1 /* 2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.pkcs; 27 28 import java.io.OutputStream; 29 import java.io.IOException; 30 import java.math.BigInteger; 31 import java.security.CryptoPrimitive; 32 import java.security.InvalidKeyException; 33 import java.security.MessageDigest; 34 import java.security.NoSuchAlgorithmException; 35 import java.security.Principal; 36 import java.security.PublicKey; 37 import java.security.Signature; 38 import java.security.SignatureException; 39 import java.security.Timestamp; 40 import java.security.cert.CertPathValidatorException; 41 import java.security.cert.CertificateException; 42 import java.security.cert.CertificateFactory; 43 import java.security.cert.CertPath; 44 import java.security.cert.X509Certificate; 45 import java.util.ArrayList; 46 import java.util.Arrays; 47 import java.util.Collections; 48 import java.util.EnumSet; 49 import java.util.Set; 50 51 import sun.security.timestamp.TimestampToken; 52 import sun.security.util.ConstraintsParameters; 53 import sun.security.util.Debug; 54 import sun.security.util.DerEncoder; 55 import sun.security.util.DerInputStream; 56 import sun.security.util.DerOutputStream; 57 import sun.security.util.DerValue; 58 import sun.security.util.DisabledAlgorithmConstraints; 59 import sun.security.util.HexDumpEncoder; 60 import sun.security.util.KeyUtil; 61 import sun.security.util.ObjectIdentifier; 62 import sun.security.x509.AlgorithmId; 63 import sun.security.x509.X500Name; 64 import sun.security.x509.KeyUsageExtension; 65 66 /** 67 * A SignerInfo, as defined in PKCS#7's signedData type. 68 * 69 * @author Benjamin Renaud 70 */ 71 public class SignerInfo implements DerEncoder { 72 73 // Digest and Signature restrictions 74 private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET = 75 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST)); 76 77 private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = 78 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); 79 80 private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK = 81 new DisabledAlgorithmConstraints( 82 DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS); 83 84 BigInteger version; 436 keyUsage = new KeyUsageExtension(keyUsageBits); 437 } catch (IOException ioe) { 438 throw new SignatureException("Failed to parse keyUsage " 439 + "extension"); 440 } 441 442 boolean digSigAllowed = keyUsage.get( 443 KeyUsageExtension.DIGITAL_SIGNATURE).booleanValue(); 444 445 boolean nonRepuAllowed = keyUsage.get( 446 KeyUsageExtension.NON_REPUDIATION).booleanValue(); 447 448 if (!digSigAllowed && !nonRepuAllowed) { 449 throw new SignatureException("Key usage restricted: " 450 + "cannot be used for " 451 + "digital signatures"); 452 } 453 } 454 455 Signature sig = Signature.getInstance(algname); 456 sig.initVerify(key); 457 sig.update(dataSigned); 458 if (sig.verify(encryptedDigest)) { 459 return this; 460 } 461 462 } catch (IOException e) { 463 throw new SignatureException("IO error verifying signature:\n" + 464 e.getMessage()); 465 466 } catch (InvalidKeyException e) { 467 throw new SignatureException("InvalidKey: " + e.getMessage()); 468 469 } 470 return null; 471 } 472 473 /* Verify the content of the pkcs7 block. */ 474 SignerInfo verify(PKCS7 block) 475 throws NoSuchAlgorithmException, SignatureException { 476 return verify(block, null); 477 } 478 479 480 public BigInteger getVersion() { 481 return version; 482 } 483 484 public X500Name getIssuerName() { 485 return issuerName; 486 } 487 488 public BigInteger getCertificateSerialNumber() { 489 return certificateSerialNumber; 490 } 491 492 public AlgorithmId getDigestAlgorithmId() { 493 return digestAlgorithmId; 494 } 495 496 public PKCS9Attributes getAuthenticatedAttributes() { 497 return authenticatedAttributes; 498 } | 1 /* 2 * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.pkcs; 27 28 import java.io.OutputStream; 29 import java.io.IOException; 30 import java.math.BigInteger; 31 import java.security.cert.CertPathValidatorException; 32 import java.security.cert.CertificateException; 33 import java.security.cert.CertificateFactory; 34 import java.security.cert.CertPath; 35 import java.security.cert.X509Certificate; 36 import java.security.