it.trento.comune.j4sign.cms

Class ExternalSignatureCMSSignedDataGenerator

java.lang.Object

it.trento.comune.j4sign.cms.ExternalSignatureCMSSignedDataGenerator

public class ExternalSignatureCMSSignedDataGenerator
extends java.lang.Object

A class for generating a CMS (PKCS#7) signature message, where encryption procedure is kept external.

This enables the use of cryptographic tokens, such as Smart Cards, where private key is not extractable and encryption has to be done on the token.

This has also the effect of completely separate the digest encryption process from the message encapsulation. This is useful in signing environments, such as applets, where is desirable to avoid the wheight of the provider and cms library classes. See SimpleSignApplet

ExternalSignatureCMSSignedDataGenerator is an alternative implementation of org.bouncycastle.cms.CMSSignedDataGenerator.
Alternative implementation has been preferred to subclassing, because the signer info generator inner class has been promoted to the indipendent ExternalSignatureSignerInfoGenerator.

Here follows an example of usage; for a complete example, see CLITestsource code.

 
   ExternalSignatureCMSSignedDataGenerator gen = new ExternalSignatureCMSSignedDataGenerator();
                        
   //ExternalSignatureSignerInfoGenerator encapsulates SignerInfos,
   //and is used in generate(org.bouncycastle.cms.CMSProcessable, boolean) method.
  
   ExternalSignatureSignerInfoGenerator signerGenerator = new ExternalSignatureSignerInfoGenerator(
                                                                CMSSignedDataGenerator.DIGEST_MD5,
                                                                CMSSignedDataGenerator.ENCRYPTION_RSA);
   try {
       //Obtain bytes to sign; 
       //note that this implementation includes a timestamp
       //as an authenticated attribute, then bytesToSign is every time different, 
       //even if signing the same data.
       //The timestamp should be notified and accepted by the signer along data to sign
       //BEFORE he applies encryption with his private key.
       //The timestamp is used during verification to check that signature time is 
       //in signing certificate validity time range.
  
       byte[] bytesToSign = signerGenerator.getBytesToSign(PKCSObjectIdentifiers.data, msg, "BC");
                                                                
       // Digest generation. Digest algorithm must match the one passed to ExternalSignatureSignerInfoGenerator
       // constructor above (MD5, in this case).
       MessageDigest md = MessageDigest.getInstance("MD5");
       md.update(bytesToSign);
       byte[] digest = md.digest();
                                        
       byte[] signedBytes = null;  //will contain encripted digest
       byte[] certBytes = null; //will contain DER encoded certificate
  
       //Digest encryption and signer certificate retrieval (using a PKCS11 token, for example)
       // Encryption algorithm must match the one passed to ExternalSignatureSignerInfoGenerator
       // constructor above (RSA, in this case).
                           .
                           .    
                           .
  
       if ((certBytes != null) && (signedBytes != null)) {
                        
           //build java Certificate object. 
           java.security.cert.CertificateFactory cf = 
                               java.security.cert.CertificateFactory.getInstance("X.509");
           java.io.ByteArrayInputStream bais = new java.io.ByteArrayInputStream(certBytes);
           java.security.cert.X509Certificate javaCert = 
                                        (java.security.cert.X509Certificate) cf.generateCertificate(bais);
                                                                                        
           //pass encrypted digest and certificate to the SignerInfo generator
           signerGenerator.setCertificate(javaCert);
           signerGenerator.setSignedBytes(signedBytes);
 
           //pass the signer info generator to the cms generator
           gen.addSignerInf(signerGenerator);
                                                                
           //generating a cert store with signer certificate into.
           //The store could contain also the root certificate and CRLS
           ArrayList certList = new ArrayList();
           certList.add(javaCert);
                        CertStore store = CertStore.getInstance("Collection",
                                                   new CollectionCertStoreParameters(certList), 
                                                   "BC");
           //pass cert store to the cms generator
           gen.addCertificatesAndCRLs(store);
                
           //Finally, generate CMS message.
           CMSSignedData s = gen.generate(msg, true);
       }
    } catch (Exception ex) {
            ...Exception mangement ...
    }
 

Version:

$Revision: 1.6 $ $Date: 2014/07/01 15:35:42 $

Author:

Roberto Resoli

Field Summary

Fields

Modifier and Type	Field and Description
private java.util.ArrayList	certs The set of certificates useful for this message.
private java.util.ArrayList	crls Certificate Revocation Lists to include in CMS message.
private java.util.ArrayList	signerInfs The repository of ExternalSignatureSignerInfoGeneratorobjects, one for signer.

