1 /*
2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.pkcs;
27
28 import java.io.OutputStream;
29 import java.io.IOException;
30 import java.math.BigInteger;
31 import java.security.CryptoPrimitive;
32 import java.security.InvalidKeyException;
33 import java.security.MessageDigest;
34 import java.security.NoSuchAlgorithmException;
35 import java.security.Principal;
36 import java.security.PublicKey;
37 import java.security.Signature;
38 import java.security.SignatureException;
39 import java.security.Timestamp;
40 import java.security.cert.CertPathValidatorException;
41 import java.security.cert.CertificateException;
42 import java.security.cert.CertificateFactory;
43 import java.security.cert.CertPath;
44 import java.security.cert.X509Certificate;
45 import java.util.ArrayList;
46 import java.util.Arrays;
47 import java.util.Collections;
48 import java.util.EnumSet;
49 import java.util.Set;
50
51 import sun.security.timestamp.TimestampToken;
52 import sun.security.util.ConstraintsParameters;
53 import sun.security.util.Debug;
54 import sun.security.util.DerEncoder;
55 import sun.security.util.DerInputStream;
56 import sun.security.util.DerOutputStream;
57 import sun.security.util.DerValue;
58 import sun.security.util.DisabledAlgorithmConstraints;
59 import sun.security.util.HexDumpEncoder;
60 import sun.security.util.KeyUtil;
61 import sun.security.util.ObjectIdentifier;
62 import sun.security.x509.AlgorithmId;
63 import sun.security.x509.X500Name;
64 import sun.security.x509.KeyUsageExtension;
65
66 /**
67 * A SignerInfo, as defined in PKCS#7's signedData type.
68 *
69 * @author Benjamin Renaud
70 */
71 public class SignerInfo implements DerEncoder {
72
73 // Digest and Signature restrictions
74 private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET =
75 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
76
77 private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET =
78 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
79
80 private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK =
81 new DisabledAlgorithmConstraints(
82 DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
83
84 BigInteger version;
436 keyUsage = new KeyUsageExtension(keyUsageBits);
437 } catch (IOException ioe) {
438 throw new SignatureException("Failed to parse keyUsage "
439 + "extension");
440 }
441
442 boolean digSigAllowed = keyUsage.get(
443 KeyUsageExtension.DIGITAL_SIGNATURE).booleanValue();
444
445 boolean nonRepuAllowed = keyUsage.get(
446 KeyUsageExtension.NON_REPUDIATION).booleanValue();
447
448 if (!digSigAllowed && !nonRepuAllowed) {
449 throw new SignatureException("Key usage restricted: "
450 + "cannot be used for "
451 + "digital signatures");
452 }
453 }
454
455 Signature sig = Signature.getInstance(algname);
456 sig.initVerify(key);
457 sig.update(dataSigned);
458 if (sig.verify(encryptedDigest)) {
459 return this;
460 }
461
462 } catch (IOException e) {
463 throw new SignatureException("IO error verifying signature:\n" +
464 e.getMessage());
465
466 } catch (InvalidKeyException e) {
467 throw new SignatureException("InvalidKey: " + e.getMessage());
468
469 }
470 return null;
471 }
472
473 /* Verify the content of the pkcs7 block. */
474 SignerInfo verify(PKCS7 block)
475 throws NoSuchAlgorithmException, SignatureException {
476 return verify(block, null);
477 }
478
479
480 public BigInteger getVersion() {
481 return version;
482 }
483
484 public X500Name getIssuerName() {
485 return issuerName;
486 }
487
488 public BigInteger getCertificateSerialNumber() {
489 return certificateSerialNumber;
490 }
491
492 public AlgorithmId getDigestAlgorithmId() {
493 return digestAlgorithmId;
494 }
495
496 public PKCS9Attributes getAuthenticatedAttributes() {
497 return authenticatedAttributes;
498 }
|
1 /*
2 * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.security.pkcs;
