Package org.ejbca.extra.db

Source Code of org.ejbca.extra.db.ExtRAMsgHelper

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
/*************************************************************************
*                                                                       *
*  EJBCA: The OpenSource Certificate Authority                          *
*                                                                       *
*  This software is free software; you can redistribute it and/or       *
*  modify it under the terms of the GNU Lesser General Public           *
*  License as published by the Free Software Foundation; either         *
*  version 2.1 of the License, or any later version.                    *
*                                                                       *
*  See terms of license at gnu.org.                                     *
*                                                                       *
*************************************************************************/
package org.ejbca.extra.db;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.cms.CMSEnvelopedData;
import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.CMSSignedGenerator;
import org.bouncycastle.cms.RecipientInformation;
import org.bouncycastle.cms.RecipientInformationStore;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;

/**
* Class containing static help methods used to encrypt, decrypt, sign  and verify ExtRASubMessages
*
* @author philip
* $Id: ExtRAMsgHelper.java 9330 2010-06-30 18:16:53Z anatom $
*/
public class ExtRAMsgHelper {
 
  private static final Log log = LogFactory.getLog(ExtRAMsgHelper.class);

  private static String provider = "BC"; // default provider
  private static String encAlg = CMSEnvelopedDataGenerator.AES256_CBC; // default encryption algorithm
  private static String signAlg = CMSSignedGenerator.DIGEST_SHA256; // default signature digest
 
  /**
   * Method to initalize the helper class. Should be called before any of the methods are used
   * in not hte default values should be used.
   *
   * @param provider provider to use "BC" is default.
   * @param encAlg encryption algorithm to use, must be supproted by the specified provider.
   * @prarm signAlg signature algorighm to use, must be supproted by the specified provider.
   */
  public static void init(String provider, String encAlg, String signAlg){
    ExtRAMsgHelper.provider = provider;   
    ExtRAMsgHelper.encAlg = encAlg;
    ExtRAMsgHelper.signAlg = signAlg;
  }
 
  /**
   * Method that should be used to encrypt data in a message.
   *
   * Uses the algorithm specified in the init method.
   *
   * @param encCert, the recepient to encrypt to.
   * @param data
   * @return encrypted byte[]
   * @throws IOException
   */
  public static byte[] encryptData(X509Certificate encCert, byte[] data) throws IOException{

        CMSEnvelopedDataGenerator edGen = new CMSEnvelopedDataGenerator();                             
      
      CMSEnvelopedData ed;
    try {
      edGen.addKeyTransRecipient(encCert);
      ed = edGen.generate(
          new CMSProcessableByteArray(data),encAlg,provider);
    } catch (Exception e) {
            log.error("Error Encryotin Keys:: ", e);
            throw new IOException(e.getMessage());       
    }
       
   
    return ed.getEncoded();    
  }

  /**
   * Method that should be used to decrypt data in a message.
   *
   * Uses the algorithm specified in the init method.
   *
   * @param decKey, the recipients private key.
   * @param encData, the encrypted data
   * @return encrypted byte[] or null if decryption failed.
   */
  public static byte[] decryptData(PrivateKey decKey, byte[] encData) {
    byte[] retdata = null;
    try{
      CMSEnvelopedData ed = new CMSEnvelopedData(encData);          
     
      RecipientInformationStore  recipients = ed.getRecipientInfos();            
      Iterator    it =  recipients.getRecipients().iterator();
      RecipientInformation   recipient = (RecipientInformation) it.next();     
      retdata = recipient.getContent(decKey, provider);
    } catch(Exception e){
      log.error("Error decypting data : ", e);
    }
                 
      return retdata; 
 

  /**
   * Method that signes the given data using the algorithm specified in the init method.
   *
   * @param signKey, the key used to sign the data
   * @param signCert the certificate
   * @param data
   * @return the signed data or null if signature failed
   */
  public static byte[] signData(PrivateKey signKey, X509Certificate signCert, byte[] data){
    byte[] retdata = null;
    try{
          ArrayList certList = new ArrayList();
          certList.add(signCert);
          CertStore certs = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList), provider);         
      CMSSignedDataGenerator    gen = new CMSSignedDataGenerator();
      gen.addCertificatesAndCRLs(certs);
      gen.addSigner(signKey, signCert, signAlg);       
      CMSSignedData           signedData = gen.generate(new CMSProcessableByteArray(data), true, provider);
      retdata = signedData.getEncoded();
    } catch(Exception e){
      log.error("Error signing data : ", e);
    }
    return retdata;
 

