uIHVuZCBQb3N0MSEwDAYHAoIGAQoHFBMBMTARBgNVBAMUCjZSLUNh" - + "IDE6UE4wgaEwDQYJKoZIhvcNAQEBBQADgY8AMIGLAoGBAIOiqxUkzVyqnvth" - + "ihnltsE5m1Xn5TZKeR/2MQPStc5hJ+V4yptEtIx+Fn5rOoqT5VEVWhcE35wd" - + "bPvgJyQFn5msmhPQT/6XSGOlrWRoFummXN9lQzAjCj1sgTcmoLCVQ5s5WpCA" - + "OXFwVWu16qndz3sPItn3jJ0F3Kh3w79NglvPAgUAwAAAATAKBgYrJAMDAQIF" - + "AAOBgQBi5W96UVDoNIRkCncqr1LLG9vF9SGBIkvFpLDIIbcvp+CXhlvsdCJl" - + "0pt2QEPSDl4cmpOet+CxJTdTuMeBNXxhb7Dvualog69w/+K2JbPhZYxuVFZs" - + "Zh5BkPn2FnbNu3YbJhE60aIkikr72J4XZsI5DxpZCGh6xyV/YPRdKSljFjCC" - + "AlQwggHAoAMCAQICAwyDqzAKBgYrJAMDAQIFADBvMQswCQYDVQQGEwJERTE9" - + "MDsGA1UEChQ0UmVndWxpZXJ1bmdzYmVoyG9yZGUgZsh1ciBUZWxla29tbXVu" - + "aWthdGlvbiB1bmQgUG9zdDEhMAwGBwKCBgEKBxQTATEwEQYDVQQDFAo1Ui1D" - + "QSAxOlBOMCIYDzIwMDAwMzIyMDk0MTI3WhgPMjAwNDAxMjExNjA0NTNaMG8x" - + "CzAJBgNVBAYTAkRFMT0wOwYDVQQKFDRSZWd1bGllcnVuZ3NiZWjIb3JkZSBm" - + "yHVyIFRlbGVrb21tdW5pa2F0aW9uIHVuZCBQb3N0MSEwDAYHAoIGAQoHFBMB" - + "MTARBgNVBAMUCjRSLUNBIDE6UE4wgaEwDQYJKoZIhvcNAQEBBQADgY8AMIGL" - + "AoGBAI8x26tmrFJanlm100B7KGlRemCD1R93PwdnG7svRyf5ZxOsdGrDszNg" - + "xg6ouO8ZHQMT3NC2dH8TvO65Js+8bIyTm51azF6clEg0qeWNMKiiXbBXa+ph" - + "hTkGbXiLYvACZ6/MTJMJ1lcrjpRF7BXtYeYMcEF6znD4pxOqrtbf9z5hAgUA" - + "wAAAATAKBgYrJAMDAQIFAAOBgQB99BjSKlGPbMLQAgXlvA9jUsDNhpnVm3a1" - + "YkfxSqS/dbQlYkbOKvCxkPGA9NBxisBM8l1zFynVjJoy++aysRmcnLY/sHaz" - + "23BF2iU7WERy18H3lMBfYB6sXkfYiZtvQZcWaO48m73ZBySuiV3iXpb2wgs/" - + "Cs20iqroAWxwq/W/9jCCAlMwggG/oAMCAQICBDsFZ9UwCgYGKyQDAwECBQAw" - + "bzELMAkGA1UEBhMCREUxITAMBgcCggYBCgcUEwExMBEGA1UEAxQKNFItQ0Eg" - + "MTpQTjE9MDsGA1UEChQ0UmVndWxpZXJ1bmdzYmVoyG9yZGUgZsh1ciBUZWxl" - + "a29tbXVuaWthdGlvbiB1bmQgUG9zdDAiGA8xOTk5MDEyMTE3MzUzNFoYDzIw" - + "MDQwMTIxMTYwMDAyWjBvMQswCQYDVQQGEwJERTE9MDsGA1UEChQ0UmVndWxp" - + "ZXJ1bmdzYmVoyG9yZGUgZsh1ciBUZWxla29tbXVuaWthdGlvbiB1bmQgUG9z" - + "dDEhMAwGBwKCBgEKBxQTATEwEQYDVQQDFAozUi1DQSAxOlBOMIGfMA0GCSqG" - + "SIb3DQEBAQUAA4GNADCBiQKBgI4B557mbKQg/AqWBXNJhaT/6lwV93HUl4U8" - + "u35udLq2+u9phns1WZkdM3gDfEpL002PeLfHr1ID/96dDYf04lAXQfombils" - + "of1C1k32xOvxjlcrDOuPEMxz9/HDAQZA5MjmmYHAIulGI8Qg4Tc7ERRtg/hd" - + "0QX0/zoOeXoDSEOBAgTAAAABMAoGBiskAwMBAgUAA4GBAIyzwfT3keHI/n2P" - + "LrarRJv96mCohmDZNpUQdZTVjGu5VQjVJwk3hpagU0o/t/FkdzAjOdfEw8Ql" - + "3WXhfIbNLv1YafMm2eWSdeYbLcbB5yJ1od+SYyf9+tm7cwfDAcr22jNRBqx8" - + "wkWKtKDjWKkevaSdy99sAI8jebHtWz7jzydKMIID9TCCA16gAwIBAgICbMcw" - + "DQYJKoZIhvcNAQEFBQAwSzELMAkGA1UEBhMCREUxEjAQBgNVBAoUCVNpZ250" - + "cnVzdDEoMAwGBwKCBgEKBxQTATEwGAYDVQQDFBFDQSBTSUdOVFJVU1QgMTpQ" - + "TjAeFw0wNDA3MzAxMzAyNDZaFw0wNzA3MzAxMzAyNDZaMDwxETAPBgNVBAMM" - + "CFlhY29tOlBOMQ4wDAYDVQRBDAVZYWNvbTELMAkGA1UEBhMCREUxCjAIBgNV" - + "BAUTATEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIWzLlYLQApocXIp" - + "pgCCpkkOUVLgcLYKeOd6/bXAnI2dTHQqT2bv7qzfUnYvOqiNgYdF13pOYtKg" - + "XwXMTNFL4ZOI6GoBdNs9TQiZ7KEWnqnr2945HYx7UpgTBclbOK/wGHuCdcwO" - + "x7juZs1ZQPFG0Lv8RoiV9s6HP7POqh1sO0P/AgMBAAGjggH1MIIB8TCBnAYD" - + "VR0jBIGUMIGRgBQcZzNghfnXoXRm8h1+VITC5caNRqFzpHEwbzELMAkGA1UE" - + "BhMCREUxPTA7BgNVBAoUNFJlZ3VsaWVydW5nc2JlaMhvcmRlIGbIdXIgVGVs" - + "ZWtvbW11bmlrYXRpb24gdW5kIFBvc3QxITAMBgcCggYBCgcUEwExMBEGA1UE" - + "AxQKNVItQ0EgMTpQToIEALs8rjAdBgNVHQ4EFgQU2e5KAzkVuKaM9I5heXkz" - + "bcAIuR8wDgYDVR0PAQH/BAQDAgZAMBIGA1UdIAQLMAkwBwYFKyQIAQEwfwYD" - + "VR0fBHgwdjB0oCygKoYobGRhcDovL2Rpci5zaWdudHJ1c3QuZGUvbz1TaWdu" - + "dHJ1c3QsYz1kZaJEpEIwQDEdMBsGA1UEAxMUQ1JMU2lnblNpZ250cnVzdDE6" - + "UE4xEjAQBgNVBAoTCVNpZ250cnVzdDELMAkGA1UEBhMCREUwYgYIKwYBBQUH" - + "AQEEVjBUMFIGCCsGAQUFBzABhkZodHRwOi8vZGlyLnNpZ250cnVzdC5kZS9T" - + "aWdudHJ1c3QvT0NTUC9zZXJ2bGV0L2h0dHBHYXRld2F5LlBvc3RIYW5kbGVy" - + "MBgGCCsGAQUFBwEDBAwwCjAIBgYEAI5GAQEwDgYHAoIGAQoMAAQDAQH/MA0G" - + "CSqGSIb3DQEBBQUAA4GBAHn1m3GcoyD5GBkKUY/OdtD6Sj38LYqYCF+qDbJR" - + "6pqUBjY2wsvXepUppEler+stH8mwpDDSJXrJyuzf7xroDs4dkLl+Rs2x+2tg" - + "BjU+ABkBDMsym2WpwgA8LCdymmXmjdv9tULxY+ec2pjSEzql6nEZNEfrU8nt" - + "ZCSCavgqW4TtMYIBejCCAXYCAQEwUTBLMQswCQYDVQQGEwJERTESMBAGA1UE" - + "ChQJU2lnbnRydXN0MSgwDAYHAoIGAQoHFBMBMTAYBgNVBAMUEUNBIFNJR05U" - + "UlVTVCAxOlBOAgJsxzAJBgUrDgMCGgUAoIGAMBgGCSqGSIb3DQEJAzELBgkq" - + "hkiG9w0BBwEwIwYJKoZIhvcNAQkEMRYEFIYfhPoyfGzkLWWSSLjaHb4HQmaK" - + "MBwGCSqGSIb3DQEJBTEPFw0wNTAzMjQwNzM4MzVaMCEGBSskCAYFMRgWFi92" - + "YXIvZmlsZXMvdG1wXzEvdGVzdDEwDQYJKoZIhvcNAQEFBQAEgYA2IvA8lhVz" - + "VD5e/itUxbFboKxeKnqJ5n/KuO/uBCl1N14+7Z2vtw1sfkIG+bJdp3OY2Cmn" - + "mrQcwsN99Vjal4cXVj8t+DJzFG9tK9dSLvD3q9zT/GQ0kJXfimLVwCa4NaSf" - + "Qsu4xtG0Rav6bCcnzabAkKuNNvKtH8amSRzk870DBg=="); - - public static byte[] xtraCounterSig = Base64.decode( - "MIIR/AYJKoZIhvcNAQcCoIIR7TCCEekCAQExCzAJBgUrDgMCGgUAMBoGCSqG" - + "SIb3DQEHAaANBAtIZWxsbyB3b3JsZKCCDnkwggTPMIIDt6ADAgECAgRDnYD3" - + "MA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNVBAYTAklUMRowGAYDVQQKExFJbi5U" - + "ZS5TLkEuIFMucC5BLjEtMCsGA1UEAxMkSW4uVGUuUy5BLiAtIENlcnRpZmlj" - + "YXRpb24gQXV0aG9yaXR5MB4XDTA4MDkxMjExNDMxMloXDTEwMDkxMjExNDMx" - + "MlowgdgxCzAJBgNVBAYTAklUMSIwIAYDVQQKDBlJbnRlc2EgUy5wLkEuLzA1" - + "MjYyODkwMDE0MSowKAYDVQQLDCFCdXNpbmVzcyBDb2xsYWJvcmF0aW9uICYg" - + "U2VjdXJpdHkxHjAcBgNVBAMMFU1BU1NJTUlMSUFOTyBaSUNDQVJESTERMA8G" - + "A1UEBAwIWklDQ0FSREkxFTATBgNVBCoMDE1BU1NJTUlMSUFOTzEcMBoGA1UE" - + "BRMTSVQ6WkNDTVNNNzZIMTRMMjE5WTERMA8GA1UELhMIMDAwMDI1ODUwgaAw" - + "DQYJKoZIhvcNAQEBBQADgY4AMIGKAoGBALeJTjmyFgx1SIP6c2AuB/kuyHo5" - + "j/prKELTALsFDimre/Hxr3wOSet1TdQfFzU8Lu+EJqgfV9cV+cI1yeH1rZs7" - + "lei7L3tX/VR565IywnguX5xwvteASgWZr537Fkws50bvTEMyYOj1Tf3FZvZU" - + "z4n4OD39KI4mfR9i1eEVIxR3AgQAizpNo4IBoTCCAZ0wHQYDVR0RBBYwFIES" - + "emljY2FyZGlAaW50ZXNhLml0MC8GCCsGAQUFBwEDBCMwITAIBgYEAI5GAQEw" - + "CwYGBACORgEDAgEUMAgGBgQAjkYBBDBZBgNVHSAEUjBQME4GBgQAizABATBE" - + "MEIGCCsGAQUFBwIBFjZodHRwOi8vZS10cnVzdGNvbS5pbnRlc2EuaXQvY2Ff" - + "cHViYmxpY2EvQ1BTX0lOVEVTQS5odG0wDgYDVR0PAQH/BAQDAgZAMIGDBgNV" - + "HSMEfDB6gBQZCQOW0bjFWBt+EORuxPagEgkQqKFcpFowWDELMAkGA1UEBhMC" - + "SVQxGjAYBgNVBAoTEUluLlRlLlMuQS4gUy5wLkEuMS0wKwYDVQQDEyRJbi5U" - + "ZS5TLkEuIC0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHmCBDzRARMwOwYDVR0f" - + "BDQwMjAwoC6gLIYqaHR0cDovL2UtdHJ1c3Rjb20uaW50ZXNhLml0L0NSTC9J" - + "TlRFU0EuY3JsMB0GA1UdDgQWBBTf5ItL8KmQh541Dxt7YxcWI1254TANBgkq" - + "hkiG9w0BAQUFAAOCAQEAgW+uL1CVWQepbC/wfCmR6PN37Sueb4xiKQj2mTD5" - + "UZ5KQjpivy/Hbuf0NrfKNiDEhAvoHSPC31ebGiKuTMFNyZPHfPEUnyYGSxea" - + "2w837aXJFr6utPNQGBRi89kH90sZDlXtOSrZI+AzJJn5QK3F9gjcayU2NZXQ" - + "MJgRwYmFyn2w4jtox+CwXPQ9E5XgxiMZ4WDL03cWVXDLX00EOJwnDDMUNTRI" - + "m9Zv+4SKTNlfFbi9UTBqWBySkDzAelsfB2U61oqc2h1xKmCtkGMmN9iZT+Qz" - + "ZC/vaaT+hLEBFGAH2gwFrYc4/jTBKyBYeU1vsAxsibIoTs1Apgl6MH75qPDL" - + "BzCCBM8wggO3oAMCAQICBEOdgPcwDQYJKoZIhvcNAQEFBQAwWDELMAkGA1UE" - + "BhMCSVQxGjAYBgNVBAoTEUluLlRlLlMuQS4gUy5wLkEuMS0wKwYDVQQDEyRJ" - + "bi5UZS5TLkEuIC0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDgwOTEy" - + "MTE0MzEyWhcNMTAwOTEyMTE0MzEyWjCB2DELMAkGA1UEBhMCSVQxIjAgBgNV" - + "BAoMGUludGVzYSBTLnAuQS4vMDUyNjI4OTAwMTQxKjAoBgNVBAsMIUJ1c2lu" - + "ZXNzIENvbGxhYm9yYXRpb24gJiBTZWN1cml0eTEeMBwGA1UEAwwVTUFTU0lN" - + "SUxJQU5PIFpJQ0NBUkRJMREwDwYDVQQEDAhaSUNDQVJESTEVMBMGA1UEKgwM" - + "TUFTU0lNSUxJQU5PMRwwGgYDVQQFExNJVDpaQ0NNU003NkgxNEwyMTlZMREw" - + "DwYDVQQuEwgwMDAwMjU4NTCBoDANBgkqhkiG9w0BAQEFAAOBjgAwgYoCgYEA" - + "t4lOObIWDHVIg/pzYC4H+S7IejmP+msoQtMAuwUOKat78fGvfA5J63VN1B8X" - + "NTwu74QmqB9X1xX5wjXJ4fWtmzuV6Lsve1f9VHnrkjLCeC5fnHC+14BKBZmv" - + "nfsWTCznRu9MQzJg6PVN/cVm9lTPifg4Pf0ojiZ9H2LV4RUjFHcCBACLOk2j" - + "ggGhMIIBnTAdBgNVHREEFjAUgRJ6aWNjYXJkaUBpbnRlc2EuaXQwLwYIKwYB" - + "BQUHAQMEIzAhMAgGBgQAjkYBATALBgYEAI5GAQMCARQwCAYGBACORgEEMFkG" - + "A1UdIARSMFAwTgYGBACLMAEBMEQwQgYIKwYBBQUHAgEWNmh0dHA6Ly9lLXRy" - + "dXN0Y29tLmludGVzYS5pdC9jYV9wdWJibGljYS9DUFNfSU5URVNBLmh0bTAO" - + "BgNVHQ8BAf8EBAMCBkAwgYMGA1UdIwR8MHqAFBkJA5bRuMVYG34Q5G7E9qAS" - + "CRCooVykWjBYMQswCQYDVQQGEwJJVDEaMBgGA1UEChMRSW4uVGUuUy5BLiBT" - + "LnAuQS4xLTArBgNVBAMTJEluLlRlLlMuQS4gLSBDZXJ0aWZpY2F0aW9uIEF1" - + "dGhvcml0eYIEPNEBEzA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vZS10cnVz" - + "dGNvbS5pbnRlc2EuaXQvQ1JML0lOVEVTQS5jcmwwHQYDVR0OBBYEFN/ki0vw" - + "qZCHnjUPG3tjFxYjXbnhMA0GCSqGSIb3DQEBBQUAA4IBAQCBb64vUJVZB6ls" - + "L/B8KZHo83ftK55vjGIpCPaZMPlRnkpCOmK/L8du5/Q2t8o2IMSEC+gdI8Lf" - + "V5saIq5MwU3Jk8d88RSfJgZLF5rbDzftpckWvq6081AYFGLz2Qf3SxkOVe05" - + "Ktkj4DMkmflArcX2CNxrJTY1ldAwmBHBiYXKfbDiO2jH4LBc9D0TleDGIxnh" - + "YMvTdxZVcMtfTQQ4nCcMMxQ1NEib1m/7hIpM2V8VuL1RMGpYHJKQPMB6Wx8H" - + "ZTrWipzaHXEqYK2QYyY32JlP5DNkL+9ppP6EsQEUYAfaDAWthzj+NMErIFh5" - + "TW+wDGyJsihOzUCmCXowfvmo8MsHMIIEzzCCA7egAwIBAgIEQ52A9zANBgkq" - + "hkiG9w0BAQUFADBYMQswCQYDVQQGEwJJVDEaMBgGA1UEChMRSW4uVGUuUy5B" - + "LiBTLnAuQS4xLTArBgNVBAMTJEluLlRlLlMuQS4gLSBDZXJ0aWZpY2F0aW9u" - + "IEF1dGhvcml0eTAeFw0wODA5MTIxMTQzMTJaFw0xMDA5MTIxMTQzMTJaMIHY" - + "MQswCQYDVQQGEwJJVDEiMCAGA1UECgwZSW50ZXNhIFMucC5BLi8wNTI2Mjg5" - + "MDAxNDEqMCgGA1UECwwhQnVzaW5lc3MgQ29sbGFib3JhdGlvbiAmIFNlY3Vy" - + "aXR5MR4wHAYDVQQDDBVNQVNTSU1JTElBTk8gWklDQ0FSREkxETAPBgNVBAQM" - + "CFpJQ0NBUkRJMRUwEwYDVQQqDAxNQVNTSU1JTElBTk8xHDAaBgNVBAUTE0lU" - + "OlpDQ01TTTc2SDE0TDIxOVkxETAPBgNVBC4TCDAwMDAyNTg1MIGgMA0GCSqG" - + "SIb3DQEBAQUAA4GOADCBigKBgQC3iU45shYMdUiD+nNgLgf5Lsh6OY/6ayhC" - + "0wC7BQ4pq3vx8a98DknrdU3UHxc1PC7vhCaoH1fXFfnCNcnh9a2bO5Xouy97" - + "V/1UeeuSMsJ4Ll+ccL7XgEoFma+d+xZMLOdG70xDMmDo9U39xWb2VM+J+Dg9" - + "/SiOJn0fYtXhFSMUdwIEAIs6TaOCAaEwggGdMB0GA1UdEQQWMBSBEnppY2Nh" - + "cmRpQGludGVzYS5pdDAvBggrBgEFBQcBAwQjMCEwCAYGBACORgEBMAsGBgQA" - + "jkYBAwIBFDAIBgYEAI5GAQQwWQYDVR0gBFIwUDBOBgYEAIswAQEwRDBCBggr" - + "BgEFBQcCARY2aHR0cDovL2UtdHJ1c3Rjb20uaW50ZXNhLml0L2NhX3B1YmJs" - + "aWNhL0NQU19JTlRFU0EuaHRtMA4GA1UdDwEB/wQEAwIGQDCBgwYDVR0jBHww" - + "eoAUGQkDltG4xVgbfhDkbsT2oBIJEKihXKRaMFgxCzAJBgNVBAYTAklUMRow" - + "GAYDVQQKExFJbi5UZS5TLkEuIFMucC5BLjEtMCsGA1UEAxMkSW4uVGUuUy5B" - + "LiAtIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggQ80QETMDsGA1UdHwQ0MDIw" - + "MKAuoCyGKmh0dHA6Ly9lLXRydXN0Y29tLmludGVzYS5pdC9DUkwvSU5URVNB" - + "LmNybDAdBgNVHQ4EFgQU3+SLS/CpkIeeNQ8be2MXFiNdueEwDQYJKoZIhvcN" - + "AQEFBQADggEBAIFvri9QlVkHqWwv8Hwpkejzd+0rnm+MYikI9pkw+VGeSkI6" - + "Yr8vx27n9Da3yjYgxIQL6B0jwt9XmxoirkzBTcmTx3zxFJ8mBksXmtsPN+2l" - + "yRa+rrTzUBgUYvPZB/dLGQ5V7Tkq2SPgMySZ+UCtxfYI3GslNjWV0DCYEcGJ" - + "hcp9sOI7aMfgsFz0PROV4MYjGeFgy9N3FlVwy19NBDicJwwzFDU0SJvWb/uE" - + "ikzZXxW4vVEwalgckpA8wHpbHwdlOtaKnNodcSpgrZBjJjfYmU/kM2Qv72mk" - + "/oSxARRgB9oMBa2HOP40wSsgWHlNb7AMbImyKE7NQKYJejB++ajwywcxggM8" - + "MIIDOAIBATBgMFgxCzAJBgNVBAYTAklUMRowGAYDVQQKExFJbi5UZS5TLkEu" - + "IFMucC5BLjEtMCsGA1UEAxMkSW4uVGUuUy5BLiAtIENlcnRpZmljYXRpb24g" - + "QXV0aG9yaXR5AgRDnYD3MAkGBSsOAwIaBQAwDQYJKoZIhvcNAQEBBQAEgYB+" - + "lH2cwLqc91mP8prvgSV+RRzk13dJdZvdoVjgQoFrPhBiZCNIEoHvIhMMA/sM" - + "X6euSRZk7EjD24FasCEGYyd0mJVLEy6TSPmuW+wWz/28w3a6IWXBGrbb/ild" - + "/CJMkPgLPGgOVD1WDwiNKwfasiQSFtySf5DPn3jFevdLeMmEY6GCAjIwggEV" - + "BgkqhkiG9w0BCQYxggEGMIIBAgIBATBgMFgxCzAJBgNVBAYTAklUMRowGAYD" - + "VQQKExFJbi5UZS5TLkEuIFMucC5BLjEtMCsGA1UEAxMkSW4uVGUuUy5BLiAt" - + "IENlcnRpZmljYXRpb24gQXV0aG9yaXR5AgRDnYD3MAkGBSsOAwIaBQAwDQYJ" - + "KoZIhvcNAQEBBQAEgYBHlOULfT5GDigIvxP0qZOy8VbpntmzaPF55VV4buKV" - + "35J+uHp98gXKp0LrHM69V5IRKuyuQzHHFBqsXxsRI9o6KoOfgliD9Xc+BeMg" - + "dKzQhBhBYoFREq8hQM0nSbqDNHYAQyNHMzUA/ZQUO5dlFuH8Dw3iDYAhNtfd" - + "PrlchKJthDCCARUGCSqGSIb3DQEJBjGCAQYwggECAgEBMGAwWDELMAkGA1UE" - + "BhMCSVQxGjAYBgNVBAoTEUluLlRlLlMuQS4gUy5wLkEuMS0wKwYDVQQDEyRJ" - + "bi5UZS5TLkEuIC0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCBEOdgPcwCQYF" - + "Kw4DAhoFADANBgkqhkiG9w0BAQEFAASBgEeU5Qt9PkYOKAi/E/Spk7LxVume" - + "2bNo8XnlVXhu4pXfkn64en3yBcqnQusczr1XkhEq7K5DMccUGqxfGxEj2joq" - + "g5+CWIP1dz4F4yB0rNCEGEFigVESryFAzSdJuoM0dgBDI0czNQD9lBQ7l2UW" - + "4fwPDeINgCE2190+uVyEom2E"); - - byte[] noSignedAttrSample2 = Base64.decode( - "MIIIlAYJKoZIhvcNAQcCoIIIhTCCCIECAQExCzAJBgUrDgMCGgUAMAsGCSqG" - + "SIb3DQEHAaCCB3UwggOtMIIDa6ADAgECAgEzMAsGByqGSM44BAMFADCBkDEL" - + "MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlQYWxvIEFsdG8x" - + "HTAbBgNVBAoTFFN1biBNaWNyb3N5c3RlbXMgSW5jMSMwIQYDVQQLExpKYXZh" - + "IFNvZnR3YXJlIENvZGUgU2lnbmluZzEcMBoGA1UEAxMTSkNFIENvZGUgU2ln" - + "bmluZyBDQTAeFw0wMTA1MjkxNjQ3MTFaFw0wNjA1MjgxNjQ3MTFaMG4xHTAb" - + "BgNVBAoTFFN1biBNaWNyb3N5c3RlbXMgSW5jMSMwIQYDVQQLExpKYXZhIFNv" - + "ZnR3YXJlIENvZGUgU2lnbmluZzEoMCYGA1UEAxMfVGhlIExlZ2lvbiBvZiB0" - + "aGUgQm91bmN5IENhc3RsZTCCAbcwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OB" - + "HXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2" - + "y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUP" - + "BPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvM" - + "spK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9" - + "B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj" - + "rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtV" - + "JWQBTDv+z0kqA4GEAAKBgBWry/FCAZ6miyy39+ftsa+h9lxoL+JtV0MJcUyQ" - + "E4VAhpAwWb8vyjba9AwOylYQTktHX5sAkFvjBiU0LOYDbFSTVZSHMRJgfjxB" - + "SHtICjOEvr1BJrrOrdzqdxcOUge5n7El124BCrv91x5Ol8UTwtiO9LrRXF/d" - + "SyK+RT5n1klRo3YwdDARBglghkgBhvhCAQEEBAMCAIcwDgYDVR0PAQH/BAQD" - + "AgHGMB0GA1UdDgQWBBQwMY4NRcco1AO3w1YsokfDLVseEjAPBgNVHRMBAf8E" - + "BTADAQH/MB8GA1UdIwQYMBaAFGXi9IbJ007wkU5Yomr12HhamsGmMAsGByqG" - + "SM44BAMFAAMvADAsAhRmigTu6QV0sTfEkVljgij/hhdVfAIUQZvMxAnIHc30" - + "y/u0C1T5UEG9glUwggPAMIIDfqADAgECAgEQMAsGByqGSM44BAMFADCBkDEL" - + "MAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlQYWxvIEFsdG8x" - + "HTAbBgNVBAoTFFN1biBNaWNyb3N5c3RlbXMgSW5jMSMwIQYDVQQLExpKYXZh" - + "IFNvZnR3YXJlIENvZGUgU2lnbmluZzEcMBoGA1UEAxMTSkNFIENvZGUgU2ln" - + "bmluZyBDQTAeFw0wMTA0MjUwNzAwMDBaFw0yMDA0MjUwNzAwMDBaMIGQMQsw" - + "CQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVBhbG8gQWx0bzEd" - + "MBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxIzAhBgNVBAsTGkphdmEg" - + "U29mdHdhcmUgQ29kZSBTaWduaW5nMRwwGgYDVQQDExNKQ0UgQ29kZSBTaWdu" - + "aW5nIENBMIIBtzCCASwGByqGSM44BAEwggEfAoGBAOuvNwQeylEeaV2w8o/2" - + "tUkfxqSZBdcpv3S3avUZ2B7kG/gKAZqY/3Cr4kpWhmxTs/zhyIGMMfDE87CL" - + "5nAG7PdpaNuDTHIpiSk2F1w7SgegIAIqRpdRHXDICBgLzgxum3b3BePn+9Nh" - + "eeFgmiSNBpWDPFEg4TDPOFeCphpyDc7TAhUAhCVF4bq5qWKreehbMLiJaxv/" - + "e3UCgYEAq8l0e3Tv7kK1alNNO92QBnJokQ8LpCl2LlU71a5NZVx+KjoEpmem" - + "0HGqpde34sFyDaTRqh6SVEwgAAmisAlBGTMAssNcrkL4sYvKfJbYEH83RFuq" - + "zHjI13J2N2tAmahVZvqoAx6LShECactMuCUGHKB30sms0j3pChD6dnC3+9wD" - + "gYQAAoGALQmYXKy4nMeZfu4gGSo0kPnXq6uu3WtylQ1m+O8nj0Sy7ShEx/6v" - + "sKYnbwBnRYJbB6hWVjvSKVFhXmk51y50dxLPGUr1LcjLcmHETm/6R0M/FLv6" - + "vBhmKMLZZot6LS/CYJJLFP5YPiF/aGK+bEhJ+aBLXoWdGRD5FUVRG3HU9wuj" - + "ZjBkMBEGCWCGSAGG+EIBAQQEAwIABzAPBgNVHRMBAf8EBTADAQH/MB8GA1Ud" - + "IwQYMBaAFGXi9IbJ007wkU5Yomr12HhamsGmMB0GA1UdDgQWBBRl4vSGydNO" - + "8JFOWKJq9dh4WprBpjALBgcqhkjOOAQDBQADLwAwLAIUKvfPPJdd+Xi2CNdB" - + "tNkNRUzktJwCFEXNdWkOIfod1rMpsun3Mx0z/fxJMYHoMIHlAgEBMIGWMIGQ" - + "MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVBhbG8gQWx0" - + "bzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxIzAhBgNVBAsTGkph" - + "dmEgU29mdHdhcmUgQ29kZSBTaWduaW5nMRwwGgYDVQQDExNKQ0UgQ29kZSBT" - + "aWduaW5nIENBAgEzMAkGBSsOAwIaBQAwCwYHKoZIzjgEAQUABC8wLQIVAIGV" - + "khm+kbV4a/+EP45PHcq0hIViAhR4M9os6IrJnoEDS3Y3l7O6zrSosA=="); - - private JcaX509CertSelectorConverter selectorConverter = new JcaX509CertSelectorConverter(); - - /* - * - * INFRASTRUCTURE - * - */ - - public SignedDataTest(String name) - { - super(name); - } - - public static void main(String args[]) - { - - junit.textui.TestRunner.run(SignedDataTest.class); - } - - public static Test suite() - throws Exception - { - init(); - - return new CMSTestSetup(new TestSuite(SignedDataTest.class)); - } - - private static void init() - throws Exception - { - if (!_initialised) - { - _initialised = true; - - _origDN = "O=Bouncy Castle, C=AU"; - _origKP = CMSTestUtil.makeKeyPair(); - _origCert = CMSTestUtil.makeCertificate(_origKP, _origDN, _origKP, _origDN); - - _signDN = "CN=Bob, OU=Sales, O=Bouncy Castle, C=AU"; - _signKP = CMSTestUtil.makeKeyPair(); - _signCert = CMSTestUtil.makeCertificate(_signKP, _signDN, _origKP, _origDN); - - _signGostKP = CMSTestUtil.makeGostKeyPair(); - _signGostCert = CMSTestUtil.makeCertificate(_signGostKP, _signDN, _origKP, _origDN); - - _signDsaKP = CMSTestUtil.makeDsaKeyPair(); - _signDsaCert = CMSTestUtil.makeCertificate(_signDsaKP, _signDN, _origKP, _origDN); - - _signEcDsaKP = CMSTestUtil.makeEcDsaKeyPair(); - _signEcDsaCert = CMSTestUtil.makeCertificate(_signEcDsaKP, _signDN, _origKP, _origDN); - - _signEcGostKP = CMSTestUtil.makeEcGostKeyPair(); - _signEcGostCert = CMSTestUtil.makeCertificate(_signEcGostKP, _signDN, _origKP, _origDN); - - _reciDN = "CN=Doug, OU=Sales, O=Bouncy Castle, C=AU"; - _reciKP = CMSTestUtil.makeKeyPair(); - _reciCert = CMSTestUtil.makeCertificate(_reciKP, _reciDN, _signKP, _signDN); - - _signCrl = CMSTestUtil.makeCrl(_signKP); - } - } - - private void verifySignatures(CMSSignedData s, byte[] contentDigest) - throws Exception - { - CertStore certStore = s.getCertificatesAndCRLs("Collection", BC); - SignerInformationStore signers = s.getSignerInfos(); - - Collection c = signers.getSigners(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certStore.getCertificates(selectorConverter.getCertSelector(signer.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertEquals(true, signer.verify(cert, BC)); - - if (contentDigest != null) - { - assertTrue(MessageDigest.isEqual(contentDigest, signer.getContentDigest())); - } - } - - Collection certColl = certStore.getCertificates(null); - Collection crlColl = certStore.getCRLs(null); - - assertEquals(certColl.size(), s.getCertificates("Collection", BC).getMatches(null).size()); - assertEquals(crlColl.size(), s.getCRLs("Collection", BC).getMatches(null).size()); - } - - private void verifySignatures(CMSSignedData s) - throws Exception - { - verifySignatures(s, null); - } - - public void testDetachedVerification() - throws Exception - { - byte[] data = "Hello World!".getBytes(); - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray(data); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_MD5); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData s = gen.generate(msg, BC); - - MessageDigest sha1 = MessageDigest.getInstance("SHA1", BC); - MessageDigest md5 = MessageDigest.getInstance("MD5", BC); - Map hashes = new HashMap(); - byte[] sha1Hash = sha1.digest(data); - byte[] md5Hash = md5.digest(data); - - hashes.put(CMSSignedDataGenerator.DIGEST_SHA1, sha1Hash); - hashes.put(CMSSignedDataGenerator.DIGEST_MD5, md5Hash); - - s = new CMSSignedData(hashes, s.getEncoded()); - - verifySignatures(s, null); - } - - public void testSHA1AndMD5WithRSAEncapsulatedRepeated() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello World!".getBytes()); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_MD5); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData s = gen.generate(msg, true, BC); - - ByteArrayInputStream bIn = new ByteArrayInputStream(s.getEncoded()); - ASN1InputStream aIn = new ASN1InputStream(bIn); - - s = new CMSSignedData(ContentInfo.getInstance(aIn.readObject())); - - certs = s.getCertificatesAndCRLs("Collection", BC); - - SignerInformationStore signers = s.getSignerInfos(); - - assertEquals(2, signers.size()); - - Collection c = signers.getSigners(); - Iterator it = c.iterator(); - SignerId sid = null; - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certs.getCertificates(selectorConverter.getCertSelector(signer.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - sid = signer.getSID(); - - assertEquals(true, signer.verify(cert, BC)); - - // - // check content digest - // - - byte[] contentDigest = (byte[])gen.getGeneratedDigests().get(signer.getDigestAlgOID()); - - AttributeTable table = signer.getSignedAttributes(); - Attribute hash = table.get(CMSAttributes.messageDigest); - - assertTrue(MessageDigest.isEqual(contentDigest, ((ASN1OctetString)hash.getAttrValues().getObjectAt(0)).getOctets())); - } - - c = signers.getSigners(sid); - - assertEquals(2, c.size()); - - - // - // try using existing signer - // - - gen = new CMSSignedDataGenerator(); - - gen.addSigners(s.getSignerInfos()); - - gen.addCertificatesAndCRLs(s.getCertificatesAndCRLs("Collection", BC)); - - s = gen.generate(msg, true, BC); - - bIn = new ByteArrayInputStream(s.getEncoded()); - aIn = new ASN1InputStream(bIn); - - s = new CMSSignedData(ContentInfo.getInstance(aIn.readObject())); - - certs = s.getCertificatesAndCRLs("Collection", BC); - - signers = s.getSignerInfos(); - c = signers.getSigners(); - it = c.iterator(); - - assertEquals(2, c.size()); - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certs.getCertificates(selectorConverter.getCertSelector(signer.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertEquals(true, signer.verify(cert, BC)); - } - - checkSignerStoreReplacement(s, signers); - } - - public void testSHA1WithRSANoAttributes() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello world!".getBytes()); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData s = gen.generate(CMSSignedDataGenerator.DATA, msg, false, BC, false); - - // - // compute expected content digest - // - MessageDigest md = MessageDigest.getInstance("SHA1", BC); - - verifySignatures(s, md.digest("Hello world!".getBytes())); - } - - public void testSHA1WithRSAViaConfig() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello world!".getBytes()); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - // set some bogus mappings. - CMSConfig.setSigningEncryptionAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption.getId(), "XXXX"); - CMSConfig.setSigningDigestAlgorithmMapping(OIWObjectIdentifiers.idSHA1.getId(), "YYYY"); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData s; - - try - { - // try the bogus mappings - s = gen.generate(CMSSignedDataGenerator.DATA, msg, false, BC, false); - } - catch (NoSuchAlgorithmException e) - { - if (!e.getMessage().startsWith("Unknown signature type requested: YYYYWITHXXXX")) - { - throw e; - } - } - finally - { - // reset to the real ones - CMSConfig.setSigningEncryptionAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption.getId(), "RSA"); - CMSConfig.setSigningDigestAlgorithmMapping(OIWObjectIdentifiers.idSHA1.getId(), "SHA1"); - } - - s = gen.generate(CMSSignedDataGenerator.DATA, msg, false, BC, false); - - // - // compute expected content digest - // - MessageDigest md = MessageDigest.getInstance("SHA1", BC); - - verifySignatures(s, md.digest("Hello world!".getBytes())); - } - - public void testSHA1WithRSAAndAttributeTable() - throws Exception - { - MessageDigest md = MessageDigest.getInstance("SHA1", BC); - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello world!".getBytes()); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - Attribute attr = new Attribute(CMSAttributes.messageDigest, - new DERSet( - new DEROctetString( - md.digest("Hello world!".getBytes())))); - - ASN1EncodableVector v = new ASN1EncodableVector(); - - v.add(attr); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1, new AttributeTable(v), null); - - gen.addCertificatesAndCRLs(certs); - - - CMSSignedData s = gen.generate(CMSSignedDataGenerator.DATA, null, false, BC); - - // - // the signature is detached, so need to add msg before passing on - // - s = new CMSSignedData(msg, s.getEncoded()); - // - // compute expected content digest - // - - verifySignatures(s, md.digest("Hello world!".getBytes())); - } - - public void testSHA1WithRSAEncapsulated() - throws Exception - { - encapsulatedTest(_signKP, _signCert, CMSSignedDataGenerator.DIGEST_SHA1); - } - - public void testSHA1WithRSAEncapsulatedSubjectKeyID() - throws Exception - { - subjectKeyIDTest(_signKP, _signCert, CMSSignedDataGenerator.DIGEST_SHA1); - } - - public void testSHA1WithRSAPSS() - throws Exception - { - rsaPSSTest("SHA1", CMSSignedDataGenerator.DIGEST_SHA1); - } - - public void testSHA224WithRSAPSS() - throws Exception - { - rsaPSSTest("SHA224", CMSSignedDataGenerator.DIGEST_SHA224); - } - - public void testSHA256WithRSAPSS() - throws Exception - { - rsaPSSTest("SHA256", CMSSignedDataGenerator.DIGEST_SHA256); - } - - public void testSHA384WithRSAPSS() - throws Exception - { - rsaPSSTest("SHA384", CMSSignedDataGenerator.DIGEST_SHA384); - } - - public void testSHA224WithRSAEncapsulated() - throws Exception - { - encapsulatedTest(_signKP, _signCert, CMSSignedDataGenerator.DIGEST_SHA224); - } - - public void testSHA256WithRSAEncapsulated() - throws Exception - { - encapsulatedTest(_signKP, _signCert, CMSSignedDataGenerator.DIGEST_SHA256); - } - - public void