Package br.net.woodstock.rockframework.security.sign.impl

Source Code of br.net.woodstock.rockframework.security.sign.impl.BouncyCastleSignerHelper

/*
* This file is part of rockframework.
*
* rockframework is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* rockframework is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program.  If not, see <http://www.gnu.org/licenses/>;.
*/
package br.net.woodstock.rockframework.security.sign.impl;

import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;

import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignatureAlgorithmNameGenerator;
import org.bouncycastle.cms.CMSSignerDigestMismatchException;
import org.bouncycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationVerifier;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.SignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.CollectionStore;

import br.net.woodstock.rockframework.core.RockFrameworkLogger;
import br.net.woodstock.rockframework.security.cert.util.Certificates;
import br.net.woodstock.rockframework.security.digest.DigestType;
import br.net.woodstock.rockframework.security.digest.Digester;
import br.net.woodstock.rockframework.security.digest.impl.BasicDigester;
import br.net.woodstock.rockframework.security.util.BouncyCastleProviderHelper;

abstract class BouncyCastleSignerHelper {

  private BouncyCastleSignerHelper() {
    //
  }

  public static DigestType getDigestTypeFromOid(final String oid) {
    if (PKCSObjectIdentifiers.md2.getId().equals(oid)) {
      return DigestType.MD2;
    }
    if (PKCSObjectIdentifiers.md5.getId().equals(oid)) {
      return DigestType.MD5;
    }
    if (OIWObjectIdentifiers.idSHA1.getId().equals(oid)) {
      return DigestType.SHA1;
    }
    if (NISTObjectIdentifiers.id_sha256.getId().equals(oid)) {
      return DigestType.SHA_256;
    }
    if (NISTObjectIdentifiers.id_sha384.getId().equals(oid)) {
      return DigestType.SHA_384;
    }
    if (NISTObjectIdentifiers.id_sha512.getId().equals(oid)) {
      return DigestType.SHA_512;
    }
    return null;
  }

  @SuppressWarnings("rawtypes")
  public static boolean verifySignature(final SignerInformation signerInformation, final CollectionStore certificatesStore, final byte[] data, final boolean detached) throws IOException, CMSException, OperatorCreationException {
    Collection collection = certificatesStore.getMatches(null);
    boolean verified = true;
    if (!collection.isEmpty()) {
      Object obj = collection.iterator().next(); // Only first cert

      Certificate cert = null;
      if (obj instanceof Certificate) {
        cert = (Certificate) obj;
      } else if (obj instanceof X509CertificateHolder) {
        X509CertificateHolder holder = (X509CertificateHolder) obj;
        cert = Certificates.get(holder.getEncoded());
      } else {
        RockFrameworkLogger.getLogger().warn("Unhandled certificate from store '" + obj.getClass().getCanonicalName() + "'");
      }

      if (cert != null) {
        SignerInformationVerifier signerInformationVerifier = null;

        if (detached) {
          JcaSimpleSignerInfoVerifierBuilder builder = new JcaSimpleSignerInfoVerifierBuilder();
          builder.setProvider(BouncyCastleProviderHelper.PROVIDER_NAME);
          signerInformationVerifier = builder.build((X509Certificate) cert);
        } else {
          JcaContentVerifierProviderBuilder jcaContentVerifierProviderBuilder = new JcaContentVerifierProviderBuilder();
          jcaContentVerifierProviderBuilder.setProvider(BouncyCastleProviderHelper.PROVIDER_NAME);

          ContentVerifierProvider contentVerifierProvider = jcaContentVerifierProviderBuilder.build((X509Certificate) cert);

          JcaDigestCalculatorProviderBuilder digestCalculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder();
          digestCalculatorProviderBuilder.setProvider(BouncyCastleProviderHelper.PROVIDER_NAME);
          DigestCalculatorProvider digestCalculatorProvider = digestCalculatorProviderBuilder.build();

          SignatureAlgorithmIdentifierFinder signatureAlgorithmIdentifierFinder = new DefaultSignatureAlgorithmIdentifierFinder();
          CMSSignatureAlgorithmNameGenerator signatureAlgorithmNameGenerator = new DefaultCMSSignatureAlgorithmNameGenerator();

          signerInformationVerifier = new SignerInformationVerifier(signatureAlgorithmNameGenerator, signatureAlgorithmIdentifierFinder, contentVerifierProvider, digestCalculatorProvider);
        }

        try {
          verified = signerInformation.verify(signerInformationVerifier);
        } catch (CMSSignerDigestMismatchException e) {
          RockFrameworkLogger.getLogger().debug(e.getMessage(), e);
          verified = false;
        }

        if ((!detached) && (verified)) {
          byte[] contentDigest = signerInformation.getContentDigest();
          AlgorithmIdentifier algorithmOID = signerInformation.getDigestAlgorithmID();
          DigestType type = BouncyCastleSignerHelper.getDigestTypeFromOid(algorithmOID.getAlgorithm().getId());
          Digester digester = new BasicDigester(type);
          byte[] dataDigest = digester.digest(data);

          if (!MessageDigest.isEqual(contentDigest, dataDigest)) {
            verified = false;
          }
        }
      }
    }
    return verified;
  }

}
TOP

Related Classes of br.net.woodstock.rockframework.security.sign.impl.BouncyCastleSignerHelper

TOP
Copyright © 2018 www.massapi.com. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.