  /**
   * Method used to verify signed data.
   *
   * @param TrustedCACerts a Collection of trusted certifcates, should contain the entire chains
   * @param TrustedCRLs a Collection of trusted CRLS, use null if no CRL check should be used.
   * @param signedData the data to verify
   * @return true if signature verifes
   */
  public static ParsedSignatureResult verifySignature(Collection cACertChain, Collection trustedCRLs, byte[] signedData){
    return verifySignature(cACertChain, trustedCRLs, signedData, new Date());
  }
 
  /**
   * Method used to verify signed data.
   *
   * @param TrustedCACerts a Collection of trusted certificates, should contain the entire chains
   * @param TrustedCRLs a Collection of trusted CRLS, use null if no CRL check should be used.
   * @param signedData the data to verify
   * @param date the date used to check the validity against.
   * @return a ParsedSignatureResult.
   */
  public static ParsedSignatureResult verifySignature(Collection cACertChain, Collection trustedCRLs, byte[] signedData, Date date){
    boolean verifies = false;       
        X509Certificate usercert = null;
        ParsedSignatureResult retval = new ParsedSignatureResult(false,null,null);
    byte[] content = null;
       
       
        try{
          // First verify the signature
          CMSSignedData     sp = new CMSSignedData(signedData);                                 
         
          CertStore               certs = sp.getCertificatesAndCRLs("Collection", "BC");
          SignerInformationStore  signers = sp.getSignerInfos();
         
          ByteArrayOutputStream baos = new ByteArrayOutputStream();         
          ((CMSProcessableByteArray) sp.getSignedContent()).write(baos);
          content = baos.toByteArray();
          baos.close();
         
          Collection              c = signers.getSigners();
          Iterator                it = c.iterator();
         
          while (it.hasNext())
          {
            SignerInformation   signer = (SignerInformation)it.next();
            Collection          certCollection = certs.getCertificates(signer.getSID());
           
            Iterator        certIt = certCollection.iterator();
            usercert = (X509Certificate)certIt.next();  
           
            boolean validalg = signer.getDigestAlgOID().equals(signAlg);
           
           
            verifies = validalg && signer.verify(usercert.getPublicKey(), "BC");
           
          }
         
          // Second validate the certificate          
          X509Certificate rootCert = null;
          Iterator iter = cACertChain.iterator();
          while(iter.hasNext()){
            X509Certificate cert = (X509Certificate) iter.next();
            if(cert.getIssuerDN().equals(cert.getSubjectDN())){
              rootCert = cert;
              break;
            }
          }
         
          if(rootCert == null){
            throw new CertPathValidatorException("Error Root CA cert not found in cACertChain");
          }
         
          List list = new ArrayList();
          list.add(usercert);
          list.add(cACertChain);
          if(trustedCRLs != null){
            list.add(trustedCRLs);
          }
         
          CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list);
          CertStore store = CertStore.getInstance("Collection", ccsp);
         
          //validating path
          List certchain = new ArrayList();
          certchain.addAll(cACertChain);
          certchain.add(usercert);
          CertPath cp = CertificateFactory.getInstance("X.509","BC").generateCertPath(certchain);
         
          Set trust = new HashSet();
          trust.add(new TrustAnchor(rootCert, null));
         
          CertPathValidator cpv = CertPathValidator.getInstance("PKIX","BC");
          PKIXParameters param = new PKIXParameters(trust);
          param.addCertStore(store);
          param.setDate(date);
          if(trustedCRLs == null){
            param.setRevocationEnabled(false);
          }else{
            param.setRevocationEnabled(true);
          }
          cpv.validate(cp, param);
          retval = new ParsedSignatureResult(verifies, usercert,content);
        }catch(Exception e){
      log.error("Error verifying data : ", e);
    }

   
    return retval;
  }
 
}
TOP

Related Classes of org.ejbca.extra.db.ExtRAMsgHelper

  • org.bouncycastle.cms.CMSEnvelopedData
  • org.bouncycastle.cms.CMSEnvelopedDataGenerator
  • org.bouncycastle.cms.CMSProcessableByteArray
  • org.bouncycastle.cms.CMSSignedData
  • org.bouncycastle.cms.CMSSignedDataGenerator
  • org.bouncycastle.cms.RecipientInformation
  • org.bouncycastle.cms.RecipientInformationStore
  • org.bouncycastle.cms.SignerInformation
  • org.bouncycastle.cms.SignerInformationStore
  • java.security.cert.TrustAnchor
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.