testRIPEMD128WithRSAEncapsulated() - throws Exception - { - encapsulatedTest(_signKP, _signCert, CMSSignedDataGenerator.DIGEST_RIPEMD128); - } - - public void testRIPEMD160WithRSAEncapsulated() - throws Exception - { - encapsulatedTest(_signKP, _signCert, CMSSignedDataGenerator.DIGEST_RIPEMD160); - } - - public void testRIPEMD256WithRSAEncapsulated() - throws Exception - { - encapsulatedTest(_signKP, _signCert, CMSSignedDataGenerator.DIGEST_RIPEMD256); - } - - public void testECDSAEncapsulated() - throws Exception - { - encapsulatedTest(_signEcDsaKP, _signEcDsaCert, CMSSignedDataGenerator.DIGEST_SHA1); - } - - public void testECDSAEncapsulatedSubjectKeyID() - throws Exception - { - subjectKeyIDTest(_signEcDsaKP, _signEcDsaCert, CMSSignedDataGenerator.DIGEST_SHA1); - } - - public void testECDSASHA224Encapsulated() - throws Exception - { - encapsulatedTest(_signEcDsaKP, _signEcDsaCert, CMSSignedDataGenerator.DIGEST_SHA224); - } - - public void testECDSASHA256Encapsulated() - throws Exception - { - encapsulatedTest(_signEcDsaKP, _signEcDsaCert, CMSSignedDataGenerator.DIGEST_SHA256); - } - - public void testECDSASHA384Encapsulated() - throws Exception - { - encapsulatedTest(_signEcDsaKP, _signEcDsaCert, CMSSignedDataGenerator.DIGEST_SHA384); - } - - public void testECDSASHA512Encapsulated() - throws Exception - { - encapsulatedTest(_signEcDsaKP, _signEcDsaCert, CMSSignedDataGenerator.DIGEST_SHA512); - } - - public void testECDSASHA512EncapsulatedWithKeyFactoryAsEC() - throws Exception - { - X509EncodedKeySpec pubSpec = new X509EncodedKeySpec(_signEcDsaKP.getPublic().getEncoded()); - PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(_signEcDsaKP.getPrivate().getEncoded()); - KeyFactory keyFact = KeyFactory.getInstance("EC", BC); - KeyPair kp = new KeyPair(keyFact.generatePublic(pubSpec), keyFact.generatePrivate(privSpec)); - - encapsulatedTest(kp, _signEcDsaCert, CMSSignedDataGenerator.DIGEST_SHA512); - } - - public void testDSAEncapsulated() - throws Exception - { - encapsulatedTest(_signDsaKP, _signDsaCert, CMSSignedDataGenerator.DIGEST_SHA1); - } - - public void testDSAEncapsulatedSubjectKeyID() - throws Exception - { - subjectKeyIDTest(_signDsaKP, _signDsaCert, CMSSignedDataGenerator.DIGEST_SHA1); - } - - public void testGOST3411WithGOST3410Encapsulated() - throws Exception - { - encapsulatedTest(_signGostKP, _signGostCert, CMSSignedDataGenerator.DIGEST_GOST3411); - } - - public void testGOST3411WithECGOST3410Encapsulated() - throws Exception - { - encapsulatedTest(_signEcGostKP, _signEcGostCert, CMSSignedDataGenerator.DIGEST_GOST3411); - } - - public void testSHA1WithRSACounterSignature() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello World!".getBytes()); - - certList.add(_signCert); - certList.add(_origCert); - - certList.add(_signCrl); - - CertStore certsAndCrls = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_signKP.getPrivate(), _signCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certsAndCrls); - - CMSSignedData s = gen.generate(msg, true, BC); - SignerInformation origSigner = (SignerInformation)s.getSignerInfos().getSigners().toArray()[0]; - SignerInformationStore counterSigners1 = gen.generateCounterSigners(origSigner, BC); - SignerInformationStore counterSigners2 = gen.generateCounterSigners(origSigner, BC); - - SignerInformation signer1 = SignerInformation.addCounterSigners(origSigner, counterSigners1); - SignerInformation signer2 = SignerInformation.addCounterSigners(signer1, counterSigners2); - - SignerInformationStore cs = signer2.getCounterSignatures(); - Collection csSigners = cs.getSigners(); - assertEquals(2, csSigners.size()); - - Iterator it = csSigners.iterator(); - while (it.hasNext()) - { - SignerInformation cSigner = (SignerInformation)it.next(); - Collection certCollection = certsAndCrls.getCertificates(selectorConverter.getCertSelector(cSigner.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertNull(cSigner.getSignedAttributes().get(PKCSObjectIdentifiers.pkcs_9_at_contentType)); - assertEquals(true, cSigner.verify(cert, BC)); - } - } - - private void rsaPSSTest(String digestName, String digestOID) - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello world!".getBytes()); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.ENCRYPTION_RSA_PSS, digestOID); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData s = gen.generate(CMSSignedDataGenerator.DATA, msg, false, BC, false); - - // - // compute expected content digest - // - MessageDigest md = MessageDigest.getInstance(digestName, BC); - - verifySignatures(s, md.digest("Hello world!".getBytes())); - } - - private void subjectKeyIDTest( - KeyPair signaturePair, - X509Certificate signatureCert, - String digestAlgorithm) - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello World!".getBytes()); - - certList.add(signatureCert); - certList.add(_origCert); - - certList.add(_signCrl); - - CertStore certsAndCrls = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(signaturePair.getPrivate(), CMSTestUtil.createSubjectKeyId(signatureCert.getPublicKey()).getKeyIdentifier(), digestAlgorithm); - - gen.addCertificatesAndCRLs(certsAndCrls); - - CMSSignedData s = gen.generate(msg, true, BC); - - assertEquals(3, s.getVersion()); - - ByteArrayInputStream bIn = new ByteArrayInputStream(s.getEncoded()); - ASN1InputStream aIn = new ASN1InputStream(bIn); - - s = new CMSSignedData(ContentInfo.getInstance(aIn.readObject())); - - certsAndCrls = s.getCertificatesAndCRLs("Collection", BC); - - SignerInformationStore signers = s.getSignerInfos(); - Collection c = signers.getSigners(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certsAndCrls.getCertificates(selectorConverter.getCertSelector(signer.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertEquals(true, signer.verify(cert, BC)); - } - - // - // check for CRLs - // - Collection crls = certsAndCrls.getCRLs(null); - - assertEquals(1, crls.size()); - - assertTrue(crls.contains(_signCrl)); - - // - // try using existing signer - // - - gen = new CMSSignedDataGenerator(); - - gen.addSigners(s.getSignerInfos()); - - gen.addCertificatesAndCRLs(s.getCertificatesAndCRLs("Collection", BC)); - - s = gen.generate(msg, true, BC); - - bIn = new ByteArrayInputStream(s.getEncoded()); - aIn = new ASN1InputStream(bIn); - - s = new CMSSignedData(ContentInfo.getInstance(aIn.readObject())); - - certsAndCrls = s.getCertificatesAndCRLs("Collection", BC); - - signers = s.getSignerInfos(); - c = signers.getSigners(); - it = c.iterator(); - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certsAndCrls.getCertificates(selectorConverter.getCertSelector(signer.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertEquals(true, signer.verify(cert, BC)); - } - - checkSignerStoreReplacement(s, signers); - } - - private void encapsulatedTest( - KeyPair signaturePair, - X509Certificate signatureCert, - String digestAlgorithm) - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello World!".getBytes()); - - certList.add(signatureCert); - certList.add(_origCert); - - certList.add(_signCrl); - - CertStore certsAndCrls = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(signaturePair.getPrivate(), signatureCert, digestAlgorithm); - - gen.addCertificatesAndCRLs(certsAndCrls); - - CMSSignedData s = gen.generate(msg, true, BC); - - ByteArrayInputStream bIn = new ByteArrayInputStream(s.getEncoded()); - ASN1InputStream aIn = new ASN1InputStream(bIn); - - s = new CMSSignedData(ContentInfo.getInstance(aIn.readObject())); - - certsAndCrls = s.getCertificatesAndCRLs("Collection", BC); - - SignerInformationStore signers = s.getSignerInfos(); - Collection c = signers.getSigners(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certsAndCrls.getCertificates(selectorConverter.getCertSelector(signer.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertEquals(true, signer.verify(cert, BC)); - } - - // - // check for CRLs - // - Collection crls = certsAndCrls.getCRLs(null); - - assertEquals(1, crls.size()); - - assertTrue(crls.contains(_signCrl)); - - // - // try using existing signer - // - - gen = new CMSSignedDataGenerator(); - - gen.addSigners(s.getSignerInfos()); - - gen.addCertificatesAndCRLs(s.getCertificatesAndCRLs("Collection", BC)); - - s = gen.generate(msg, true, BC); - - bIn = new ByteArrayInputStream(s.getEncoded()); - aIn = new ASN1InputStream(bIn); - - s = new CMSSignedData(ContentInfo.getInstance(aIn.readObject())); - - certsAndCrls = s.getCertificatesAndCRLs("Collection", BC); - - signers = s.getSignerInfos(); - c = signers.getSigners(); - it = c.iterator(); - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certsAndCrls.getCertificates(selectorConverter.getCertSelector(signer.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertEquals(true, signer.verify(cert, BC)); - } - - checkSignerStoreReplacement(s, signers); - } - - // - // signerInformation store replacement test. - // - private void checkSignerStoreReplacement( - CMSSignedData orig, - SignerInformationStore signers) - throws Exception - { - CMSSignedData s = CMSSignedData.replaceSigners(orig, signers); - - CertStore certs = s.getCertificatesAndCRLs("Collection", BC); - - signers = s.getSignerInfos(); - Collection c = signers.getSigners(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certs.getCertificates(selectorConverter.getCertSelector(signer.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertEquals(true, signer.verify(cert, BC)); - } - } - - public void testUnsortedAttributes() - throws Exception - { - CMSSignedData s = new CMSSignedData(new CMSProcessableByteArray(disorderedMessage), disorderedSet); - - CertStore certs = s.getCertificatesAndCRLs("Collection", BC); - - SignerInformationStore signers = s.getSignerInfos(); - Collection c = signers.getSigners(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certs.getCertificates(selectorConverter.getCertSelector(signer.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertEquals(true, signer.verify(cert, BC)); - } - } - - public void testNullContentWithSigner() - throws Exception - { - List certList = new ArrayList(); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData s = gen.generate(null, false, BC); - - ByteArrayInputStream bIn = new ByteArrayInputStream(s.getEncoded()); - ASN1InputStream aIn = new ASN1InputStream(bIn); - - s = new CMSSignedData(ContentInfo.getInstance(aIn.readObject())); - - verifySignatures(s); - } - - public void testWithAttributeCertificate() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello World!".getBytes()); - - - certList.add(_signDsaCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certs); - - X509AttributeCertificate attrCert = CMSTestUtil.getAttributeCertificate(); - - X509Store store = X509Store.getInstance("AttributeCertificate/Collection", - new X509CollectionStoreParameters(Collections.singleton(attrCert)), BC); - - gen.addAttributeCertificates(store); - - CMSSignedData sd = gen.generate(msg, BC); - - assertEquals(4, sd.getVersion()); - - store = sd.getAttributeCertificates("Collection", BC); - - Collection coll = store.getMatches(null); - - assertEquals(1, coll.size()); - - assertTrue(coll.contains(attrCert)); - - // - // create new certstore - // - certList = new ArrayList(); - certList.add(_origCert); - certList.add(_signCert); - - certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - - // - // replace certs - // - sd = CMSSignedData.replaceCertificatesAndCRLs(sd, certs); - - verifySignatures(sd); - } - - public void testCertStoreReplacement() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello World!".getBytes()); - - - certList.add(_signDsaCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData sd = gen.generate(msg, BC); - - // - // create new certstore - // - certList = new ArrayList(); - certList.add(_origCert); - certList.add(_signCert); - - certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - // - // replace certs - // - sd = CMSSignedData.replaceCertificatesAndCRLs(sd, certs); - - verifySignatures(sd); - } - - public void testEncapsulatedCertStoreReplacement() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello World!".getBytes()); - - - certList.add(_signDsaCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData sd = gen.generate(msg, true, BC); - - // - // create new certstore - // - certList = new ArrayList(); - certList.add(_origCert); - certList.add(_signCert); - - certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - // - // replace certs - // - sd = CMSSignedData.replaceCertificatesAndCRLs(sd, certs); - - verifySignatures(sd); - } - - public void testCertOrdering1() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello World!".getBytes()); - - certList.add(_origCert); - certList.add(_signCert); - certList.add(_signDsaCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData sd = gen.generate(msg, true, BC); - - certs = sd.getCertificatesAndCRLs("Collection", BC); - Iterator it = certs.getCertificates(null).iterator(); - - assertEquals(_origCert, it.next()); - assertEquals(_signCert, it.next()); - assertEquals(_signDsaCert, it.next()); - } - - public void testCertOrdering2() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello World!".getBytes()); - - certList.add(_signCert); - certList.add(_signDsaCert); - certList.add(_origCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData sd = gen.generate(msg, true, BC); - - certs = sd.getCertificatesAndCRLs("Collection", BC); - Iterator it = certs.getCertificates(null).iterator(); - - assertEquals(_signCert, it.next()); - assertEquals(_signDsaCert, it.next()); - assertEquals(_origCert, it.next()); - } - - public void testSignerStoreReplacement() - throws Exception - { - List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray("Hello World!".getBytes()); - - certList.add(_origCert); - certList.add(_signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), BC); - - CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA1); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData original = gen.generate(msg, true, BC); - - // - // create new Signer - // - gen = new CMSSignedDataGenerator(); - - gen.addSigner(_origKP.getPrivate(), _origCert, CMSSignedDataGenerator.DIGEST_SHA224); - - gen.addCertificatesAndCRLs(certs); - - CMSSignedData newSD = gen.generate(msg, true, BC); - - // - // replace signer - // - CMSSignedData sd = CMSSignedData.replaceSigners(original, newSD.getSignerInfos()); - - SignerInformation signer = (SignerInformation)sd.getSignerInfos().getSigners().iterator().next(); - - assertEquals(CMSSignedDataGenerator.DIGEST_SHA224, signer.getDigestAlgOID()); - - // we use a parser here as it requires the digests to be correct in the digest set, if it - // isn't we'll get a NullPointerException - CMSSignedDataParser sp = new CMSSignedDataParser(sd.getEncoded()); - - sp.getSignedContent().drain(); - - verifySignatures(sp); - } - - public void testEncapsulatedSamples() - throws Exception - { - testSample("PSSSignDataSHA1Enc.sig"); - testSample("PSSSignDataSHA256Enc.sig"); - testSample("PSSSignDataSHA512Enc.sig"); - } - - public void testSamples() - throws Exception - { - testSample("PSSSignData.data", "PSSSignDataSHA1.sig"); - testSample("PSSSignData.data", "PSSSignDataSHA256.sig"); - testSample("PSSSignData.data", "PSSSignDataSHA512.sig"); - } - - public void testCounterSig() - throws Exception - { - CMSSignedData sig = new CMSSignedData(getInput("counterSig.p7m")); - - SignerInformationStore ss = sig.getSignerInfos(); - Collection signers = ss.getSigners(); - - SignerInformationStore cs = ((SignerInformation)signers.iterator().next()).getCounterSignatures(); - Collection csSigners = cs.getSigners(); - assertEquals(1, csSigners.size()); - - Iterator it = csSigners.iterator(); - while (it.hasNext()) - { - SignerInformation cSigner = (SignerInformation)it.next(); - Collection certCollection = sig.getCertificatesAndCRLs("Collection", BC).getCertificates(selectorConverter.getCertSelector(cSigner.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertNull(cSigner.getSignedAttributes().get(PKCSObjectIdentifiers.pkcs_9_at_contentType)); - assertEquals(true, cSigner.verify(cert, BC)); - } - - verifySignatures(sig); - } - - private void testSample(String sigName) - throws Exception - { - CMSSignedData sig = new CMSSignedData(getInput(sigName)); - - verifySignatures(sig); - } - - private void testSample(String messageName, String sigName) - throws Exception - { - CMSSignedData sig = new CMSSignedData(new CMSProcessableByteArray(getInput(messageName)), getInput(sigName)); - - verifySignatures(sig); - } - - private byte[] getInput(String name) - throws IOException - { - return Streams.readAll(getClass().getResourceAsStream(name)); - } - - public void testForMultipleCounterSignatures() - throws Exception - { - CMSSignedData sd = new CMSSignedData(xtraCounterSig); - - for (Iterator sI = sd.getSignerInfos().getSigners().iterator(); sI.hasNext();) - { - SignerInformation sigI = (SignerInformation)sI.next(); - - SignerInformationStore counter = sigI.getCounterSignatures(); - List sigs = new ArrayList(counter.getSigners()); - - assertEquals(2, sigs.size()); - } - } - - private void verifySignatures(CMSSignedDataParser sp) - throws Exception - { - CertStore certs = sp.getCertificatesAndCRLs("Collection", BC); - SignerInformationStore signers = sp.getSignerInfos(); - - Collection c = signers.getSigners(); - Iterator it = c.iterator(); - - while (it.hasNext()) - { - SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certs.getCertificates(selectorConverter.getCertSelector(signer.getSID())); - - Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); - - assertEquals(true, signer.verify(cert, BC)); - } - } -} diff --git a/bcpkix/src/main/java/org/bouncycastle/cms/test/SunProviderTest.java b/bcpkix/src/main/java/org/bouncycastle/cms/test/SunProviderTest.java index 9412b99..3ec8c5a 100644 --- a/bcpkix/src/main/java/org/bouncycastle/cms/test/SunProviderTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/cms/test/SunProviderTest.java @@ -14,8 +14,6 @@ import java.security.NoSuchProviderException; import java.security.PrivateKey; import java.security.PublicKey; import java.security.SecureRandom; -import java.security.cert.CertStore; -import java.security.cert.CollectionCertStoreParameters; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; @@ -28,23 +26,37 @@ import junit.framework.Test; import junit.framework.TestCase; import junit.framework.TestSuite; import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.cms.ContentInfo; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.x509.X509Name; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; import org.bouncycastle.cms.CMSEnvelopedData; import org.bouncycastle.cms.CMSEnvelopedDataGenerator; -import org.bouncycastle.cms.CMSProcessable; import org.bouncycastle.cms.CMSProcessableByteArray; import org.bouncycastle.cms.CMSSignedData; import org.bouncycastle.cms.CMSSignedDataGenerator; import org.bouncycastle.cms.CMSSignedDataParser; import org.bouncycastle.cms.CMSSignedDataStreamGenerator; +import org.bouncycastle.cms.CMSTypedData; import org.bouncycastle.cms.CMSTypedStream; import org.bouncycastle.cms.RecipientInformation; import org.bouncycastle.cms.RecipientInformationStore; import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.cms.SignerInformationStore; +import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder; +import org.bouncycastle.cms.jcajce.JcaSignerInfoVerifierBuilder; +import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; import org.bouncycastle.cms.jcajce.JcaX509CertSelectorConverter; +import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder; +import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient; +import org.bouncycastle.cms.jcajce.JceKeyTransRecipientInfoGenerator; +import org.bouncycastle.operator.DigestCalculatorProvider; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; +import org.bouncycastle.util.CollectionStore; +import org.bouncycastle.util.Store; import org.bouncycastle.x509.X509V3CertificateGenerator; public class SunProviderTest @@ -73,27 +85,26 @@ public class SunProviderTest throws Exception { List certList = new ArrayList(); - CMSProcessable msg = new CMSProcessableByteArray(TEST_MESSAGE.getBytes()); + CMSTypedData msg = new CMSProcessableByteArray(TEST_MESSAGE.getBytes()); - certList.add(keyCert); + certList.add(new X509CertificateHolder(keyCert.getEncoded())); - CertStore certsAndCrls = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), "SUN"); + DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().build(); CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); - gen.addSigner(keyPair.getPrivate(), keyCert, CMSSignedDataGenerator.DIGEST_SHA1); + gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(digCalcProv).build(new JcaContentSignerBuilder("SHA1withRSA").setProvider("SunRsaSign").build(keyPair.getPrivate()), keyCert)); - gen.addCertificatesAndCRLs(certsAndCrls); + gen.addCertificates(new CollectionStore(certList)); - CMSSignedData s = gen.generate(msg, true, "SunRsaSign"); + CMSSignedData s = gen.generate(msg, true); ByteArrayInputStream bIn = new ByteArrayInputStream(s.getEncoded()); ASN1InputStream aIn = new ASN1InputStream(bIn); s = new CMSSignedData(ContentInfo.getInstance(aIn.readObject())); - certsAndCrls = s.getCertificatesAndCRLs("Collection", "SUN"); + Store certsAndCrls = s.getCertificates(); SignerInformationStore signers = s.getSignerInfos(); Collection c = signers.getSigners(); @@ -102,12 +113,12 @@ public class SunProviderTest while (it.hasNext()) { SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certsAndCrls.getCertificates(selectorConverter.getCertSelector(signer.getSID())); + Collection certCollection = certsAndCrls.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); + X509Certificate cert = new JcaX509CertificateConverter().getCertificate((X509CertificateHolder)certIt.next()); - assertEquals(true, signer.verify(cert, "SunRsaSign")); + assertEquals(true, signer.verify(new JcaSignerInfoVerifierBuilder(new JcaDigestCalculatorProviderBuilder().build()).setProvider("SunRsaSign").build(cert))); } } @@ -117,16 +128,15 @@ public class SunProviderTest List certList = new ArrayList(); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - certList.add(keyCert); + certList.add(new X509CertificateHolder(keyCert.getEncoded())); - CertStore certsAndCrls = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), "SUN"); + DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().build(); CMSSignedDataStreamGenerator gen = new CMSSignedDataStreamGenerator(); - gen.addSigner(keyPair.getPrivate(), keyCert, CMSSignedDataStreamGenerator.DIGEST_SHA1, "SunRsaSign"); + gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(digCalcProv).build(new JcaContentSignerBuilder("SHA1withRSA").setProvider("SunRsaSign").build(keyPair.getPrivate()), keyCert)); - gen.addCertificatesAndCRLs(certsAndCrls); + gen.addCertificates(new CollectionStore(certList)); OutputStream sigOut = gen.open(bOut); @@ -134,7 +144,7 @@ public class SunProviderTest sigOut.close(); - CMSSignedDataParser sp = new CMSSignedDataParser( + CMSSignedDataParser sp = new CMSSignedDataParser(digCalcProv, new CMSTypedStream(new ByteArrayInputStream(TEST_MESSAGE.getBytes())), bOut.toByteArray()); sp.getSignedContent().drain(); @@ -145,7 +155,7 @@ public class SunProviderTest MessageDigest md = MessageDigest.getInstance("SHA1", "SUN"); byte[] contentDigest = md.digest(TEST_MESSAGE.getBytes()); - CertStore certStore = sp.getCertificatesAndCRLs("Collection", "SUN"); + Store certStore = sp.getCertificates(); SignerInformationStore signers = sp.getSignerInfos(); Collection c = signers.getSigners(); @@ -154,12 +164,12 @@ public class SunProviderTest while (it.hasNext()) { SignerInformation signer = (SignerInformation)it.next(); - Collection certCollection = certStore.getCertificates(selectorConverter.getCertSelector(signer.getSID())); + Collection certCollection = certStore.