diff options
Diffstat (limited to 'pkix/src/main/java/org/bouncycastle/cms/jcajce')
36 files changed, 3452 insertions, 0 deletions
diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/CMSUtils.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/CMSUtils.java new file mode 100644 index 00000000..bd36b73c --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/CMSUtils.java @@ -0,0 +1,69 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.Provider; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; + +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.cms.IssuerAndSerialNumber; +import org.bouncycastle.asn1.x509.Certificate; +import org.bouncycastle.asn1.x509.TBSCertificateStructure; +import org.bouncycastle.asn1.x509.X509Extension; + +class CMSUtils +{ + static TBSCertificateStructure getTBSCertificateStructure( + X509Certificate cert) + throws CertificateEncodingException + { + return TBSCertificateStructure.getInstance(cert.getTBSCertificate()); + } + + static IssuerAndSerialNumber getIssuerAndSerialNumber(X509Certificate cert) + throws CertificateEncodingException + { + Certificate certStruct = Certificate.getInstance(cert.getEncoded()); + + return new IssuerAndSerialNumber(certStruct.getIssuer(), cert.getSerialNumber()); + } + + + static byte[] getSubjectKeyId(X509Certificate cert) + { + byte[] ext = cert.getExtensionValue(X509Extension.subjectKeyIdentifier.getId()); + + if (ext != null) + { + return ASN1OctetString.getInstance(ASN1OctetString.getInstance(ext).getOctets()).getOctets(); + } + else + { + return null; + } + } + + static EnvelopedDataHelper createContentHelper(Provider provider) + { + if (provider != null) + { + return new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider)); + } + else + { + return new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); + } + } + + static EnvelopedDataHelper createContentHelper(String providerName) + { + if (providerName != null) + { + return new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName)); + } + else + { + return new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); + } + } + +}
\ No newline at end of file diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/DefaultJcaJceExtHelper.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/DefaultJcaJceExtHelper.java new file mode 100644 index 00000000..129829bb --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/DefaultJcaJceExtHelper.java @@ -0,0 +1,26 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.PrivateKey; + +import javax.crypto.SecretKey; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.jcajce.DefaultJcaJceHelper; +import org.bouncycastle.operator.SymmetricKeyUnwrapper; +import org.bouncycastle.operator.jcajce.JceAsymmetricKeyUnwrapper; +import org.bouncycastle.operator.jcajce.JceSymmetricKeyUnwrapper; + +class DefaultJcaJceExtHelper + extends DefaultJcaJceHelper + implements JcaJceExtHelper +{ + public JceAsymmetricKeyUnwrapper createAsymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, PrivateKey keyEncryptionKey) + { + return new JceAsymmetricKeyUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey); + } + + public SymmetricKeyUnwrapper createSymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, SecretKey keyEncryptionKey) + { + return new JceSymmetricKeyUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/EnvelopedDataHelper.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/EnvelopedDataHelper.java new file mode 100644 index 00000000..5f3958f7 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/EnvelopedDataHelper.java @@ -0,0 +1,657 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.IOException; +import java.security.AlgorithmParameterGenerator; +import java.security.AlgorithmParameters; +import java.security.GeneralSecurityException; +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.Key; +import java.security.KeyFactory; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.SecureRandom; +import java.security.spec.AlgorithmParameterSpec; +import java.security.spec.InvalidParameterSpecException; +import java.util.HashMap; +import java.util.Map; + +import javax.crypto.Cipher; +import javax.crypto.KeyAgreement; +import javax.crypto.KeyGenerator; +import javax.crypto.Mac; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKey; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.RC2ParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1Null; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.DERNull; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.pkcs.RC2CBCParameter; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSAlgorithm; +import org.bouncycastle.cms.CMSEnvelopedDataGenerator; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.operator.GenericKey; +import org.bouncycastle.operator.SymmetricKeyUnwrapper; +import org.bouncycastle.operator.jcajce.JceAsymmetricKeyUnwrapper; + +class EnvelopedDataHelper +{ + protected static final Map BASE_CIPHER_NAMES = new HashMap(); + protected static final Map CIPHER_ALG_NAMES = new HashMap(); + protected static final Map MAC_ALG_NAMES = new HashMap(); + + static + { + BASE_CIPHER_NAMES.put(CMSAlgorithm.DES_CBC, "DES"); + BASE_CIPHER_NAMES.put(CMSAlgorithm.DES_EDE3_CBC, "DESEDE"); + BASE_CIPHER_NAMES.put(CMSAlgorithm.AES128_CBC, "AES"); + BASE_CIPHER_NAMES.put(CMSAlgorithm.AES192_CBC, "AES"); + BASE_CIPHER_NAMES.put(CMSAlgorithm.AES256_CBC, "AES"); + BASE_CIPHER_NAMES.put(CMSAlgorithm.RC2_CBC, "RC2"); + BASE_CIPHER_NAMES.put(CMSAlgorithm.CAST5_CBC, "CAST5"); + BASE_CIPHER_NAMES.put(CMSAlgorithm.CAMELLIA128_CBC, "Camellia"); + BASE_CIPHER_NAMES.put(CMSAlgorithm.CAMELLIA192_CBC, "Camellia"); + BASE_CIPHER_NAMES.put(CMSAlgorithm.CAMELLIA256_CBC, "Camellia"); + BASE_CIPHER_NAMES.put(CMSAlgorithm.SEED_CBC, "SEED"); + + CIPHER_ALG_NAMES.put(CMSAlgorithm.DES_CBC, "DES/CBC/PKCS5Padding"); + CIPHER_ALG_NAMES.put(CMSAlgorithm.DES_EDE3_CBC, "DESEDE/CBC/PKCS5Padding"); + CIPHER_ALG_NAMES.put(CMSAlgorithm.AES128_CBC, "AES/CBC/PKCS5Padding"); + CIPHER_ALG_NAMES.put(CMSAlgorithm.AES192_CBC, "AES/CBC/PKCS5Padding"); + CIPHER_ALG_NAMES.put(CMSAlgorithm.AES256_CBC, "AES/CBC/PKCS5Padding"); + CIPHER_ALG_NAMES.put(PKCSObjectIdentifiers.rsaEncryption, "RSA/ECB/PKCS1Padding"); + CIPHER_ALG_NAMES.put(CMSAlgorithm.CAST5_CBC, "CAST5/CBC/PKCS5Padding"); + CIPHER_ALG_NAMES.put(CMSAlgorithm.CAMELLIA128_CBC, "Camellia/CBC/PKCS5Padding"); + CIPHER_ALG_NAMES.put(CMSAlgorithm.CAMELLIA192_CBC, "Camellia/CBC/PKCS5Padding"); + CIPHER_ALG_NAMES.put(CMSAlgorithm.CAMELLIA256_CBC, "Camellia/CBC/PKCS5Padding"); + CIPHER_ALG_NAMES.put(CMSAlgorithm.SEED_CBC, "SEED/CBC/PKCS5Padding"); + + MAC_ALG_NAMES.put(CMSAlgorithm.DES_EDE3_CBC, "DESEDEMac"); + MAC_ALG_NAMES.put(CMSAlgorithm.AES128_CBC, "AESMac"); + MAC_ALG_NAMES.put(CMSAlgorithm.AES192_CBC, "AESMac"); + MAC_ALG_NAMES.put(CMSAlgorithm.AES256_CBC, "AESMac"); + MAC_ALG_NAMES.put(CMSAlgorithm.RC2_CBC, "RC2Mac"); + } + + private static final short[] rc2Table = { + 0xbd, 0x56, 0xea, 0xf2, 0xa2, 0xf1, 0xac, 0x2a, 0xb0, 0x93, 0xd1, 0x9c, 0x1b, 0x33, 0xfd, 0xd0, + 0x30, 0x04, 0xb6, 0xdc, 0x7d, 0xdf, 0x32, 0x4b, 0xf7, 0xcb, 0x45, 0x9b, 0x31, 0xbb, 0x21, 0x5a, + 0x41, 0x9f, 0xe1, 0xd9, 0x4a, 0x4d, 0x9e, 0xda, 0xa0, 0x68, 0x2c, 0xc3, 0x27, 0x5f, 0x80, 0x36, + 0x3e, 0xee, 0xfb, 0x95, 0x1a, 0xfe, 0xce, 0xa8, 0x34, 0xa9, 0x13, 0xf0, 0xa6, 0x3f, 0xd8, 0x0c, + 0x78, 0x24, 0xaf, 0x23, 0x52, 0xc1, 0x67, 0x17, 0xf5, 0x66, 0x90, 0xe7, 0xe8, 0x07, 0xb8, 0x60, + 0x48, 0xe6, 0x1e, 0x53, 0xf3, 0x92, 0xa4, 0x72, 0x8c, 0x08, 0x15, 0x6e, 0x86, 0x00, 0x84, 0xfa, + 0xf4, 0x7f, 0x8a, 0x42, 0x19, 0xf6, 0xdb, 0xcd, 0x14, 0x8d, 0x50, 0x12, 0xba, 0x3c, 0x06, 0x4e, + 0xec, 0xb3, 0x35, 0x11, 0xa1, 0x88, 0x8e, 0x2b, 0x94, 0x99, 0xb7, 0x71, 0x74, 0xd3, 0xe4, 0xbf, + 0x3a, 0xde, 0x96, 0x0e, 0xbc, 0x0a, 0xed, 0x77, 0xfc, 0x37, 0x6b, 0x03, 0x79, 0x89, 0x62, 0xc6, + 0xd7, 0xc0, 0xd2, 0x7c, 0x6a, 0x8b, 0x22, 0xa3, 0x5b, 0x05, 0x5d, 0x02, 0x75, 0xd5, 0x61, 0xe3, + 0x18, 0x8f, 0x55, 0x51, 0xad, 0x1f, 0x0b, 0x5e, 0x85, 0xe5, 0xc2, 0x57, 0x63, 0xca, 0x3d, 0x6c, + 0xb4, 0xc5, 0xcc, 0x70, 0xb2, 0x91, 0x59, 0x0d, 0x47, 0x20, 0xc8, 0x4f, 0x58, 0xe0, 0x01, 0xe2, + 0x16, 0x38, 0xc4, 0x6f, 0x3b, 0x0f, 0x65, 0x46, 0xbe, 0x7e, 0x2d, 0x7b, 0x82, 0xf9, 0x40, 0xb5, + 0x1d, 0x73, 0xf8, 0xeb, 0x26, 0xc7, 0x87, 0x97, 0x25, 0x54, 0xb1, 0x28, 0xaa, 0x98, 0x9d, 0xa5, + 0x64, 0x6d, 0x7a, 0xd4, 0x10, 0x81, 0x44, 0xef, 0x49, 0xd6, 0xae, 0x2e, 0xdd, 0x76, 0x5c, 0x2f, + 0xa7, 0x1c, 0xc9, 0x09, 0x69, 0x9a, 0x83, 0xcf, 0x29, 0x39, 0xb9, 0xe9, 0x4c, 0xff, 0x43, 0xab + }; + + private static final short[] rc2Ekb = { + 0x5d, 0xbe, 0x9b, 0x8b, 0x11, 0x99, 0x6e, 0x4d, 0x59, 0xf3, 0x85, 0xa6, 0x3f, 0xb7, 0x83, 0xc5, + 0xe4, 0x73, 0x6b, 0x3a, 0x68, 0x5a, 0xc0, 0x47, 0xa0, 0x64, 0x34, 0x0c, 0xf1, 0xd0, 0x52, 0xa5, + 0xb9, 0x1e, 0x96, 0x43, 0x41, 0xd8, 0xd4, 0x2c, 0xdb, 0xf8, 0x07, 0x77, 0x2a, 0xca, 0xeb, 0xef, + 0x10, 0x1c, 0x16, 0x0d, 0x38, 0x72, 0x2f, 0x89, 0xc1, 0xf9, 0x80, 0xc4, 0x6d, 0xae, 0x30, 0x3d, + 0xce, 0x20, 0x63, 0xfe, 0xe6, 0x1a, 0xc7, 0xb8, 0x50, 0xe8, 0x24, 0x17, 0xfc, 0x25, 0x6f, 0xbb, + 0x6a, 0xa3, 0x44, 0x53, 0xd9, 0xa2, 0x01, 0xab, 0xbc, 0xb6, 0x1f, 0x98, 0xee, 0x9a, 0xa7, 0x2d, + 0x4f, 0x9e, 0x8e, 0xac, 0xe0, 0xc6, 0x49, 0x46, 0x29, 0xf4, 0x94, 0x8a, 0xaf, 0xe1, 0x5b, 0xc3, + 0xb3, 0x7b, 0x57, 0xd1, 0x7c, 0x9c, 0xed, 0x87, 0x40, 0x8c, 0xe2, 0xcb, 0x93, 0x14, 0xc9, 0x61, + 0x2e, 0xe5, 0xcc, 0xf6, 0x5e, 0xa8, 0x5c, 0xd6, 0x75, 0x8d, 0x62, 0x95, 0x58, 0x69, 0x76, 0xa1, + 0x4a, 0xb5, 0x55, 0x09, 0x78, 0x33, 0x82, 0xd7, 0xdd, 0x79, 0xf5, 0x1b, 0x0b, 0xde, 0x26, 0x21, + 0x28, 0x74, 0x04, 0x97, 0x56, 0xdf, 0x3c, 0xf0, 0x37, 0x39, 0xdc, 0xff, 0x06, 0xa4, 0xea, 0x42, + 0x08, 0xda, 0xb4, 0x71, 0xb0, 0xcf, 0x12, 0x7a, 0x4e, 0xfa, 0x6c, 0x1d, 0x84, 0x00, 0xc8, 0x7f, + 0x91, 0x45, 0xaa, 0x2b, 0xc2, 0xb1, 0x8f, 0xd5, 0xba, 0xf2, 0xad, 0x19, 0xb2, 0x67, 0x36, 0xf7, + 0x0f, 0x0a, 0x92, 0x7d, 0xe3, 0x9d, 0xe9, 0x90, 0x3e, 0x23, 0x27, 0x66, 0x13, 0xec, 0x81, 0x15, + 0xbd, 0x22, 0xbf, 0x9f, 0x7e, 0xa9, 0x51, 0x4b, 0x4c, 0xfb, 0x02, 0xd3, 0x70, 0x86, 0x31, 0xe7, + 0x3b, 0x05, 0x03, 0x54, 0x60, 0x48, 0x65, 0x18, 0xd2, 0xcd, 0x5f, 0x32, 0x88, 0x0e, 0x35, 0xfd + }; + + private JcaJceExtHelper helper; + + EnvelopedDataHelper(JcaJceExtHelper helper) + { + this.helper = helper; + } + + String getBaseCipherName(ASN1ObjectIdentifier algorithm) + { + String name = (String)BASE_CIPHER_NAMES.get(algorithm); + + if (name == null) + { + return algorithm.getId(); + } + + return name; + } + + Key getJceKey(GenericKey key) + { + if (key.getRepresentation() instanceof Key) + { + return (Key)key.getRepresentation(); + } + + if (key.getRepresentation() instanceof byte[]) + { + return new SecretKeySpec((byte[])key.getRepresentation(), "ENC"); + } + + throw new IllegalArgumentException("unknown generic key type"); + } + + Key getJceKey(ASN1ObjectIdentifier algorithm, GenericKey key) + { + if (key.getRepresentation() instanceof Key) + { + return (Key)key.getRepresentation(); + } + + if (key.getRepresentation() instanceof byte[]) + { + return new SecretKeySpec((byte[])key.getRepresentation(), getBaseCipherName(algorithm)); + } + + throw new IllegalArgumentException("unknown generic key type"); + } + + Cipher createCipher(ASN1ObjectIdentifier algorithm) + throws CMSException + { + try + { + String cipherName = (String)CIPHER_ALG_NAMES.get(algorithm); + + if (cipherName != null) + { + try + { + // this is reversed as the Sun policy files now allow unlimited strength RSA + return helper.createCipher(cipherName); + } + catch (NoSuchAlgorithmException e) + { + // Ignore + } + } + return helper.createCipher(algorithm.getId()); + } + catch (GeneralSecurityException e) + { + throw new CMSException("cannot create cipher: " + e.getMessage(), e); + } + } + + Mac createMac(ASN1ObjectIdentifier algorithm) + throws CMSException + { + try + { + String macName = (String)MAC_ALG_NAMES.get(algorithm); + + if (macName != null) + { + try + { + // this is reversed as the Sun policy files now allow unlimited strength RSA + return helper.createMac(macName); + } + catch (NoSuchAlgorithmException e) + { + // Ignore + } + } + return helper.createMac(algorithm.getId()); + } + catch (GeneralSecurityException e) + { + throw new CMSException("cannot create mac: " + e.getMessage(), e); + } + } + + Cipher createRFC3211Wrapper(ASN1ObjectIdentifier algorithm) + throws CMSException + { + String cipherName = (String)BASE_CIPHER_NAMES.get(algorithm); + + if (cipherName == null) + { + throw new CMSException("no name for " + algorithm); + } + + cipherName += "RFC3211Wrap"; + + try + { + return helper.createCipher(cipherName); + } + catch (GeneralSecurityException e) + { + throw new CMSException("cannot create cipher: " + e.getMessage(), e); + } + } + + KeyAgreement createKeyAgreement(ASN1ObjectIdentifier algorithm) + throws CMSException + { + try + { + String agreementName = (String)BASE_CIPHER_NAMES.get(algorithm); + + if (agreementName != null) + { + try + { + // this is reversed as the Sun policy files now allow unlimited strength RSA + return helper.createKeyAgreement(agreementName); + } + catch (NoSuchAlgorithmException e) + { + // Ignore + } + } + return helper.createKeyAgreement(algorithm.getId()); + } + catch (GeneralSecurityException e) + { + throw new CMSException("cannot create key pair generator: " + e.getMessage(), e); + } + } + + AlgorithmParameterGenerator createAlgorithmParameterGenerator(ASN1ObjectIdentifier algorithm) + throws GeneralSecurityException + { + String algorithmName = (String)BASE_CIPHER_NAMES.get(algorithm); + + if (algorithmName != null) + { + try + { + // this is reversed as the Sun policy files now allow unlimited strength RSA + return helper.createAlgorithmParameterGenerator(algorithmName); + } + catch (NoSuchAlgorithmException e) + { + // Ignore + } + } + return helper.createAlgorithmParameterGenerator(algorithm.getId()); + } + + Cipher createContentCipher(final Key sKey, final AlgorithmIdentifier encryptionAlgID) + throws CMSException + { + return (Cipher)execute(new JCECallback() + { + public Object doInJCE() + throws CMSException, InvalidAlgorithmParameterException, + InvalidKeyException, InvalidParameterSpecException, NoSuchAlgorithmException, + NoSuchPaddingException, NoSuchProviderException + { + Cipher cipher = createCipher(encryptionAlgID.getAlgorithm()); + ASN1Encodable sParams = encryptionAlgID.getParameters(); + String encAlg = encryptionAlgID.getAlgorithm().getId(); + + if (sParams != null && !