1 /*
2 * Copyright (c) 2011, 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package com.oracle.ipack.signer;
27
28 import java.io.File;
29 import java.io.FileInputStream;
30 import java.io.IOException;
31 import java.io.InputStream;
32 import java.security.KeyStore;
33 import java.security.KeyStoreException;
34 import java.security.NoSuchAlgorithmException;
35 import java.security.PrivateKey;
36 import java.security.UnrecoverableKeyException;
37 import java.security.cert.Certificate;
38 import java.security.cert.CertificateException;
39 import java.security.cert.X509Certificate;
40 import java.util.Arrays;
41 import javax.naming.InvalidNameException;
42 import javax.naming.ldap.LdapName;
43 import javax.naming.ldap.Rdn;
44 import org.bouncycastle.cert.jcajce.JcaCertStore;
45 import org.bouncycastle.cms.CMSException;
46 import org.bouncycastle.cms.CMSProcessableByteArray;
47 import org.bouncycastle.cms.CMSSignedData;
48 import org.bouncycastle.cms.CMSSignedDataGenerator;
49 import org.bouncycastle.cms.CMSTypedData;
50 import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
51 import org.bouncycastle.operator.OperatorCreationException;
52 import org.bouncycastle.util.Store;
53
54 public final class Signer {
55 private final CMSSignedDataGenerator signatureGenerator;
56 private final String subjectName;
57
58 private Signer(final CMSSignedDataGenerator signatureGenerator,
59 final String subjectName) {
60 this.signatureGenerator = signatureGenerator;
61 this.subjectName = subjectName;
62 }
63
64 public static Signer create(
65 final File keystoreFile,
66 final String keystorePassword,
67 final String signingAlias,
68 final String keyPassword) throws IOException,
69 KeyStoreException,
70 NoSuchAlgorithmException,
71 CertificateException,
72 UnrecoverableKeyException,
73 OperatorCreationException,
74 CMSException,
75 InvalidNameException {
76 final KeyStore jksKeyStore = KeyStore.getInstance("JKS");
77 final InputStream is = new FileInputStream(keystoreFile);
78 try {
79 jksKeyStore.load(is, keystorePassword.toCharArray());
80 } finally {
81 is.close();
82 }
83
84 final PrivateKey privateKey =
85 (PrivateKey) jksKeyStore.getKey(signingAlias,
86 keyPassword.toCharArray());
87 final Certificate[] certChain =
88 jksKeyStore.getCertificateChain(signingAlias);
89 if (certChain == null) {
90 throw new CertificateException(
91 "Certificate chain not found under \"" + signingAlias
92 + "\"");
93 }
94
95 final X509Certificate signingCert = (X509Certificate) certChain[0];
96 final String subjectName = getSubjectName(signingCert);
97
98 final Store certs = new JcaCertStore(Arrays.asList(certChain));
99 final CMSSignedDataGenerator signatureGenerator =
100 new CMSSignedDataGenerator();
101
102 signatureGenerator.addSignerInfoGenerator(
103 new JcaSimpleSignerInfoGeneratorBuilder()
104 .setProvider("BC")
105 .build("SHA1withRSA", privateKey, signingCert));
106 signatureGenerator.addCertificates(certs);
107
108 return new Signer(signatureGenerator, subjectName);
109 }
110
111 public byte[] sign(final byte[] data) throws CMSException, IOException {
112 final CMSTypedData typedData = new CMSProcessableByteArray(data);
113 final CMSSignedData signedData = signatureGenerator.generate(typedData);
114
115 return signedData.getEncoded();
116 }
117
118 public String getSubjectName() {
119 return subjectName;
120 }
121
122 private static String getSubjectName(final X509Certificate cert)
123 throws InvalidNameException {
124 final String fullSubjectDn = cert.getSubjectX500Principal().getName();
125 final LdapName fullSubjectLn = new LdapName(fullSubjectDn);
126 for (final Rdn rdn: fullSubjectLn.getRdns()) {
127 if ("CN".equalsIgnoreCase(rdn.getType())) {
128 return rdn.getValue().toString();
129 }
130 }
131
132 throw new InvalidNameException("Common name not found");
133 }
134 }