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); - X509Certificate cert = (X509Certificate)certIt.next(); + X509CertificateHolder cert = (X509CertificateHolder)certIt.next(); - assertEquals(true, signer.verify(cert, "SunRsaSign")); + assertEquals(true, signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("SunRsaSign").build(new JcaX509CertificateConverter().getCertificate(cert)))); if (contentDigest != null) { @@ -199,11 +209,11 @@ public class SunProviderTest CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator(); - edGen.addKeyTransRecipient(keyCert); + edGen.addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(keyCert).setProvider("SunJCE")); CMSEnvelopedData ed = edGen.generate( new CMSProcessableByteArray(data), - algorithm, "SunJCE"); + new JceCMSContentEncryptorBuilder(new ASN1ObjectIdentifier(algorithm)).setProvider("SunJCE").build()); RecipientInformationStore recipients = ed.getRecipientInfos(); @@ -222,7 +232,7 @@ public class SunProviderTest assertEquals(recipient.getKeyEncryptionAlgOID(), PKCSObjectIdentifiers.rsaEncryption.getId()); - byte[] recData = recipient.getContent(keyPair.getPrivate(), "SunJCE"); + byte[] recData = recipient.getContent(new JceKeyTransEnvelopedRecipient(keyPair.getPrivate()).setProvider("SunJCE")); assertEquals(true, Arrays.equals(data, recData)); } diff --git a/bcpkix/src/main/java/org/bouncycastle/dvcs/package.html b/bcpkix/src/main/java/org/bouncycastle/dvcs/package.html deleted file mode 100644 index aecbd70..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/dvcs/package.html +++ /dev/null @@ -1,5 +0,0 @@ -<html> -<body bgcolor="#ffffff"> -Classes for dealing "Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols" - RFC 3029. -</body> -</html> diff --git a/bcpkix/src/main/java/org/bouncycastle/eac/package.html b/bcpkix/src/main/java/org/bouncycastle/eac/package.html deleted file mode 100644 index 97c41fa..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/eac/package.html +++ /dev/null @@ -1,5 +0,0 @@ -<html> -<body bgcolor="#ffffff"> -Base classes Extended Access Control (EAC) Certificates as described in "Technical Guideline, Advanced Security Mechanisms for Machine Readable Travel Documents, Extended Access Control (EAC), Version 1.0.1, BSI 2006". -</body> -</html> diff --git a/bcpkix/src/main/java/org/bouncycastle/mozilla/package.html b/bcpkix/src/main/java/org/bouncycastle/mozilla/package.html deleted file mode 100644 index dd2203e..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/mozilla/package.html +++ /dev/null @@ -1,5 +0,0 @@ -<html> -<body bgcolor="#ffffff"> -Support class for mozilla signed public key and challenge. -</body> -</html> diff --git a/bcpkix/src/main/java/org/bouncycastle/openssl/PEMReader.java b/bcpkix/src/main/java/org/bouncycastle/openssl/PEMReader.java deleted file mode 100644 index b11ae12..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/openssl/PEMReader.java +++ /dev/null @@ -1,1023 +0,0 @@ -package org.bouncycastle.openssl; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.Reader; -import java.security.AlgorithmParameters; -import java.security.Key; -import java.security.KeyFactory; -import java.security.KeyPair; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.Provider; -import java.security.PublicKey; -import java.security.Security; -import java.security.cert.CertificateFactory; -import java.security.spec.AlgorithmParameterSpec; -import java.security.spec.DSAPrivateKeySpec; -import java.security.spec.DSAPublicKeySpec; -import java.security.spec.InvalidKeySpecException; -import java.security.spec.KeySpec; -import java.security.spec.PKCS8EncodedKeySpec; -import java.security.spec.RSAPrivateCrtKeySpec; -import java.security.spec.RSAPublicKeySpec; -import java.security.spec.X509EncodedKeySpec; -import java.util.HashMap; -import java.util.Iterator; -import java.util.List; -import java.util.Map; -import java.util.StringTokenizer; - -import javax.crypto.Cipher; -import javax.crypto.SecretKey; -import javax.crypto.SecretKeyFactory; -import javax.crypto.spec.IvParameterSpec; -import javax.crypto.spec.PBEKeySpec; -import javax.crypto.spec.PBEParameterSpec; -import javax.crypto.spec.RC2ParameterSpec; -import javax.crypto.spec.SecretKeySpec; - -import org.bouncycastle.asn1.ASN1InputStream; -import org.bouncycastle.asn1.ASN1Primitive; -import org.bouncycastle.asn1.ASN1Sequence; -import org.bouncycastle.asn1.DERInteger; -import org.bouncycastle.asn1.DERObjectIdentifier; -import org.bouncycastle.asn1.cms.ContentInfo; -import org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo; -import org.bouncycastle.asn1.pkcs.EncryptionScheme; -import org.bouncycastle.asn1.pkcs.KeyDerivationFunc; -import org.bouncycastle.asn1.pkcs.PBEParameter; -import org.bouncycastle.asn1.pkcs.PBES2Parameters; -import org.bouncycastle.asn1.pkcs.PBKDF2Params; -import org.bouncycastle.asn1.pkcs.PKCS12PBEParams; -import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; -import org.bouncycastle.asn1.pkcs.RSAPublicKey; -import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; -import org.bouncycastle.crypto.PBEParametersGenerator; -import org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator; -import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator; -import org.bouncycastle.crypto.params.KeyParameter; -import org.bouncycastle.jce.ECNamedCurveTable; -import org.bouncycastle.jce.PKCS10CertificationRequest; -import org.bouncycastle.util.encoders.Hex; -import org.bouncycastle.util.io.pem.PemHeader; -import org.bouncycastle.util.io.pem.PemObject; -import org.bouncycastle.util.io.pem.PemObjectParser; -import org.bouncycastle.util.io.pem.PemReader; -import org.bouncycastle.x509.X509V2AttributeCertificate; - -/** - * Class for reading OpenSSL PEM encoded streams containing - * X509 certificates, PKCS8 encoded keys and PKCS7 objects. - * <p> - * In the case of PKCS7 objects the reader will return a CMS ContentInfo object. Keys and - * Certificates will be returned using the appropriate java.security type (KeyPair, PublicKey, X509Certificate, - * or X509CRL). In the case of a Certificate Request a PKCS10CertificationRequest will be returned. - * </p> - * - * @deprecated use PEMParser - */ -public class PEMReader - extends PemReader -{ - private final Map parsers = new HashMap(); - - private PasswordFinder pFinder; - - - /** - * Create a new PEMReader - * - * @param reader the Reader - * @deprecated use PEMParser - */ - public PEMReader( - Reader reader) - { - this(reader, null, "BC"); - } - - /** - * Create a new PEMReader with a password finder - * - * @param reader the Reader - * @param pFinder the password finder - * @deprecated use PEMParser - */ - public PEMReader( - Reader reader, - PasswordFinder pFinder) - { - this(reader, pFinder, "BC"); - } - - /** - * Create a new PEMReader with a password finder - * - * @param reader the Reader - * @param pFinder the password finder - * @param provider the cryptography provider to use - * @deprecated use PEMParser - */ - public PEMReader( - Reader reader, - PasswordFinder pFinder, - String provider) - { - this(reader, pFinder, provider, provider); - } - - /** - * Create a new PEMReader with a password finder and differing providers for secret and public key - * operations. - * - * @param reader the Reader - * @param pFinder the password finder - * @param symProvider provider to use for symmetric operations - * @param asymProvider provider to use for asymmetric (public/private key) operations - * @deprecated use PEMParser - */ - public PEMReader( - Reader reader, - PasswordFinder pFinder, - String symProvider, - String asymProvider) - { - super(reader); - - this.pFinder = pFinder; - - parsers.put("CERTIFICATE REQUEST", new PKCS10CertificationRequestParser()); - parsers.put("NEW CERTIFICATE REQUEST", new PKCS10CertificationRequestParser()); - parsers.put("CERTIFICATE", new X509CertificateParser(asymProvider)); - parsers.put("X509 CERTIFICATE", new X509CertificateParser(asymProvider)); - parsers.put("X509 CRL", new X509CRLParser(asymProvider)); - parsers.put("PKCS7", new PKCS7Parser()); - parsers.put("ATTRIBUTE CERTIFICATE", new X509AttributeCertificateParser()); - parsers.put("EC PARAMETERS", new ECNamedCurveSpecParser()); - parsers.put("PUBLIC KEY", new PublicKeyParser(asymProvider)); - parsers.put("RSA PUBLIC KEY", new RSAPublicKeyParser(asymProvider)); - parsers.put("RSA PRIVATE KEY", new RSAKeyPairParser(symProvider, asymProvider)); - parsers.put("DSA PRIVATE KEY", new DSAKeyPairParser(symProvider, asymProvider)); - parsers.put("EC PRIVATE KEY", new ECDSAKeyPairParser(symProvider, asymProvider)); - parsers.put("ENCRYPTED PRIVATE KEY", new EncryptedPrivateKeyParser(symProvider, asymProvider)); - parsers.put("PRIVATE KEY", new PrivateKeyParser(asymProvider)); - } - - public Object readObject() - throws IOException - { - PemObject obj = readPemObject(); - - if (obj != null) - { - String type = obj.getType(); - if (parsers.containsKey(type)) - { - return ((PemObjectParser)parsers.get(type)).parseObject(obj); - } - else - { - throw new IOException("unrecognised object: " + type); - } - } - - return null; - } - - private abstract class KeyPairParser - implements PemObjectParser - { - protected String symProvider; - - public KeyPairParser(String symProvider) - { - this.symProvider = symProvider; - } - - /** - * Read a Key Pair - */ - protected ASN1Sequence readKeyPair( - PemObject obj) - throws IOException - { - boolean isEncrypted = false; - String dekInfo = null; - List headers = obj.getHeaders(); - - for (Iterator it = headers.iterator(); it.hasNext(); ) - { - PemHeader hdr = (PemHeader)it.next(); - - if (hdr.getName().equals("Proc-Type") && hdr.getValue().equals("4,ENCRYPTED")) - { - isEncrypted = true; - } - else if (hdr.getName().equals("DEK-Info")) - { - dekInfo = hdr.getValue(); - } - } - - // - // extract the key - // - byte[] keyBytes = obj.getContent(); - - if (isEncrypted) - { - if (pFinder == null) - { - throw new PasswordException("No password finder specified, but a password is required"); - } - - char[] password = pFinder.getPassword(); - - if (password == null) - { - throw new PasswordException("Password is null, but a password is required"); - } - - StringTokenizer tknz = new StringTokenizer(dekInfo, ","); - String dekAlgName = tknz.nextToken(); - byte[] iv = Hex.decode(tknz.nextToken()); - - keyBytes = crypt(false, symProvider, keyBytes, password, dekAlgName, iv); - } - - try - { - return ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(keyBytes)); - } - catch (IOException e) - { - if (isEncrypted) - { - throw new PEMException("exception decoding - please check password and data.", e); - } - else - { - throw new PEMException(e.getMessage(), e); - } - } - catch (IllegalArgumentException e) - { - if (isEncrypted) - { - throw new PEMException("exception decoding - please check password and data.", e); - } - else - { - throw new PEMException(e.getMessage(), e); - } - } - } - } - - private class DSAKeyPairParser - extends KeyPairParser - { - private String asymProvider; - - public DSAKeyPairParser(String symProvider, String asymProvider) - { - super(symProvider); - - this.asymProvider = asymProvider; - } - - public Object parseObject(PemObject obj) - throws IOException - { - try - { - ASN1Sequence seq = readKeyPair(obj); - - if (seq.size() != 6) - { - throw new PEMException("malformed sequence in DSA private key"); - } - - // DERInteger v = (DERInteger)seq.getObjectAt(0); - DERInteger p = (DERInteger)seq.getObjectAt(1); - DERInteger q = (DERInteger)seq.getObjectAt(2); - DERInteger g = (DERInteger)seq.getObjectAt(3); - DERInteger y = (DERInteger)seq.getObjectAt(4); - DERInteger x = (DERInteger)seq.getObjectAt(5); - - DSAPrivateKeySpec privSpec = new DSAPrivateKeySpec( - x.getValue(), p.getValue(), - q.getValue(), g.getValue()); - DSAPublicKeySpec pubSpec = new DSAPublicKeySpec( - y.getValue(), p.getValue(), - q.getValue(), g.getValue()); - - KeyFactory fact = KeyFactory.getInstance("DSA", asymProvider); - - return new KeyPair( - fact.generatePublic(pubSpec), - fact.generatePrivate(privSpec)); - } - catch (IOException e) - { - throw e; - } - catch (Exception e) - { - throw new PEMException( - "problem creating DSA private key: " + e.toString(), e); - } - } - } - - private class ECDSAKeyPairParser - extends KeyPairParser - { - private String asymProvider; - - public ECDSAKeyPairParser(String symProvider, String asymProvider) - { - super(symProvider); - - this.asymProvider = asymProvider; - } - - public Object parseObject(PemObject obj) - throws IOException - { - try - { - ASN1Sequence seq = readKeyPair(obj); - - org.bouncycastle.asn1.sec.ECPrivateKey pKey = org.bouncycastle.asn1.sec.ECPrivateKey.getInstance(seq); - AlgorithmIdentifier algId = new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, pKey.getParameters()); - PrivateKeyInfo privInfo = new PrivateKeyInfo(algId, pKey); - SubjectPublicKeyInfo pubInfo = new SubjectPublicKeyInfo(algId, pKey.getPublicKey().getBytes()); - - PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(privInfo.getEncoded()); - X509EncodedKeySpec pubSpec = new X509EncodedKeySpec(pubInfo.getEncoded()); - - - KeyFactory fact = KeyFactory.getInstance("ECDSA", asymProvider); - - - return new KeyPair( - fact.generatePublic(pubSpec), - fact.generatePrivate(privSpec)); - } - catch (IOException e) - { - throw e; - } - catch (Exception e) - { - throw new PEMException( - "problem creating EC private key: " + e.toString(), e); - } - } - } - - private class RSAKeyPairParser - extends KeyPairParser - { - private String asymProvider; - - public RSAKeyPairParser(String symProvider, String asymProvider) - { - super(symProvider); - - this.asymProvider = asymProvider; - } - - public Object parseObject(PemObject obj) - throws IOException - { - try - { - ASN1Sequence seq = readKeyPair(obj); - - if (seq.size() != 9) - { - throw new PEMException("malformed sequence in RSA private key"); - } - - org.bouncycastle.asn1.pkcs.RSAPrivateKey keyStruct = org.bouncycastle.asn1.pkcs.RSAPrivateKey.getInstance(seq); - - RSAPublicKeySpec pubSpec = new RSAPublicKeySpec( - keyStruct.getModulus(), keyStruct.getPublicExponent()); - RSAPrivateCrtKeySpec privSpec = new RSAPrivateCrtKeySpec( - keyStruct.getModulus(), keyStruct.getPublicExponent(), keyStruct.getPrivateExponent(), - keyStruct.getPrime1(), keyStruct.getPrime2(), - keyStruct.getExponent1(), keyStruct.getExponent2(), - keyStruct.getCoefficient()); - - KeyFactory fact = KeyFactory.getInstance("RSA", asymProvider); - - return new KeyPair( - fact.generatePublic(pubSpec), - fact.generatePrivate(privSpec)); - } - catch (IOException e) - { - throw e; - } - catch (Exception e) - { - throw new PEMException( - "problem creating RSA private key: " + e.toString(), e); - } - } - } - - private class PublicKeyParser - implements PemObjectParser - { - private String provider; - - public PublicKeyParser(String provider) - { - this.provider = provider; - } - - public Object parseObject(PemObject obj) - throws IOException - { - KeySpec keySpec = new X509EncodedKeySpec(obj.getContent()); - String[] algorithms = {"DSA", "RSA"}; - for (int i = 0; i < algorithms.length; i++) - { - try - { - KeyFactory keyFact = KeyFactory.getInstance(algorithms[i], provider); - PublicKey pubKey = keyFact.generatePublic(keySpec); - - return pubKey; - } - catch (NoSuchAlgorithmException e) - { - // ignore - } - catch (InvalidKeySpecException e) - { - // ignore - } - catch (NoSuchProviderException e) - { - throw new RuntimeException("can't find provider " + provider); - } - } - - return null; - } - } - - private class RSAPublicKeyParser - implements PemObjectParser - { - private String provider; - - public RSAPublicKeyParser(String provider) - { - this.provider = provider; - } - - public Object parseObject(PemObject obj) - throws IOException - { - try - { - ASN1InputStream ais = new ASN1InputStream(obj.getContent()); - Object asnObject = ais.readObject(); - ASN1Sequence sequence = (ASN1Sequence)asnObject; - RSAPublicKey rsaPubStructure = RSAPublicKey.getInstance(sequence); - RSAPublicKeySpec keySpec = new RSAPublicKeySpec( - rsaPubStructure.getModulus(), - rsaPubStructure.getPublicExponent()); - - - KeyFactory keyFact = KeyFactory.getInstance("RSA", provider); - - return keyFact.generatePublic(keySpec); - } - catch (IOException e) - { - throw e; - } - catch (NoSuchProviderException e) - { - throw new IOException("can't find provider " + provider); - } - catch (Exception e) - { - throw new PEMException("problem extracting key: " + e.toString(), e); - } - } - } - - private class X509CertificateParser - implements PemObjectParser - { - private String provider; - - public X509CertificateParser(String provider) - { - this.provider = provider; - } - - /** - * Reads in a X509Certificate. - * - * @return the X509Certificate - * @throws IOException if an I/O error occured - */ - public Object parseObject(PemObject obj) - throws IOException - { - ByteArrayInputStream bIn = new ByteArrayInputStream(obj.getContent()); - - try - { - CertificateFactory certFact - = CertificateFactory.getInstance("X.509", provider); - - return certFact.generateCertificate(bIn); - } - catch (Exception e) - { - throw new PEMException("problem parsing cert: " + e.toString(), e); - } - } - } - - private class X509CRLParser - implements PemObjectParser - { - private String provider; - - public X509CRLParser(String provider) - { - this.provider = provider; - } - - /** - * Reads in a X509CRL. - * - * @return the X509Certificate - * @throws IOException if an I/O error occured - */ - public Object parseObject(PemObject obj) - throws IOException - { - ByteArrayInputStream bIn = new ByteArrayInputStream(obj.getContent()); - - try - { - CertificateFactory certFact - = CertificateFactory.getInstance("X.509", provider); - - return certFact.generateCRL(bIn); - } - catch (Exception e) - { - throw new PEMException("problem parsing cert: " + e.toString(), e); - } - } - } - - private class PKCS10CertificationRequestParser - implements PemObjectParser - { - /** - * Reads in a PKCS10 certification request. - * - * @return the certificate request. - * @throws IOException if an I/O error occured - */ - public Object parseObject(PemObject obj) - throws IOException - { - try - { - return new PKCS10CertificationRequest(obj.getContent()); - } - catch (Exception e) - { - throw new PEMException("problem parsing certrequest: " + e.toString(), e); - } - } - } - - private class PKCS7Parser - implements PemObjectParser - { - /** - * Reads in a PKCS7 object. This returns a ContentInfo object suitable for use with the CMS - * API. - * - * @return the X509Certificate - * @throws IOException if an I/O error occured - */ - public Object parseObject(PemObject obj) - throws IOException - { - try - { - ASN1InputStream aIn = new ASN1InputStream(obj.getContent()); - - return ContentInfo.getInstance(aIn.readObject()); - } - catch (Exception e) - { - throw new PEMException("problem parsing PKCS7 object: " + e.toString(), e); - } - } - } - - private class X509AttributeCertificateParser - implements PemObjectParser - { - public Object parseObject(PemObject obj) - throws IOException - { - return new X509V2AttributeCertificate(obj.getContent()); - } - } - - private class ECNamedCurveSpecParser - implements PemObjectParser - { - public Object parseObject(PemObject obj) - throws IOException - { - try - { - DERObjectIdentifier oid = (DERObjectIdentifier)ASN1Primitive.fromByteArray(obj.getContent()); - - Object params = ECNamedCurveTable.getParameterSpec(oid.getId()); - - if (params == null) - { - throw new IOException("object ID not found in EC curve table"); - } - - return params; - } - catch (IOException e) - { - throw e; - } - catch (Exception e) - { - throw new PEMException("exception extracting EC named curve: " + e.toString()); - } - } - } - - private class EncryptedPrivateKeyParser - implements PemObjectParser - { - private String symProvider; - private String asymProvider; - - public EncryptedPrivateKeyParser(String symProvider, String asymProvider) - { - this.symProvider = symProvider; - this.asymProvider = asymProvider; - } - - /** - * Reads in a X509CRL. - * - * @return the X509Certificate - * @throws IOException if an I/O error occured - */ - public Object parseObject(PemObject obj) - throws IOException - { - try - { - EncryptedPrivateKeyInfo info = EncryptedPrivateKeyInfo.getInstance(ASN1Primitive.fromByteArray(obj.getContent())); - AlgorithmIdentifier algId = info.getEncryptionAlgorithm(); - - if (pFinder == null) - { - throw new PEMException("no PasswordFinder specified"); - } - - if (PEMUtilities.isPKCS5Scheme2(algId.getAlgorithm())) - { - PBES2Parameters params = PBES2Parameters.getInstance(algId.getParameters()); - KeyDerivationFunc func = params.getKeyDerivationFunc(); - EncryptionScheme scheme = params.getEncryptionScheme(); - PBKDF2Params defParams = (PBKDF2Params)func.getParameters(); - - int iterationCount = defParams.getIterationCount().intValue(); - byte[] salt = defParams.getSalt(); - - String algorithm = scheme.getAlgorithm().getId(); - - SecretKey key = generateSecretKeyForPKCS5Scheme2(algorithm, pFinder.getPassword(), salt, iterationCount); - - Cipher cipher = Cipher.getInstance(algorithm, symProvider); - AlgorithmParameters algParams = AlgorithmParameters.getInstance(algorithm, symProvider); - - algParams.init(scheme.getParameters().toASN1Primitive().getEncoded()); - - cipher.init(Cipher.DECRYPT_MODE, key, algParams); - - PrivateKeyInfo pInfo = PrivateKeyInfo.getInstance(ASN1Primitive.fromByteArray(cipher.doFinal(info.getEncryptedData()))); - PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(pInfo.getEncoded()); - - KeyFactory keyFact = KeyFactory.getInstance(pInfo.getPrivateKeyAlgorithm().getAlgorithm().getId(), asymProvider); - - return keyFact.generatePrivate(keySpec); - } - else if (PEMUtilities.isPKCS12(algId.getAlgorithm())) - { - PKCS12PBEParams params = PKCS12PBEParams.getInstance(algId.getParameters()); - String algorithm = algId.getAlgorithm().getId(); - PBEKeySpec pbeSpec = new PBEKeySpec(pFinder.getPassword()); - - SecretKeyFactory secKeyFact = SecretKeyFactory.getInstance(algorithm, symProvider); - PBEParameterSpec defParams = new PBEParameterSpec(params.getIV(), params.getIterations().intValue()); - - Cipher cipher = Cipher.getInstance(algorithm, symProvider); - - cipher.init(Cipher.DECRYPT_MODE, secKeyFact.generateSecret(pbeSpec), defParams); - - PrivateKeyInfo pInfo = PrivateKeyInfo.getInstance(ASN1Primitive.fromByteArray(cipher.doFinal(info.getEncryptedData()))); - PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(pInfo.getEncoded()); - - KeyFactory keyFact = KeyFactory.getInstance(pInfo.getPrivateKeyAlgorithm().getAlgorithm().getId(), asymProvider); - - return keyFact.generatePrivate(keySpec); - } - else if (PEMUtilities.isPKCS5Scheme1(algId.getAlgorithm())) - { - PBEParameter params = PBEParameter.getInstance(algId.getParameters()); - String algorithm = algId.getAlgorithm().getId(); - PBEKeySpec pbeSpec = new PBEKeySpec(pFinder.getPassword()); - - SecretKeyFactory secKeyFact = SecretKeyFactory.getInstance(algorithm, symProvider); - PBEParameterSpec defParams = new PBEParameterSpec(params.getSalt(), params.getIterationCount().intValue()); - - Cipher cipher = Cipher.getInstance(algorithm, symProvider); - - cipher.init(Cipher.DECRYPT_MODE, secKeyFact.generateSecret(pbeSpec), defParams); - - PrivateKeyInfo pInfo = PrivateKeyInfo.getInstance(ASN1Primitive.fromByteArray(cipher.doFinal(info.getEncryptedData()))); - PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(pInfo.getEncoded()); - - KeyFactory keyFact = KeyFactory.getInstance(pInfo.getPrivateKeyAlgorithm().getAlgorithm().getId(), asymProvider); - - return keyFact.generatePrivate(keySpec); - } - else - { - throw new PEMException("Unknown algorithm: " + algId.getAlgorithm()); - } - } - catch (IOException e) - { - throw e; - } - catch (Exception e) - { - throw new PEMException("problem parsing ENCRYPTED PRIVATE KEY: " + e.toString(), e); - } - } - } - - private class PrivateKeyParser - implements PemObjectParser - { - private String provider; - - public PrivateKeyParser(String provider) - { - this.provider = provider; - } - - public Object parseObject(PemObject obj) - throws IOException - { - try - { - PrivateKeyInfo info = PrivateKeyInfo.getInstance(ASN1Primitive.fromByteArray(obj.getContent())); - PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(obj.getContent()); - - KeyFactory keyFact = KeyFactory.getInstance(info.getPrivateKeyAlgorithm().getAlgorithm().getId(), provider); - - return keyFact.generatePrivate(keySpec); - } - catch (Exception e) - { - throw new PEMException("problem parsing PRIVATE KEY: " + e.toString(), e); - } - } - } - - static byte[] crypt( - boolean encrypt, - String provider, - byte[] bytes, - char[] password, - String dekAlgName, - byte[] iv) - throws IOException - { - Provider prov = null; - if (provider != null) - { - prov = Security.getProvider(provider); - if (prov == null) - { - throw new EncryptionException("cannot find provider: " + provider); - } - } - - return crypt(encrypt, prov, bytes, password, dekAlgName, iv); - } - - static byte[] crypt( - boolean encrypt, - Provider provider, - byte[] bytes, - char[] password, - String dekAlgName, - byte[] iv) - throws IOException - { - AlgorithmParameterSpec paramSpec = new IvParameterSpec(iv); - String alg; - String blockMode = "CBC"; - String padding = "PKCS5Padding"; - Key sKey; - - // Figure out block mode and padding. - if (dekAlgName.endsWith("-CFB")) - { - blockMode = "CFB"; - padding = "NoPadding"; - } - if (dekAlgName.endsWith("-ECB") || - "DES-EDE".equals(dekAlgName) || - "DES-EDE3".equals(dekAlgName)) - { - // ECB is actually the default (though seldom used) when OpenSSL - // uses DES-EDE (des2) or DES-EDE3 (des3). - blockMode = "ECB"; - paramSpec = null; - } - if (dekAlgName.endsWith("-OFB")) - { - blockMode = "OFB"; - padding = "NoPadding"; - } - - - // Figure out algorithm and key size. - if (dekAlgName.startsWith("DES-EDE")) - { - alg = "DESede"; - // "DES-EDE" is actually des2 in OpenSSL-speak! - // "DES-EDE3" is des3. - boolean des2 = !dekAlgName.startsWith("DES-EDE3"); - sKey = getKey(password, alg, 24, iv, des2); - } - else if (dekAlgName.startsWith("DES-")) - { - alg = "DES"; - sKey = getKey(password, alg, 8, iv); - } - else if (dekAlgName.startsWith("BF-")) - { - alg = "Blowfish"; - sKey = getKey(password, alg, 16, iv); - } - else if (dekAlgName.startsWith("RC2-")) - { - alg = "RC2"; - int keyBits = 128; - if (dekAlgName.startsWith("RC2-40-")) - { - keyBits = 40; - } - else if (dekAlgName.startsWith("RC2-64-")) - { - keyBits = 64; - } - sKey = getKey(password, alg, keyBits / 8, iv); - if (paramSpec == null) // ECB block mode - { - paramSpec = new RC2ParameterSpec(keyBits); - } - else - { - paramSpec = new RC2ParameterSpec(keyBits, iv); - } - } - else if (dekAlgName.startsWith("AES-")) - { - alg = "AES"; - byte[] salt = iv; - if (salt.length > 8) - { - salt = new byte[8]; - System.arraycopy(iv, 0, salt, 0, 8); - } - - int keyBits; - if (dekAlgName.startsWith("AES-128-")) - { - keyBits = 128; - } - else if (dekAlgName.startsWith("AES-192-")) - { - keyBits = 192; - } - else if (dekAlgName.startsWith("AES-256-")) - { - keyBits = 256; - } - else - { - throw new EncryptionException("unknown AES encryption with private key"); - } - sKey = getKey(password, "AES", keyBits / 8, salt); - } - else - { - throw new EncryptionException("unknown encryption with private key"); - } - - String transformation = alg + "/" + blockMode + "/" + padding; - - try - { - Cipher c = Cipher.getInstance(transformation, provider); - int mode = encrypt ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE; - - if (paramSpec == null) // ECB block mode - { - c.init(mode, sKey); - } - else - { - c.init(mode, sKey, paramSpec); - } - return c.doFinal(bytes); - } - catch (Exception e) - { - throw new EncryptionException("exception using cipher - please check password and data.", e); - } - } - - private static SecretKey getKey( - char[] password, - String algorithm, - int keyLength, - byte[] salt) - { - return getKey(password, algorithm, keyLength, salt, false); - } - - private static SecretKey getKey( - char[] password, - String algorithm, - int keyLength, - byte[] salt, - boolean des2) - { - OpenSSLPBEParametersGenerator pGen = new OpenSSLPBEParametersGenerator(); - - pGen.init(PBEParametersGenerator.PKCS5PasswordToBytes(password), salt); - - KeyParameter keyParam; - keyParam = (KeyParameter)pGen.generateDerivedParameters(keyLength * 8); - byte[] key = keyParam.getKey(); - if (des2 && key.length >= 24) - { - // For DES2, we must copy first 8 bytes into the last 8 bytes. - System.arraycopy(key, 0, key, 16, 8); - } - return new javax.crypto.spec.SecretKeySpec(key, algorithm); - } - - - public static SecretKey generateSecretKeyForPKCS5Scheme2(String algorithm, char[] password, byte[] salt, int iterationCount) - { - PBEParametersGenerator generator = new PKCS5S2ParametersGenerator(); - - generator.init( - PBEParametersGenerator.PKCS5PasswordToBytes(password), - salt, - iterationCount); - - return new SecretKeySpec(((KeyParameter)generator.generateDerivedParameters(PEMUtilities.getKeySize(algorithm))).getKey(), algorithm); - } -} diff --git a/bcpkix/src/main/java/org/bouncycastle/openssl/PEMWriter.java b/bcpkix/src/main/java/org/bouncycastle/openssl/PEMWriter.java index c9ef265..e46c836 100644 --- a/bcpkix/src/main/java/org/bouncycastle/openssl/PEMWriter.java +++ b/bcpkix/src/main/java/org/bouncycastle/openssl/PEMWriter.java @@ -2,10 +2,8 @@ package org.bouncycastle.openssl; import java.io.IOException; import java.io.Writer; -import java.security.SecureRandom; import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; -import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder; import org.bouncycastle.util.io.pem.PemGenerationException; import org.bouncycastle.util.io.pem.PemObjectGenerator; import org.bouncycastle.util.io.pem.PemWriter; @@ -16,8 +14,6 @@ import org.bouncycastle.util.io.pem.PemWriter; public class PEMWriter extends PemWriter { - private String provider; - /** * Base constructor. * @@ -25,26 +21,12 @@ public class PEMWriter */ public PEMWriter(Writer out) { - this(out, "BC"); - } - - /** - * @deprecated use constructor that just takes out, and writeObject(PEMEncryptor) - * @param out - * @param provider - */ - public PEMWriter( - Writer out, - String provider) - { super(out); - - this.provider = provider; } public void writeObject( - Object obj) - throws IOException + Object obj) + throws IOException { writeObject(obj, null); } @@ -75,17 +57,4 @@ public class PEMWriter { super.writeObject(obj); } - - /** - * @deprecated use writeObject(obj, PEMEncryptor) - */ - public void writeObject( - Object obj, - String algorithm, - char[] password, - SecureRandom random) - throws IOException - { - this.writeObject(obj, new JcePEMEncryptorBuilder(algorithm).setSecureRandom(random).setProvider(provider).build(password)); - } } diff --git a/bcpkix/src/main/java/org/bouncycastle/openssl/PKCS8Generator.java b/bcpkix/src/main/java/org/bouncycastle/openssl/PKCS8Generator.java index 448d885..f822cba 100644 --- a/bcpkix/src/main/java/org/bouncycastle/openssl/PKCS8Generator.java +++ b/bcpkix/src/main/java/org/bouncycastle/openssl/PKCS8Generator.java @@ -3,20 +3,12 @@ package org.bouncycastle.openssl; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.OutputStream; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.PrivateKey; -import java.security.Provider; -import java.security.SecureRandom; -import java.security.Security; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; import org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; -import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder; -import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.OutputEncryptor; import org.bouncycastle.util.io.pem.PemGenerationException; import org.bouncycastle.util.io.pem.PemObject; @@ -40,56 +32,6 @@ public class PKCS8Generator private PrivateKeyInfo key; private OutputEncryptor outputEncryptor; - private JceOpenSSLPKCS8EncryptorBuilder encryptorBuilder; - - /** - * Constructor for an unencrypted private key PEM object. - * - * @param key private key to be encoded. - * @deprecated use JcaPKCS8Generator - */ - public PKCS8Generator(PrivateKey key) - { - this.key = PrivateKeyInfo.getInstance(key.getEncoded()); - } - - /** - * Constructor for an encrypted private key PEM object. - * - * @param key private key to be encoded - * @param algorithm encryption algorithm to use - * @param provider name of provider to use - * @throws NoSuchProviderException if provider cannot be found - * @throws NoSuchAlgorithmException if algorithm/mode cannot be found - * @deprecated use JcaPKCS8Generator - */ - public PKCS8Generator(PrivateKey key, ASN1ObjectIdentifier algorithm, String provider) - throws NoSuchProviderException, NoSuchAlgorithmException - { - Provider prov = Security.getProvider(provider); - - if (prov == null) - { - throw new NoSuchProviderException("cannot find provider: " + provider); - } - - init(key, algorithm, prov); - } - - /** - * Constructor for an encrypted private key PEM object. - * - * @param key private key to be encoded - * @param algorithm encryption algorithm to use - * @param provider provider to use - * @throws NoSuchAlgorithmException if algorithm/mode cannot be found - * @deprecated use JcaPKCS8Generator - */ - public PKCS8Generator(PrivateKey key, ASN1ObjectIdentifier algorithm, Provider provider) - throws NoSuchAlgorithmException - { - init(key, algorithm, provider); - } /** * Base constructor. @@ -100,60 +42,9 @@ public class PKCS8Generator this.outputEncryptor = outputEncryptor; } - private void init(PrivateKey key, ASN1ObjectIdentifier algorithm, Provider provider) - throws NoSuchAlgorithmException - { - this.key = PrivateKeyInfo.getInstance(key.getEncoded()); - this.encryptorBuilder = new JceOpenSSLPKCS8EncryptorBuilder(algorithm); - - encryptorBuilder.setProvider(provider); - } - - /** - * @deprecated ignored in the updated case. - */ - public PKCS8Generator setSecureRandom(SecureRandom random) - { - encryptorBuilder.setRandom(random); - - return this; - } - - /** - * @deprecated ignored in the updated case. - */ - public PKCS8Generator setPassword(char[] password) - { - encryptorBuilder.setPasssword(password); - - return this; - } - - /** - * @deprecated ignored in the updated case. - */ - public PKCS8Generator setIterationCount(int iterationCount) - { - encryptorBuilder.setIterationCount(iterationCount); - - return this; - } - public PemObject generate() throws PemGenerationException { - try - { - if (encryptorBuilder != null) - { - outputEncryptor = encryptorBuilder.build(); - } - } - catch (OperatorCreationException e) - { - throw new PemGenerationException("unable to create operator: " + e.getMessage(), e); - } - if (outputEncryptor != null) { return generate(key, outputEncryptor); diff --git a/bcpkix/src/main/java/org/bouncycastle/openssl/jcajce/JcaPEMKeyConverter.java b/bcpkix/src/main/java/org/bouncycastle/openssl/jcajce/JcaPEMKeyConverter.java index 4d55aa3..d332ca1 100644 --- a/bcpkix/src/main/java/org/bouncycastle/openssl/jcajce/JcaPEMKeyConverter.java +++ b/bcpkix/src/main/java/org/bouncycastle/openssl/jcajce/JcaPEMKeyConverter.java @@ -2,13 +2,20 @@ package org.bouncycastle.openssl.jcajce; import java.security.KeyFactory; import java.security.KeyPair; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; import java.security.PrivateKey; import java.security.Provider; import java.security.PublicKey; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; +import java.util.HashMap; +import java.util.Map; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; import org.bouncycastle.jcajce.DefaultJcaJceHelper; @@ -22,6 +29,15 @@ public class JcaPEMKeyConverter { private JcaJceHelper helper = new DefaultJcaJceHelper(); + private static final Map algorithms = new HashMap(); + + static + { + algorithms.put(X9ObjectIdentifiers.id_ecPublicKey, "ECDSA"); + algorithms.put(PKCSObjectIdentifiers.rsaEncryption, "RSA"); + algorithms.put(X9ObjectIdentifiers.id_dsa, "DSA"); + } + public JcaPEMKeyConverter setProvider(Provider provider) { this.helper = new ProviderJcaJceHelper(provider); @@ -41,14 +57,7 @@ public class JcaPEMKeyConverter { try { - String algorithm = keyPair.getPrivateKeyInfo().getPrivateKeyAlgorithm().getAlgorithm().getId(); - - if (X9ObjectIdentifiers.id_ecPublicKey.getId().equals(algorithm)) - { - algorithm = "ECDSA"; - } - - KeyFactory keyFactory = helper.createKeyFactory(algorithm); + KeyFactory keyFactory = getKeyFactory(keyPair.getPrivateKeyInfo().getPrivateKeyAlgorithm()); return new KeyPair(keyFactory.generatePublic(new X509EncodedKeySpec(keyPair.getPublicKeyInfo().getEncoded())), keyFactory.generatePrivate(new PKCS8EncodedKeySpec(keyPair.getPrivateKeyInfo().getEncoded()))); @@ -64,14 +73,7 @@ public class JcaPEMKeyConverter { try { - String algorithm = publicKeyInfo.getAlgorithm().getAlgorithm().getId(); - - if (X9ObjectIdentifiers.id_ecPublicKey.getId().equals(algorithm)) - { - algorithm = "ECDSA"; - } - - KeyFactory keyFactory = helper.createKeyFactory(algorithm); + KeyFactory keyFactory = getKeyFactory(publicKeyInfo.getAlgorithm()); return keyFactory.generatePublic(new X509EncodedKeySpec(publicKeyInfo.getEncoded())); } @@ -86,14 +88,7 @@ public class JcaPEMKeyConverter { try { - String algorithm = privateKeyInfo.getPrivateKeyAlgorithm().getAlgorithm().getId(); - - if (X9ObjectIdentifiers.id_ecPublicKey.getId().equals(algorithm)) - { - algorithm = "ECDSA"; - } - - KeyFactory keyFactory = helper.createKeyFactory(algorithm); + KeyFactory keyFactory = getKeyFactory(privateKeyInfo.getPrivateKeyAlgorithm()); return keyFactory.generatePrivate(new PKCS8EncodedKeySpec(privateKeyInfo.getEncoded())); } @@ -102,4 +97,19 @@ public class JcaPEMKeyConverter throw new PEMException("unable to convert key pair: " + e.getMessage(), e); } } + + private KeyFactory getKeyFactory(AlgorithmIdentifier algId) + throws NoSuchAlgorithmException, NoSuchProviderException + { + ASN1ObjectIdentifier algorithm = algId.getAlgorithm(); + + String algName = (String)algorithms.get(algorithm); + + if (algName == null) + { + algName = algorithm.getId(); + } + + return helper.createKeyFactory(algName); + } } diff --git a/bcpkix/src/main/java/org/bouncycastle/openssl/package.html b/bcpkix/src/main/java/org/bouncycastle/openssl/package.html deleted file mode 100644 index 7e60a79..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/openssl/package.html +++ /dev/null @@ -1,5 +0,0 @@ -<html> -<body bgcolor="#ffffff"> -Classes for dealing with OpenSSL PEM files. -</body> -</html> diff --git a/bcpkix/src/main/java/org/bouncycastle/openssl/test/AllTests.java b/bcpkix/src/main/java/org/bouncycastle/openssl/test/AllTests.java index eb1d4da..faae18e 100644 --- a/bcpkix/src/main/java/org/bouncycastle/openssl/test/AllTests.java +++ b/bcpkix/src/main/java/org/bouncycastle/openssl/test/AllTests.java @@ -15,14 +15,18 @@ import junit.framework.Test; import junit.framework.TestCase; import junit.framework.TestSuite; import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.openssl.PEMReader; +import org.bouncycastle.openssl.PEMParser; import org.bouncycastle.openssl.PEMWriter; import org.bouncycastle.openssl.PKCS8Generator; -import org.bouncycastle.openssl.PasswordFinder; +import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter; import org.bouncycastle.openssl.jcajce.JcaPKCS8Generator; +import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder; import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8EncryptorBuilder; import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo; +import org.bouncycastle.pkcs.PKCSException; import org.bouncycastle.util.test.SimpleTestResult; public class @@ -30,12 +34,14 @@ public class extends TestCase { public void testOpenSSL() - { - Security.addProvider(new BouncyCastleProvider()); + { + if (Security.getProvider("BC") == null) + { + Security.addProvider(new BouncyCastleProvider()); + } org.bouncycastle.util.test.Test[] tests = new org.bouncycastle.util.test.Test[] { - new ReaderTest(), new WriterTest(), new ParserTest() }; @@ -54,51 +60,27 @@ public class public void testPKCS8Encrypted() throws Exception { + if (Security.getProvider("BC") == null) + { + Security.addProvider(new BouncyCastleProvider()); + } + KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC"); kpGen.initialize(1024); PrivateKey key = kpGen.generateKeyPair().getPrivate(); - encryptedTest(key, PKCS8Generator.AES_256_CBC); - encryptedTest(key, PKCS8Generator.DES3_CBC); - encryptedTest(key, PKCS8Generator.PBE_SHA1_3DES); encryptedTestNew(key, PKCS8Generator.AES_256_CBC); encryptedTestNew(key, PKCS8Generator.DES3_CBC); encryptedTestNew(key, PKCS8Generator.PBE_SHA1_3DES); } - private void encryptedTest(PrivateKey key, ASN1ObjectIdentifier algorithm) - throws NoSuchProviderException, NoSuchAlgorithmException, IOException - { - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - PEMWriter pWrt = new PEMWriter(new OutputStreamWriter(bOut), "BC"); - PKCS8Generator pkcs8 = new PKCS8Generator(key, algorithm, "BC"); - - pkcs8.setPassword("hello".toCharArray()); - - pWrt.writeObject(pkcs8); - - pWrt.close(); - - PEMReader pRd = new PEMReader(new InputStreamReader(new ByteArrayInputStream(bOut.toByteArray())), new PasswordFinder() - { - public char[] getPassword() - { - return "hello".toCharArray(); - } - }); - - PrivateKey rdKey = (PrivateKey)pRd.readObject(); - - assertEquals(key, rdKey); - } - private void encryptedTestNew(PrivateKey key, ASN1ObjectIdentifier algorithm) - throws NoSuchProviderException, NoSuchAlgorithmException, IOException, OperatorCreationException + throws NoSuchProviderException, NoSuchAlgorithmException, IOException, OperatorCreationException, PKCSException { ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - PEMWriter pWrt = new PEMWriter(new OutputStreamWriter(bOut), "BC"); + PEMWriter pWrt = new PEMWriter(new OutputStreamWriter(bOut)); JceOpenSSLPKCS8EncryptorBuilder encryptorBuilder = new JceOpenSSLPKCS8EncryptorBuilder(algorithm); @@ -111,44 +93,12 @@ public class pWrt.close(); - PEMReader pRd = new PEMReader(new InputStreamReader(new ByteArrayInputStream(bOut.toByteArray())), new PasswordFinder() - { - public char[] getPassword() - { - return "hello".toCharArray(); - } - }); - - PrivateKey rdKey = (PrivateKey)pRd.readObject(); - - assertEquals(key, rdKey); - } - - public void testPKCS8Plain() - throws Exception - { - KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC"); + PEMParser pRd = new PEMParser(new InputStreamReader(new ByteArrayInputStream(bOut.toByteArray()))); - kpGen.initialize(1024); + PKCS8EncryptedPrivateKeyInfo pInfo = (PKCS8EncryptedPrivateKeyInfo)pRd.readObject(); - PrivateKey key = kpGen.generateKeyPair().getPrivate(); - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - PEMWriter pWrt = new PEMWriter(new OutputStreamWriter(bOut)); - PKCS8Generator pkcs8 = new PKCS8Generator(key); + PrivateKey rdKey = new JcaPEMKeyConverter().setProvider("BC").getPrivateKey(pInfo.decryptPrivateKeyInfo(new JceOpenSSLPKCS8DecryptorProviderBuilder().setProvider("BC").build("hello".toCharArray()))); - pWrt.writeObject(pkcs8); - - pWrt.close(); - - PEMReader pRd = new PEMReader(new InputStreamReader(new ByteArrayInputStream(bOut.toByteArray())), new PasswordFinder() - { - public char[] getPassword() - { - return "hello".toCharArray(); - } - }); - - PrivateKey rdKey = (PrivateKey)pRd.readObject(); assertEquals(key, rdKey); } @@ -156,6 +106,11 @@ public class public void testPKCS8PlainNew() throws Exception { + if (Security.getProvider("BC") == null) + { + Security.addProvider(new BouncyCastleProvider()); + } + KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC"); kpGen.initialize(1024); @@ -169,15 +124,11 @@ public class pWrt.close(); - PEMReader pRd = new PEMReader(new InputStreamReader(new ByteArrayInputStream(bOut.toByteArray())), new PasswordFinder() - { - public char[] getPassword() - { - return "hello".toCharArray(); - } - }); + PEMParser pRd = new PEMParser(new InputStreamReader(new ByteArrayInputStream(bOut.toByteArray()))); + + PrivateKeyInfo kp = (PrivateKeyInfo)pRd.readObject(); - PrivateKey rdKey = (PrivateKey)pRd.readObject(); + PrivateKey rdKey = new JcaPEMKeyConverter().setProvider("BC").getPrivateKey(kp); assertEquals(key, rdKey); } diff --git a/bcpkix/src/main/java/org/bouncycastle/openssl/test/ReaderTest.java b/bcpkix/src/main/java/org/bouncycastle/openssl/test/ReaderTest.java deleted file mode 100644 index 23aee08..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/openssl/test/ReaderTest.java +++ /dev/null @@ -1,417 +0,0 @@ -package org.bouncycastle.openssl.test; - -import java.io.BufferedReader; -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.io.OutputStreamWriter; -import java.io.Reader; -import java.math.BigInteger; -import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.SecureRandom; -import java.security.Security; -import java.security.Signature; -import java.security.cert.X509Certificate; -import java.security.interfaces.DSAPrivateKey; -import java.security.interfaces.RSAPrivateCrtKey; -import java.security.interfaces.RSAPrivateKey; - -import org.bouncycastle.asn1.cms.CMSObjectIdentifiers; -import org.bouncycastle.asn1.cms.ContentInfo; -import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec; -import org.bouncycastle.openssl.PEMReader; -import org.bouncycastle.openssl.PEMWriter; -import org.bouncycastle.openssl.PasswordFinder; -import org.bouncycastle.util.test.SimpleTest; - -/** - * basic class for reading test.pem - the password is "secret" - */ -public class ReaderTest - extends SimpleTest -{ - private static class Password - implements PasswordFinder - { - char[] password; - - Password( - char[] word) - { - this.password = word; - } - - public char[] getPassword() - { - return password; - } - } - - public String getName() - { - return "PEMReaderTest"; - } - - private PEMReader openPEMResource( - String fileName, - PasswordFinder pGet) - { - InputStream res = this.getClass().getResourceAsStream(fileName); - Reader fRd = new BufferedReader(new InputStreamReader(res)); - return new PEMReader(fRd, pGet); - } - - public void performTest() - throws Exception - { - PasswordFinder pGet = new Password("secret".toCharArray()); - PEMReader pemRd = openPEMResource("test.pem", pGet); - Object o; - KeyPair pair; - - while ((o = pemRd.readObject()) != null) - { - if (o instanceof KeyPair) - { - //pair = (KeyPair)o; - - //System.out.println(pair.getPublic()); - //System.out.println(pair.getPrivate()); - } - else - { - //System.out.println(o.toString()); - } - } - - // test bogus lines before begin are ignored. - pemRd = openPEMResource("extratest.pem", pGet); - - while ((o = pemRd.readObject()) != null) - { - if (!