(sParams instanceof ASN1Null)) + { + try + { + AlgorithmParameters params = createAlgorithmParameters(encryptionAlgID.getAlgorithm()); + + try + { + params.init(sParams.toASN1Primitive().getEncoded(), "ASN.1"); + } + catch (IOException e) + { + throw new CMSException("error decoding algorithm parameters.", e); + } + + cipher.init(Cipher.DECRYPT_MODE, sKey, params); + } + catch (NoSuchAlgorithmException e) + { + if (encAlg.equals(CMSAlgorithm.DES_CBC.getId()) + || encAlg.equals(CMSEnvelopedDataGenerator.DES_EDE3_CBC) + || encAlg.equals(CMSEnvelopedDataGenerator.IDEA_CBC) + || encAlg.equals(CMSEnvelopedDataGenerator.AES128_CBC) + || encAlg.equals(CMSEnvelopedDataGenerator.AES192_CBC) + || encAlg.equals(CMSEnvelopedDataGenerator.AES256_CBC)) + { + cipher.init(Cipher.DECRYPT_MODE, sKey, new IvParameterSpec( + ASN1OctetString.getInstance(sParams).getOctets())); + } + else + { + throw e; + } + } + } + else + { + if (encAlg.equals(CMSAlgorithm.DES_CBC.getId()) + || encAlg.equals(CMSEnvelopedDataGenerator.DES_EDE3_CBC) + || encAlg.equals(CMSEnvelopedDataGenerator.IDEA_CBC) + || encAlg.equals(CMSEnvelopedDataGenerator.CAST5_CBC)) + { + cipher.init(Cipher.DECRYPT_MODE, sKey, new IvParameterSpec(new byte[8])); + } + else + { + cipher.init(Cipher.DECRYPT_MODE, sKey); + } + } + + return cipher; + } + }); + } + + Mac createContentMac(final Key sKey, final AlgorithmIdentifier macAlgId) + throws CMSException + { + return (Mac)execute(new JCECallback() + { + public Object doInJCE() + throws CMSException, InvalidAlgorithmParameterException, + InvalidKeyException, InvalidParameterSpecException, NoSuchAlgorithmException, + NoSuchPaddingException, NoSuchProviderException + { + Mac mac = createMac(macAlgId.getAlgorithm()); + ASN1Encodable sParams = macAlgId.getParameters(); + String macAlg = macAlgId.getAlgorithm().getId(); + + if (sParams != null && !(sParams instanceof ASN1Null)) + { + try + { + AlgorithmParameters params = createAlgorithmParameters(macAlgId.getAlgorithm()); + + try + { + params.init(sParams.toASN1Primitive().getEncoded(), "ASN.1"); + } + catch (IOException e) + { + throw new CMSException("error decoding algorithm parameters.", e); + } + + mac.init(sKey, params.getParameterSpec(IvParameterSpec.class)); + } + catch (NoSuchAlgorithmException e) + { + throw e; + } + } + else + { + mac.init(sKey); + } + + return mac; + } + }); + } + + AlgorithmParameters createAlgorithmParameters(ASN1ObjectIdentifier algorithm) + throws NoSuchAlgorithmException, NoSuchProviderException + { + String algorithmName = (String)BASE_CIPHER_NAMES.get(algorithm); + + if (algorithmName != null) + { + try + { + // this is reversed as the Sun policy files now allow unlimited strength RSA + return helper.createAlgorithmParameters(algorithmName); + } + catch (NoSuchAlgorithmException e) + { + // Ignore + } + } + return helper.createAlgorithmParameters(algorithm.getId()); + } + + + KeyPairGenerator createKeyPairGenerator(ASN1ObjectIdentifier algorithm) + throws CMSException + { + try + { + String cipherName = (String)BASE_CIPHER_NAMES.get(algorithm); + + if (cipherName != null) + { + try + { + // this is reversed as the Sun policy files now allow unlimited strength RSA + return helper.createKeyPairGenerator(cipherName); + } + catch (NoSuchAlgorithmException e) + { + // Ignore + } + } + return helper.createKeyPairGenerator(algorithm.getId()); + } + catch (GeneralSecurityException e) + { + throw new CMSException("cannot create key pair generator: " + e.getMessage(), e); + } + } + + public KeyGenerator createKeyGenerator(ASN1ObjectIdentifier algorithm) + throws CMSException + { + try + { + String cipherName = (String)BASE_CIPHER_NAMES.get(algorithm); + + if (cipherName != null) + { + try + { + // this is reversed as the Sun policy files now allow unlimited strength RSA + return helper.createKeyGenerator(cipherName); + } + catch (NoSuchAlgorithmException e) + { + // Ignore + } + } + return helper.createKeyGenerator(algorithm.getId()); + } + catch (GeneralSecurityException e) + { + throw new CMSException("cannot create key generator: " + e.getMessage(), e); + } + } + + AlgorithmParameters generateParameters(ASN1ObjectIdentifier encryptionOID, SecretKey encKey, SecureRandom rand) + throws CMSException + { + try + { + AlgorithmParameterGenerator pGen = createAlgorithmParameterGenerator(encryptionOID); + + if (encryptionOID.equals(CMSEnvelopedDataGenerator.RC2_CBC)) + { + byte[] iv = new byte[8]; + + rand.nextBytes(iv); + + try + { + pGen.init(new RC2ParameterSpec(encKey.getEncoded().length * 8, iv), rand); + } + catch (InvalidAlgorithmParameterException e) + { + throw new CMSException("parameters generation error: " + e, e); + } + } + + return pGen.generateParameters(); + } + catch (NoSuchAlgorithmException e) + { + return null; + } + catch (GeneralSecurityException e) + { + throw new CMSException("exception creating algorithm parameter generator: " + e, e); + } + } + + AlgorithmIdentifier getAlgorithmIdentifier(ASN1ObjectIdentifier encryptionOID, AlgorithmParameters params) + throws CMSException + { + ASN1Encodable asn1Params; + if (params != null) + { + try + { + asn1Params = ASN1Primitive.fromByteArray(params.getEncoded("ASN.1")); + } + catch (IOException e) + { + throw new CMSException("cannot encode parameters: " + e.getMessage(), e); + } + } + else + { + asn1Params = DERNull.INSTANCE; + } + + return new AlgorithmIdentifier( + encryptionOID, + asn1Params); + } + + static Object execute(JCECallback callback) throws CMSException + { + try + { + return callback.doInJCE(); + } + catch (NoSuchAlgorithmException e) + { + throw new CMSException("can't find algorithm.", e); + } + catch (InvalidKeyException e) + { + throw new CMSException("key invalid in message.", e); + } + catch (NoSuchProviderException e) + { + throw new CMSException("can't find provider.", e); + } + catch (NoSuchPaddingException e) + { + throw new CMSException("required padding not supported.", e); + } + catch (InvalidAlgorithmParameterException e) + { + throw new CMSException("algorithm parameters invalid.", e); + } + catch (InvalidParameterSpecException e) + { + throw new CMSException("MAC algorithm parameter spec invalid.", e); + } + } + + public KeyFactory createKeyFactory(ASN1ObjectIdentifier algorithm) + throws CMSException + { + try + { + String cipherName = (String)BASE_CIPHER_NAMES.get(algorithm); + + if (cipherName != null) + { + try + { + // this is reversed as the Sun policy files now allow unlimited strength RSA + return helper.createKeyFactory(cipherName); + } + catch (NoSuchAlgorithmException e) + { + // Ignore + } + } + return helper.createKeyFactory(algorithm.getId()); + } + catch (GeneralSecurityException e) + { + throw new CMSException("cannot create key factory: " + e.getMessage(), e); + } + } + + public JceAsymmetricKeyUnwrapper createAsymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, PrivateKey keyEncryptionKey) + { + return helper.createAsymmetricUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey); + } + + public SymmetricKeyUnwrapper createSymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, SecretKey keyEncryptionKey) + { + return helper.createSymmetricUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey); + } + + public AlgorithmIdentifier getAlgorithmIdentifier(ASN1ObjectIdentifier macOID, AlgorithmParameterSpec paramSpec) + { + if (paramSpec instanceof IvParameterSpec) + { + return new AlgorithmIdentifier(macOID, new DEROctetString(((IvParameterSpec)paramSpec).getIV())); + } + + if (paramSpec instanceof RC2ParameterSpec) + { + RC2ParameterSpec rc2Spec = (RC2ParameterSpec)paramSpec; + + int effKeyBits = ((RC2ParameterSpec)paramSpec).getEffectiveKeyBits(); + + if (effKeyBits != -1) + { + int parameterVersion; + + if (effKeyBits < 256) + { + parameterVersion = rc2Table[effKeyBits]; + } + else + { + parameterVersion = effKeyBits; + } + + return new AlgorithmIdentifier(macOID, new RC2CBCParameter(parameterVersion, rc2Spec.getIV())); + } + + return new AlgorithmIdentifier(macOID, new RC2CBCParameter(rc2Spec.getIV())); + } + + throw new IllegalStateException("unknown parameter spec: " + paramSpec); + } + + static interface JCECallback + { + Object doInJCE() + throws CMSException, InvalidAlgorithmParameterException, InvalidKeyException, InvalidParameterSpecException, + NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException; + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaJceExtHelper.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaJceExtHelper.java new file mode 100644 index 00000000..75b6d91d --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaJceExtHelper.java @@ -0,0 +1,18 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.PrivateKey; + +import javax.crypto.SecretKey; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.jcajce.JcaJceHelper; +import org.bouncycastle.operator.SymmetricKeyUnwrapper; +import org.bouncycastle.operator.jcajce.JceAsymmetricKeyUnwrapper; + +public interface JcaJceExtHelper + extends JcaJceHelper +{ + JceAsymmetricKeyUnwrapper createAsymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, PrivateKey keyEncryptionKey); + + SymmetricKeyUnwrapper createSymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, SecretKey keyEncryptionKey); +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSelectorConverter.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSelectorConverter.java new file mode 100644 index 00000000..a26cbe70 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSelectorConverter.java @@ -0,0 +1,55 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.IOException; +import java.security.cert.X509CertSelector; + +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.cms.KeyTransRecipientId; +import org.bouncycastle.cms.SignerId; + +public class JcaSelectorConverter +{ + public JcaSelectorConverter() + { + + } + + public SignerId getSignerId(X509CertSelector certSelector) + { + try + { + if (certSelector.getSubjectKeyIdentifier() != null) + { + return new SignerId(X500Name.getInstance(certSelector.getIssuerAsBytes()), certSelector.getSerialNumber(), ASN1OctetString.getInstance(certSelector.getSubjectKeyIdentifier()).getOctets()); + } + else + { + return new SignerId(X500Name.getInstance(certSelector.getIssuerAsBytes()), certSelector.getSerialNumber()); + } + } + catch (IOException e) + { + throw new IllegalArgumentException("unable to convert issuer: " + e.getMessage()); + } + } + + public KeyTransRecipientId getKeyTransRecipientId(X509CertSelector certSelector) + { + try + { + if (certSelector.getSubjectKeyIdentifier() != null) + { + return new KeyTransRecipientId(X500Name.getInstance(certSelector.getIssuerAsBytes()), certSelector.getSerialNumber(), ASN1OctetString.getInstance(certSelector.getSubjectKeyIdentifier()).getOctets()); + } + else + { + return new KeyTransRecipientId(X500Name.getInstance(certSelector.getIssuerAsBytes()), certSelector.getSerialNumber()); + } + } + catch (IOException e) + { + throw new IllegalArgumentException("unable to convert issuer: " + e.getMessage()); + } + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSignerId.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSignerId.java new file mode 100644 index 00000000..056f7c06 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSignerId.java @@ -0,0 +1,56 @@ +package org.bouncycastle.cms.jcajce; + +import java.math.BigInteger; +import java.security.cert.X509Certificate; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.cms.SignerId; + +public class JcaSignerId + extends SignerId +{ + /** + * Construct a signer identifier based on the issuer, serial number and subject key identifier (if present) of the passed in + * certificate. + * + * @param certificate certificate providing the issue and serial number and subject key identifier. + */ + public JcaSignerId(X509Certificate certificate) + { + super(convertPrincipal(certificate.getIssuerX500Principal()), certificate.getSerialNumber(), CMSUtils.getSubjectKeyId(certificate)); + } + + /** + * Construct a signer identifier based on the provided issuer and serial number.. + * + * @param issuer the issuer to use. + * @param serialNumber the serial number to use. + */ + public JcaSignerId(X500Principal issuer, BigInteger serialNumber) + { + super(convertPrincipal(issuer), serialNumber); + } + + /** + * Construct a signer identifier based on the provided issuer, serial number, and subjectKeyId.. + * + * @param issuer the issuer to use. + * @param serialNumber the serial number to use. + * @param subjectKeyId the subject key ID to use. + */ + public JcaSignerId(X500Principal issuer, BigInteger serialNumber, byte[] subjectKeyId) + { + super(convertPrincipal(issuer), serialNumber, subjectKeyId); + } + + private static X500Name convertPrincipal(X500Principal issuer) + { + if (issuer == null) + { + return null; + } + return X500Name.getInstance(issuer.getEncoded()); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSignerInfoGeneratorBuilder.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSignerInfoGeneratorBuilder.java new file mode 100644 index 00000000..4a0e7ca4 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSignerInfoGeneratorBuilder.java @@ -0,0 +1,68 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; + +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; +import org.bouncycastle.cms.CMSAttributeTableGenerator; +import org.bouncycastle.cms.SignerInfoGenerator; +import org.bouncycastle.cms.SignerInfoGeneratorBuilder; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.DigestCalculatorProvider; +import org.bouncycastle.operator.OperatorCreationException; + +public class JcaSignerInfoGeneratorBuilder +{ + private SignerInfoGeneratorBuilder builder; + + public JcaSignerInfoGeneratorBuilder(DigestCalculatorProvider digestProvider) + { + builder = new SignerInfoGeneratorBuilder(digestProvider); + } + + /** + * If the passed in flag is true, the signer signature will be based on the data, not + * a collection of signed attributes, and no signed attributes will be included. + * + * @return the builder object + */ + public JcaSignerInfoGeneratorBuilder setDirectSignature(boolean hasNoSignedAttributes) + { + builder.setDirectSignature(hasNoSignedAttributes); + + return this; + } + + public JcaSignerInfoGeneratorBuilder setSignedAttributeGenerator(CMSAttributeTableGenerator signedGen) + { + builder.setSignedAttributeGenerator(signedGen); + + return this; + } + + public JcaSignerInfoGeneratorBuilder setUnsignedAttributeGenerator(CMSAttributeTableGenerator unsignedGen) + { + builder.setUnsignedAttributeGenerator(unsignedGen); + + return this; + } + + public SignerInfoGenerator build(ContentSigner contentSigner, X509CertificateHolder certHolder) + throws OperatorCreationException + { + return builder.build(contentSigner, certHolder); + } + + public SignerInfoGenerator build(ContentSigner contentSigner, byte[] keyIdentifier) + throws OperatorCreationException + { + return builder.build(contentSigner, keyIdentifier); + } + + public SignerInfoGenerator build(ContentSigner contentSigner, X509Certificate certificate) + throws OperatorCreationException, CertificateEncodingException + { + return this.build(contentSigner, new JcaX509CertificateHolder(certificate)); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSignerInfoVerifierBuilder.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSignerInfoVerifierBuilder.java new file mode 100644 index 00000000..a8058398 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSignerInfoVerifierBuilder.java @@ -0,0 +1,180 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.Provider; +import java.security.PublicKey; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; + +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cms.CMSSignatureAlgorithmNameGenerator; +import org.bouncycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator; +import org.bouncycastle.cms.SignerInformationVerifier; +import org.bouncycastle.operator.ContentVerifierProvider; +import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; +import org.bouncycastle.operator.DigestCalculatorProvider; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.SignatureAlgorithmIdentifierFinder; +import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder; +import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; + +public class JcaSignerInfoVerifierBuilder +{ + private Helper helper = new Helper(); + private DigestCalculatorProvider digestProvider; + private CMSSignatureAlgorithmNameGenerator sigAlgNameGen = new DefaultCMSSignatureAlgorithmNameGenerator(); + private SignatureAlgorithmIdentifierFinder sigAlgIDFinder = new DefaultSignatureAlgorithmIdentifierFinder(); + + public JcaSignerInfoVerifierBuilder(DigestCalculatorProvider digestProvider) + { + this.digestProvider = digestProvider; + } + + public JcaSignerInfoVerifierBuilder setProvider(Provider provider) + { + this.helper = new ProviderHelper(provider); + + return this; + } + + public JcaSignerInfoVerifierBuilder setProvider(String providerName) + { + this.helper = new NamedHelper(providerName); + + return this; + } + + /** + * Override the default signature algorithm name generator. + * + * @param sigAlgNameGen the algorithm name generator to use. + * @return the current builder. + */ + public JcaSignerInfoVerifierBuilder setSignatureAlgorithmNameGenerator(CMSSignatureAlgorithmNameGenerator sigAlgNameGen) + { + this.sigAlgNameGen = sigAlgNameGen; + + return this; + } + + public JcaSignerInfoVerifierBuilder setSignatureAlgorithmFinder(SignatureAlgorithmIdentifierFinder sigAlgIDFinder) + { + this.sigAlgIDFinder = sigAlgIDFinder; + + return this; + } + + public SignerInformationVerifier build(X509CertificateHolder certHolder) + throws OperatorCreationException, CertificateException + { + return new SignerInformationVerifier(sigAlgNameGen, sigAlgIDFinder, helper.createContentVerifierProvider(certHolder), digestProvider); + } + + public SignerInformationVerifier build(X509Certificate certificate) + throws OperatorCreationException + { + return new SignerInformationVerifier(sigAlgNameGen, sigAlgIDFinder, helper.createContentVerifierProvider(certificate), digestProvider); + } + + public SignerInformationVerifier build(PublicKey pubKey) + throws OperatorCreationException + { + return new SignerInformationVerifier(sigAlgNameGen, sigAlgIDFinder, helper.createContentVerifierProvider(pubKey), digestProvider); + } + + private class Helper + { + ContentVerifierProvider createContentVerifierProvider(PublicKey publicKey) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().build(publicKey); + } + + ContentVerifierProvider createContentVerifierProvider(X509Certificate certificate) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().build(certificate); + } + + ContentVerifierProvider createContentVerifierProvider(X509CertificateHolder certHolder) + throws OperatorCreationException, CertificateException + { + return new JcaContentVerifierProviderBuilder().build(certHolder); + } + + DigestCalculatorProvider createDigestCalculatorProvider() + throws OperatorCreationException + { + return new JcaDigestCalculatorProviderBuilder().build(); + } + } + + private class NamedHelper + extends Helper + { + private final String providerName; + + public NamedHelper(String providerName) + { + this.providerName = providerName; + } + + ContentVerifierProvider createContentVerifierProvider(PublicKey publicKey) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().setProvider(providerName).build(publicKey); + } + + ContentVerifierProvider createContentVerifierProvider(X509Certificate certificate) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().setProvider(providerName).build(certificate); + } + + DigestCalculatorProvider createDigestCalculatorProvider() + throws OperatorCreationException + { + return new JcaDigestCalculatorProviderBuilder().setProvider(providerName).build(); + } + + ContentVerifierProvider createContentVerifierProvider(X509CertificateHolder certHolder) + throws OperatorCreationException, CertificateException + { + return new JcaContentVerifierProviderBuilder().setProvider(providerName).build(certHolder); + } + } + + private class ProviderHelper + extends Helper + { + private final Provider provider; + + public ProviderHelper(Provider provider) + { + this.provider = provider; + } + + ContentVerifierProvider createContentVerifierProvider(PublicKey publicKey) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().setProvider(provider).build(publicKey); + } + + ContentVerifierProvider createContentVerifierProvider(X509Certificate certificate) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().setProvider(provider).build(certificate); + } + + DigestCalculatorProvider createDigestCalculatorProvider() + throws OperatorCreationException + { + return new JcaDigestCalculatorProviderBuilder().setProvider(provider).build(); + } + + ContentVerifierProvider createContentVerifierProvider(X509CertificateHolder certHolder) + throws OperatorCreationException, CertificateException + { + return new JcaContentVerifierProviderBuilder().setProvider(provider).build(certHolder); + } + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSimpleSignerInfoGeneratorBuilder.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSimpleSignerInfoGeneratorBuilder.java new file mode 100644 index 00000000..0de417aa --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSimpleSignerInfoGeneratorBuilder.java @@ -0,0 +1,202 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.PrivateKey; +import java.security.Provider; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; + +import org.bouncycastle.asn1.cms.AttributeTable; +import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; +import org.bouncycastle.cms.CMSAttributeTableGenerator; +import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator; +import org.bouncycastle.cms.SignerInfoGenerator; +import org.bouncycastle.cms.SignerInfoGeneratorBuilder; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.DigestCalculatorProvider; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; + +/** + * Use this class if you are using a provider that has all the facilities you + * need. + * <p> + * For example: + * <pre> + * CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); + * ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(signKP.getPrivate()); + * + * gen.addSignerInfoGenerator( + * new JcaSignerInfoGeneratorBuilder( + * new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()) + * .build(sha1Signer, signCert)); + * </pre> + * becomes: + * <pre> + * CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); + * + * gen.addSignerInfoGenerator( + * new JcaSimpleSignerInfoGeneratorBuilder() + * .setProvider("BC") + * .build("SHA1withRSA", signKP.getPrivate(), signCert)); + * </pre> + */ +public class JcaSimpleSignerInfoGeneratorBuilder +{ + private Helper helper; + + private boolean hasNoSignedAttributes; + private CMSAttributeTableGenerator signedGen; + private CMSAttributeTableGenerator unsignedGen; + + public JcaSimpleSignerInfoGeneratorBuilder() + throws OperatorCreationException + { + this.helper = new Helper(); + } + + public JcaSimpleSignerInfoGeneratorBuilder setProvider(String providerName) + throws OperatorCreationException + { + this.helper = new NamedHelper(providerName); + + return this; + } + + public JcaSimpleSignerInfoGeneratorBuilder setProvider(Provider provider) + throws OperatorCreationException + { + this.helper = new ProviderHelper(provider); + + return this; + } + + /** + * If the passed in flag is true, the signer signature will be based on the data, not + * a collection of signed attributes, and no signed attributes will be included. + * + * @return the builder object + */ + public JcaSimpleSignerInfoGeneratorBuilder setDirectSignature(boolean hasNoSignedAttributes) + { + this.hasNoSignedAttributes = hasNoSignedAttributes; + + return this; + } + + public JcaSimpleSignerInfoGeneratorBuilder setSignedAttributeGenerator(CMSAttributeTableGenerator signedGen) + { + this.signedGen = signedGen; + + return this; + } + + /** + * set up a DefaultSignedAttributeTableGenerator primed with the passed in AttributeTable. + * + * @param attrTable table of attributes for priming generator + * @return this. + */ + public JcaSimpleSignerInfoGeneratorBuilder setSignedAttributeGenerator(AttributeTable attrTable) + { + this.signedGen = new DefaultSignedAttributeTableGenerator(attrTable); + + return this; + } + + public JcaSimpleSignerInfoGeneratorBuilder setUnsignedAttributeGenerator(CMSAttributeTableGenerator unsignedGen) + { + this.unsignedGen = unsignedGen; + + return this; + } + + public SignerInfoGenerator build(String algorithmName, PrivateKey privateKey, X509Certificate certificate) + throws OperatorCreationException, CertificateEncodingException + { + ContentSigner contentSigner = helper.createContentSigner(algorithmName, privateKey); + + return configureAndBuild().build(contentSigner, new JcaX509CertificateHolder(certificate)); + } + + public SignerInfoGenerator build(String algorithmName, PrivateKey privateKey, byte[] keyIdentifier) + throws OperatorCreationException, CertificateEncodingException + { + ContentSigner contentSigner = helper.createContentSigner(algorithmName, privateKey); + + return configureAndBuild().build(contentSigner, keyIdentifier); + } + + private SignerInfoGeneratorBuilder configureAndBuild() + throws OperatorCreationException + { + SignerInfoGeneratorBuilder infoGeneratorBuilder = new SignerInfoGeneratorBuilder(helper.createDigestCalculatorProvider()); + + infoGeneratorBuilder.setDirectSignature(hasNoSignedAttributes); + infoGeneratorBuilder.setSignedAttributeGenerator(signedGen); + infoGeneratorBuilder.setUnsignedAttributeGenerator(unsignedGen); + + return infoGeneratorBuilder; + } + + private class Helper + { + ContentSigner createContentSigner(String algorithm, PrivateKey privateKey) + throws OperatorCreationException + { + return new JcaContentSignerBuilder(algorithm).build(privateKey); + } + + DigestCalculatorProvider createDigestCalculatorProvider() + throws OperatorCreationException + { + return new JcaDigestCalculatorProviderBuilder().build(); + } + } + + private class NamedHelper + extends Helper + { + private final String providerName; + + public NamedHelper(String providerName) + { + this.providerName = providerName; + } + + ContentSigner createContentSigner(String algorithm, PrivateKey privateKey) + throws OperatorCreationException + { + return new JcaContentSignerBuilder(algorithm).setProvider(providerName).build(privateKey); + } + + DigestCalculatorProvider createDigestCalculatorProvider() + throws OperatorCreationException + { + return new JcaDigestCalculatorProviderBuilder().setProvider(providerName).build(); + } + } + + private class ProviderHelper + extends Helper + { + private final Provider provider; + + public ProviderHelper(Provider provider) + { + this.provider = provider; + } + + ContentSigner createContentSigner(String algorithm, PrivateKey privateKey) + throws OperatorCreationException + { + return new JcaContentSignerBuilder(algorithm).setProvider(provider).build(privateKey); + } + + DigestCalculatorProvider createDigestCalculatorProvider() + throws OperatorCreationException + { + return new JcaDigestCalculatorProviderBuilder().setProvider(provider).build(); + } + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSimpleSignerInfoVerifierBuilder.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSimpleSignerInfoVerifierBuilder.java new file mode 100644 index 00000000..441f27d2 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaSimpleSignerInfoVerifierBuilder.java @@ -0,0 +1,150 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.Provider; +import java.security.PublicKey; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; + +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator; +import org.bouncycastle.cms.SignerInformationVerifier; +import org.bouncycastle.operator.ContentVerifierProvider; +import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; +import org.bouncycastle.operator.DigestCalculatorProvider; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder; +import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; + +public class JcaSimpleSignerInfoVerifierBuilder +{ + private Helper helper = new Helper(); + + public JcaSimpleSignerInfoVerifierBuilder setProvider(Provider provider) + { + this.helper = new ProviderHelper(provider); + + return this; + } + + public JcaSimpleSignerInfoVerifierBuilder setProvider(String providerName) + { + this.helper = new NamedHelper(providerName); + + return this; + } + + public SignerInformationVerifier build(X509CertificateHolder certHolder) + throws OperatorCreationException, CertificateException + { + return new SignerInformationVerifier(new DefaultCMSSignatureAlgorithmNameGenerator(), new DefaultSignatureAlgorithmIdentifierFinder(), helper.createContentVerifierProvider(certHolder), helper.createDigestCalculatorProvider()); + } + + public SignerInformationVerifier build(X509Certificate certificate) + throws OperatorCreationException + { + return new SignerInformationVerifier(new DefaultCMSSignatureAlgorithmNameGenerator(), new DefaultSignatureAlgorithmIdentifierFinder(), helper.createContentVerifierProvider(certificate), helper.createDigestCalculatorProvider()); + } + + public SignerInformationVerifier build(PublicKey pubKey) + throws OperatorCreationException + { + return new SignerInformationVerifier(new DefaultCMSSignatureAlgorithmNameGenerator(), new DefaultSignatureAlgorithmIdentifierFinder(), helper.createContentVerifierProvider(pubKey), helper.createDigestCalculatorProvider()); + } + + private class Helper + { + ContentVerifierProvider createContentVerifierProvider(PublicKey publicKey) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().build(publicKey); + } + + ContentVerifierProvider createContentVerifierProvider(X509Certificate certificate) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().build(certificate); + } + + ContentVerifierProvider createContentVerifierProvider(X509CertificateHolder certHolder) + throws OperatorCreationException, CertificateException + { + return new JcaContentVerifierProviderBuilder().build(certHolder); + } + + DigestCalculatorProvider createDigestCalculatorProvider() + throws OperatorCreationException + { + return new JcaDigestCalculatorProviderBuilder().build(); + } + } + + private class NamedHelper + extends Helper + { + private final String providerName; + + public NamedHelper(String providerName) + { + this.providerName = providerName; + } + + ContentVerifierProvider createContentVerifierProvider(PublicKey publicKey) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().setProvider(providerName).build(publicKey); + } + + ContentVerifierProvider createContentVerifierProvider(X509Certificate certificate) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().setProvider(providerName).build(certificate); + } + + DigestCalculatorProvider createDigestCalculatorProvider() + throws OperatorCreationException + { + return new JcaDigestCalculatorProviderBuilder().setProvider(providerName).build(); + } + + ContentVerifierProvider createContentVerifierProvider(X509CertificateHolder certHolder) + throws OperatorCreationException, CertificateException + { + return new JcaContentVerifierProviderBuilder().setProvider(providerName).build(certHolder); + } + } + + private class ProviderHelper + extends Helper + { + private final Provider provider; + + public ProviderHelper(Provider provider) + { + this.provider = provider; + } + + ContentVerifierProvider createContentVerifierProvider(PublicKey publicKey) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().setProvider(provider).build(publicKey); + } + + ContentVerifierProvider createContentVerifierProvider(X509Certificate certificate) + throws OperatorCreationException + { + return new JcaContentVerifierProviderBuilder().setProvider(provider).build(certificate); + } + + DigestCalculatorProvider createDigestCalculatorProvider() + throws OperatorCreationException + { + return new JcaDigestCalculatorProviderBuilder().setProvider(provider).build(); + } + + ContentVerifierProvider createContentVerifierProvider(X509CertificateHolder certHolder) + throws OperatorCreationException, CertificateException + { + return new JcaContentVerifierProviderBuilder().setProvider(provider).build(certHolder); + } + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaX509CertSelectorConverter.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaX509CertSelectorConverter.java new file mode 100644 index 00000000..86f59f69 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcaX509CertSelectorConverter.java @@ -0,0 +1,24 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.cert.X509CertSelector; + +import org.bouncycastle.cms.KeyTransRecipientId; +import org.bouncycastle.cms.SignerId; + +public class JcaX509CertSelectorConverter + extends org.bouncycastle.cert.selector.jcajce.JcaX509CertSelectorConverter +{ + public JcaX509CertSelectorConverter() + { + } + + public X509CertSelector getCertSelector(KeyTransRecipientId recipientId) + { + return doConversion(recipientId.getIssuer(), recipientId.getSerialNumber(), recipientId.getSubjectKeyIdentifier()); + } + + public X509CertSelector getCertSelector(SignerId signerId) + { + return doConversion(signerId.getIssuer(), signerId.getSerialNumber(), signerId.getSubjectKeyIdentifier()); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceAlgorithmIdentifierConverter.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceAlgorithmIdentifierConverter.java new file mode 100644 index 00000000..bb9e0648 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceAlgorithmIdentifierConverter.java @@ -0,0 +1,69 @@ +package org.bouncycastle.cms.jcajce; + + +import java.io.IOException; +import java.security.AlgorithmParameters; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.Provider; +import java.security.SecureRandom; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; + +public class JceAlgorithmIdentifierConverter +{ + private EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); + private SecureRandom random; + + public JceAlgorithmIdentifierConverter() + { + } + + public JceAlgorithmIdentifierConverter setProvider(Provider provider) + { + this.helper = new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider)); + + return this; + } + + public JceAlgorithmIdentifierConverter setProvider(String providerName) + { + this.helper = new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName)); + + return this; + } + + public AlgorithmParameters getAlgorithmParameters(AlgorithmIdentifier algorithmIdentifier) + throws CMSException + { + ASN1Encodable parameters = algorithmIdentifier.getParameters(); + + if (parameters == null) + { + return null; + } + + try + { + AlgorithmParameters params = helper.createAlgorithmParameters(algorithmIdentifier.getAlgorithm()); + + params.init(parameters.toASN1Primitive().getEncoded(), "ASN.1"); + + return params; + } + catch (NoSuchAlgorithmException e) + { + throw new CMSException("can't find parameters for algorithm", e); + } + catch (IOException e) + { + throw new CMSException("can't parse parameters", e); + } + catch (NoSuchProviderException e) + { + throw new CMSException("can't find provider for algorithm", e); + } + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceCMSContentEncryptorBuilder.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceCMSContentEncryptorBuilder.java new file mode 100644 index 00000000..89d2c650 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceCMSContentEncryptorBuilder.java @@ -0,0 +1,162 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.OutputStream; +import java.security.AlgorithmParameters; +import java.security.GeneralSecurityException; +import java.security.Provider; +import java.security.SecureRandom; +import java.util.HashMap; +import java.util.Map; + +import javax.crypto.Cipher; +import javax.crypto.CipherOutputStream; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSAlgorithm; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.operator.GenericKey; +import org.bouncycastle.operator.OutputEncryptor; +import org.bouncycastle.operator.jcajce.JceGenericKey; +import org.bouncycastle.util.Integers; + +public class JceCMSContentEncryptorBuilder +{ + private static Map keySizes = new HashMap(); + + static + { + keySizes.put(CMSAlgorithm.AES128_CBC, Integers.valueOf(128)); + keySizes.put(CMSAlgorithm.AES192_CBC, Integers.valueOf(192)); + keySizes.put(CMSAlgorithm.AES256_CBC, Integers.valueOf(256)); + + keySizes.put(CMSAlgorithm.CAMELLIA128_CBC, Integers.valueOf(128)); + keySizes.put(CMSAlgorithm.CAMELLIA192_CBC, Integers.valueOf(192)); + keySizes.put(CMSAlgorithm.CAMELLIA256_CBC, Integers.valueOf(256)); + } + + private static int getKeySize(ASN1ObjectIdentifier oid) + { + Integer size = (Integer)keySizes.get(oid); + + if (size != null) + { + return size.intValue(); + } + + return -1; + } + + private final ASN1ObjectIdentifier encryptionOID; + private final int keySize; + + private EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); + private SecureRandom random; + + public JceCMSContentEncryptorBuilder(ASN1ObjectIdentifier encryptionOID) + { + this(encryptionOID, getKeySize(encryptionOID)); + } + + public JceCMSContentEncryptorBuilder(ASN1ObjectIdentifier encryptionOID, int keySize) + { + this.encryptionOID = encryptionOID; + this.keySize = keySize; + } + + public JceCMSContentEncryptorBuilder setProvider(Provider provider) + { + this.helper = new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider)); + + return this; + } + + public JceCMSContentEncryptorBuilder setProvider(String providerName) + { + this.helper = new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName)); + + return this; + } + + public JceCMSContentEncryptorBuilder setSecureRandom(SecureRandom random) + { + this.random = random; + + return this; + } + + public OutputEncryptor build() + throws CMSException + { + return new CMSOutputEncryptor(encryptionOID, keySize, random); + } + + private class CMSOutputEncryptor + implements OutputEncryptor + { + private SecretKey encKey; + private AlgorithmIdentifier algorithmIdentifier; + private Cipher cipher; + + CMSOutputEncryptor(ASN1ObjectIdentifier encryptionOID, int keySize, SecureRandom random) + throws CMSException + { + KeyGenerator keyGen = helper.createKeyGenerator(encryptionOID); + + if (random == null) + { + random = new SecureRandom(); + } + + if (keySize < 0) + { + keyGen.init(random); + } + else + { + keyGen.init(keySize, random); + } + + cipher = helper.createCipher(encryptionOID); + encKey = keyGen.generateKey(); + AlgorithmParameters params = helper.generateParameters(encryptionOID, encKey, random); + + try + { + cipher.init(Cipher.ENCRYPT_MODE, encKey, params, random); + } + catch (GeneralSecurityException e) + { + throw new CMSException("unable to initialize cipher: " + e.getMessage(), e); + } + + // + // If params are null we try and second guess on them as some providers don't provide + // algorithm parameter generation explicity but instead generate them under the hood. + // + if (params == null) + { + params = cipher.getParameters(); + } + + algorithmIdentifier = helper.getAlgorithmIdentifier(encryptionOID, params); + } + + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return algorithmIdentifier; + } + + public OutputStream getOutputStream(OutputStream dOut) + { + return new CipherOutputStream(dOut, cipher); + } + + public GenericKey getKey() + { + return new JceGenericKey(algorithmIdentifier, encKey); + } + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceCMSMacCalculatorBuilder.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceCMSMacCalculatorBuilder.java new file mode 100644 index 00000000..d6ba1609 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceCMSMacCalculatorBuilder.java @@ -0,0 +1,155 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.OutputStream; +import java.security.AlgorithmParameterGenerator; +import java.security.AlgorithmParameters; +import java.security.GeneralSecurityException; +import java.security.Provider; +import java.security.SecureRandom; +import java.security.spec.AlgorithmParameterSpec; + +import javax.crypto.KeyGenerator; +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.RC2ParameterSpec; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.jcajce.io.MacOutputStream; +import org.bouncycastle.operator.GenericKey; +import org.bouncycastle.operator.MacCalculator; +import org.bouncycastle.operator.jcajce.JceGenericKey; + +public class JceCMSMacCalculatorBuilder +{ + private final ASN1ObjectIdentifier macOID; + private final int keySize; + + private EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); + private SecureRandom random; + + public JceCMSMacCalculatorBuilder(ASN1ObjectIdentifier macOID) + { + this(macOID, -1); + } + + public JceCMSMacCalculatorBuilder(ASN1ObjectIdentifier macOID, int keySize) + { + this.macOID = macOID; + this.keySize = keySize; + } + + public JceCMSMacCalculatorBuilder setProvider(Provider provider) + { + this.helper = new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider)); + + return this; + } + + public JceCMSMacCalculatorBuilder setProvider(String providerName) + { + this.helper = new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName)); + + return this; + } + + public JceCMSMacCalculatorBuilder setSecureRandom(SecureRandom random) + { + this.random = random; + + return this; + } + + public MacCalculator build() + throws CMSException + { + return new CMSMacCalculator(macOID, keySize, random); + } + + private class CMSMacCalculator + implements MacCalculator + { + private SecretKey encKey; + private AlgorithmIdentifier algorithmIdentifier; + private Mac mac; + private SecureRandom random; + + CMSMacCalculator(ASN1ObjectIdentifier macOID, int keySize, SecureRandom random) + throws CMSException + { + KeyGenerator keyGen = helper.createKeyGenerator(macOID); + + if (random == null) + { + random = new SecureRandom(); + } + + this.random = random; + + if (keySize < 0) + { + keyGen.init(random); + } + else + { + keyGen.init(keySize, random); + } + + encKey = keyGen.generateKey(); + + AlgorithmParameterSpec paramSpec = generateParameterSpec(macOID, encKey); + + algorithmIdentifier = helper.getAlgorithmIdentifier(macOID, paramSpec); + mac = helper.createContentMac(encKey, algorithmIdentifier); + } + + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return algorithmIdentifier; + } + + public OutputStream getOutputStream() + { + return new MacOutputStream(mac); + } + + public byte[] getMac() + { + return mac.doFinal(); + } + + public GenericKey getKey() + { + return new JceGenericKey(algorithmIdentifier, encKey); + } + + protected AlgorithmParameterSpec generateParameterSpec(ASN1ObjectIdentifier macOID, SecretKey encKey) + throws CMSException + { + try + { + if (macOID.equals(PKCSObjectIdentifiers.RC2_CBC)) + { + byte[] iv = new byte[8]; + + random.nextBytes(iv); + + return new RC2ParameterSpec(encKey.getEncoded().length * 8, iv); + } + + AlgorithmParameterGenerator pGen = helper.createAlgorithmParameterGenerator(macOID); + + AlgorithmParameters p = pGen.generateParameters(); + + return p.getParameterSpec(IvParameterSpec.class); + } + catch (GeneralSecurityException e) + { + return null; + } + } + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKAuthenticatedRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKAuthenticatedRecipient.java new file mode 100644 index 00000000..eb73555d --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKAuthenticatedRecipient.java @@ -0,0 +1,61 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.OutputStream; +import java.security.Key; + +import javax.crypto.Mac; +import javax.crypto.SecretKey; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.RecipientOperator; +import org.bouncycastle.jcajce.io.MacOutputStream; +import org.bouncycastle.operator.GenericKey; +import org.bouncycastle.operator.MacCalculator; +import org.bouncycastle.operator.jcajce.JceGenericKey; + + +/** + * the KeyTransRecipientInformation class for a recipient who has been sent a secret + * key encrypted using their public key that needs to be used to + * extract the message. + */ +public class JceKEKAuthenticatedRecipient + extends JceKEKRecipient +{ + public JceKEKAuthenticatedRecipient(SecretKey recipientKey) + { + super(recipientKey); + } + + public RecipientOperator getRecipientOperator(AlgorithmIdentifier keyEncryptionAlgorithm, final AlgorithmIdentifier contentMacAlgorithm, byte[] encryptedContentEncryptionKey) + throws CMSException + { + final Key secretKey = extractSecretKey(keyEncryptionAlgorithm, contentMacAlgorithm, encryptedContentEncryptionKey); + + final Mac dataMac = contentHelper.createContentMac(secretKey, contentMacAlgorithm); + + return new RecipientOperator(new MacCalculator() + { + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return contentMacAlgorithm; + } + + public GenericKey getKey() + { + return new JceGenericKey(contentMacAlgorithm, secretKey); + } + + public OutputStream getOutputStream() + { + return new MacOutputStream(dataMac); + } + + public byte[] getMac() + { + return dataMac.doFinal(); + } + }); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKEnvelopedRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKEnvelopedRecipient.java new file mode 100644 index 00000000..a7293794 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKEnvelopedRecipient.java @@ -0,0 +1,43 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.InputStream; +import java.security.Key; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; +import javax.crypto.SecretKey; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.RecipientOperator; +import org.bouncycastle.operator.InputDecryptor; + +public class JceKEKEnvelopedRecipient + extends JceKEKRecipient +{ + public JceKEKEnvelopedRecipient(SecretKey recipientKey) + { + super(recipientKey); + } + + public RecipientOperator getRecipientOperator(AlgorithmIdentifier keyEncryptionAlgorithm, final AlgorithmIdentifier contentEncryptionAlgorithm, byte[] encryptedContentEncryptionKey) + throws CMSException + { + Key secretKey = extractSecretKey(keyEncryptionAlgorithm, contentEncryptionAlgorithm, encryptedContentEncryptionKey); + + final Cipher dataCipher = contentHelper.createContentCipher(secretKey, contentEncryptionAlgorithm); + + return new RecipientOperator(new InputDecryptor() + { + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return contentEncryptionAlgorithm; + } + + public InputStream getInputStream(InputStream dataOut) + { + return new CipherInputStream(dataOut, dataCipher); + } + }); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKRecipient.java new file mode 100644 index 00000000..a01e2799 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKRecipient.java @@ -0,0 +1,95 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.Key; +import java.security.Provider; + +import javax.crypto.SecretKey; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.KEKRecipient; +import org.bouncycastle.operator.OperatorException; +import org.bouncycastle.operator.SymmetricKeyUnwrapper; + +public abstract class JceKEKRecipient + implements KEKRecipient +{ + private SecretKey recipientKey; + + protected EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); + protected EnvelopedDataHelper contentHelper = helper; + + public JceKEKRecipient(SecretKey recipientKey) + { + this.recipientKey = recipientKey; + } + + /** + * Set the provider to use for key recovery and content processing. + * + * @param provider provider to use. + * @return this recipient. + */ + public JceKEKRecipient setProvider(Provider provider) + { + this.helper = new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider)); + this.contentHelper = helper; + + return this; + } + + /** + * Set the provider to use for key recovery and content processing. + * + * @param providerName the name of the provider to use. + * @return this recipient. + */ + public JceKEKRecipient setProvider(String providerName) + { + this.helper = new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName)); + this.contentHelper = helper; + + return this; + } + + /** + * Set the provider to use for content processing. + * + * @param provider the provider to use. + * @return this recipient. + */ + public JceKEKRecipient setContentProvider(Provider provider) + { + this.contentHelper = new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider)); + + return this; + } + + /** + * Set the provider to use for content processing. + * + * @param providerName the name of the provider to use. + * @return this recipient. + */ + public JceKEKRecipient setContentProvider(String providerName) + { + this.contentHelper = new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName)); + + return this; + } + + protected Key extractSecretKey(AlgorithmIdentifier keyEncryptionAlgorithm, AlgorithmIdentifier contentEncryptionAlgorithm, byte[] encryptedContentEncryptionKey) + throws CMSException + { + SymmetricKeyUnwrapper unwrapper = helper.createSymmetricUnwrapper(keyEncryptionAlgorithm, recipientKey); + + try + { + return helper.getJceKey(contentEncryptionAlgorithm.getAlgorithm(), unwrapper.generateUnwrappedKey(contentEncryptionAlgorithm, encryptedContentEncryptionKey)); + } + catch (OperatorException e) + { + throw new CMSException("exception unwrapping key: " + e.getMessage(), e); + } + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKRecipientInfoGenerator.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKRecipientInfoGenerator.java new file mode 100644 index 00000000..15ec8ffd --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKEKRecipientInfoGenerator.java @@ -0,0 +1,45 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.Provider; +import java.security.SecureRandom; + +import javax.crypto.SecretKey; + +import org.bouncycastle.asn1.cms.KEKIdentifier; +import org.bouncycastle.cms.KEKRecipientInfoGenerator; +import org.bouncycastle.operator.jcajce.JceSymmetricKeyWrapper; + +public class JceKEKRecipientInfoGenerator + extends KEKRecipientInfoGenerator +{ + public JceKEKRecipientInfoGenerator(KEKIdentifier kekIdentifier, SecretKey keyEncryptionKey) + { + super(kekIdentifier, new JceSymmetricKeyWrapper(keyEncryptionKey)); + } + + public JceKEKRecipientInfoGenerator(byte[] keyIdentifier, SecretKey keyEncryptionKey) + { + this(new KEKIdentifier(keyIdentifier, null, null), keyEncryptionKey); + } + + public JceKEKRecipientInfoGenerator setProvider(Provider provider) + { + ((JceSymmetricKeyWrapper)this.wrapper).setProvider(provider); + + return this; + } + + public JceKEKRecipientInfoGenerator setProvider(String providerName) + { + ((JceSymmetricKeyWrapper)this.wrapper).setProvider(providerName); + + return this; + } + + public JceKEKRecipientInfoGenerator setSecureRandom(SecureRandom random) + { + ((JceSymmetricKeyWrapper)this.wrapper).setSecureRandom(random); + + return this; + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeAuthenticatedRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeAuthenticatedRecipient.java new file mode 100644 index 00000000..d231f56f --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeAuthenticatedRecipient.java @@ -0,0 +1,57 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.OutputStream; +import java.security.Key; +import java.security.PrivateKey; + +import javax.crypto.Mac; + +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.RecipientOperator; +import org.bouncycastle.jcajce.io.MacOutputStream; +import org.bouncycastle.operator.GenericKey; +import org.bouncycastle.operator.MacCalculator; +import org.bouncycastle.operator.jcajce.JceGenericKey; + +public class JceKeyAgreeAuthenticatedRecipient + extends JceKeyAgreeRecipient +{ + public JceKeyAgreeAuthenticatedRecipient(PrivateKey recipientKey) + { + super(recipientKey); + } + + public RecipientOperator getRecipientOperator(AlgorithmIdentifier keyEncryptionAlgorithm, final AlgorithmIdentifier contentMacAlgorithm, SubjectPublicKeyInfo senderPublicKey, ASN1OctetString userKeyingMaterial, byte[] encryptedContentKey) + throws CMSException + { + final Key secretKey = extractSecretKey(keyEncryptionAlgorithm, contentMacAlgorithm, senderPublicKey, userKeyingMaterial, encryptedContentKey); + + final Mac dataMac = contentHelper.createContentMac(secretKey, contentMacAlgorithm); + + return new RecipientOperator(new MacCalculator() + { + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return contentMacAlgorithm; + } + + public GenericKey getKey() + { + return new JceGenericKey(contentMacAlgorithm, secretKey); + } + + public OutputStream getOutputStream() + { + return new MacOutputStream(dataMac); + } + + public byte[] getMac() + { + return dataMac.doFinal(); + } + }); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeEnvelopedRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeEnvelopedRecipient.java new file mode 100644 index 00000000..fe647d7d --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeEnvelopedRecipient.java @@ -0,0 +1,45 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.InputStream; +import java.security.Key; +import java.security.PrivateKey; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; + +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.RecipientOperator; +import org.bouncycastle.operator.InputDecryptor; + +public class JceKeyAgreeEnvelopedRecipient + extends JceKeyAgreeRecipient +{ + public