Constructor Summary

Constructors

Constructor and Description
ExternalSignatureCMSSignedDataGenerator()

Method Summary

Methods

Modifier and Type	Method and Description
void	addCertificatesAndCRLs(java.security.cert.CertStore certStore) add the certificates and CRLs contained in the given CertStore to the pool that will be included in the encoded signature block.
void	addSignerInf(ExternalSignatureSignerInfoGenerator si) adds all the information necessary to build the org.bouncycastle.asn1.cms.SignerInfo about a signer.
(package private) static org.bouncycastle.asn1.ASN1Set	createBerSetFromList(java.util.List derObjects)
org.bouncycastle.cms.CMSSignedData	generate(org.bouncycastle.cms.CMSProcessable content, boolean encapsulate) generate a CMS Signed Data object using the previously passed ExternalSignatureSignerInfoGenerator objects; if encapsulate is true a copy of the message will be included in the signature.
private org.bouncycastle.asn1.x509.AlgorithmIdentifier	makeAlgId(java.lang.String oid, byte[] params) internally used to generate asn.1 Algorithm Identifiers form string OIDs and parameters.
private org.bouncycastle.asn1.DERObject	makeObj(byte[] encoding) Used internally by makeAlgId(String, byte[])

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

certs

private java.util.ArrayList certs

The set of certificates useful for this message. This could include besides sign certificate for verifying signature, the Certification Authority root certificate and, in between, those necessary to complete certification path.

crls

private java.util.ArrayList crls

Certificate Revocation Lists to include in CMS message. The actual implementation of org.bouncycastle.cms.SignerInformation class dos not use CRLS in signature verification.

signerInfs

private java.util.ArrayList signerInfs

The repository of ExternalSignatureSignerInfoGeneratorobjects, one for signer. In the regular org.bouncycastle.cms.CMSSignedDataGenerator the base type was the nested SignerInf class.

Constructor Detail

ExternalSignatureCMSSignedDataGenerator

public ExternalSignatureCMSSignedDataGenerator()

Method Detail

addCertificatesAndCRLs

public void addCertificatesAndCRLs(java.security.cert.CertStore certStore)
                            throws java.security.cert.CertStoreException,
                                   org.bouncycastle.cms.CMSException

add the certificates and CRLs contained in the given CertStore to the pool that will be included in the encoded signature block.

Note: this assumes the CertStore will support null in the get methods.

Parameters:

certStore -

Throws:

java.security.cert.CertStoreException

org.bouncycastle.cms.CMSException

makeObj

private org.bouncycastle.asn1.DERObject makeObj(byte[] encoding)
                                         throws java.io.IOException

Used internally by makeAlgId(String, byte[])

Throws:

java.io.IOException

makeAlgId

private org.bouncycastle.asn1.x509.AlgorithmIdentifier makeAlgId(java.lang.String oid,
                                                       byte[] params)
                                                          throws java.io.IOException

internally used to generate asn.1 Algorithm Identifiers form string OIDs and parameters.

Parameters:

oid - The ObjectIdentifier as String.

params - Eventual algorithm parameters; null if no parameter is required.

Returns:

the org.bouncycastle.asn1.x509.AlgoriyhmIdentifier for the given OIDs and parameters.

Throws:

java.io.IOException

addSignerInf

public void addSignerInf(ExternalSignatureSignerInfoGenerator si)

adds all the information necessary to build the org.bouncycastle.asn1.cms.SignerInfo about a signer.

Parameters:

si - - the ExternalSignatureSignerInfoGeneratorobject that ownes informations about a single signer.

generate

public org.bouncycastle.cms.CMSSignedData generate(org.bouncycastle.cms.CMSProcessable content,
                                          boolean encapsulate)
                                            throws java.security.NoSuchAlgorithmException,
                                                   java.security.NoSuchProviderException,
                                                   org.bouncycastle.cms.CMSException,
                                                   java.security.InvalidAlgorithmParameterException,
                                                   java.security.cert.CertStoreException

generate a CMS Signed Data object using the previously passed ExternalSignatureSignerInfoGenerator objects; if encapsulate is true a copy of the message will be included in the signature.

Throws:

java.security.NoSuchAlgorithmException

java.security.NoSuchProviderException

org.bouncycastle.cms.CMSException

java.security.InvalidAlgorithmParameterException

java.security.cert.CertStoreException

createBerSetFromList

static org.bouncycastle.asn1.ASN1Set createBerSetFromList(java.util.List derObjects)