(o instanceof X509Certificate)) - { - fail("wrong object found"); - } - } - - // - // pkcs 7 data - // - pemRd = openPEMResource("pkcs7.pem", null); - ContentInfo d = (ContentInfo)pemRd.readObject(); - - if (!d.getContentType().equals(CMSObjectIdentifiers.envelopedData)) - { - fail("failed envelopedData check"); - } - - // - // ECKey - // - pemRd = openPEMResource("eckey.pem", null); - ECNamedCurveParameterSpec spec = (ECNamedCurveParameterSpec)pemRd.readObject(); - - pair = (KeyPair)pemRd.readObject(); - Signature sgr = Signature.getInstance("ECDSA", "BC"); - - sgr.initSign(pair.getPrivate()); - - byte[] message = new byte[] { (byte)'a', (byte)'b', (byte)'c' }; - - sgr.update(message); - - byte[] sigBytes = sgr.sign(); - - sgr.initVerify(pair.getPublic()); - - sgr.update(message); - - if (!sgr.verify(sigBytes)) - { - fail("EC verification failed"); - } - - if (!pair.getPublic().getAlgorithm().equals("ECDSA")) - { - fail("wrong algorithm name on public got: " + pair.getPublic().getAlgorithm()); - } - - if (!pair.getPrivate().getAlgorithm().equals("ECDSA")) - { - fail("wrong algorithm name on private"); - } - - // - // writer/parser test - // - KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC"); - - pair = kpGen.generateKeyPair(); - - keyPairTest("RSA", pair); - - kpGen = KeyPairGenerator.getInstance("DSA", "BC"); - kpGen.initialize(512, new SecureRandom()); - pair = kpGen.generateKeyPair(); - - keyPairTest("DSA", pair); - - // - // PKCS7 - // - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - PEMWriter pWrt = new PEMWriter(new OutputStreamWriter(bOut)); - - pWrt.writeObject(d); - - pWrt.close(); - - pemRd = new PEMReader(new InputStreamReader(new ByteArrayInputStream(bOut.toByteArray()))); - d = (ContentInfo)pemRd.readObject(); - - if (!d.getContentType().equals(CMSObjectIdentifiers.envelopedData)) - { - fail("failed envelopedData recode check"); - } - - - // OpenSSL test cases (as embedded resources) - doOpenSslDsaTest("unencrypted"); - doOpenSslRsaTest("unencrypted"); - - doOpenSslTests("aes128"); - doOpenSslTests("aes192"); - doOpenSslTests("aes256"); - doOpenSslTests("blowfish"); - doOpenSslTests("des1"); - doOpenSslTests("des2"); - doOpenSslTests("des3"); - doOpenSslTests("rc2_128"); - - doOpenSslDsaTest("rc2_40_cbc"); - doOpenSslRsaTest("rc2_40_cbc"); - doOpenSslDsaTest("rc2_64_cbc"); - doOpenSslRsaTest("rc2_64_cbc"); - - doDudPasswordTest("7fd98", 0, "corrupted stream - out of bounds length found"); - doDudPasswordTest("ef677", 1, "corrupted stream - out of bounds length found"); - doDudPasswordTest("800ce", 2, "unknown tag 26 encountered"); - doDudPasswordTest("b6cd8", 3, "DEF length 81 object truncated by 56"); - doDudPasswordTest("28ce09", 4, "DEF length 110 object truncated by 28"); - doDudPasswordTest("2ac3b9", 5, "DER length more than 4 bytes: 11"); - doDudPasswordTest("2cba96", 6, "DEF length 100 object truncated by 35"); - doDudPasswordTest("2e3354", 7, "DEF length 42 object truncated by 9"); - doDudPasswordTest("2f4142", 8, "DER length more than 4 bytes: 14"); - doDudPasswordTest("2fe9bb", 9, "DER length more than 4 bytes: 65"); - doDudPasswordTest("3ee7a8", 10, "DER length more than 4 bytes: 57"); - doDudPasswordTest("41af75", 11, "unknown tag 16 encountered"); - doDudPasswordTest("1704a5", 12, "corrupted stream detected"); - doDudPasswordTest("1c5822", 13, "unknown object in getInstance: org.bouncycastle.asn1.DERUTF8String"); - doDudPasswordTest("5a3d16", 14, "corrupted stream detected"); - doDudPasswordTest("8d0c97", 15, "corrupted stream detected"); - doDudPasswordTest("bc0daf", 16, "corrupted stream detected"); - doDudPasswordTest("aaf9c4d",17, "corrupted stream - out of bounds length found"); - - doNoPasswordTest(); - - // encrypted private key test - pGet = new Password("password".toCharArray()); - pemRd = openPEMResource("enckey.pem", pGet); - - RSAPrivateCrtKey privKey = (RSAPrivateCrtKey)pemRd.readObject(); - - if (!privKey.getPublicExponent().equals(new BigInteger("10001", 16))) - { - fail("decryption of private key data check failed"); - } - - // general PKCS8 test - pGet = new Password("password".toCharArray()); - pemRd = openPEMResource("pkcs8test.pem", pGet); - - while ((privKey = (RSAPrivateCrtKey)pemRd.readObject()) != null) - { - if (!privKey.getPublicExponent().equals(new BigInteger("10001", 16))) - { - fail("decryption of private key data check failed"); - } - } - } - - private void keyPairTest( - String name, - KeyPair pair) - throws IOException - { - PEMReader pemRd; - ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - PEMWriter pWrt = new PEMWriter(new OutputStreamWriter(bOut)); - - pWrt.writeObject(pair.getPublic()); - - pWrt.close(); - - pemRd = new PEMReader(new InputStreamReader(new ByteArrayInputStream(bOut.toByteArray()))); - - PublicKey k = (PublicKey)pemRd.readObject(); - if (!k.equals(pair.getPublic())) - { - fail("Failed public key read: " + name); - } - - bOut = new ByteArrayOutputStream(); - pWrt = new PEMWriter(new OutputStreamWriter(bOut)); - - pWrt.writeObject(pair.getPrivate()); - - pWrt.close(); - - pemRd = new PEMReader(new InputStreamReader(new ByteArrayInputStream(bOut.toByteArray()))); - - KeyPair kPair = (KeyPair)pemRd.readObject(); - if (!kPair.getPrivate().equals(pair.getPrivate())) - { - fail("Failed private key read: " + name); - } - - if (!kPair.getPublic().equals(pair.getPublic())) - { - fail("Failed private key public read: " + name); - } - } - - private void doOpenSslTests( - String baseName) - throws IOException - { - doOpenSslDsaModesTest(baseName); - doOpenSslRsaModesTest(baseName); - } - - private void doOpenSslDsaModesTest( - String baseName) - throws IOException - { - doOpenSslDsaTest(baseName + "_cbc"); - doOpenSslDsaTest(baseName + "_cfb"); - doOpenSslDsaTest(baseName + "_ecb"); - doOpenSslDsaTest(baseName + "_ofb"); - } - - private void doOpenSslRsaModesTest( - String baseName) - throws IOException - { - doOpenSslRsaTest(baseName + "_cbc"); - doOpenSslRsaTest(baseName + "_cfb"); - doOpenSslRsaTest(baseName + "_ecb"); - doOpenSslRsaTest(baseName + "_ofb"); - } - - private void doOpenSslDsaTest( - String name) - throws IOException - { - String fileName = "dsa/openssl_dsa_" + name + ".pem"; - - doOpenSslTestFile(fileName, DSAPrivateKey.class); - } - - private void doOpenSslRsaTest( - String name) - throws IOException - { - String fileName = "rsa/openssl_rsa_" + name + ".pem"; - - doOpenSslTestFile(fileName, RSAPrivateKey.class); - } - - private void doOpenSslTestFile( - String fileName, - Class expectedPrivKeyClass) - throws IOException - { - PEMReader pr = openPEMResource("data/" + fileName, new Password("changeit".toCharArray())); - Object o = pr.readObject(); - - if (o == null || !(o instanceof KeyPair)) - { - fail("Didn't find OpenSSL key"); - } - - KeyPair kp = (KeyPair) o; - PrivateKey privKey = kp.getPrivate(); - - if (!expectedPrivKeyClass.isInstance(privKey)) - { - fail("Returned key not of correct type"); - } - } - - private void doDudPasswordTest(String password, int index, String message) - { - // illegal state exception check - in this case the wrong password will - // cause an underlying class cast exception. - try - { - PasswordFinder pGet = new Password(password.toCharArray()); - - PEMReader pemRd = openPEMResource("test.pem", pGet); - Object o; - - while ((o = pemRd.readObject()) != null) - { - } - - fail("issue not detected: " + index); - } - catch (IOException e) - { - if (e.getCause() != null && !e.getCause().getMessage().equals(message)) - { - e.printStackTrace(); - fail("issue " + index + " exception thrown, but wrong message"); - } - else if (e.getCause() == null && !e.getMessage().equals(message)) - { - e.printStackTrace(); - fail("issue " + index + " exception thrown, but wrong message"); - } - } - } - - private void doNoPasswordTest() - throws IOException - { - PasswordFinder pGet = new Password("".toCharArray()); - - PEMReader pemRd = openPEMResource("smimenopw.pem", pGet); - Object o; - PrivateKey key = null; - - while ((o = pemRd.readObject()) != null) - { - key = (PrivateKey)o; - } - - if (key == null) - { - fail("private key not detected"); - } - } - - public static void main( - String[] args) - { - Security.addProvider(new BouncyCastleProvider()); - - runTest(new ReaderTest()); - } -} diff --git a/bcpkix/src/main/java/org/bouncycastle/openssl/test/WriterTest.java b/bcpkix/src/main/java/org/bouncycastle/openssl/test/WriterTest.java index cb911eb..e41efd6 100644 --- a/bcpkix/src/main/java/org/bouncycastle/openssl/test/WriterTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/openssl/test/WriterTest.java @@ -18,13 +18,18 @@ import java.security.spec.RSAPrivateCrtKeySpec; import java.util.List; import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.openssl.PEMReader; +import org.bouncycastle.openssl.PEMEncryptedKeyPair; +import org.bouncycastle.openssl.PEMKeyPair; +import org.bouncycastle.openssl.PEMParser; import org.bouncycastle.openssl.PEMWriter; import org.bouncycastle.openssl.PasswordFinder; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter; +import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder; +import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder; import org.bouncycastle.util.encoders.Base64; import org.bouncycastle.util.io.pem.PemHeader; import org.bouncycastle.util.io.pem.PemObject; -import org.bouncycastle.util.io.pem.PemReader; import org.bouncycastle.util.test.SimpleTest; public class WriterTest @@ -154,23 +159,23 @@ public class WriterTest throws IOException { StringWriter sw = new StringWriter(); - PEMWriter pw = new PEMWriter(sw, provider); + PEMWriter pw = new PEMWriter(sw); pw.writeObject(akp); pw.close(); String data = sw.toString(); - PEMReader pr = new PEMReader(new StringReader(data)); + PEMParser pr = new PEMParser(new StringReader(data)); Object o = pr.readObject(); - if (o == null || !(o instanceof KeyPair)) + if (o == null || !(o instanceof PEMKeyPair)) { fail("Didn't find OpenSSL key"); } - KeyPair kp = (KeyPair) o; + KeyPair kp = new JcaPEMKeyConverter().setProvider("BC").getKeyPair((PEMKeyPair)o); PrivateKey privKey = kp.getPrivate(); if (!akp.equals(privKey)) @@ -186,14 +191,14 @@ public class WriterTest throws IOException { StringWriter sw = new StringWriter(); - PEMWriter pw = new PEMWriter(sw, provider); + PEMWriter pw = new PEMWriter(sw); - pw.writeObject(akp, algorithm, testPassword, random); + pw.writeObject(new JcaMiscPEMGenerator(akp, new JcePEMEncryptorBuilder(algorithm).setSecureRandom(random).build(testPassword))); pw.close(); String data = sw.toString(); - PemReader pRaw = new PemReader(new StringReader(data)); + PEMParser pRaw = new PEMParser(new StringReader(data)); PemObject pemObject = pRaw.readPemObject(); List headers = pemObject.getHeaders(); @@ -215,16 +220,16 @@ public class WriterTest } } - PEMReader pr = new PEMReader(new StringReader(data), new Password(testPassword), provider); + PEMParser pr = new PEMParser(new StringReader(data)); Object o = pr.readObject(); - if (o == null || !(o instanceof KeyPair)) + if (o == null || !(o instanceof PEMEncryptedKeyPair)) { fail("Didn't find OpenSSL key"); } - KeyPair kp = (KeyPair) o; + KeyPair kp = new JcaPEMKeyConverter().setProvider("BC").getKeyPair(((PEMEncryptedKeyPair)o).decryptKeyPair(new JcePEMDecryptorProviderBuilder().setProvider("BC").build(testPassword))); PrivateKey privKey = kp.getPrivate(); if (!akp.equals(privKey)) diff --git a/bcpkix/src/main/java/org/bouncycastle/operator/BufferingContentSigner.java b/bcpkix/src/main/java/org/bouncycastle/operator/BufferingContentSigner.java new file mode 100644 index 0000000..d174367 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/operator/BufferingContentSigner.java @@ -0,0 +1,70 @@ +package org.bouncycastle.operator; + +import java.io.OutputStream; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.util.io.BufferingOutputStream; + +/** + * A class that explicitly buffers the data to be signed, sending it in one + * block when ready for signing. + */ +public class BufferingContentSigner + implements ContentSigner +{ + private final ContentSigner contentSigner; + private final OutputStream output; + + /** + * Base constructor. + * + * @param contentSigner the content signer to be wrapped. + */ + public BufferingContentSigner(ContentSigner contentSigner) + { + this.contentSigner = contentSigner; + this.output = new BufferingOutputStream(contentSigner.getOutputStream()); + } + + /** + * Base constructor. + * + * @param contentSigner the content signer to be wrapped. + * @param bufferSize the size of the internal buffer to use. + */ + public BufferingContentSigner(ContentSigner contentSigner, int bufferSize) + { + this.contentSigner = contentSigner; + this.output = new BufferingOutputStream(contentSigner.getOutputStream(), bufferSize); + } + + /** + * Return the algorithm identifier supported by this signer. + * + * @return algorithm identifier for the signature generated. + */ + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return contentSigner.getAlgorithmIdentifier(); + } + + /** + * Return the buffering stream. + * + * @return the output stream used to accumulate the data. + */ + public OutputStream getOutputStream() + { + return output; + } + + /** + * Generate signature from internally buffered data. + * + * @return the signature calculated from the bytes written to the buffering stream. + */ + public byte[] getSignature() + { + return contentSigner.getSignature(); + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/operator/DefaultSecretKeyProvider.java b/bcpkix/src/main/java/org/bouncycastle/operator/DefaultSecretKeySizeProvider.java index 234c38b..a1c6ba1 100644 --- a/bcpkix/src/main/java/org/bouncycastle/operator/DefaultSecretKeyProvider.java +++ b/bcpkix/src/main/java/org/bouncycastle/operator/DefaultSecretKeySizeProvider.java @@ -5,16 +5,17 @@ import java.util.HashMap; import java.util.Map; import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; import org.bouncycastle.asn1.ntt.NTTObjectIdentifiers; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.util.Integers; -public class DefaultSecretKeyProvider +public class DefaultSecretKeySizeProvider implements SecretKeySizeProvider { - public static final SecretKeySizeProvider INSTANCE = new DefaultSecretKeyProvider(); + public static final SecretKeySizeProvider INSTANCE = new DefaultSecretKeySizeProvider(); private static final Map KEY_SIZES; @@ -24,7 +25,7 @@ public class DefaultSecretKeyProvider keySizes.put(new ASN1ObjectIdentifier("1.2.840.113533.7.66.10"), Integers.valueOf(128)); - keySizes.put(PKCSObjectIdentifiers.des_EDE3_CBC.getId(), Integers.valueOf(192)); + keySizes.put(PKCSObjectIdentifiers.des_EDE3_CBC, Integers.valueOf(192)); keySizes.put(NISTObjectIdentifiers.id_aes128_CBC, Integers.valueOf(128)); keySizes.put(NISTObjectIdentifiers.id_aes192_CBC, Integers.valueOf(192)); @@ -34,21 +35,35 @@ public class DefaultSecretKeyProvider keySizes.put(NTTObjectIdentifiers.id_camellia192_cbc, Integers.valueOf(192)); keySizes.put(NTTObjectIdentifiers.id_camellia256_cbc, Integers.valueOf(256)); + keySizes.put(CryptoProObjectIdentifiers.gostR28147_gcfb, Integers.valueOf(256)); + KEY_SIZES = Collections.unmodifiableMap(keySizes); } public int getKeySize(AlgorithmIdentifier algorithmIdentifier) { - // TODO: not all ciphers/oid relationships are this simple. - Integer keySize = (Integer)KEY_SIZES.get(algorithmIdentifier.getAlgorithm()); + int keySize = getKeySize(algorithmIdentifier.getAlgorithm()); - if (keySize != null) + // just need the OID + if (keySize > 0) { - return keySize.intValue(); + return keySize; } + // TODO: support OID/Parameter key sizes (e.g. RC2). + return -1; } + public int getKeySize(ASN1ObjectIdentifier algorithm) + { + Integer keySize = (Integer)KEY_SIZES.get(algorithm); + + if (keySize != null) + { + return keySize.intValue(); + } + return -1; + } } diff --git a/bcpkix/src/main/java/org/bouncycastle/operator/SecretKeySizeProvider.java b/bcpkix/src/main/java/org/bouncycastle/operator/SecretKeySizeProvider.java index 15d7a67..5f92ef0 100644 --- a/bcpkix/src/main/java/org/bouncycastle/operator/SecretKeySizeProvider.java +++ b/bcpkix/src/main/java/org/bouncycastle/operator/SecretKeySizeProvider.java @@ -1,8 +1,17 @@ package org.bouncycastle.operator; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; public interface SecretKeySizeProvider { int getKeySize(AlgorithmIdentifier algorithmIdentifier); + + /** + * Return the key size implied by the OID, if one exists. + * + * @param algorithm the OID of the algorithm of interest. + * @return -1 if there is no fixed key size associated with the OID, or more information is required. + */ + int getKeySize(ASN1ObjectIdentifier algorithm); } diff --git a/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JcaAlgorithmParametersConverter.java b/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JcaAlgorithmParametersConverter.java new file mode 100644 index 0000000..d4e2162 --- /dev/null +++ b/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JcaAlgorithmParametersConverter.java @@ -0,0 +1,73 @@ +package org.bouncycastle.operator.jcajce; + + +import java.io.IOException; +import java.security.AlgorithmParameters; +import java.security.InvalidAlgorithmParameterException; +import java.security.spec.AlgorithmParameterSpec; +import java.security.spec.MGF1ParameterSpec; + +import javax.crypto.spec.OAEPParameterSpec; +import javax.crypto.spec.PSource; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.RSAESOAEPparams; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder; + +public class JcaAlgorithmParametersConverter +{ + public JcaAlgorithmParametersConverter() + { + } + + public AlgorithmIdentifier getAlgorithmIdentifier(ASN1ObjectIdentifier algId, AlgorithmParameters parameters) + throws InvalidAlgorithmParameterException + { + try + { + ASN1Encodable params = ASN1Primitive.fromByteArray(parameters.getEncoded()); + + return new AlgorithmIdentifier(algId, params); + } + catch (IOException e) + { + throw new InvalidAlgorithmParameterException("unable to encode parameters object: " + e.getMessage()); + } + } + + public AlgorithmIdentifier getAlgorithmIdentifier(ASN1ObjectIdentifier algorithm, AlgorithmParameterSpec algorithmSpec) + throws InvalidAlgorithmParameterException + { + if (algorithmSpec instanceof OAEPParameterSpec) + { + if (algorithmSpec.equals(OAEPParameterSpec.DEFAULT)) + { + return new AlgorithmIdentifier(algorithm, + new RSAESOAEPparams(RSAESOAEPparams.DEFAULT_HASH_ALGORITHM, RSAESOAEPparams.DEFAULT_MASK_GEN_FUNCTION, RSAESOAEPparams.DEFAULT_P_SOURCE_ALGORITHM)); + } + else + { + OAEPParameterSpec oaepSpec = (OAEPParameterSpec)algorithmSpec; + PSource pSource = oaepSpec.getPSource(); + + if (!oaepSpec.getMGFAlgorithm().equals(OAEPParameterSpec.DEFAULT.getMGFAlgorithm())) + { + throw new InvalidAlgorithmParameterException("only " + OAEPParameterSpec.DEFAULT.getMGFAlgorithm() + " mask generator supported."); + } + + AlgorithmIdentifier hashAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find(oaepSpec.getDigestAlgorithm()); + AlgorithmIdentifier mgf1HashAlgorithm = new DefaultDigestAlgorithmIdentifierFinder().find((((MGF1ParameterSpec)oaepSpec.getMGFParameters()).getDigestAlgorithm())); + return new AlgorithmIdentifier(algorithm, + new RSAESOAEPparams(hashAlgorithm, new AlgorithmIdentifier(PKCSObjectIdentifiers.id_mgf1, mgf1HashAlgorithm), + new AlgorithmIdentifier(PKCSObjectIdentifiers.id_pSpecified, new DEROctetString(((PSource.PSpecified)pSource).getValue())))); + } + } + + throw new InvalidAlgorithmParameterException("unknown parameter spec passed."); + } +} diff --git a/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JcaContentVerifierProviderBuilder.java b/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JcaContentVerifierProviderBuilder.java index 56c3771..87a6699 100644 --- a/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JcaContentVerifierProviderBuilder.java +++ b/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JcaContentVerifierProviderBuilder.java @@ -12,6 +12,7 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; import org.bouncycastle.jcajce.DefaultJcaJceHelper; @@ -144,6 +145,12 @@ public class JcaContentVerifierProviderBuilder }; } + public ContentVerifierProvider build(SubjectPublicKeyInfo publicKey) + throws OperatorCreationException + { + return this.build(helper.convertPublicKey(publicKey)); + } + private SignatureOutputStream createSignatureStream(AlgorithmIdentifier algorithm, PublicKey publicKey) throws OperatorCreationException { diff --git a/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JceAsymmetricKeyUnwrapper.java b/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JceAsymmetricKeyUnwrapper.java index 9413f96..9140ef2 100644 --- a/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JceAsymmetricKeyUnwrapper.java +++ b/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JceAsymmetricKeyUnwrapper.java @@ -1,5 +1,6 @@ package org.bouncycastle.operator.jcajce; +import java.security.AlgorithmParameters; import java.security.GeneralSecurityException; import java.security.InvalidKeyException; import java.security.Key; @@ -80,10 +81,18 @@ public class JceAsymmetricKeyUnwrapper Key sKey = null; Cipher keyCipher = helper.createAsymmetricWrapper(this.getAlgorithmIdentifier().getAlgorithm(), extraMappings); + AlgorithmParameters algParams = helper.createAlgorithmParameters(this.getAlgorithmIdentifier()); try { - keyCipher.init(Cipher.UNWRAP_MODE, privKey); + if (algParams != null) + { + keyCipher.init(Cipher.UNWRAP_MODE, privKey, algParams); + } + else + { + keyCipher.init(Cipher.UNWRAP_MODE, privKey); + } sKey = keyCipher.unwrap(encryptedKey, helper.getKeyAlgorithmName(encryptedKeyAlgorithm.getAlgorithm()), Cipher.SECRET_KEY); } catch (GeneralSecurityException e) diff --git a/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JceAsymmetricKeyWrapper.java b/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JceAsymmetricKeyWrapper.java index 4a2ffae..d19dbcf 100644 --- a/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JceAsymmetricKeyWrapper.java +++ b/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/JceAsymmetricKeyWrapper.java @@ -1,6 +1,8 @@ package org.bouncycastle.operator.jcajce; +import java.security.AlgorithmParameters; import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; import java.security.Provider; import java.security.ProviderException; import java.security.PublicKey; @@ -12,6 +14,7 @@ import java.util.Map; import javax.crypto.Cipher; import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.jcajce.DefaultJcaJceHelper; import org.bouncycastle.jcajce.NamedJcaJceHelper; @@ -40,6 +43,19 @@ public class JceAsymmetricKeyWrapper this(certificate.getPublicKey()); } + /** + * Create a wrapper, overriding the algorithm type that is stored in the public key. + * + * @param algorithmIdentifier identifier for encryption algorithm to be used. + * @param publicKey the public key to be used. + */ + public JceAsymmetricKeyWrapper(AlgorithmIdentifier algorithmIdentifier, PublicKey publicKey) + { + super(algorithmIdentifier); + + this.publicKey = publicKey; + } + public JceAsymmetricKeyWrapper setProvider(Provider provider) { this.helper = new OperatorHelper(new ProviderJcaJceHelper(provider)); @@ -86,13 +102,25 @@ public class JceAsymmetricKeyWrapper throws OperatorException { Cipher keyEncryptionCipher = helper.createAsymmetricWrapper(getAlgorithmIdentifier().getAlgorithm(), extraMappings); + AlgorithmParameters algParams = helper.createAlgorithmParameters(this.getAlgorithmIdentifier()); + byte[] encryptedKeyBytes = null; try { - keyEncryptionCipher.init(Cipher.WRAP_MODE, publicKey, random); + if (algParams != null) + { + keyEncryptionCipher.init(Cipher.WRAP_MODE, publicKey, algParams, random); + } + else + { + keyEncryptionCipher.init(Cipher.WRAP_MODE, publicKey, random); + } encryptedKeyBytes = keyEncryptionCipher.wrap(OperatorUtils.getJceKey(encryptionKey)); } + catch (InvalidKeyException e) + { + } catch (GeneralSecurityException e) { } @@ -114,6 +142,10 @@ public class JceAsymmetricKeyWrapper keyEncryptionCipher.init(Cipher.ENCRYPT_MODE, publicKey, random); encryptedKeyBytes = keyEncryptionCipher.doFinal(OperatorUtils.getJceKey(encryptionKey).getEncoded()); } + catch (InvalidKeyException e) + { + throw new OperatorException("unable to encrypt contents key", e); + } catch (GeneralSecurityException e) { throw new OperatorException("unable to encrypt contents key", e); diff --git a/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/OperatorHelper.java b/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/OperatorHelper.java index bdffa53..2e0bcc1 100644 --- a/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/OperatorHelper.java +++ b/bcpkix/src/main/java/org/bouncycastle/operator/jcajce/OperatorHelper.java @@ -4,14 +4,18 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.security.AlgorithmParameters; import java.security.GeneralSecurityException; +import java.security.KeyFactory; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; +import java.security.PublicKey; import java.security.Signature; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; import java.security.spec.PSSParameterSpec; +import java.security.spec.X509EncodedKeySpec; import java.util.HashMap; import java.util.Map; @@ -29,9 +33,11 @@ import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.pkcs.RSASSAPSSparams; import org.bouncycastle.asn1.teletrust.TeleTrusTObjectIdentifiers; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.jcajce.JcaJceHelper; +import org.bouncycastle.jcajce.JcaJceUtils; import org.bouncycastle.operator.OperatorCreationException; class OperatorHelper @@ -181,6 +187,41 @@ class OperatorHelper } } + AlgorithmParameters createAlgorithmParameters(AlgorithmIdentifier cipherAlgId) + throws OperatorCreationException + { + AlgorithmParameters parameters; + + if (cipherAlgId.getAlgorithm().equals(PKCSObjectIdentifiers.rsaEncryption)) + { + return null; + } + + try + { + parameters = helper.createAlgorithmParameters(cipherAlgId.getAlgorithm().getId()); + } + catch (NoSuchAlgorithmException e) + { + return null; // There's a good chance there aren't any! + } + catch (NoSuchProviderException e) + { + throw new OperatorCreationException("cannot create algorithm parameters: " + e.getMessage(), e); + } + + try + { + parameters.init(cipherAlgId.getParameters().toASN1Primitive().getEncoded()); + } + catch (IOException e) + { + throw new OperatorCreationException("cannot initialise algorithm parameters: " + e.getMessage(), e); + } + + return parameters; + } + MessageDigest createDigest(AlgorithmIdentifier digAlgId) throws GeneralSecurityException { @@ -258,7 +299,7 @@ class OperatorHelper { AlgorithmParameters params = helper.createAlgorithmParameters(algName); - params.init(algorithm.getParameters().toASN1Primitive().getEncoded(), "ASN.1"); + JcaJceUtils.loadParameters(params, algorithm.getParameters()); PSSParameterSpec spec = (PSSParameterSpec)params.getParameterSpec(PSSParameterSpec.class); sig.setParameter(spec); @@ -367,6 +408,33 @@ class OperatorHelper } } + public PublicKey convertPublicKey(SubjectPublicKeyInfo publicKeyInfo) + throws OperatorCreationException + { + try + { + KeyFactory keyFact = helper.createKeyFactory(publicKeyInfo.getAlgorithm().getAlgorithm().getId()); + + return keyFact.generatePublic(new X509EncodedKeySpec(publicKeyInfo.getEncoded())); + } + catch (IOException e) + { + throw new OperatorCreationException("cannot get encoded form of key: " + e.getMessage(), e); + } + catch (NoSuchAlgorithmException e) + { + throw new OperatorCreationException("cannot create key factory: " + e.getMessage(), e); + } + catch (NoSuchProviderException e) + { + throw new OperatorCreationException("cannot find factory provider: " + e.getMessage(), e); + } + catch (InvalidKeySpecException e) + { + throw new OperatorCreationException("cannot create key factory: " + e.getMessage(), e); + } + } + // TODO: put somewhere public so cause easily accessed private static class OpCertificateException extends CertificateException diff --git a/bcpkix/src/main/java/org/bouncycastle/operator/package.html b/bcpkix/src/main/java/org/bouncycastle/operator/package.html deleted file mode 100644 index b64343a..