JceKeyAgreeEnvelopedRecipient(PrivateKey recipientKey) + { + super(recipientKey); + } + + public RecipientOperator getRecipientOperator(AlgorithmIdentifier keyEncryptionAlgorithm, final AlgorithmIdentifier contentEncryptionAlgorithm, SubjectPublicKeyInfo senderPublicKey, ASN1OctetString userKeyingMaterial, byte[] encryptedContentKey) + throws CMSException + { + Key secretKey = extractSecretKey(keyEncryptionAlgorithm, contentEncryptionAlgorithm, senderPublicKey, userKeyingMaterial, encryptedContentKey); + + final Cipher dataCipher = contentHelper.createContentCipher(secretKey, contentEncryptionAlgorithm); + + return new RecipientOperator(new InputDecryptor() + { + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return contentEncryptionAlgorithm; + } + + public InputStream getInputStream(InputStream dataOut) + { + return new CipherInputStream(dataOut, dataCipher); + } + }); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeRecipient.java new file mode 100644 index 00000000..8c41f914 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeRecipient.java @@ -0,0 +1,184 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.IOException; +import java.security.GeneralSecurityException; +import java.security.InvalidKeyException; +import java.security.Key; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.Provider; +import java.security.PublicKey; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.X509EncodedKeySpec; + +import javax.crypto.Cipher; +import javax.crypto.KeyAgreement; +import javax.crypto.NoSuchPaddingException; +import javax.crypto.SecretKey; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.cms.ecc.MQVuserKeyingMaterial; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.cms.CMSEnvelopedGenerator; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.KeyAgreeRecipient; +import org.bouncycastle.jce.spec.MQVPrivateKeySpec; +import org.bouncycastle.jce.spec.MQVPublicKeySpec; + +public abstract class JceKeyAgreeRecipient + implements KeyAgreeRecipient +{ + private PrivateKey recipientKey; + protected EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); + protected EnvelopedDataHelper contentHelper = helper; + + public JceKeyAgreeRecipient(PrivateKey recipientKey) + { + this.recipientKey = recipientKey; + } + + /** + * Set the provider to use for key recovery and content processing. + * + * @param provider provider to use. + * @return this recipient. + */ + public JceKeyAgreeRecipient setProvider(Provider provider) + { + this.helper = new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider)); + this.contentHelper = helper; + + return this; + } + + /** + * Set the provider to use for key recovery and content processing. + * + * @param providerName the name of the provider to use. + * @return this recipient. + */ + public JceKeyAgreeRecipient setProvider(String providerName) + { + this.helper = new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName)); + this.contentHelper = helper; + + return this; + } + + /** + * Set the provider to use for content processing. If providerName is null a "no provider" search will be + * used to satisfy getInstance calls. + * + * @param provider the provider to use. + * @return this recipient. + */ + public JceKeyAgreeRecipient setContentProvider(Provider provider) + { + this.contentHelper = CMSUtils.createContentHelper(provider); + + return this; + } + + /** + * Set the provider to use for content processing. If providerName is null a "no provider" search will be + * used to satisfy getInstance calls. + * + * @param providerName the name of the provider to use. + * @return this recipient. + */ + public JceKeyAgreeRecipient setContentProvider(String providerName) + { + this.contentHelper = CMSUtils.createContentHelper(providerName); + + return this; + } + + private SecretKey calculateAgreedWrapKey(AlgorithmIdentifier keyEncAlg, ASN1ObjectIdentifier wrapAlg, + PublicKey senderPublicKey, ASN1OctetString userKeyingMaterial, PrivateKey receiverPrivateKey) + throws CMSException, GeneralSecurityException, IOException + { + String agreeAlg = keyEncAlg.getAlgorithm().getId(); + + if (agreeAlg.equals(CMSEnvelopedGenerator.ECMQV_SHA1KDF)) + { + byte[] ukmEncoding = userKeyingMaterial.getOctets(); + MQVuserKeyingMaterial ukm = MQVuserKeyingMaterial.getInstance( + ASN1Primitive.fromByteArray(ukmEncoding)); + + SubjectPublicKeyInfo pubInfo = new SubjectPublicKeyInfo( + getPrivateKeyAlgorithmIdentifier(), + ukm.getEphemeralPublicKey().getPublicKey().getBytes()); + + X509EncodedKeySpec pubSpec = new X509EncodedKeySpec(pubInfo.getEncoded()); + KeyFactory fact = helper.createKeyFactory(keyEncAlg.getAlgorithm()); + PublicKey ephemeralKey = fact.generatePublic(pubSpec); + + senderPublicKey = new MQVPublicKeySpec(senderPublicKey, ephemeralKey); + receiverPrivateKey = new MQVPrivateKeySpec(receiverPrivateKey, receiverPrivateKey); + } + + KeyAgreement agreement = helper.createKeyAgreement(keyEncAlg.getAlgorithm()); + + agreement.init(receiverPrivateKey); + agreement.doPhase(senderPublicKey, true); + + return agreement.generateSecret(wrapAlg.getId()); + } + + private Key unwrapSessionKey(ASN1ObjectIdentifier wrapAlg, SecretKey agreedKey, ASN1ObjectIdentifier contentEncryptionAlgorithm, byte[] encryptedContentEncryptionKey) + throws CMSException, InvalidKeyException, NoSuchAlgorithmException + { + Cipher keyCipher = helper.createCipher(wrapAlg); + keyCipher.init(Cipher.UNWRAP_MODE, agreedKey); + return keyCipher.unwrap(encryptedContentEncryptionKey, helper.getBaseCipherName(contentEncryptionAlgorithm), Cipher.SECRET_KEY); + } + + protected Key extractSecretKey(AlgorithmIdentifier keyEncryptionAlgorithm, AlgorithmIdentifier contentEncryptionAlgorithm, SubjectPublicKeyInfo senderKey, ASN1OctetString userKeyingMaterial, byte[] encryptedContentEncryptionKey) + throws CMSException + { + try + { + ASN1ObjectIdentifier wrapAlg = + AlgorithmIdentifier.getInstance(keyEncryptionAlgorithm.getParameters()).getAlgorithm(); + + X509EncodedKeySpec pubSpec = new X509EncodedKeySpec(senderKey.getEncoded()); + KeyFactory fact = helper.createKeyFactory(keyEncryptionAlgorithm.getAlgorithm()); + PublicKey senderPublicKey = fact.generatePublic(pubSpec); + + SecretKey agreedWrapKey = calculateAgreedWrapKey(keyEncryptionAlgorithm, wrapAlg, + senderPublicKey, userKeyingMaterial, recipientKey); + + return unwrapSessionKey(wrapAlg, agreedWrapKey, contentEncryptionAlgorithm.getAlgorithm(), encryptedContentEncryptionKey); + } + catch (NoSuchAlgorithmException e) + { + throw new CMSException("can't find algorithm.", e); + } + catch (InvalidKeyException e) + { + throw new CMSException("key invalid in message.", e); + } + catch (InvalidKeySpecException e) + { + throw new CMSException("originator key spec invalid.", e); + } + catch (NoSuchPaddingException e) + { + throw new CMSException("required padding not supported.", e); + } + catch (Exception e) + { + throw new CMSException("originator key invalid.", e); + } + } + + public AlgorithmIdentifier getPrivateKeyAlgorithmIdentifier() + { + return PrivateKeyInfo.getInstance(recipientKey.getEncoded()).getPrivateKeyAlgorithm(); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeRecipientId.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeRecipientId.java new file mode 100644 index 00000000..56911bec --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeRecipientId.java @@ -0,0 +1,23 @@ +package org.bouncycastle.cms.jcajce; + +import java.math.BigInteger; +import java.security.cert.X509Certificate; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.cms.KeyAgreeRecipientId; + +public class JceKeyAgreeRecipientId + extends KeyAgreeRecipientId +{ + public JceKeyAgreeRecipientId(X509Certificate certificate) + { + this(certificate.getIssuerX500Principal(), certificate.getSerialNumber()); + } + + public JceKeyAgreeRecipientId(X500Principal issuer, BigInteger serialNumber) + { + super(X500Name.getInstance(issuer.getEncoded()), serialNumber); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeRecipientInfoGenerator.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeRecipientInfoGenerator.java new file mode 100644 index 00000000..583ede2d --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyAgreeRecipientInfoGenerator.java @@ -0,0 +1,215 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.GeneralSecurityException; +import java.security.InvalidAlgorithmParameterException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.PrivateKey; +import java.security.Provider; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; +import java.security.interfaces.ECPublicKey; +import java.security.spec.ECParameterSpec; +import java.util.ArrayList; +import java.util.List; + +import javax.crypto.Cipher; +import javax.crypto.KeyAgreement; +import javax.crypto.SecretKey; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.cms.KeyAgreeRecipientIdentifier; +import org.bouncycastle.asn1.cms.RecipientEncryptedKey; +import org.bouncycastle.asn1.cms.RecipientKeyIdentifier; +import org.bouncycastle.asn1.cms.ecc.MQVuserKeyingMaterial; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.cms.CMSAlgorithm; +import org.bouncycastle.cms.CMSEnvelopedGenerator; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.KeyAgreeRecipientInfoGenerator; +import org.bouncycastle.jce.spec.MQVPrivateKeySpec; +import org.bouncycastle.jce.spec.MQVPublicKeySpec; +import org.bouncycastle.operator.GenericKey; + +public class JceKeyAgreeRecipientInfoGenerator + extends KeyAgreeRecipientInfoGenerator +{ + private List recipientIDs = new ArrayList(); + private List recipientKeys = new ArrayList(); + private PublicKey senderPublicKey; + private PrivateKey senderPrivateKey; + + private EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); + private SecureRandom random; + private KeyPair ephemeralKP; + + public JceKeyAgreeRecipientInfoGenerator(ASN1ObjectIdentifier keyAgreementOID, PrivateKey senderPrivateKey, PublicKey senderPublicKey, ASN1ObjectIdentifier keyEncryptionOID) + { + super(keyAgreementOID, SubjectPublicKeyInfo.getInstance(senderPublicKey.getEncoded()), keyEncryptionOID); + + this.senderPublicKey = senderPublicKey; + this.senderPrivateKey = senderPrivateKey; + } + + public JceKeyAgreeRecipientInfoGenerator setProvider(Provider provider) + { + this.helper = new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider)); + + return this; + } + + public JceKeyAgreeRecipientInfoGenerator setProvider(String providerName) + { + this.helper = new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName)); + + return this; + } + + public JceKeyAgreeRecipientInfoGenerator setSecureRandom(SecureRandom random) + { + this.random = random; + + return this; + } + + /** + * Add a recipient based on the passed in certificate's public key and its issuer and serial number. + * + * @param recipientCert recipient's certificate + * @return the current instance. + * @throws CertificateEncodingException if the necessary data cannot be extracted from the certificate. + */ + public JceKeyAgreeRecipientInfoGenerator addRecipient(X509Certificate recipientCert) + throws CertificateEncodingException + { + recipientIDs.add(new KeyAgreeRecipientIdentifier(CMSUtils.getIssuerAndSerialNumber(recipientCert))); + recipientKeys.add(recipientCert.getPublicKey()); + + return this; + } + + /** + * Add a recipient identified by the passed in subjectKeyID and the for the passed in public key. + * + * @param subjectKeyID identifier actual recipient will use to match the private key. + * @param publicKey the public key for encrypting the secret key. + * @return the current instance. + * @throws CertificateEncodingException + */ + public JceKeyAgreeRecipientInfoGenerator addRecipient(byte[] subjectKeyID, PublicKey publicKey) + throws CertificateEncodingException + { + recipientIDs.add(new KeyAgreeRecipientIdentifier(new RecipientKeyIdentifier(subjectKeyID))); + recipientKeys.add(publicKey); + + return this; + } + + public ASN1Sequence generateRecipientEncryptedKeys(AlgorithmIdentifier keyAgreeAlgorithm, AlgorithmIdentifier keyEncryptionAlgorithm, GenericKey contentEncryptionKey) + throws CMSException + { + init(keyAgreeAlgorithm.getAlgorithm()); + + PrivateKey senderPrivateKey = this.senderPrivateKey; + + ASN1ObjectIdentifier keyAgreementOID = keyAgreeAlgorithm.getAlgorithm(); + + if (keyAgreementOID.getId().equals(CMSEnvelopedGenerator.ECMQV_SHA1KDF)) + { + senderPrivateKey = new MQVPrivateKeySpec( + senderPrivateKey, ephemeralKP.getPrivate(), ephemeralKP.getPublic()); + } + + ASN1EncodableVector recipientEncryptedKeys = new ASN1EncodableVector(); + for (int i = 0; i != recipientIDs.size(); i++) + { + PublicKey recipientPublicKey = (PublicKey)recipientKeys.get(i); + KeyAgreeRecipientIdentifier karId = (KeyAgreeRecipientIdentifier)recipientIDs.get(i); + + if (keyAgreementOID.getId().equals(CMSEnvelopedGenerator.ECMQV_SHA1KDF)) + { + recipientPublicKey = new MQVPublicKeySpec(recipientPublicKey, recipientPublicKey); + } + + try + { + // Use key agreement to choose a wrap key for this recipient + KeyAgreement keyAgreement = helper.createKeyAgreement(keyAgreementOID); + keyAgreement.init(senderPrivateKey, random); + keyAgreement.doPhase(recipientPublicKey, true); + SecretKey keyEncryptionKey = keyAgreement.generateSecret(keyEncryptionAlgorithm.getAlgorithm().getId()); + + // Wrap the content encryption key with the agreement key + Cipher keyEncryptionCipher = helper.createCipher(keyEncryptionAlgorithm.getAlgorithm()); + + keyEncryptionCipher.init(Cipher.WRAP_MODE, keyEncryptionKey, random); + + byte[] encryptedKeyBytes = keyEncryptionCipher.wrap(helper.getJceKey(contentEncryptionKey)); + + ASN1OctetString encryptedKey = new DEROctetString(encryptedKeyBytes); + + recipientEncryptedKeys.add(new RecipientEncryptedKey(karId, encryptedKey)); + } + catch (GeneralSecurityException e) + { + throw new CMSException("cannot perform agreement step: " + e.getMessage(), e); + } + } + + return new DERSequence(recipientEncryptedKeys); + } + + protected ASN1Encodable getUserKeyingMaterial(AlgorithmIdentifier keyAgreeAlg) + throws CMSException + { + init(keyAgreeAlg.getAlgorithm()); + + if (ephemeralKP != null) + { + return new MQVuserKeyingMaterial( + createOriginatorPublicKey(SubjectPublicKeyInfo.getInstance(ephemeralKP.getPublic().getEncoded())), null); + } + + return null; + } + + private void init(ASN1ObjectIdentifier keyAgreementOID) + throws CMSException + { + if (random == null) + { + random = new SecureRandom(); + } + + if (keyAgreementOID.equals(CMSAlgorithm.ECMQV_SHA1KDF)) + { + if (ephemeralKP == null) + { + try + { + ECParameterSpec ecParamSpec = ((ECPublicKey)senderPublicKey).getParams(); + + KeyPairGenerator ephemKPG = helper.createKeyPairGenerator(keyAgreementOID); + + ephemKPG.initialize(ecParamSpec, random); + + ephemeralKP = ephemKPG.generateKeyPair(); + } + catch (InvalidAlgorithmParameterException e) + { + throw new CMSException( + "cannot determine MQV ephemeral key pair parameters from public key: " + e); + } + } + } + } +}