*; 37 import java.util.ArrayList; 38 import java.util.Arrays; 39 import java.util.Collections; 40 import java.util.EnumSet; 41 import java.util.Set; 42 43 import sun.security.timestamp.TimestampToken; 44 import sun.security.util.ConstraintsParameters; 45 import sun.security.util.Debug; 46 import sun.security.util.DerEncoder; 47 import sun.security.util.DerInputStream; 48 import sun.security.util.DerOutputStream; 49 import sun.security.util.DerValue; 50 import sun.security.util.DisabledAlgorithmConstraints; 51 import sun.security.util.HexDumpEncoder; 52 import sun.security.util.KeyUtil; 53 import sun.security.util.ObjectIdentifier; 54 import sun.security.x509.AlgorithmId; 55 import sun.security.x509.X500Name; 56 import sun.security.x509.KeyUsageExtension; 57 import sun.security.util.SignatureUtil; 58 59 /** 60 * A SignerInfo, as defined in PKCS#7's signedData type. 61 * 62 * @author Benjamin Renaud 63 */ 64 public class SignerInfo implements DerEncoder { 65 66 // Digest and Signature restrictions 67 private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET = 68 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST)); 69 70 private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = 71 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); 72 73 private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK = 74 new DisabledAlgorithmConstraints( 75 DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS); 76 77 BigInteger version; 429 keyUsage = new KeyUsageExtension(keyUsageBits); 430 } catch (IOException ioe) { 431 throw new SignatureException("Failed to parse keyUsage " 432 + "extension"); 433 } 434 435 boolean digSigAllowed = keyUsage.get( 436 KeyUsageExtension.DIGITAL_SIGNATURE).booleanValue(); 437 438 boolean nonRepuAllowed = keyUsage.get( 439 KeyUsageExtension.NON_REPUDIATION).booleanValue(); 440 441 if (!digSigAllowed && !nonRepuAllowed) { 442 throw new SignatureException("Key usage restricted: " 443 + "cannot be used for " 444 + "digital signatures"); 445 } 446 } 447 448 Signature sig = Signature.getInstance(algname); 449 450 // set parameters before Signature.initSign/initVerify call, 451 // so key can be checked when it's set 452 AlgorithmParameters ap = 453 digestEncryptionAlgorithmId.getParameters(); 454 try { 455 SignatureUtil.specialSetParameter(sig, ap); 456 } catch (ProviderException | InvalidAlgorithmParameterException e) { 457 throw new SignatureException(e.getMessage(), e); 458 } 459 460 sig.initVerify(key); 461 sig.update(dataSigned); 462 if (sig.verify(encryptedDigest)) { 463 return this; 464 } 465 } catch (IOException e) { 466 throw new SignatureException("IO error verifying signature:\n" + 467 e.getMessage()); 468 } catch (InvalidKeyException e) { 469 throw new SignatureException("InvalidKey: " + e.getMessage()); 470 } 471 return null; 472 } 473 474 /* Verify the content of the pkcs7 block. */ 475 SignerInfo verify(PKCS7 block) 476 throws NoSuchAlgorithmException, SignatureException { 477 return verify(block, null); 478 } 479 480 public BigInteger getVersion() { 481 return version; 482 } 483 484 public X500Name getIssuerName() { 485 return issuerName; 486 } 487 488 public BigInteger getCertificateSerialNumber() { 489 return certificateSerialNumber; 490 } 491 492 public AlgorithmId getDigestAlgorithmId() { 493 return digestAlgorithmId; 494 } 495 496 public PKCS9Attributes getAuthenticatedAttributes() { 497 return authenticatedAttributes; 498 } |