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/operator/package.html +++ /dev/null @@ -1,5 +0,0 @@ -<html> -<body bgcolor="#ffffff"> -Basic operators for doing encryption, signing, and digest operations. -</body> -</html> diff --git a/bcpkix/src/main/java/org/bouncycastle/pkcs/jcajce/JcePKCSPBEInputDecryptorProviderBuilder.java b/bcpkix/src/main/java/org/bouncycastle/pkcs/jcajce/JcePKCSPBEInputDecryptorProviderBuilder.java index 79ab492..5379d47 100644 --- a/bcpkix/src/main/java/org/bouncycastle/pkcs/jcajce/JcePKCSPBEInputDecryptorProviderBuilder.java +++ b/bcpkix/src/main/java/org/bouncycastle/pkcs/jcajce/JcePKCSPBEInputDecryptorProviderBuilder.java @@ -11,8 +11,10 @@ import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.PBEParameterSpec; +import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.cryptopro.GOST28147Parameters; import org.bouncycastle.asn1.pkcs.PBES2Parameters; import org.bouncycastle.asn1.pkcs.PBKDF2Params; import org.bouncycastle.asn1.pkcs.PKCS12PBEParams; @@ -23,19 +25,19 @@ import org.bouncycastle.jcajce.JcaJceHelper; import org.bouncycastle.jcajce.NamedJcaJceHelper; import org.bouncycastle.jcajce.ProviderJcaJceHelper; import org.bouncycastle.jcajce.provider.symmetric.util.BCPBEKey; -import org.bouncycastle.operator.DefaultSecretKeyProvider; -import org.bouncycastle.operator.GenericKey; +import org.bouncycastle.jcajce.spec.GOST28147ParameterSpec; +import org.bouncycastle.jcajce.spec.PBKDF2KeySpec; +import org.bouncycastle.operator.DefaultSecretKeySizeProvider; import org.bouncycastle.operator.InputDecryptor; import org.bouncycastle.operator.InputDecryptorProvider; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.SecretKeySizeProvider; -import org.bouncycastle.operator.jcajce.JceGenericKey; public class JcePKCSPBEInputDecryptorProviderBuilder { private JcaJceHelper helper = new DefaultJcaJceHelper(); private boolean wrongPKCS12Zero = false; - private SecretKeySizeProvider keySizeProvider = DefaultSecretKeyProvider.INSTANCE; + private SecretKeySizeProvider keySizeProvider = DefaultSecretKeySizeProvider.INSTANCE; public JcePKCSPBEInputDecryptorProviderBuilder() { @@ -125,13 +127,31 @@ public class JcePKCSPBEInputDecryptorProviderBuilder SecretKeyFactory keyFact = helper.createSecretKeyFactory(alg.getKeyDerivationFunc().getAlgorithm().getId()); - key = keyFact.generateSecret(new PBEKeySpec(password, func.getSalt(), func.getIterationCount().intValue(), keySizeProvider.getKeySize(encScheme))); + if (func.isDefaultPrf()) + { + key = keyFact.generateSecret(new PBEKeySpec(password, func.getSalt(), func.getIterationCount().intValue(), keySizeProvider.getKeySize(encScheme))); + } + else + { + key = keyFact.generateSecret(new PBKDF2KeySpec(password, func.getSalt(), func.getIterationCount().intValue(), keySizeProvider.getKeySize(encScheme), func.getPrf())); + } cipher = helper.createCipher(alg.getEncryptionScheme().getAlgorithm().getId()); encryptionAlg = AlgorithmIdentifier.getInstance(alg.getEncryptionScheme()); - cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(ASN1OctetString.getInstance(alg.getEncryptionScheme().getParameters()).getOctets())); + ASN1Encodable encParams = alg.getEncryptionScheme().getParameters(); + if (encParams instanceof ASN1OctetString) + { + cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(ASN1OctetString.getInstance(encParams).getOctets())); + } + else + { + // TODO: at the moment it's just GOST, but... + GOST28147Parameters gParams = GOST28147Parameters.getInstance(encParams); + + cipher.init(Cipher.DECRYPT_MODE, key, new GOST28147ParameterSpec(gParams.getEncryptionParamSet(), gParams.getIV())); + } } } catch (Exception e) @@ -150,11 +170,6 @@ public class JcePKCSPBEInputDecryptorProviderBuilder { return new CipherInputStream(input, cipher); } - - public GenericKey getKey() - { - return new JceGenericKey(encryptionAlg, key); - } }; } }; diff --git a/bcpkix/src/main/java/org/bouncycastle/pkcs/jcajce/JcePKCSPBEOutputEncryptorBuilder.java b/bcpkix/src/main/java/org/bouncycastle/pkcs/jcajce/JcePKCSPBEOutputEncryptorBuilder.java index b37d2cb..fe53d58 100644 --- a/bcpkix/src/main/java/org/bouncycastle/pkcs/jcajce/JcePKCSPBEOutputEncryptorBuilder.java +++ b/bcpkix/src/main/java/org/bouncycastle/pkcs/jcajce/JcePKCSPBEOutputEncryptorBuilder.java @@ -26,7 +26,7 @@ import org.bouncycastle.jcajce.DefaultJcaJceHelper; import org.bouncycastle.jcajce.JcaJceHelper; import org.bouncycastle.jcajce.NamedJcaJceHelper; import org.bouncycastle.jcajce.ProviderJcaJceHelper; -import org.bouncycastle.operator.DefaultSecretKeyProvider; +import org.bouncycastle.operator.DefaultSecretKeySizeProvider; import org.bouncycastle.operator.GenericKey; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.OutputEncryptor; @@ -38,7 +38,7 @@ public class JcePKCSPBEOutputEncryptorBuilder private ASN1ObjectIdentifier algorithm; private ASN1ObjectIdentifier keyEncAlgorithm; private SecureRandom random; - private SecretKeySizeProvider keySizeProvider = DefaultSecretKeyProvider.INSTANCE; + private SecretKeySizeProvider keySizeProvider = DefaultSecretKeySizeProvider.INSTANCE; public JcePKCSPBEOutputEncryptorBuilder(ASN1ObjectIdentifier algorithm) { diff --git a/bcpkix/src/main/java/org/bouncycastle/pkcs/jcajce/package.html b/bcpkix/src/main/java/org/bouncycastle/pkcs/jcajce/package.html deleted file mode 100644 index 9b10dc4..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/pkcs/jcajce/package.html +++ /dev/null @@ -1,7 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" - "http://www.w3.org/TR/html4/loose.dtd"> -<html> -<body bgcolor="#ffffff"> -JCA extensions to the PKCS#10 certification request package. -</body> -</html>
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/pkcs/package.html b/bcpkix/src/main/java/org/bouncycastle/pkcs/package.html deleted file mode 100644 index c83de7c..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/pkcs/package.html +++ /dev/null @@ -1,7 +0,0 @@ -<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" - "http://www.w3.org/TR/html4/loose.dtd"> -<html> -<body bgcolor="#ffffff"> -Basic support package for handling and creating PKCS#10 certification requests, PKCS#8 encrypted keys and PKCS#12 keys stores. -</body> -</html>
\ No newline at end of file diff --git a/bcpkix/src/main/java/org/bouncycastle/pkcs/test/PfxPduTest.java b/bcpkix/src/main/java/org/bouncycastle/pkcs/test/PfxPduTest.java index 9c4d138..2bbf9ea 100644 --- a/bcpkix/src/main/java/org/bouncycastle/pkcs/test/PfxPduTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/pkcs/test/PfxPduTest.java @@ -19,6 +19,7 @@ import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Encoding; import org.bouncycastle.asn1.DERBMPString; import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers; import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; import org.bouncycastle.asn1.pkcs.Attribute; import org.bouncycastle.asn1.pkcs.ContentInfo; @@ -455,6 +456,74 @@ public class PfxPduTest + "LgBvAHIAZzAxMCEwCQYFKw4DAhoFAAQUc8hyg5aq/58lH3whwo66zJkWY28E" + "CKHZUIQsQX9hAgIIAA=="); + private byte[] gostPfx = Base64.decode( + "MIIHEgIBAzCCBssGCSqGSIb3DQEHAaCCBrwEgga4MIIGtDCCBYEGCSqGSIb3" + + "DQEHBqCCBXIwggVuAgEAMIIFZwYJKoZIhvcNAQcBMFUGCSqGSIb3DQEFDTBI" + + "MCcGCSqGSIb3DQEFDDAaBAi114+lRrpkXAICCAAwCgYGKoUDAgIKBQAwHQYG" + + "KoUDAgIVMBMECLEIQPMsz/ZZBgcqhQMCAh8BgIIFAbu13yJiW/BnSKYKbtv9" + + "tDJoTv6l9BVpCCI4tvpzJnMeLBJyVZU4JevcJNii+R1LilVuuB+xc8e7/P4G" + + "6TILWmnnispr9KPRAbYRfoCJOa59+TYJMur58wwDuYgMapQAFzsvpzyUWi62" + + "o3uQbbLKO9hQCeJW2L+K9cbg8k33MjXMLpnblKpqmZbHTmBJDFR3xGw7IEjD" + + "UNqruu7DlHY6jctiVJSii9UNEVetSo9AAzfROxRjROg38VsWxLyO9wEMBv/8" + + "H8ur+zOtmQPGqirNXmN+pa08OvZin9kh7CgswW03xIbfsdGGGLRAWtvCnEwJ" + + "mS2tEfH1SZcuVLpMomhq3FU/jsc12k+vq/jw4I2cmfDL41ieK72bwNj8xUXu" + + "JHeoFSPGX4z+nsJUrFbFG4VBuDs2Y0SCWLyYZvdjvJwYjfqtyi/RoFSZjGHF" + + "crstf9YNQ0vW0efCJ7pUBH44OrbnCx5ng2U5jFm1b3HBIKA2RX+Tlhv14MgT" + + "KSftPZ67eSmgdsyPuQAdMu6fEdBMpVKMNZNRV565690sqi+1jOmH94TUX8XU" + + "2pRQj6eGGLq6lgGnnDabcePUEPXW8zW2KYrDKYJ/1QZmVGldvlqnjZMNhIO+" + + "Afsqax/P8RBjMduGqdilGdRzbN8PdhVaN0Ys+WzFxiS9gtaA2yPzcQuedWDN" + + "T7sIrfIapgFYmmHRQ7ht4AKj+lmOyNadONYw+ww+8RzHB1d2Kk+iXeZCtvH0" + + "XFWJZtuoGKSt/gkI0E2vpDfMbLaczaRC7ityO0iJs25ozP4JhZRBVvOmpxc9" + + "YuIetbTnTf1TLJKXDgt1IwPZeugbofSeiNv117lx8VgtvMYFD4W+WQlB8HnO" + + "C8NOYjkMPElc6PCMB9gGm0cIu1fKLvY8ycLav93JJjdDuC0kgKLb2+8mC5+2" + + "DdMkcfgW6hy4c98xnJs8enCww3A4xkRbMU13zMq70liqmKHV2SSurg5hwUHM" + + "ZthT8p988ZBrnqW24lXfMBqTK4YtIBMeMnvKocYBXr96ig3GfahI1Aj2Bw2e" + + "bpZTVeayYUd+2xX8JJMdqna6Q61AL8/eUhJUETz5+fgQJtPjcKmdJfVHO6nB" + + "vOk1t/rjK17eiXLxHCyvfP+Tw8lSFOhcvr4eIeG8WfsWNRu2eKKosOU7uash" + + "QpnvQieqDeijuRxf+tbbJ5D86inwbJqdxra7wNuZXmiaB9gFDzNbNjhtL+6i" + + "gUyX/iQHKi9bNK+PH6pdH/gkwnG/juhdgqoNY6GRty/LUOPgXD+r5e/ST16R" + + "vnlwrlKp5FzRWBEkem+dhelj3rb+cxKEyvPe3TvIUFcmIlV1VCRQ1fBHtX18" + + "eC3a3GprH8c40z3S/kdyk7GlFQ27DRLka+iDN05b+MP5jlgvfqYBKxwLfeNu" + + "MpxWoCUvYWiQdMih86/l0H+0o5UB8SqRbpuvr6fY910JCk0hDaO1pgB3HlRz" + + "k1vb46pg25heXQm3JmO+ghxjOGliYBWjl8p7AfRS9cjS8ca+X02Mv9Viv7Ce" + + "3+Gz0MVwfK98viJ3CFxkaEBlM2LM0IeUQbkHG+YwYaTSfl4GYyrug4F0ZdrA" + + "KeY9/kIxa/OJxjcIMs2H+2mSpxmrb7ylmHZ2RB8ITiduRVtO091hn/J7N+eT" + + "h6BvLBKIFU+UFUdgjxoDNDk7ao++Mu9T3dQfceFBOYzW9vMQgX30yaPLSdan" + + "ZMAP0VtiNjCCASsGCSqGSIb3DQEHAaCCARwEggEYMIIBFDCCARAGCyqGSIb3" + + "DQEMCgECoIGyMIGvMFUGCSqGSIb3DQEFDTBIMCcGCSqGSIb3DQEFDDAaBAiQ" + + "Owewo16xzQICCAAwCgYGKoUDAgIKBQAwHQYGKoUDAgIVMBMECHSCNJJcQ2VI" + + "BgcqhQMCAh8BBFYCyRRpFtZgnsxeK7ZHT+aOyoVmzhtnLrqoBHgV4nJJW2/e" + + "UcJjc2Rlbzfd+3L/GWcRGF8Bgn+MjiaAqE64Rzaao9t2hc3myw1WrCfPnoEx" + + "VI7OPBM5FzFMMCMGCSqGSIb3DQEJFTEWBBTV7LvI27QWRmHD45X2WKXYs3ct" + + "AzAlBgkqhkiG9w0BCRQxGB4WAGMAcABfAGUAeABwAG8AcgB0AGUAZDA+MC4w" + + "CgYGKoUDAgIJBQAEIJbGZorQsNM63+xozwEI561cTFVCbyHAEEpkvF3eijT8" + + "BAgY5sDtkrVeBQICCAA="); + + private byte[] gostPfxFoo123 = Base64.decode( + "MIID6gIBAzCCA6MGCSqGSIb3DQEHAaCCA5QEggOQMIIDjDCCApQGCSqGSIb3" + + "DQEHBqCCAoUwggKBAgEAMIICegYJKoZIhvcNAQcBMFUGCSqGSIb3DQEFDTBI" + + "MCcGCSqGSIb3DQEFDDAaBAhIVrbUVNoQ2wICCAAwCgYGKoUDAgIKBQAwHQYG" + + "KoUDAgIVMBMECBLmAh+XCCYhBgcqhQMCAh8BgIICFP9hQLgDq5SORy2npOdo" + + "1bvoGl9Qdga1kV9s2c1/Y1kTGpuiYKfm5Il+PurzYdE5t/Wi2+SxoePm/AKA" + + "x1Ep5btK/002wnyRbUKdjgF1r7fMXRrd5Ioy8lYxB1v6qhHmzE5fz7FxY+iV" + + "Z70dSRS0JkTasI8MRsFLkJJfDb9twgoch8lYGFfYirHLcVy4xxA3JO9VSHm2" + + "8nuSWSnsmGN0ufPX14UpV2RFe3Rt0gZ0Jc8u2h2Mo0sIoVU6HVwdXzoe6LN7" + + "1NPZdRuhVtjxEvjDAvNJ8WHXQnBQMai2nVAj87uNr6OHLRs+foEccEY9WpPQ" + + "GPt4XbPt4MtmVctT2+Gsvf6Ws2UCx6hD4k8i28a6xS8lhTVam2g/2Z5cxtUV" + + "HxYt7j13HjuQVsuSNdgtrUnw3l43LnBxRZhlFz0r2zrvTB04ynenS+lGdVuG" + + "0TauIH+rdP1ubujw6lFdG9RNgUxWvS5IdwbFGX73a+ZrWiYJeERX11N/6r3g" + + "0EqVFNH9t/ROsdAtCCe2FycQoOSb+VxPU6I+SHjwe7Oa7R8Xxazh/eWTsV59" + + "QzPuLriUMbyYdQIf4xdclgcJoxFElopgl4orRfzH3XQsVbtTxN33lwjkE0j/" + + "686VtcO+b+dU7+BEB7O5yDcx1tupgre0ha/0KOlYfPvmbogGdDf0r6MOwrS7" + + "QFXxKlHfp8vn4mNwoy7pjrzjmjclkbkwgfEGCSqGSIb3DQEHAaCB4wSB4DCB" + + "3TCB2gYLKoZIhvcNAQwKAQKggaMwgaAwVQYJKoZIhvcNAQUNMEgwJwYJKoZI" + + "hvcNAQUMMBoECLD6Ld7TqurqAgIIADAKBgYqhQMCAgoFADAdBgYqhQMCAhUw" + + "EwQIoYXV7LETOEAGByqFAwICHwEERyBQK9LuYnOO0ELrge+a6JFeAVwPL85V" + + "ip2Kj/GfD3nzZR4tPzCwAt79RriKQklNqa3uCc9o0C9Zk5Qcj36SqiXxD1tz" + + "Ea63MSUwIwYJKoZIhvcNAQkVMRYEFKjg5gKM+i+vFhSwaga8YGaZ5thVMD4w" + + "LjAKBgYqhQMCAgkFAAQgIwD0CRCwva2Bjdlv5g970H2bCB1aafBNr/hxJLZE" + + "Ey4ECAW3VYXJzJpYAgIIAA=="); + /** * we generate the CA's certificate */ @@ -1042,6 +1111,90 @@ public class PfxPduTest } } + public void testGOST1() + throws Exception + { + char[] password = "1".toCharArray(); + + InputDecryptorProvider inputDecryptorProvider = new JcePKCSPBEInputDecryptorProviderBuilder() + .setProvider("BC").build(password); + PKCS12PfxPdu pfx = new PKCS12PfxPdu(gostPfx); + + assertTrue(pfx.hasMac()); + assertTrue(pfx.isMacValid(new JcePKCS12MacCalculatorBuilderProvider().setProvider("BC"), password)); + + ContentInfo[] infos = pfx.getContentInfos(); + + for (int i = 0; i != infos.length; i++) + { + if (infos[i].getContentType().equals(PKCSObjectIdentifiers.encryptedData)) + { + PKCS12SafeBagFactory dataFact = new PKCS12SafeBagFactory(infos[i], inputDecryptorProvider); + + PKCS12SafeBag[] bags = dataFact.getSafeBags(); + + // TODO: finish! +// assertEquals(3, bags.length); +// assertEquals(PKCSObjectIdentifiers.certBag, bags[0].getType()); + } + else + { + PKCS12SafeBagFactory dataFact = new PKCS12SafeBagFactory(infos[i]); + + PKCS12SafeBag[] bags = dataFact.getSafeBags(); + + assertEquals(1, bags.length); + assertEquals(PKCSObjectIdentifiers.pkcs8ShroudedKeyBag, bags[0].getType()); + + PKCS8EncryptedPrivateKeyInfo encInfo = (PKCS8EncryptedPrivateKeyInfo)bags[0].getBagValue(); + PrivateKeyInfo info = encInfo.decryptPrivateKeyInfo(inputDecryptorProvider); + assertEquals(CryptoProObjectIdentifiers.gostR3410_2001, info.getPrivateKeyAlgorithm().getAlgorithm()); + } + } + } + + public void testGOST2() + throws Exception + { + char[] password = "foo123".toCharArray(); + + InputDecryptorProvider inputDecryptorProvider = new JcePKCSPBEInputDecryptorProviderBuilder() + .setProvider("BC").build(password); + PKCS12PfxPdu pfx = new PKCS12PfxPdu(gostPfxFoo123); + + assertTrue(pfx.hasMac()); + assertTrue(pfx.isMacValid(new JcePKCS12MacCalculatorBuilderProvider().setProvider("BC"), password)); + + ContentInfo[] infos = pfx.getContentInfos(); + + for (int i = 0; i != infos.length; i++) + { + if (infos[i].getContentType().equals(PKCSObjectIdentifiers.encryptedData)) + { + PKCS12SafeBagFactory dataFact = new PKCS12SafeBagFactory(infos[i], inputDecryptorProvider); + + PKCS12SafeBag[] bags = dataFact.getSafeBags(); + + // TODO: finish! +// assertEquals(3, bags.length); +// assertEquals(PKCSObjectIdentifiers.certBag, bags[0].getType()); + } + else + { + PKCS12SafeBagFactory dataFact = new PKCS12SafeBagFactory(infos[i]); + + PKCS12SafeBag[] bags = dataFact.getSafeBags(); + + assertEquals(1, bags.length); + assertEquals(PKCSObjectIdentifiers.pkcs8ShroudedKeyBag, bags[0].getType()); + + PKCS8EncryptedPrivateKeyInfo encInfo = (PKCS8EncryptedPrivateKeyInfo)bags[0].getBagValue(); + PrivateKeyInfo info = encInfo.decryptPrivateKeyInfo(inputDecryptorProvider); + assertEquals(CryptoProObjectIdentifiers.gostR3410_2001, info.getPrivateKeyAlgorithm().getAlgorithm()); + } + } + } + private X509Certificate[] createCertChain(KeyFactory fact, PublicKey pubKey) throws Exception { diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/TSPUtil.java b/bcpkix/src/main/java/org/bouncycastle/tsp/TSPUtil.java index 76054b9..d757071 100644 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/TSPUtil.java +++ b/bcpkix/src/main/java/org/bouncycastle/tsp/TSPUtil.java @@ -1,26 +1,17 @@ package org.bouncycastle.tsp; -import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.OutputStream; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.security.Provider; -import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.List; import java.util.Map; -import java.util.Set; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1EncodableVector; -import org.bouncycastle.asn1.ASN1InputStream; import org.bouncycastle.asn1.ASN1ObjectIdentifier; -import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.ASN1Set; import org.bouncycastle.asn1.cms.Attribute; import org.bouncycastle.asn1.cms.AttributeTable; @@ -35,7 +26,6 @@ import org.bouncycastle.asn1.x509.Extension; import org.bouncycastle.asn1.x509.Extensions; import org.bouncycastle.asn1.x509.ExtensionsGenerator; import org.bouncycastle.asn1.x509.KeyPurposeId; -import org.bouncycastle.asn1.x509.X509Extensions; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.operator.DigestCalculator; @@ -46,7 +36,6 @@ import org.bouncycastle.util.Integers; public class TSPUtil { - private static Set EMPTY_SET = Collections.unmodifiableSet(new HashSet()); private static List EMPTY_LIST = Collections.unmodifiableList(new ArrayList()); private static final Map digestLengths = new HashMap(); @@ -82,64 +71,6 @@ public class TSPUtil digestNames.put(CryptoProObjectIdentifiers.gostR3411.getId(), "GOST3411"); } - /** - * Fetches the signature time-stamp attributes from a SignerInformation object. - * Checks that the MessageImprint for each time-stamp matches the signature field. - * (see RFC 3161 Appendix A). - * - * @param signerInfo a SignerInformation to search for time-stamps - * @param provider an optional provider to use to create MessageDigest instances - * @return a collection of TimeStampToken objects - * @throws TSPValidationException - * @deprecated use getSignatureTimestamps(SignerInformation, DigestCalculatorProvider) - */ - public static Collection getSignatureTimestamps(SignerInformation signerInfo, Provider provider) - throws TSPValidationException - { - List timestamps = new ArrayList(); - - AttributeTable unsignedAttrs = signerInfo.getUnsignedAttributes(); - if (unsignedAttrs != null) - { - ASN1EncodableVector allTSAttrs = unsignedAttrs.getAll( - PKCSObjectIdentifiers.id_aa_signatureTimeStampToken); - for (int i = 0; i < allTSAttrs.size(); ++i) - { - Attribute tsAttr = (Attribute)allTSAttrs.get(i); - ASN1Set tsAttrValues = tsAttr.getAttrValues(); - for (int j = 0; j < tsAttrValues.size(); ++j) - { - try - { - ContentInfo contentInfo = ContentInfo.getInstance(tsAttrValues.getObjectAt(j)); - TimeStampToken timeStampToken = new TimeStampToken(contentInfo); - TimeStampTokenInfo tstInfo = timeStampToken.getTimeStampInfo(); - - MessageDigest digest = createDigestInstance(tstInfo.getMessageImprintAlgOID().getId(), provider); - byte[] expectedDigest = digest.digest(signerInfo.getSignature()); - - if (!Arrays.constantTimeAreEqual(expectedDigest, tstInfo.getMessageImprintDigest())) - { - throw new TSPValidationException("Incorrect digest in message imprint"); - } - - timestamps.add(timeStampToken); - } - catch (NoSuchAlgorithmException e) - { - throw new TSPValidationException("Unknown hash algorithm specified in timestamp"); - } - catch (Exception e) - { - throw new TSPValidationException("Timestamp could not be parsed"); - } - } - } - } - - return timestamps; - } - /** * Fetches the signature time-stamp attributes from a SignerInformation object. * Checks that the MessageImprint for each time-stamp matches the signature field. @@ -207,56 +138,9 @@ public class TSPUtil * Validate the passed in certificate as being of the correct type to be used * for time stamping. To be valid it must have an ExtendedKeyUsage extension * which has a key purpose identifier of id-kp-timeStamping. - * - * @param cert the certificate of interest. - * @throws TSPValidationException if the certicate fails on one of the check points. - */ - public static void validateCertificate( - X509Certificate cert) - throws TSPValidationException - { - if (cert.getVersion() != 3) - { - throw new IllegalArgumentException("Certificate must have an ExtendedKeyUsage extension."); - } - - byte[] ext = cert.getExtensionValue(X509Extensions.ExtendedKeyUsage.getId()); - if (ext == null) - { - throw new TSPValidationException("Certificate must have an ExtendedKeyUsage extension."); - } - - if (!cert.getCriticalExtensionOIDs().contains(X509Extensions.ExtendedKeyUsage.getId())) - { - throw new TSPValidationException("Certificate must have an ExtendedKeyUsage extension marked as critical."); - } - - ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(ext)); - - try - { - aIn = new ASN1InputStream(new ByteArrayInputStream(((ASN1OctetString)aIn.readObject()).getOctets())); - - ExtendedKeyUsage extKey = ExtendedKeyUsage.getInstance(aIn.readObject()); - - if (!extKey.hasKeyPurposeId(KeyPurposeId.id_kp_timeStamping) || extKey.size() != 1) - { - throw new TSPValidationException("ExtendedKeyUsage not solely time stamping."); - } - } - catch (IOException e) - { - throw new TSPValidationException("cannot process ExtendedKeyUsage extension"); - } - } - - /** - * Validate the passed in certificate as being of the correct type to be used - * for time stamping. To be valid it must have an ExtendedKeyUsage extension - * which has a key purpose identifier of id-kp-timeStamping. * * @param cert the certificate of interest. - * @throws TSPValidationException if the certicate fails on one of the check points. + * @throws TSPValidationException if the certificate fails on one of the check points. */ public static void validateCertificate( X509CertificateHolder cert) @@ -286,23 +170,6 @@ public class TSPUtil } } - /* - * Return the digest algorithm using one of the standard JCA string - * representations rather than the algorithm identifier (if possible). - */ - static String getDigestAlgName( - String digestAlgOID) - { - String digestName = (String)digestNames.get(digestAlgOID); - - if (digestName != null) - { - return digestName; - } - - return digestAlgOID; - } - static int getDigestLength( String digestAlgOID) throws TSPException @@ -317,47 +184,6 @@ public class TSPUtil throw new TSPException("digest algorithm cannot be found."); } - static MessageDigest createDigestInstance(String digestAlgOID, Provider provider) - throws NoSuchAlgorithmException - { - String digestName = TSPUtil.getDigestAlgName(digestAlgOID); - - if (provider != null) - { - try - { - return MessageDigest.getInstance(digestName, provider); - } - catch (NoSuchAlgorithmException e) - { - // Ignore - } - } - - return MessageDigest.getInstance(digestName); - } - - static Set getCriticalExtensionOIDs(X509Extensions extensions) - { - if (extensions == null) - { - return EMPTY_SET; - } - - return Collections.unmodifiableSet(new HashSet(java.util.Arrays.asList(extensions.getCriticalExtensionOIDs()))); - } - - static Set getNonCriticalExtensionOIDs(X509Extensions extensions) - { - if (extensions == null) - { - return EMPTY_SET; - } - - // TODO: should probably produce a set that imposes correct ordering - return Collections.unmodifiableSet(new HashSet(java.util.Arrays.asList(extensions.getNonCriticalExtensionOIDs()))); - } - static List getExtensionOIDs(Extensions extensions) { if (extensions == null) diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampRequest.java b/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampRequest.java index 8acc41b..696c2d8 100644 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampRequest.java +++ b/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampRequest.java @@ -4,7 +4,6 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.math.BigInteger; -import java.security.NoSuchProviderException; import java.util.Arrays; import java.util.Collections; import java.util.Enumeration; @@ -58,9 +57,15 @@ public class TimeStampRequest public TimeStampRequest(InputStream in) throws IOException { + this(loadRequest(in)); + } + + private static TimeStampReq loadRequest(InputStream in) + throws IOException + { try { - this.req = TimeStampReq.getInstance(new ASN1InputStream(in).readObject()); + return TimeStampReq.getInstance(new ASN1InputStream(in).readObject()); } catch (ClassCastException e) { @@ -126,27 +131,6 @@ public class TimeStampRequest /** * Validate the timestamp request, checking the digest to see if it is of an * accepted type and whether it is of the correct length for the algorithm specified. - * - * @param algorithms a set of String OIDS giving accepted algorithms. - * @param policies if non-null a set of policies we are willing to sign under. - * @param extensions if non-null a set of extensions we are willing to accept. - * @param provider the provider to confirm the digest size against. - * @throws TSPException if the request is invalid, or processing fails. - * @deprecated use validate method without provider argument. - */ - public void validate( - Set algorithms, - Set policies, - Set extensions, - String provider) - throws TSPException, NoSuchProviderException - { - validate(algorithms, policies, extensions); - } - - /** - * Validate the timestamp request, checking the digest to see if it is of an - * accepted type and whether it is of the correct length for the algorithm specified. * * @param algorithms a set of OIDs giving accepted algorithms. * @param policies if non-null a set of policies OIDs we are willing to sign under. @@ -228,34 +212,6 @@ public class TimeStampRequest return TSPUtil.getExtensionOIDs(extensions); } - /* (non-Javadoc) - * @see java.security.cert.X509Extension#getExtensionValue(java.lang.String) - * @deprecated use getExtension(ASN1ObjectIdentifier) - */ - public byte[] getExtensionValue(String oid) - { - Extensions exts = req.getExtensions(); - - if (exts != null) - { - Extension ext = exts.getExtension(new ASN1ObjectIdentifier(oid)); - - if (ext != null) - { - try - { - return ext.getExtnValue().getEncoded(); - } - catch (Exception e) - { - throw new RuntimeException("error encoding " + e.toString()); - } - } - } - - return null; - } - /** * Returns a set of ASN1ObjectIdentifiers giving the non-critical extensions. * @return a set of ASN1ObjectIdentifiers. diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampResponseGenerator.java b/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampResponseGenerator.java index 15f5b13..7b7c757 100644 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampResponseGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampResponseGenerator.java @@ -1,17 +1,13 @@ package org.bouncycastle.tsp; -import java.io.ByteArrayInputStream; import java.io.IOException; import java.math.BigInteger; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; import java.util.Date; import java.util.HashSet; import java.util.Iterator; import java.util.Set; import org.bouncycastle.asn1.ASN1EncodableVector; -import org.bouncycastle.asn1.ASN1InputStream; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.DERBitString; import org.bouncycastle.asn1.DERInteger; @@ -142,82 +138,6 @@ public class TimeStampResponseGenerator /** * Return an appropriate TimeStampResponse. * <p> - * If genTime is null a timeNotAvailable error response will be returned. - * - * @param request the request this response is for. - * @param serialNumber serial number for the response token. - * @param genTime generation time for the response token. - * @param provider provider to use for signature calculation. - * @deprecated use method that does not require provider - * @return - * @throws NoSuchAlgorithmException - * @throws NoSuchProviderException - * @throws TSPException - */ - public TimeStampResponse generate( - TimeStampRequest request, - BigInteger serialNumber, - Date genTime, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, TSPException - { - TimeStampResp resp; - - try - { - if (genTime == null) - { - throw new TSPValidationException("The time source is not available.", PKIFailureInfo.timeNotAvailable); - } - - request.validate(acceptedAlgorithms, acceptedPolicies, acceptedExtensions, provider); - - status = PKIStatus.GRANTED; - this.addStatusString("Operation Okay"); - - PKIStatusInfo pkiStatusInfo = getPKIStatusInfo(); - - ContentInfo tstTokenContentInfo = null; - try - { - ByteArrayInputStream bIn = new ByteArrayInputStream(tokenGenerator.generate(request, serialNumber, genTime, provider).toCMSSignedData().getEncoded()); - ASN1InputStream aIn = new ASN1InputStream(bIn); - - tstTokenContentInfo = ContentInfo.getInstance(aIn.readObject()); - } - catch (java.io.IOException ioEx) - { - throw new TSPException( - "Timestamp token received cannot be converted to ContentInfo", ioEx); - } - - resp = new TimeStampResp(pkiStatusInfo, tstTokenContentInfo); - } - catch (TSPValidationException e) - { - status = PKIStatus.REJECTION; - - this.setFailInfoField(e.getFailureCode()); - this.addStatusString(e.getMessage()); - - PKIStatusInfo pkiStatusInfo = getPKIStatusInfo(); - - resp = new TimeStampResp(pkiStatusInfo, null); - } - - try - { - return new TimeStampResponse(resp); - } - catch (IOException e) - { - throw new TSPException("created badly formatted response!"); - } - } - - /** - * Return an appropriate TimeStampResponse. - * <p> * If genTime is null a timeNotAvailable error response will be returned. Calling generate() is the * equivalent of: * <pre> diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampToken.java b/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampToken.java index bc4a631..0422998 100644 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampToken.java +++ b/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampToken.java @@ -4,14 +4,6 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.OutputStream; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.cert.CertStore; -import java.security.cert.CertificateEncodingException; -import java.security.cert.CertificateExpiredException; -import java.security.cert.CertificateNotYetValidException; -import java.security.cert.X509Certificate; import java.util.Collection; import java.util.Date; @@ -32,7 +24,6 @@ import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.asn1.x509.IssuerSerial; -import org.bouncycastle.asn1.x509.X509Name; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cms.CMSException; import org.bouncycastle.cms.CMSProcessable; @@ -40,13 +31,14 @@ import org.bouncycastle.cms.CMSSignedData; import org.bouncycastle.cms.SignerId; import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.cms.SignerInformationVerifier; -import org.bouncycastle.jce.PrincipalUtil; -import org.bouncycastle.jce.X509Principal; import org.bouncycastle.operator.DigestCalculator; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.util.Arrays; import org.bouncycastle.util.Store; +/** + * Carrier class for a TimeStampToken. + */ public class TimeStampToken { CMSSignedData tsToken; @@ -158,17 +150,6 @@ public class TimeStampToken return tsaSignerInfo.getUnsignedAttributes(); } - /** - * @deprecated use getCertificates() or getCRLs() - */ - public CertStore getCertificatesAndCRLs( - String type, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, CMSException - { - return tsToken.getCertificatesAndCRLs(type, provider); - } - public Store getCertificates() { return tsToken.getCertificates(); @@ -188,90 +169,6 @@ public class TimeStampToken * Validate the time stamp token. * <p> * To be valid the token must be signed by the passed in certificate and - * the certificate must be the one referred to by the SigningCertificate - * attribute included in the hashed attributes of the token. The - * certificate must also have the ExtendedKeyUsageExtension with only - * KeyPurposeId.id_kp_timeStamping and have been valid at the time the - * timestamp was created. - * </p> - * <p> - * A successful call to validate means all the above are true. - * </p> - * @deprecated - */ - public void validate( - X509Certificate cert, - String provider) - throws TSPException, TSPValidationException, - CertificateExpiredException, CertificateNotYetValidException, NoSuchProviderException - { - try - { - if (!Arrays.constantTimeAreEqual(certID.getCertHash(), MessageDigest.getInstance(certID.getHashAlgorithmName()).digest(cert.getEncoded()))) - { - throw new TSPValidationException("certificate hash does not match certID hash."); - } - - if (certID.getIssuerSerial() != null) - { - if (!certID.getIssuerSerial().getSerial().getValue().equals(cert.getSerialNumber())) - { - throw new TSPValidationException("certificate serial number does not match certID for signature."); - } - - GeneralName[] names = certID.getIssuerSerial().getIssuer().getNames(); - X509Principal principal = PrincipalUtil.getIssuerX509Principal(cert); - boolean found = false; - - for (int i = 0; i != names.length; i++) - { - if (names[i].getTagNo() == 4 && new X509Principal(X509Name.getInstance(names[i].getName())).equals(principal)) - { - found = true; - break; - } - } - - if (!found) - { - throw new TSPValidationException("certificate name does not match certID for signature. "); - } - } - - TSPUtil.validateCertificate(cert); - - cert.checkValidity(tstInfo.getGenTime()); - - if (!tsaSignerInfo.verify(cert, provider)) - { - throw new TSPValidationException("signature not created by certificate."); - } - } - catch (CMSException e) - { - if (e.getUnderlyingException() != null) - { - throw new TSPException(e.getMessage(), e.getUnderlyingException()); - } - else - { - throw new TSPException("CMS exception: " + e, e); - } - } - catch (NoSuchAlgorithmException e) - { - throw new TSPException("cannot find algorithm: " + e, e); - } - catch (CertificateEncodingException e) - { - throw new TSPException("problem processing certificate: " + e, e); - } - } - - /** - * Validate the time stamp token. - * <p> - * To be valid the token must be signed by the passed in certificate and * the certificate must be the one referred to by the SigningCertificate * attribute included in the hashed attributes of the token. The * certificate must also have the ExtendedKeyUsageExtension with only diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampTokenGenerator.java b/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampTokenGenerator.java index 1a1cec1..008ca95 100644 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampTokenGenerator.java +++ b/bcpkix/src/main/java/org/bouncycastle/tsp/TimeStampTokenGenerator.java @@ -1,26 +1,10 @@ package org.bouncycastle.tsp; -import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.OutputStream; import java.math.BigInteger; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.security.NoSuchProviderException; -import java.security.PrivateKey; -import java.security.cert.CRLException; -import java.security.cert.CertStore; -import java.security.cert.CertStoreException; -import java.security.cert.CertificateEncodingException; -import java.security.cert.X509CRL; -import java.security.cert.X509Certificate; -import java.security.interfaces.DSAPrivateKey; -import java.security.interfaces.RSAPrivateKey; import java.util.ArrayList; -import java.util.Collection; import java.util.Date; -import java.util.Hashtable; -import java.util.Iterator; import java.util.List; import java.util.Map; @@ -30,8 +14,6 @@ import org.bouncycastle.asn1.ASN1GeneralizedTime; import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.DERNull; -import org.bouncycastle.asn1.DERSet; -import org.bouncycastle.asn1.cms.Attribute; import org.bouncycastle.asn1.cms.AttributeTable; import org.bouncycastle.asn1.ess.ESSCertID; import org.bouncycastle.asn1.ess.ESSCertIDv2; @@ -44,24 +26,17 @@ import org.bouncycastle.asn1.tsp.MessageImprint; import org.bouncycastle.asn1.tsp.TSTInfo; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x509.GeneralName; -import org.bouncycastle.cert.jcajce.JcaX509CRLHolder; -import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.asn1.x509.IssuerSerial; +import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cms.CMSAttributeTableGenerationException; import org.bouncycastle.cms.CMSAttributeTableGenerator; import org.bouncycastle.cms.CMSException; import org.bouncycastle.cms.CMSProcessableByteArray; import org.bouncycastle.cms.CMSSignedData; import org.bouncycastle.cms.CMSSignedDataGenerator; -import org.bouncycastle.cms.CMSSignedGenerator; -import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator; import org.bouncycastle.cms.SignerInfoGenerator; -import org.bouncycastle.cms.SimpleAttributeTableGenerator; -import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder; -import org.bouncycastle.jce.interfaces.GOST3410PrivateKey; import org.bouncycastle.operator.DigestCalculator; -import org.bouncycastle.operator.OperatorCreationException; -import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; -import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; import org.bouncycastle.util.CollectionStore; import org.bouncycastle.util.Store; @@ -105,12 +80,6 @@ public class TimeStampTokenGenerator private ASN1ObjectIdentifier tsaPolicyOID; - PrivateKey key; - X509Certificate cert; - String digestOID; - AttributeTable signedAttr; - AttributeTable unsignedAttr; - private List certs = new ArrayList(); private List crls = new ArrayList(); private List attrCerts = new ArrayList(); @@ -134,6 +103,29 @@ public class TimeStampTokenGenerator ASN1ObjectIdentifier tsaPolicy) throws IllegalArgumentException, TSPException { + this(signerInfoGen, digestCalculator, tsaPolicy, false); + } + + /** + * Basic Constructor - set up a calculator based on signerInfoGen with a ESSCertID calculated from + * the signer's associated certificate using the sha1DigestCalculator. If alternate values are required + * for id-aa-signingCertificate they should be added to the signerInfoGen object before it is passed in, + * otherwise a standard digest based value will be added. + * + * @param signerInfoGen the generator for the signer we are using. + * @param digestCalculator calculator for to use for digest of certificate. + * @param tsaPolicy tasPolicy to send. + * @param isIssuerSerialIncluded should issuerSerial be included in the ESSCertIDs, true if yes, by default false. + * @throws IllegalArgumentException if calculator is not SHA-1 or there is no associated certificate for the signer, + * @throws TSPException if the signer certificate cannot be processed. + */ + public TimeStampTokenGenerator( + final SignerInfoGenerator signerInfoGen, + DigestCalculator digestCalculator, + ASN1ObjectIdentifier tsaPolicy, + boolean isIssuerSerialIncluded) + throws IllegalArgumentException, TSPException + { this.signerInfoGen = signerInfoGen; this.tsaPolicyOID = tsaPolicy; @@ -142,19 +134,22 @@ public class TimeStampTokenGenerator throw new IllegalArgumentException("SignerInfoGenerator must have an associated certificate"); } - TSPUtil.validateCertificate(signerInfoGen.getAssociatedCertificate()); + X509CertificateHolder assocCert = signerInfoGen.getAssociatedCertificate(); + TSPUtil.validateCertificate(assocCert); try { OutputStream dOut = digestCalculator.getOutputStream(); - dOut.write(signerInfoGen.getAssociatedCertificate().getEncoded()); + dOut.write(assocCert.getEncoded()); dOut.close(); if (digestCalculator.getAlgorithmIdentifier().getAlgorithm().equals(OIWObjectIdentifiers.idSHA1)) { - final ESSCertID essCertid = new ESSCertID(digestCalculator.getDigest()); + final ESSCertID essCertid = new ESSCertID(digestCalculator.getDigest(), + isIssuerSerialIncluded ? new IssuerSerial(new GeneralNames(new GeneralName(assocCert.getIssuer())), assocCert.getSerialNumber()) + : null); this.signerInfoGen = new SignerInfoGenerator(signerInfoGen, new CMSAttributeTableGenerator() { @@ -175,7 +170,9 @@ public class TimeStampTokenGenerator else { AlgorithmIdentifier digAlgID = new AlgorithmIdentifier(digestCalculator.getAlgorithmIdentifier().getAlgorithm()); - final ESSCertIDv2 essCertid = new ESSCertIDv2(digAlgID, digestCalculator.getDigest()); + final ESSCertIDv2 essCertid = new ESSCertIDv2(digAlgID, digestCalculator.getDigest(), + isIssuerSerialIncluded ? new IssuerSerial(new GeneralNames(new GeneralName(assocCert.getIssuer())), new ASN1Integer(assocCert.getSerialNumber())) + : null); this.signerInfoGen = new SignerInfoGenerator(signerInfoGen, new CMSAttributeTableGenerator() { @@ -201,185 +198,6 @@ public class TimeStampTokenGenerator } /** - * Basic Constructor - set up a calculator based on signerInfoGen with a ESSCertID calculated from - * the signer's associated certificate using the sha1DigestCalculator. - * - * @param sha1DigestCalculator calculator for SHA-1 of certificate. - * @param signerInfoGen the generator for the signer we are using. - * @param tsaPolicy tasPolicy to send. - * @throws IllegalArgumentException if calculator is not SHA-1 or there is no associated certificate for the signer, - * @throws TSPException if the signer certificate cannot be processed. - * @deprecated use constructor taking signerInfoGen first. - */ - public TimeStampTokenGenerator( - DigestCalculator sha1DigestCalculator, - final SignerInfoGenerator signerInfoGen, - ASN1ObjectIdentifier tsaPolicy) - throws IllegalArgumentException, TSPException - { - this(signerInfoGen, sha1DigestCalculator, tsaPolicy); - } - - /** - * basic creation - only the default attributes will be included here. - * @deprecated use SignerInfoGenerator constructor that takes a digest calculator - */ - public TimeStampTokenGenerator( - final SignerInfoGenerator signerInfoGen, - ASN1ObjectIdentifier tsaPolicy) - throws IllegalArgumentException, TSPException - { - this(new DigestCalculator() - { - private ByteArrayOutputStream bOut = new ByteArrayOutputStream(); - - public AlgorithmIdentifier getAlgorithmIdentifier() - { - return new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1, DERNull.INSTANCE); - } - - public OutputStream getOutputStream() - { - return bOut; - } - - public byte[] getDigest() - { - try - { - return MessageDigest.getInstance("SHA-1").digest(bOut.toByteArray()); - } - catch (NoSuchAlgorithmException e) - { - throw new IllegalStateException("cannot find sha-1: "+ e.getMessage()); - } - } - }, signerInfoGen, tsaPolicy); - } - - /** - * basic creation - only the default attributes will be included here. - * @deprecated use SignerInfoGenerator constructor that takes a digest calculator. - */ - public TimeStampTokenGenerator( - PrivateKey key, - X509Certificate cert, - String digestOID, - String tsaPolicyOID) - throws IllegalArgumentException, TSPException - { - this(key, cert, digestOID, tsaPolicyOID, null, null); - } - - /** - * basic creation - only the default attributes will be included here. - * @deprecated use SignerInfoGenerator constructor that takes a digest calculator. - */ - public TimeStampTokenGenerator( - PrivateKey key, - X509Certificate cert, - ASN1ObjectIdentifier digestOID, - String tsaPolicyOID) - throws IllegalArgumentException, TSPException - { - this(key, cert, digestOID.getId(), tsaPolicyOID, null, null); - } - - /** - * create with a signer with extra signed/unsigned attributes. - * @deprecated use SignerInfoGenerator constructor that takes a digest calculator. - */ - public TimeStampTokenGenerator( - PrivateKey key, - X509Certificate cert, - String digestOID, - String tsaPolicyOID, - AttributeTable signedAttr, - AttributeTable unsignedAttr) - throws IllegalArgumentException, TSPException - { - this.key = key; - this.cert = cert; - this.digestOID = digestOID; - this.tsaPolicyOID = new ASN1ObjectIdentifier(tsaPolicyOID); - this.unsignedAttr = unsignedAttr; - - // - // add the essCertid - // - Hashtable signedAttrs = null; - - if (signedAttr != null) - { - signedAttrs = signedAttr.toHashtable(); - } - else - { - signedAttrs = new Hashtable(); - } - - - TSPUtil.validateCertificate(cert); - - try - { - ESSCertID essCertid = new ESSCertID(MessageDigest.getInstance("SHA-1").digest(cert.getEncoded())); - signedAttrs.put(PKCSObjectIdentifiers.id_aa_signingCertificate, - new Attribute( - PKCSObjectIdentifiers.id_aa_signingCertificate, - new DERSet(new SigningCertificate(essCertid)))); - } - catch (NoSuchAlgorithmException e) - { - throw new TSPException("Can't find a SHA-1 implementation.", e); - } - catch (CertificateEncodingException e) - { - throw new TSPException("Exception processing certificate.", e); - } - - this.signedAttr = new AttributeTable(signedAttrs); - } - - /** - * @deprecated use addCertificates and addCRLs - * @param certificates - * @throws CertStoreException - * @throws TSPException - */ - public void setCertificatesAndCRLs(CertStore certificates) - throws CertStoreException, TSPException - { - Collection c1 = certificates.getCertificates(null); - - for (Iterator it = c1.iterator(); it.hasNext();) - { - try - { - certs.add(new JcaX509CertificateHolder((X509Certificate)it.next())); - } - catch (CertificateEncodingException e) - { - throw new TSPException("cannot encode certificate: " + e.getMessage(), e); - } - } - - c1 = certificates.getCRLs(null); - - for (Iterator it = c1.iterator(); it.hasNext();) - { - try - { - crls.add(new JcaX509CRLHolder((X509CRL)it.next())); - } - catch (CRLException e) - { - throw new TSPException("cannot encode CRL: " + e.getMessage(), e); - } - } - } - - /** * Add the store of X509 Certificates to the generator. * * @param certStore a Store containing X509CertificateHolder objects @@ -434,55 +252,22 @@ public class TimeStampTokenGenerator { this.tsa = tsa; } - - //------------------------------------------------------------------------------ - - public TimeStampToken generate( - TimeStampRequest request, - BigInteger serialNumber, - Date genTime, - String provider) - throws NoSuchAlgorithmException, NoSuchProviderException, TSPException - { - if (signerInfoGen == null) - { - try - { - JcaSignerInfoGeneratorBuilder sigBuilder = new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider(provider).build()); - - sigBuilder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(signedAttr)); - - if (unsignedAttr != null) - { - sigBuilder.setUnsignedAttributeGenerator(new SimpleAttributeTableGenerator(unsignedAttr)); - } - - signerInfoGen = sigBuilder.build(new JcaContentSignerBuilder(getSigAlgorithm(key, digestOID)).setProvider(provider).build(key), cert); - } - catch (OperatorCreationException e) - { - throw new TSPException("Error generating signing operator", e); - } - catch (CertificateEncodingException e) - { - throw new TSPException("Error encoding certificate", e); - } - } - - return generate(request, serialNumber, genTime); - } + /** + * Generate a TimeStampToken for the passed in request and serialNumber marking it with the passed in genTime. + * + * @param request the originating request. + * @param serialNumber serial number for the TimeStampToken + * @param genTime token generation time. + * @return a TimeStampToken + * @throws TSPException + */ public TimeStampToken generate( TimeStampRequest request, BigInteger serialNumber, Date genTime) throws TSPException { - if (signerInfoGen == null) - { - throw new IllegalStateException("can only use this method with SignerInfoGenerator constructor"); - } - ASN1ObjectIdentifier digestAlgOID = request.getMessageImprintAlgOID(); AlgorithmIdentifier algID = new AlgorithmIdentifier(digestAlgOID, DERNull.INSTANCE); @@ -568,34 +353,4 @@ public class TimeStampTokenGenerator throw new TSPException("Exception encoding info", e); } } - - private String getSigAlgorithm( - PrivateKey key, - String digestOID) - { - String enc = null; - - if (key instanceof RSAPrivateKey || "RSA".equalsIgnoreCase(key.getAlgorithm())) - { - enc = "RSA"; - } - else if (key instanceof DSAPrivateKey || "DSA".equalsIgnoreCase(key.getAlgorithm())) - { - enc = "DSA"; - } - else if ("ECDSA".equalsIgnoreCase(key.getAlgorithm()) || "EC".equalsIgnoreCase(key.getAlgorithm())) - { - enc = "ECDSA"; - } - else if (key instanceof GOST3410PrivateKey || "GOST3410".equalsIgnoreCase(key.getAlgorithm())) - { - enc = "GOST3410"; - } - else if ("ECGOST3410".equalsIgnoreCase(key.getAlgorithm())) - { - enc = CMSSignedGenerator.ENCRYPTION_ECGOST3410; - } - - return TSPUtil.getDigestAlgName(digestOID) + "with" + enc; - } } diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/cms/package.html b/bcpkix/src/main/java/org/bouncycastle/tsp/cms/package.html deleted file mode 100644 index 2cf1bac..