\ No newline at end of file diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransAuthenticatedRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransAuthenticatedRecipient.java new file mode 100644 index 00000000..f15aadb0 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransAuthenticatedRecipient.java @@ -0,0 +1,60 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.OutputStream; +import java.security.Key; +import java.security.PrivateKey; + +import javax.crypto.Mac; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.RecipientOperator; +import org.bouncycastle.jcajce.io.MacOutputStream; +import org.bouncycastle.operator.GenericKey; +import org.bouncycastle.operator.MacCalculator; + + +/** + * the KeyTransRecipientInformation class for a recipient who has been sent a secret + * key encrypted using their public key that needs to be used to + * extract the message. + */ +public class JceKeyTransAuthenticatedRecipient + extends JceKeyTransRecipient +{ + public JceKeyTransAuthenticatedRecipient(PrivateKey recipientKey) + { + super(recipientKey); + } + + public RecipientOperator getRecipientOperator(AlgorithmIdentifier keyEncryptionAlgorithm, final AlgorithmIdentifier contentMacAlgorithm, byte[] encryptedContentEncryptionKey) + throws CMSException + { + final Key secretKey = extractSecretKey(keyEncryptionAlgorithm, contentMacAlgorithm, encryptedContentEncryptionKey); + + final Mac dataMac = contentHelper.createContentMac(secretKey, contentMacAlgorithm); + + return new RecipientOperator(new MacCalculator() + { + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return contentMacAlgorithm; + } + + public GenericKey getKey() + { + return new GenericKey(secretKey); + } + + public OutputStream getOutputStream() + { + return new MacOutputStream(dataMac); + } + + public byte[] getMac() + { + return dataMac.doFinal(); + } + }); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransEnvelopedRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransEnvelopedRecipient.java new file mode 100644 index 00000000..1bc0188f --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransEnvelopedRecipient.java @@ -0,0 +1,43 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.InputStream; +import java.security.Key; +import java.security.PrivateKey; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.RecipientOperator; +import org.bouncycastle.operator.InputDecryptor; + +public class JceKeyTransEnvelopedRecipient + extends JceKeyTransRecipient +{ + public JceKeyTransEnvelopedRecipient(PrivateKey recipientKey) + { + super(recipientKey); + } + + public RecipientOperator getRecipientOperator(AlgorithmIdentifier keyEncryptionAlgorithm, final AlgorithmIdentifier contentEncryptionAlgorithm, byte[] encryptedContentEncryptionKey) + throws CMSException + { + Key secretKey = extractSecretKey(keyEncryptionAlgorithm, contentEncryptionAlgorithm, encryptedContentEncryptionKey); + + final Cipher dataCipher = contentHelper.createContentCipher(secretKey, contentEncryptionAlgorithm); + + return new RecipientOperator(new InputDecryptor() + { + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return contentEncryptionAlgorithm; + } + + public InputStream getInputStream(InputStream dataIn) + { + return new CipherInputStream(dataIn, dataCipher); + } + }); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipient.java new file mode 100644 index 00000000..788af8d5 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipient.java @@ -0,0 +1,132 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.Key; +import java.security.PrivateKey; +import java.security.Provider; +import java.util.HashMap; +import java.util.Iterator; +import java.util.Map; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.KeyTransRecipient; +import org.bouncycastle.operator.OperatorException; +import org.bouncycastle.operator.jcajce.JceAsymmetricKeyUnwrapper; + +public abstract class JceKeyTransRecipient + implements KeyTransRecipient +{ + private PrivateKey recipientKey; + + protected EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); + protected EnvelopedDataHelper contentHelper = helper; + protected Map extraMappings = new HashMap(); + + public JceKeyTransRecipient(PrivateKey recipientKey) + { + this.recipientKey = recipientKey; + } + + /** + * Set the provider to use for key recovery and content processing. + * + * @param provider provider to use. + * @return this recipient. + */ + public JceKeyTransRecipient setProvider(Provider provider) + { + this.helper = new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider)); + this.contentHelper = helper; + + return this; + } + + /** + * Set the provider to use for key recovery and content processing. + * + * @param providerName the name of the provider to use. + * @return this recipient. + */ + public JceKeyTransRecipient setProvider(String providerName) + { + this.helper = new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName)); + this.contentHelper = helper; + + return this; + } + + /** + * Internally algorithm ids are converted into cipher names using a lookup table. For some providers + * the standard lookup table won't work. Use this method to establish a specific mapping from an + * algorithm identifier to a specific algorithm. + * <p> + * For example: + * <pre> + * unwrapper.setAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption, "RSA"); + * </pre> + * </p> + * @param algorithm OID of algorithm in recipient. + * @param algorithmName JCE algorithm name to use. + * @return the current Recipient. + */ + public JceKeyTransRecipient setAlgorithmMapping(ASN1ObjectIdentifier algorithm, String algorithmName) + { + extraMappings.put(algorithm, algorithmName); + + return this; + } + + /** + * Set the provider to use for content processing. If providerName is null a "no provider" search will be + * used to satisfy getInstance calls. + * + * @param provider the provider to use. + * @return this recipient. + */ + public JceKeyTransRecipient setContentProvider(Provider provider) + { + this.contentHelper = CMSUtils.createContentHelper(provider); + + return this; + } + + /** + * Set the provider to use for content processing. If providerName is null a "no provider" search will be + * used to satisfy getInstance calls. + * + * @param providerName the name of the provider to use. + * @return this recipient. + */ + public JceKeyTransRecipient setContentProvider(String providerName) + { + this.contentHelper = CMSUtils.createContentHelper(providerName); + + return this; + } + + protected Key extractSecretKey(AlgorithmIdentifier keyEncryptionAlgorithm, AlgorithmIdentifier encryptedKeyAlgorithm, byte[] encryptedEncryptionKey) + throws CMSException + { + JceAsymmetricKeyUnwrapper unwrapper = helper.createAsymmetricUnwrapper(keyEncryptionAlgorithm, recipientKey); + + if (!extraMappings.isEmpty()) + { + for (Iterator it = extraMappings.keySet().iterator(); it.hasNext();) + { + ASN1ObjectIdentifier algorithm = (ASN1ObjectIdentifier)it.next(); + + unwrapper.setAlgorithmMapping(algorithm, (String)extraMappings.get(algorithm)); + } + } + + try + { + return helper.getJceKey(encryptedKeyAlgorithm.getAlgorithm(), unwrapper.generateUnwrappedKey(encryptedKeyAlgorithm, encryptedEncryptionKey)); + } + catch (OperatorException e) + { + throw new CMSException("exception unwrapping key: " + e.getMessage(), e); + } + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipientId.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipientId.java new file mode 100644 index 00000000..8b44817b --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipientId.java @@ -0,0 +1,57 @@ +package org.bouncycastle.cms.jcajce; + +import java.math.BigInteger; +import java.security.cert.X509Certificate; + +import javax.security.auth.x500.X500Principal; + +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.cms.KeyTransRecipientId; + +public class JceKeyTransRecipientId + extends KeyTransRecipientId +{ + /** + * Construct a recipient id based on the issuer, serial number and subject key identifier (if present) of the passed in + * certificate. + * + * @param certificate certificate providing the issue and serial number and subject key identifier. + */ + public JceKeyTransRecipientId(X509Certificate certificate) + { + super(convertPrincipal(certificate.getIssuerX500Principal()), certificate.getSerialNumber(), CMSUtils.getSubjectKeyId(certificate)); + } + + /** + * Construct a recipient id based on the provided issuer and serial number.. + * + * @param issuer the issuer to use. + * @param serialNumber the serial number to use. + */ + public JceKeyTransRecipientId(X500Principal issuer, BigInteger serialNumber) + { + super(convertPrincipal(issuer), serialNumber); + } + + /** + * Construct a recipient id based on the provided issuer, serial number, and subjectKeyId.. + * + * @param issuer the issuer to use. + * @param serialNumber the serial number to use. + * @param subjectKeyId the subject key ID to use. + */ + public JceKeyTransRecipientId(X500Principal issuer, BigInteger serialNumber, byte[] subjectKeyId) + { + super(convertPrincipal(issuer), serialNumber, subjectKeyId); + } + + private static X500Name convertPrincipal(X500Principal issuer) + { + if (issuer == null) + { + return null; + } + + return X500Name.getInstance(issuer.getEncoded()); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipientInfoGenerator.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipientInfoGenerator.java new file mode 100644 index 00000000..73733c79 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JceKeyTransRecipientInfoGenerator.java @@ -0,0 +1,62 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.Provider; +import java.security.PublicKey; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.cms.IssuerAndSerialNumber; +import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; +import org.bouncycastle.cms.KeyTransRecipientInfoGenerator; +import org.bouncycastle.operator.jcajce.JceAsymmetricKeyWrapper; + +public class JceKeyTransRecipientInfoGenerator + extends KeyTransRecipientInfoGenerator +{ + public JceKeyTransRecipientInfoGenerator(X509Certificate recipientCert) + throws CertificateEncodingException + { + super(new IssuerAndSerialNumber(new JcaX509CertificateHolder(recipientCert).toASN1Structure()), new JceAsymmetricKeyWrapper(recipientCert.getPublicKey())); + } + + public JceKeyTransRecipientInfoGenerator(byte[] subjectKeyIdentifier, PublicKey publicKey) + { + super(subjectKeyIdentifier, new JceAsymmetricKeyWrapper(publicKey)); + } + + public JceKeyTransRecipientInfoGenerator setProvider(String providerName) + { + ((JceAsymmetricKeyWrapper)this.wrapper).setProvider(providerName); + + return this; + } + + public JceKeyTransRecipientInfoGenerator setProvider(Provider provider) + { + ((JceAsymmetricKeyWrapper)this.wrapper).setProvider(provider); + + return this; + } + + /** + * Internally algorithm ids are converted into cipher names using a lookup table. For some providers + * the standard lookup table won't work. Use this method to establish a specific mapping from an + * algorithm identifier to a specific algorithm. + * <p> + * For example: + * <pre> + * unwrapper.setAlgorithmMapping(PKCSObjectIdentifiers.rsaEncryption, "RSA"); + * </pre> + * </p> + * @param algorithm OID of algorithm in recipient. + * @param algorithmName JCE algorithm name to use. + * @return the current RecipientInfoGenerator. + */ + public JceKeyTransRecipientInfoGenerator setAlgorithmMapping(ASN1ObjectIdentifier algorithm, String algorithmName) + { + ((JceAsymmetricKeyWrapper)this.wrapper).setAlgorithmMapping(algorithm, algorithmName); + + return this; + } +}