27
28 import java.io.OutputStream;
29 import java.io.IOException;
30 import java.math.BigInteger;
31 import java.security.cert.CertPathValidatorException;
32 import java.security.cert.CertificateException;
33 import java.security.cert.CertificateFactory;
34 import java.security.cert.CertPath;
35 import java.security.cert.X509Certificate;
36 import java.security.*;
37 import java.util.ArrayList;
38 import java.util.Arrays;
39 import java.util.Collections;
40 import java.util.EnumSet;
41 import java.util.Set;
42
43 import sun.security.timestamp.TimestampToken;
44 import sun.security.util.ConstraintsParameters;
45 import sun.security.util.Debug;
46 import sun.security.util.DerEncoder;
47 import sun.security.util.DerInputStream;
48 import sun.security.util.DerOutputStream;
49 import sun.security.util.DerValue;
50 import sun.security.util.DisabledAlgorithmConstraints;
51 import sun.security.util.HexDumpEncoder;
52 import sun.security.util.KeyUtil;
53 import sun.security.util.ObjectIdentifier;
54 import sun.security.x509.AlgorithmId;
55 import sun.security.x509.X500Name;
56 import sun.security.x509.KeyUsageExtension;
57 import sun.security.util.SignatureUtil;
58
59 /**
60 * A SignerInfo, as defined in PKCS#7's signedData type.
61 *
62 * @author Benjamin Renaud
63 */
64 public class SignerInfo implements DerEncoder {
65
66 // Digest and Signature restrictions
67 private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET =
68 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
69
70 private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET =
71 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
72
73 private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK =
74 new DisabledAlgorithmConstraints(
75 DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
76
77 BigInteger version;
429 keyUsage = new KeyUsageExtension(keyUsageBits);
430 } catch (IOException ioe) {
431 throw new SignatureException("Failed to parse keyUsage "
432 + "extension");
433 }
434
435 boolean digSigAllowed = keyUsage.get(
436 KeyUsageExtension.DIGITAL_SIGNATURE).booleanValue();
437
438 boolean nonRepuAllowed = keyUsage.get(
439 KeyUsageExtension.NON_REPUDIATION).booleanValue();
440
441 if (!digSigAllowed && !nonRepuAllowed) {
442 throw new SignatureException("Key usage restricted: "
443 + "cannot be used for "
444 + "digital signatures");
445 }
446 }
447
448 Signature sig = Signature.getInstance(algname);
449
450 // set parameters before Signature.initSign/initVerify call,
451 // so key can be checked when it's set
452 AlgorithmParameters ap =
453 digestEncryptionAlgorithmId.getParameters();
454 try {
455 SignatureUtil.specialSetParameter(sig, ap);
456 } catch (ProviderException | InvalidAlgorithmParameterException e) {
457 throw new SignatureException(e.getMessage(), e);
458 }
459
460 sig.initVerify(key);
461 sig.update(dataSigned);
462 if (sig.verify(encryptedDigest)) {
463 return this;
464 }
465 } catch (IOException e) {
466 throw new SignatureException("IO error verifying signature:\n" +
467 e.getMessage());
468 } catch (InvalidKeyException e) {
469 throw new SignatureException("InvalidKey: " + e.getMessage());
470 }
471 return null;
472 }
473
474 /* Verify the content of the pkcs7 block. */
475 SignerInfo verify(PKCS7 block)
476 throws NoSuchAlgorithmException, SignatureException {
477 return verify(block, null);
478 }
479
480 public BigInteger getVersion() {
481 return version;
482 }
483
484 public X500Name getIssuerName() {
485 return issuerName;
486 }
487
488 public BigInteger getCertificateSerialNumber() {
489 return certificateSerialNumber;
490 }
491
492 public AlgorithmId getDigestAlgorithmId() {
493 return digestAlgorithmId;
494 }
495
496 public PKCS9Attributes getAuthenticatedAttributes() {
497 return authenticatedAttributes;
498 }
|