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/cms/package.html +++ /dev/null @@ -1,5 +0,0 @@ -<html> -<body bgcolor="#ffffff"> -Classes for dealing Syntax for Binding Documents with Time-Stamps - RFC 5544. -</body> -</html> diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/package.html b/bcpkix/src/main/java/org/bouncycastle/tsp/package.html deleted file mode 100644 index 45d0c3c..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/package.html +++ /dev/null @@ -1,5 +0,0 @@ -<html> -<body bgcolor="#ffffff"> -Classes for dealing Time Stamp Protocol (TSP) - RFC 3161. -</body> -</html> diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/test/AllTests.java b/bcpkix/src/main/java/org/bouncycastle/tsp/test/AllTests.java index 87d4688..19fc664 100644 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/test/AllTests.java +++ b/bcpkix/src/main/java/org/bouncycastle/tsp/test/AllTests.java @@ -22,7 +22,6 @@ public class AllTests TestSuite suite = new TestSuite("TSP Tests"); suite.addTestSuite(ParseTest.class); - suite.addTestSuite(TSPTest.class); suite.addTestSuite(NewTSPTest.class); suite.addTestSuite(CMSTimeStampedDataTest.class); suite.addTestSuite(CMSTimeStampedDataParserTest.class); diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/test/CMSTimeStampedDataGeneratorTest.java b/bcpkix/src/main/java/org/bouncycastle/tsp/test/CMSTimeStampedDataGeneratorTest.java index e274dc0..a9ab7db 100644 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/test/CMSTimeStampedDataGeneratorTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/tsp/test/CMSTimeStampedDataGeneratorTest.java @@ -81,7 +81,7 @@ public class CMSTimeStampedDataGeneratorTest throws Exception { BcDigestCalculatorProvider calculatorProvider = new BcDigestCalculatorProvider(); - String algOID = "2.16.840.1.101.3.4.2.1"; // SHA-256 + ASN1ObjectIdentifier algOID = new ASN1ObjectIdentifier("2.16.840.1.101.3.4.2.1"); // SHA-256 DigestCalculator hashCalculator = calculatorProvider.get(new AlgorithmIdentifier(algOID)); cmsTimeStampedDataGenerator.initialiseMessageImprintDigestCalculator(hashCalculator); @@ -125,7 +125,7 @@ public class CMSTimeStampedDataGeneratorTest cmsTimeStampedDataGenerator.setMetaData(true, fileInput, "TXT"); BcDigestCalculatorProvider calculatorProvider = new BcDigestCalculatorProvider(); - String algOID = "2.16.840.1.101.3.4.2.1"; // SHA-256 + ASN1ObjectIdentifier algOID = new ASN1ObjectIdentifier("2.16.840.1.101.3.4.2.1"); // SHA-256 DigestCalculator hashCalculator = calculatorProvider.get(new AlgorithmIdentifier(algOID)); cmsTimeStampedDataGenerator.initialiseMessageImprintDigestCalculator(hashCalculator); @@ -136,7 +136,7 @@ public class CMSTimeStampedDataGeneratorTest TimeStampToken timeStampToken = createTimeStampToken(hashCalculator.getDigest(), NISTObjectIdentifiers.id_sha256); CMSTimeStampedData cmsTimeStampedData = cmsTimeStampedDataGenerator.generate(timeStampToken, baseData); - for (int i = 0; i < 3; i++) + for (int i = 0; i <= 3; i++) { byte[] newRequestData = cmsTimeStampedData.calculateNextHash(hashCalculator); TimeStampToken newTimeStampToken = createTimeStampToken(newRequestData, NISTObjectIdentifiers.id_sha256); @@ -167,7 +167,7 @@ public class CMSTimeStampedDataGeneratorTest CMSTimeStampedData cmsTimeStampedData = cmsTimeStampedDataGenerator.generate(timeStampToken, baseData); - for (int i = 0; i < 3; i++) { + for (int i = 0; i <= 3; i++) { switch (i) { case 0: algIdentifier = NISTObjectIdentifiers.id_sha224; @@ -213,7 +213,7 @@ public class CMSTimeStampedDataGeneratorTest byte[] digest = imprintCalculator.getDigest(); TimeStampToken[] tokens = cmsTspData.getTimeStampTokens(); - assertEquals("TimeStampToken expected and verified are different", 4, tokens.length); + assertEquals("TimeStampToken expected and verified are different", 5, tokens.length); for (int i = 0; i < tokens.length; i++) { cmsTspData.validate(newCalculatorProvider, digest, tokens[i]); @@ -243,7 +243,7 @@ public class CMSTimeStampedDataGeneratorTest byte[] digest = imprintCalculator.getDigest(); TimeStampToken[] tokens = cmsTspData.getTimeStampTokens(); - assertEquals("TimeStampToken expected and verified are different", 4, tokens.length); + assertEquals("TimeStampToken expected and verified are different", 5, tokens.length); for (int i = 0; i < tokens.length; i++) { cmsTspData.validate(newCalculatorProvider, digest, tokens[i]); @@ -291,7 +291,7 @@ public class CMSTimeStampedDataGeneratorTest TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - new JcaSimpleSignerInfoGeneratorBuilder().build(algorithmName, privateKey, cert), new ASN1ObjectIdentifier("1.2")); + new JcaSimpleSignerInfoGeneratorBuilder().build(algorithmName, privateKey, cert), new SHA1DigestCalculator(), new ASN1ObjectIdentifier("1.2")); tsTokenGen.addCertificates(certs); diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/test/NewTSPTest.java b/bcpkix/src/main/java/org/bouncycastle/tsp/test/NewTSPTest.java index 7f69e6e..7bf19be 100644 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/test/NewTSPTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/tsp/test/NewTSPTest.java @@ -724,7 +724,7 @@ public class NewTSPTest TimeStampToken tsToken = tsResp.getTimeStampToken(); - tsToken.validate(cert, "BC"); + tsToken.validate(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)); // // check validation @@ -771,7 +771,7 @@ public class NewTSPTest { JcaSignerInfoGeneratorBuilder infoGeneratorBuilder = new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider(BC).build()); - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(infoGeneratorBuilder.build(new JcaContentSignerBuilder("MD5withRSA").setProvider(BC).build(privateKey), cert), new ASN1ObjectIdentifier("1.2.3")); + TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator(infoGeneratorBuilder.build(new JcaContentSignerBuilder("MD5withRSA").setProvider(BC).build(privateKey), cert), new SHA1DigestCalculator(), new ASN1ObjectIdentifier("1.2.3")); tsTokenGen.addCertificates(certs); @@ -788,7 +788,7 @@ public class NewTSPTest TimeStampToken tsToken = tsResp.getTimeStampToken(); - tsToken.validate(cert, "BC"); + tsToken.validate(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)); // // check validation diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/test/ParseTest.java b/bcpkix/src/main/java/org/bouncycastle/tsp/test/ParseTest.java index d94bfb7..557d012 100644 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/test/ParseTest.java +++ b/bcpkix/src/main/java/org/bouncycastle/tsp/test/ParseTest.java @@ -299,7 +299,7 @@ public class ParseTest try { - req.validate(TSPAlgorithms.ALLOWED, null, null, "BC"); + req.validate(TSPAlgorithms.ALLOWED, null, null); } catch (Exception e) { @@ -327,7 +327,7 @@ public class ParseTest resp.validate(req); - resp.getTimeStampToken().validate(cert, "BC"); + resp.getTimeStampToken().validate(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)); } private void unacceptableResponseParse( diff --git a/bcpkix/src/main/java/org/bouncycastle/tsp/test/TSPTest.java b/bcpkix/src/main/java/org/bouncycastle/tsp/test/TSPTest.java deleted file mode 100644 index f0d635d..0000000 --- a/bcpkix/src/main/java/org/bouncycastle/tsp/test/TSPTest.java +++ /dev/null @@ -1,603 +0,0 @@ -package org.bouncycastle.tsp.test; - -import java.math.BigInteger; -import java.security.KeyPair; -import java.security.PrivateKey; -import java.security.cert.CertStore; -import java.security.cert.CollectionCertStoreParameters; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.Collection; -import java.util.Date; -import java.util.HashSet; -import java.util.List; - -import junit.framework.TestCase; -import org.bouncycastle.asn1.cmp.PKIFailureInfo; -import org.bouncycastle.asn1.cms.AttributeTable; -import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.tsp.GenTimeAccuracy; -import org.bouncycastle.tsp.TSPAlgorithms; -import org.bouncycastle.tsp.TSPValidationException; -import org.bouncycastle.tsp.TimeStampRequest; -import org.bouncycastle.tsp.TimeStampRequestGenerator; -import org.bouncycastle.tsp.TimeStampResponse; -import org.bouncycastle.tsp.TimeStampResponseGenerator; -import org.bouncycastle.tsp.TimeStampToken; -import org.bouncycastle.tsp.TimeStampTokenGenerator; -import org.bouncycastle.tsp.TimeStampTokenInfo; -import org.bouncycastle.util.Arrays; - -public class TSPTest - extends TestCase -{ - public void testGeneral() - throws Exception - { - String signDN = "O=Bouncy Castle, C=AU"; - KeyPair signKP = TSPTestUtil.makeKeyPair(); - X509Certificate signCert = TSPTestUtil.makeCACertificate(signKP, - signDN, signKP, signDN); - - String origDN = "CN=Eric H. Echidna, E=eric@bouncycastle.org, O=Bouncy Castle, C=AU"; - KeyPair origKP = TSPTestUtil.makeKeyPair(); - X509Certificate origCert = TSPTestUtil.makeCertificate(origKP, - origDN, signKP, signDN); - - - - List certList = new ArrayList(); - certList.add(origCert); - certList.add(signCert); - - CertStore certs = CertStore.getInstance("Collection", - new CollectionCertStoreParameters(certList), "BC"); - - basicTest(origKP.getPrivate(), origCert, certs); - responseValidationTest(origKP.getPrivate(), origCert, certs); - incorrectHashTest(origKP.getPrivate(), origCert, certs); - badAlgorithmTest(origKP.getPrivate(), origCert, certs); - timeNotAvailableTest(origKP.getPrivate(), origCert, certs); - badPolicyTest(origKP.getPrivate(), origCert, certs); - tokenEncodingTest(origKP.getPrivate(), origCert, certs); - certReqTest(origKP.getPrivate(), origCert, certs); - testAccuracyZeroCerts(origKP.getPrivate(), origCert, certs); - testAccuracyWithCertsAndOrdering(origKP.getPrivate(), origCert, certs); - testNoNonse(origKP.getPrivate(), origCert, certs); - } - - private void basicTest( - PrivateKey privateKey, - X509Certificate cert, - CertStore certs) - throws Exception - { - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - privateKey, cert, TSPAlgorithms.SHA1, "1.2"); - - tsTokenGen.setCertificatesAndCRLs(certs); - - TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator(); - TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(100)); - - TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TSPAlgorithms.ALLOWED); - - TimeStampResponse tsResp = tsRespGen.generate(request, new BigInteger("23"), new Date(), "BC"); - - tsResp = new TimeStampResponse(tsResp.getEncoded()); - - TimeStampToken tsToken = tsResp.getTimeStampToken(); - - tsToken.validate(cert, "BC"); - - AttributeTable table = tsToken.getSignedAttributes(); - - assertNotNull("no signingCertificate attribute found", table.get(PKCSObjectIdentifiers.id_aa_signingCertificate)); - } - - private void responseValidationTest( - PrivateKey privateKey, - X509Certificate cert, - CertStore certs) - throws Exception - { - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - privateKey, cert, TSPAlgorithms.MD5, "1.2"); - - tsTokenGen.setCertificatesAndCRLs(certs); - - TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator(); - TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(100)); - - TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TSPAlgorithms.ALLOWED); - - TimeStampResponse tsResp = tsRespGen.generate(request, new BigInteger("23"), new Date(), "BC"); - - tsResp = new TimeStampResponse(tsResp.getEncoded()); - - TimeStampToken tsToken = tsResp.getTimeStampToken(); - - tsToken.validate(cert, "BC"); - - // - // check validation - // - tsResp.validate(request); - - try - { - request = reqGen.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(101)); - - tsResp.validate(request); - - fail("response validation failed on invalid nonce."); - } - catch (TSPValidationException e) - { - // ignore - } - - try - { - request = reqGen.generate(TSPAlgorithms.SHA1, new byte[22], BigInteger.valueOf(100)); - - tsResp.validate(request); - - fail("response validation failed on wrong digest."); - } - catch (TSPValidationException e) - { - // ignore - } - - try - { - request = reqGen.generate(TSPAlgorithms.MD5, new byte[20], BigInteger.valueOf(100)); - - tsResp.validate(request); - - fail("response validation failed on wrong digest."); - } - catch (TSPValidationException e) - { - // ignore - } - } - - private void incorrectHashTest( - PrivateKey privateKey, - X509Certificate cert, - CertStore certs) - throws Exception - { - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - privateKey, cert, TSPAlgorithms.SHA1, "1.2"); - - tsTokenGen.setCertificatesAndCRLs(certs); - - TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator(); - TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, new byte[16]); - - TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TSPAlgorithms.ALLOWED); - - TimeStampResponse tsResp = tsRespGen.generate(request, new BigInteger("23"), new Date(), "BC"); - - tsResp = new TimeStampResponse(tsResp.getEncoded()); - - TimeStampToken tsToken = tsResp.getTimeStampToken(); - - if (tsToken != null) - { - fail("incorrectHash - token not null."); - } - - PKIFailureInfo failInfo = tsResp.getFailInfo(); - - if (failInfo == null) - { - fail("incorrectHash - failInfo set to null."); - } - - if (failInfo.intValue() != PKIFailureInfo.badDataFormat) - { - fail("incorrectHash - wrong failure info returned."); - } - } - - private void badAlgorithmTest( - PrivateKey privateKey, - X509Certificate cert, - CertStore certs) - throws Exception - { - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - privateKey, cert, TSPAlgorithms.SHA1, "1.2"); - - tsTokenGen.setCertificatesAndCRLs(certs); - - TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator(); - TimeStampRequest request = reqGen.generate("1.2.3.4.5", new byte[20]); - - TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TSPAlgorithms.ALLOWED); - - TimeStampResponse tsResp = tsRespGen.generate(request, new BigInteger("23"), new Date(), "BC"); - - tsResp = new TimeStampResponse(tsResp.getEncoded()); - - TimeStampToken tsToken = tsResp.getTimeStampToken(); - - if (tsToken != null) - { - fail("badAlgorithm - token not null."); - } - - PKIFailureInfo failInfo = tsResp.getFailInfo(); - - if (failInfo == null) - { - fail("badAlgorithm - failInfo set to null."); - } - - if (failInfo.intValue() != PKIFailureInfo.badAlg) - { - fail("badAlgorithm - wrong failure info returned."); - } - } - - private void timeNotAvailableTest( - PrivateKey privateKey, - X509Certificate cert, - CertStore certs) - throws Exception - { - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - privateKey, cert, TSPAlgorithms.SHA1, "1.2"); - - tsTokenGen.setCertificatesAndCRLs(certs); - - TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator(); - TimeStampRequest request = reqGen.generate("1.2.3.4.5", new byte[20]); - - TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TSPAlgorithms.ALLOWED); - - TimeStampResponse tsResp = tsRespGen.generate(request, new BigInteger("23"), null, "BC"); - - tsResp = new TimeStampResponse(tsResp.getEncoded()); - - TimeStampToken tsToken = tsResp.getTimeStampToken(); - - if (tsToken != null) - { - fail("timeNotAvailable - token not null."); - } - - PKIFailureInfo failInfo = tsResp.getFailInfo(); - - if (failInfo == null) - { - fail("timeNotAvailable - failInfo set to null."); - } - - if (failInfo.intValue() != PKIFailureInfo.timeNotAvailable) - { - fail("timeNotAvailable - wrong failure info returned."); - } - } - - private void badPolicyTest( - PrivateKey privateKey, - X509Certificate cert, - CertStore certs) - throws Exception - { - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - privateKey, cert, TSPAlgorithms.SHA1, "1.2"); - - tsTokenGen.setCertificatesAndCRLs(certs); - - TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator(); - - reqGen.setReqPolicy("1.1"); - - TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, new byte[20]); - - TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TSPAlgorithms.ALLOWED, new HashSet()); - - TimeStampResponse tsResp = tsRespGen.generate(request, new BigInteger("23"), new Date(), "BC"); - - tsResp = new TimeStampResponse(tsResp.getEncoded()); - - TimeStampToken tsToken = tsResp.getTimeStampToken(); - - if (tsToken != null) - { - fail("badPolicy - token not null."); - } - - PKIFailureInfo failInfo = tsResp.getFailInfo(); - - if (failInfo == null) - { - fail("badPolicy - failInfo set to null."); - } - - if (failInfo.intValue() != PKIFailureInfo.unacceptedPolicy) - { - fail("badPolicy - wrong failure info returned."); - } - } - - private void certReqTest( - PrivateKey privateKey, - X509Certificate cert, - CertStore certs) - throws Exception - { - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - privateKey, cert, TSPAlgorithms.MD5, "1.2"); - - tsTokenGen.setCertificatesAndCRLs(certs); - - TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator(); - - // - // request with certReq false - // - reqGen.setCertReq(false); - - TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(100)); - - TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TSPAlgorithms.ALLOWED); - - TimeStampResponse tsResp = tsRespGen.generate(request, new BigInteger("23"), new Date(), "BC"); - - tsResp = new TimeStampResponse(tsResp.getEncoded()); - - TimeStampToken tsToken = tsResp.getTimeStampToken(); - - assertNull(tsToken.getTimeStampInfo().getGenTimeAccuracy()); // check for abscence of accuracy - - assertEquals("1.2", tsToken.getTimeStampInfo().getPolicy().getId()); - - try - { - tsToken.validate(cert, "BC"); - } - catch (TSPValidationException e) - { - fail("certReq(false) verification of token failed."); - } - - CertStore respCerts = tsToken.getCertificatesAndCRLs("Collection", "BC"); - - Collection certsColl = respCerts.getCertificates(null); - - if (!certsColl.isEmpty()) - { - fail("certReq(false) found certificates in response."); - } - } - - - private void tokenEncodingTest( - PrivateKey privateKey, - X509Certificate cert, - CertStore certs) - throws Exception - { - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - privateKey, cert, TSPAlgorithms.SHA1, "1.2.3.4.5.6"); - - tsTokenGen.setCertificatesAndCRLs(certs); - - TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator(); - TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(100)); - TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TSPAlgorithms.ALLOWED); - TimeStampResponse tsResp = tsRespGen.generate(request, new BigInteger("23"), new Date(), "BC"); - - tsResp = new TimeStampResponse(tsResp.getEncoded()); - - TimeStampResponse tsResponse = new TimeStampResponse(tsResp.getEncoded()); - - if (!Arrays.areEqual(tsResponse.getEncoded(), tsResp.getEncoded()) - || !Arrays.areEqual(tsResponse.getTimeStampToken().getEncoded(), - tsResp.getTimeStampToken().getEncoded())) - { - fail(); - } - } - - private void testAccuracyZeroCerts( - PrivateKey privateKey, - X509Certificate cert, - CertStore certs) - throws Exception - { - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - privateKey, cert, TSPAlgorithms.MD5, "1.2"); - - tsTokenGen.setCertificatesAndCRLs(certs); - - tsTokenGen.setAccuracySeconds(1); - tsTokenGen.setAccuracyMillis(2); - tsTokenGen.setAccuracyMicros(3); - - TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator(); - TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(100)); - - TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TSPAlgorithms.ALLOWED); - - TimeStampResponse tsResp = tsRespGen.generate(request, new BigInteger("23"), new Date(), "BC"); - - tsResp = new TimeStampResponse(tsResp.getEncoded()); - - TimeStampToken tsToken = tsResp.getTimeStampToken(); - - tsToken.validate(cert, "BC"); - - // - // check validation - // - tsResp.validate(request); - - // - // check tstInfo - // - TimeStampTokenInfo tstInfo = tsToken.getTimeStampInfo(); - - // - // check accuracy - // - GenTimeAccuracy accuracy = tstInfo.getGenTimeAccuracy(); - - assertEquals(1, accuracy.getSeconds()); - assertEquals(2, accuracy.getMillis()); - assertEquals(3, accuracy.getMicros()); - - assertEquals(new BigInteger("23"), tstInfo.getSerialNumber()); - - assertEquals("1.2", tstInfo.getPolicy().getId()); - - // - // test certReq - // - CertStore store = tsToken.getCertificatesAndCRLs("Collection", "BC"); - - Collection certificates = store.getCertificates(null); - - assertEquals(0, certificates.size()); - } - - private void testAccuracyWithCertsAndOrdering( - PrivateKey privateKey, - X509Certificate cert, - CertStore certs) - throws Exception - { - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - privateKey, cert, TSPAlgorithms.MD5, "1.2.3"); - - tsTokenGen.setCertificatesAndCRLs(certs); - - tsTokenGen.setAccuracySeconds(3); - tsTokenGen.setAccuracyMillis(1); - tsTokenGen.setAccuracyMicros(2); - - tsTokenGen.setOrdering(true); - - TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator(); - - reqGen.setCertReq(true); - - TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(100)); - - assertTrue(request.getCertReq()); - - TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TSPAlgorithms.ALLOWED); - - TimeStampResponse tsResp = tsRespGen.generate(request, new BigInteger("23"), new Date(), "BC"); - - tsResp = new TimeStampResponse(tsResp.getEncoded()); - - TimeStampToken tsToken = tsResp.getTimeStampToken(); - - tsToken.validate(cert, "BC"); - - // - // check validation - // - tsResp.validate(request); - - // - // check tstInfo - // - TimeStampTokenInfo tstInfo = tsToken.getTimeStampInfo(); - - // - // check accuracy - // - GenTimeAccuracy accuracy = tstInfo.getGenTimeAccuracy(); - - assertEquals(3, accuracy.getSeconds()); - assertEquals(1, accuracy.getMillis()); - assertEquals(2, accuracy.getMicros()); - - assertEquals(new BigInteger("23"), tstInfo.getSerialNumber()); - - assertEquals("1.2.3", tstInfo.getPolicy().getId()); - - assertEquals(true, tstInfo.isOrdered()); - - assertEquals(tstInfo.getNonce(), BigInteger.valueOf(100)); - - // - // test certReq - // - CertStore store = tsToken.getCertificatesAndCRLs("Collection", "BC"); - - Collection certificates = store.getCertificates(null); - - assertEquals(2, certificates.size()); - } - - private void testNoNonse( - PrivateKey privateKey, - X509Certificate cert, - CertStore certs) - throws Exception - { - TimeStampTokenGenerator tsTokenGen = new TimeStampTokenGenerator( - privateKey, cert, TSPAlgorithms.MD5, "1.2.3"); - - tsTokenGen.setCertificatesAndCRLs(certs); - - TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator(); - TimeStampRequest request = reqGen.generate(TSPAlgorithms.SHA1, new byte[20]); - - assertFalse(request.getCertReq()); - - TimeStampResponseGenerator tsRespGen = new TimeStampResponseGenerator(tsTokenGen, TSPAlgorithms.ALLOWED); - - TimeStampResponse tsResp = tsRespGen.generate(request, new BigInteger("24"), new Date(), "BC"); - - tsResp = new TimeStampResponse(tsResp.getEncoded()); - - TimeStampToken tsToken = tsResp.getTimeStampToken(); - - tsToken.validate(cert, "BC"); - - // - // check validation - // - tsResp.validate(request); - - // - // check tstInfo - // - TimeStampTokenInfo tstInfo = tsToken.getTimeStampInfo(); - - // - // check accuracy - // - GenTimeAccuracy accuracy = tstInfo.getGenTimeAccuracy(); - - assertNull(accuracy); - - assertEquals(new BigInteger("24"), tstInfo.getSerialNumber()); - - assertEquals("1.2.3", tstInfo.getPolicy().getId()); - - assertEquals(false, tstInfo.isOrdered()); - - assertNull(tstInfo.getNonce()); - - // - // test certReq - // - CertStore store = tsToken.getCertificatesAndCRLs("Collection", "BC"); - - Collection certificates = store.getCertificates(null); - - assertEquals(0, certificates.size()); - } -} |