\ No newline at end of file diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordAuthenticatedRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordAuthenticatedRecipient.java new file mode 100644 index 00000000..ba873d25 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordAuthenticatedRecipient.java @@ -0,0 +1,54 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.OutputStream; +import java.security.Key; + +import javax.crypto.Mac; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.RecipientOperator; +import org.bouncycastle.jcajce.io.MacOutputStream; +import org.bouncycastle.operator.GenericKey; +import org.bouncycastle.operator.MacCalculator; +import org.bouncycastle.operator.jcajce.JceGenericKey; + +public class JcePasswordAuthenticatedRecipient + extends JcePasswordRecipient +{ + public JcePasswordAuthenticatedRecipient(char[] password) + { + super(password); + } + + public RecipientOperator getRecipientOperator(AlgorithmIdentifier keyEncryptionAlgorithm, final AlgorithmIdentifier contentMacAlgorithm, byte[] derivedKey, byte[] encryptedContentEncryptionKey) + throws CMSException + { + final Key secretKey = extractSecretKey(keyEncryptionAlgorithm, contentMacAlgorithm, derivedKey, encryptedContentEncryptionKey); + + final Mac dataMac = helper.createContentMac(secretKey, contentMacAlgorithm); + + return new RecipientOperator(new MacCalculator() + { + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return contentMacAlgorithm; + } + + public GenericKey getKey() + { + return new JceGenericKey(contentMacAlgorithm, secretKey); + } + + public OutputStream getOutputStream() + { + return new MacOutputStream(dataMac); + } + + public byte[] getMac() + { + return dataMac.doFinal(); + } + }); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordEnvelopedRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordEnvelopedRecipient.java new file mode 100644 index 00000000..be741db4 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordEnvelopedRecipient.java @@ -0,0 +1,42 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.InputStream; +import java.security.Key; + +import javax.crypto.Cipher; +import javax.crypto.CipherInputStream; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.RecipientOperator; +import org.bouncycastle.operator.InputDecryptor; + +public class JcePasswordEnvelopedRecipient + extends JcePasswordRecipient +{ + public JcePasswordEnvelopedRecipient(char[] password) + { + super(password); + } + + public RecipientOperator getRecipientOperator(AlgorithmIdentifier keyEncryptionAlgorithm, final AlgorithmIdentifier contentEncryptionAlgorithm, byte[] derivedKey, byte[] encryptedContentEncryptionKey) + throws CMSException + { + Key secretKey = extractSecretKey(keyEncryptionAlgorithm, contentEncryptionAlgorithm, derivedKey, encryptedContentEncryptionKey); + + final Cipher dataCipher = helper.createContentCipher(secretKey, contentEncryptionAlgorithm); + + return new RecipientOperator(new InputDecryptor() + { + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return contentEncryptionAlgorithm; + } + + public InputStream getInputStream(InputStream dataOut) + { + return new CipherInputStream(dataOut, dataCipher); + } + }); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordRecipient.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordRecipient.java new file mode 100644 index 00000000..432e2cd2 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordRecipient.java @@ -0,0 +1,82 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.GeneralSecurityException; +import java.security.Key; +import java.security.Provider; + +import javax.crypto.Cipher; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.PasswordRecipient; + +/** + * the RecipientInfo class for a recipient who has been sent a message + * encrypted using a password. + */ +public abstract class JcePasswordRecipient + implements PasswordRecipient +{ + private int schemeID = PasswordRecipient.PKCS5_SCHEME2_UTF8; + protected EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); + private char[] password; + + JcePasswordRecipient( + char[] password) + { + this.password = password; + } + + public JcePasswordRecipient setPasswordConversionScheme(int schemeID) + { + this.schemeID = schemeID; + + return this; + } + + public JcePasswordRecipient setProvider(Provider provider) + { + this.helper = new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider)); + + return this; + } + + public JcePasswordRecipient setProvider(String providerName) + { + this.helper = new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName)); + + return this; + } + + protected Key extractSecretKey(AlgorithmIdentifier keyEncryptionAlgorithm, AlgorithmIdentifier contentEncryptionAlgorithm, byte[] derivedKey, byte[] encryptedContentEncryptionKey) + throws CMSException + { + Cipher keyEncryptionCipher = helper.createRFC3211Wrapper(keyEncryptionAlgorithm.getAlgorithm()); + + try + { + IvParameterSpec ivSpec = new IvParameterSpec(ASN1OctetString.getInstance(keyEncryptionAlgorithm.getParameters()).getOctets()); + + keyEncryptionCipher.init(Cipher.UNWRAP_MODE, new SecretKeySpec(derivedKey, keyEncryptionCipher.getAlgorithm()), ivSpec); + + return keyEncryptionCipher.unwrap(encryptedContentEncryptionKey, contentEncryptionAlgorithm.getAlgorithm().getId(), Cipher.SECRET_KEY); + } + catch (GeneralSecurityException e) + { + throw new CMSException("cannot process content encryption key: " + e.getMessage(), e); + } + } + + public int getPasswordConversionScheme() + { + return schemeID; + } + + public char[] getPassword() + { + return password; + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordRecipientInfoGenerator.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordRecipientInfoGenerator.java new file mode 100644 index 00000000..501da7a8 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/JcePasswordRecipientInfoGenerator.java @@ -0,0 +1,61 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.GeneralSecurityException; +import java.security.Key; +import java.security.Provider; + +import javax.crypto.Cipher; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.ASN1OctetString; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.PasswordRecipientInfoGenerator; +import org.bouncycastle.operator.GenericKey; + +public class JcePasswordRecipientInfoGenerator + extends PasswordRecipientInfoGenerator +{ + private EnvelopedDataHelper helper = new EnvelopedDataHelper(new DefaultJcaJceExtHelper()); + + public JcePasswordRecipientInfoGenerator(ASN1ObjectIdentifier kekAlgorithm, char[] password) + { + super(kekAlgorithm, password); + } + + public JcePasswordRecipientInfoGenerator setProvider(Provider provider) + { + this.helper = new EnvelopedDataHelper(new ProviderJcaJceExtHelper(provider)); + + return this; + } + + public JcePasswordRecipientInfoGenerator setProvider(String providerName) + { + this.helper = new EnvelopedDataHelper(new NamedJcaJceExtHelper(providerName)); + + return this; + } + + public byte[] generateEncryptedBytes(AlgorithmIdentifier keyEncryptionAlgorithm, byte[] derivedKey, GenericKey contentEncryptionKey) + throws CMSException + { + Key contentEncryptionKeySpec = helper.getJceKey(contentEncryptionKey); + Cipher keyEncryptionCipher = helper.createRFC3211Wrapper(keyEncryptionAlgorithm.getAlgorithm()); + + try + { + IvParameterSpec ivSpec = new IvParameterSpec(ASN1OctetString.getInstance(keyEncryptionAlgorithm.getParameters()).getOctets()); + + keyEncryptionCipher.init(Cipher.WRAP_MODE, new SecretKeySpec(derivedKey, keyEncryptionCipher.getAlgorithm()), ivSpec); + + return keyEncryptionCipher.wrap(contentEncryptionKeySpec); + } + catch (GeneralSecurityException e) + { + throw new CMSException("cannot process content encryption key: " + e.getMessage(), e); + } + } +}
\ No newline at end of file diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/NamedJcaJceExtHelper.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/NamedJcaJceExtHelper.java new file mode 100644 index 00000000..cd9a5991 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/NamedJcaJceExtHelper.java @@ -0,0 +1,31 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.PrivateKey; + +import javax.crypto.SecretKey; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.jcajce.NamedJcaJceHelper; +import org.bouncycastle.operator.SymmetricKeyUnwrapper; +import org.bouncycastle.operator.jcajce.JceAsymmetricKeyUnwrapper; +import org.bouncycastle.operator.jcajce.JceSymmetricKeyUnwrapper; + +class NamedJcaJceExtHelper + extends NamedJcaJceHelper + implements JcaJceExtHelper +{ + public NamedJcaJceExtHelper(String providerName) + { + super(providerName); + } + + public JceAsymmetricKeyUnwrapper createAsymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, PrivateKey keyEncryptionKey) + { + return new JceAsymmetricKeyUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey).setProvider(providerName); + } + + public SymmetricKeyUnwrapper createSymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, SecretKey keyEncryptionKey) + { + return new JceSymmetricKeyUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey).setProvider(providerName); + } +}
\ No newline at end of file diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/ProviderJcaJceExtHelper.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/ProviderJcaJceExtHelper.java new file mode 100644 index 00000000..8bbad0f1 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/ProviderJcaJceExtHelper.java @@ -0,0 +1,32 @@ +package org.bouncycastle.cms.jcajce; + +import java.security.PrivateKey; +import java.security.Provider; + +import javax.crypto.SecretKey; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.jcajce.ProviderJcaJceHelper; +import org.bouncycastle.operator.SymmetricKeyUnwrapper; +import org.bouncycastle.operator.jcajce.JceAsymmetricKeyUnwrapper; +import org.bouncycastle.operator.jcajce.JceSymmetricKeyUnwrapper; + +class ProviderJcaJceExtHelper + extends ProviderJcaJceHelper + implements JcaJceExtHelper +{ + public ProviderJcaJceExtHelper(Provider provider) + { + super(provider); + } + + public JceAsymmetricKeyUnwrapper createAsymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, PrivateKey keyEncryptionKey) + { + return new JceAsymmetricKeyUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey).setProvider(provider); + } + + public SymmetricKeyUnwrapper createSymmetricUnwrapper(AlgorithmIdentifier keyEncryptionAlgorithm, SecretKey keyEncryptionKey) + { + return new JceSymmetricKeyUnwrapper(keyEncryptionAlgorithm, keyEncryptionKey).setProvider(provider); + } +}
\ No newline at end of file diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/ZlibCompressor.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/ZlibCompressor.java new file mode 100644 index 00000000..53da722b --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/ZlibCompressor.java @@ -0,0 +1,24 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.OutputStream; +import java.util.zip.DeflaterOutputStream; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.operator.OutputCompressor; + +public class ZlibCompressor + implements OutputCompressor +{ + private static final String ZLIB = "1.2.840.113549.1.9.16.3.8"; + + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return new AlgorithmIdentifier(new ASN1ObjectIdentifier(ZLIB)); + } + + public OutputStream getOutputStream(OutputStream comOut) + { + return new DeflaterOutputStream(comOut); + } +} diff --git a/pkix/src/main/java/org/bouncycastle/cms/jcajce/ZlibExpanderProvider.java b/pkix/src/main/java/org/bouncycastle/cms/jcajce/ZlibExpanderProvider.java new file mode 100644 index 00000000..107a0ef6 --- /dev/null +++ b/pkix/src/main/java/org/bouncycastle/cms/jcajce/ZlibExpanderProvider.java @@ -0,0 +1,113 @@ +package org.bouncycastle.cms.jcajce; + +import java.io.FilterInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.util.zip.InflaterInputStream; + +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.operator.InputExpander; +import org.bouncycastle.operator.InputExpanderProvider; +import org.bouncycastle.util.io.StreamOverflowException; + +public class ZlibExpanderProvider + implements InputExpanderProvider +{ + private final long limit; + + public ZlibExpanderProvider() + { + this.limit = -1; + } + + /** + * Create a provider which caps the number of expanded bytes that can be produced when the + * compressed stream is parsed. + * + * @param limit max number of bytes allowed in an expanded stream. + */ + public ZlibExpanderProvider(long limit) + { + this.limit = limit; + } + + public InputExpander get(final AlgorithmIdentifier algorithm) + { + return new InputExpander() + { + public AlgorithmIdentifier getAlgorithmIdentifier() + { + return algorithm; + } + + public InputStream getInputStream(InputStream comIn) + { + InputStream s = new InflaterInputStream(comIn); + if (limit >= 0) + { + s = new LimitedInputStream(s, limit); + } + return s; + } + }; + } + + private static class LimitedInputStream + extends FilterInputStream + { + private long remaining; + + public LimitedInputStream(InputStream input, long limit) + { + super(input); + + this.remaining = limit; + } + + public int read() + throws IOException + { + // Only a single 'extra' byte will ever be read + if (remaining >= 0) + { + int b = super.in.read(); + if (b < 0 || --remaining >= 0) + { + return b; + } + } + + throw new StreamOverflowException("expanded byte limit exceeded"); + } + + public int read(byte[] buf, int off, int len) + throws IOException + { + if (len < 1) + { + // This will give correct exceptions/returns for strange lengths + return super.read(buf, off, len); + } + + if (remaining < 1) + { + // Will either return EOF or throw exception + read(); + return -1; + } + + /* + * Limit the underlying request to 'remaining' bytes. This ensures the + * caller will see the full 'limit' bytes before getting an exception. + * Also, only one extra byte will ever be read. + */ + int actualLen = (remaining > len ? len : (int)remaining); + int numRead = super.in.read(buf, off, actualLen); + if (numRead > 0) + { + remaining -= numRead; + } + return numRead; + } + } +} |