@Override public Attribute getValue() throws SignerException { try { X509Certificate cert = (X509Certificate) certificates[0]; X509Certificate issuerCert = (X509Certificate) certificates[1]; Digest digest = DigestFactory.getInstance().factoryDefault(); digest.setAlgorithm(DigestAlgorithmEnum.SHA_256); byte[] certHash = digest.digest(cert.getEncoded()); X500Name dirName = new X500Name(issuerCert.getSubjectX500Principal().getName()); GeneralName name = new GeneralName(dirName); GeneralNames issuer = new GeneralNames(name); ASN1Integer serialNumber = new ASN1Integer(cert.getSerialNumber()); IssuerSerial issuerSerial = new IssuerSerial(issuer, serialNumber); AlgorithmIdentifier algId = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256);// SHA-256 ESSCertIDv2 essCertIDv2 = new ESSCertIDv2(algId, certHash, issuerSerial); // return new Attribute(new ASN1ObjectIdentifier(identifier), new DERSet(new DERSequence(essCertIDv2))); return new Attribute(new ASN1ObjectIdentifier(identifier), new DERSet(new DERSequence( new ASN1Encodable[] { new DERSequence(essCertIDv2) }))); } catch (CertificateEncodingException ex) { throw new SignerException(ex.getMessage()); } }
public void performTest() throws Exception { // check getInstance on default algorithm. byte[] digest = new byte [256]; ESSCertIDv2 essCertIdv2 = new ESSCertIDv2(new AlgorithmIdentifier( NISTObjectIdentifiers.id_sha256), digest); ASN1Primitive asn1Object = essCertIdv2.toASN1Primitive(); ESSCertIDv2.getInstance(asn1Object); }
public TimeStampToken(CMSSignedData signedData) throws TSPException, IOException { this.tsToken = signedData; if (!this.tsToken.getSignedContentTypeOID().equals(PKCSObjectIdentifiers.id_ct_TSTInfo.getId())) { throw new TSPValidationException("ContentInfo object not for a time stamp."); } Collection signers = tsToken.getSignerInfos().getSigners(); if (signers.size() != 1) { throw new IllegalArgumentException("Time-stamp token signed by " + signers.size() + " signers, but it must contain just the TSA signature."); } tsaSignerInfo = (SignerInformation)signers.iterator().next(); try { CMSProcessable content = tsToken.getSignedContent(); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); content.write(bOut); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(bOut.toByteArray())); this.tstInfo = new TimeStampTokenInfo(TSTInfo.getInstance(aIn.readObject())); Attribute attr = tsaSignerInfo.getSignedAttributes().get(PKCSObjectIdentifiers.id_aa_signingCertificate); if (attr != null) { SigningCertificate signCert = SigningCertificate.getInstance(attr.getAttrValues().getObjectAt(0)); this.certID = new CertID(ESSCertID.getInstance(signCert.getCerts()[0])); } else { attr = tsaSignerInfo.getSignedAttributes().get(PKCSObjectIdentifiers.id_aa_signingCertificateV2); if (attr == null) { throw new TSPValidationException("no signing certificate attribute found, time stamp invalid."); } SigningCertificateV2 signCertV2 = SigningCertificateV2.getInstance(attr.getAttrValues().getObjectAt(0)); this.certID = new CertID(ESSCertIDv2.getInstance(signCertV2.getCerts()[0])); } } catch (CMSException e) { throw new TSPException(e.getMessage(), e.getUnderlyingException()); } }
CertID(ESSCertIDv2 certID) { this.certIDv2 = certID; this.certID = null; }
private void verifySigningCertificateV2(final BigInteger signingTokenSerialNumber, final GeneralNames signingTokenIssuerName, final Attribute signingCertificateAttributeV2) { final ASN1Set attrValues = signingCertificateAttributeV2.getAttrValues(); DigestAlgorithm lastDigestAlgorithm = null; byte[] signingTokenCertHash = null; for (int ii = 0; ii < attrValues.size(); ii++) { final ASN1Encodable asn1Encodable = attrValues.getObjectAt(ii); final SigningCertificateV2 signingCertificateAttribute = SigningCertificateV2.getInstance(asn1Encodable); if (signingCertificateAttribute == null) { LOG.warn("SigningCertificateV2 attribute is not well defined!"); continue; } final ESSCertIDv2[] essCertIDv2s = signingCertificateAttribute.getCerts(); for (final ESSCertIDv2 essCertIDv2 : essCertIDv2s) { final String algorithmId = essCertIDv2.getHashAlgorithm().getAlgorithm().getId(); final DigestAlgorithm digestAlgorithm = DigestAlgorithm.forOID(algorithmId); signingCertificateValidity.setDigestAlgorithm(digestAlgorithm); if (digestAlgorithm != lastDigestAlgorithm) { signingTokenCertHash = signingCertificateValidity.getCertificateToken().getDigest(digestAlgorithm); if (LOG.isDebugEnabled()) { LOG.debug("Candidate Certificate Hash {} with algorithm {}", Utils.toHex(signingTokenCertHash), digestAlgorithm.getName()); } lastDigestAlgorithm = digestAlgorithm; } final byte[] certHash = essCertIDv2.getCertHash(); signingCertificateValidity.setDigestPresent(true); if (LOG.isDebugEnabled()) { LOG.debug("Found Certificate Hash in SigningCertificateV2 {} with algorithm {}", Utils.toHex(certHash), digestAlgorithm.getName()); } final IssuerSerial issuerSerial = essCertIDv2.getIssuerSerial(); final boolean match = verifySigningCertificateReferences(signingTokenSerialNumber, signingTokenIssuerName, signingTokenCertHash, certHash, issuerSerial); if (match) { return; } LOG.warn( "RFC 5035: The first certificate identified in the sequence of certificate identifiers MUST be the certificate used to verify the signature."); } } }
