it.trento.comune.j4sign.cms

Class ExternalSignatureSignerInfoGenerator

java.lang.Object

it.trento.comune.j4sign.cms.ExternalSignatureSignerInfoGenerator

public class ExternalSignatureSignerInfoGenerator
extends java.lang.Object

An org.bouncycastle.asn1.cms.SignerInfo generator, where encryption operations are kept external.

The class is a reimplementation of the original nested org.bouncycastle.cms.CMSSignedDataGenerator$SignerInf class.
The key methods are getBytesToSign(DERObjectIdentifier, CMSProcessable, String), which calculates the bytes to digest and encrypt externally, and setSignedBytes(byte[]) which stores the result. Actually the generate() method (defined package private) is used only in ExternalSignatureCMSSignedDataGenerator.generate(CMSProcessable, boolean) .

For an usage example, see ExternalSignatureCMSSignedDataGenerator and CLITest.

Version:

$Revision: 1.7 $ $Date: 2013/12/23 15:34:37 $

Author:

Roberto Resoli

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
(package private) static class	ExternalSignatureSignerInfoGenerator.DigOutputStream Class wrapping a MessageDigest update in form of an output stream.

Field Summary

Fields

Modifier and Type	Field and Description
(package private) java.security.cert.X509Certificate	cert The signer certificate, needed to extract IssuerAndSerialNumber CMS information.
(package private) java.lang.String	digestOID Digesting algorithm OID.
(package private) java.lang.String	encOID Encryption algorithm OID.
(package private) org.bouncycastle.asn1.cms.AttributeTable	sAttr The externally set 'authenticated attributes' to be signed, other than contentType, messageDigest, signingTime; currently not used (no setter method).
(package private) org.bouncycastle.asn1.ASN1Set	signedAttr The set of authenticated attributes, calculated in getBytesToSign(DERObjectIdentifier, CMSProcessable, String) method, that will be externally signed.
(package private) byte[]	signedBytes The (externally) encrypted digest of getBytesToSign(DERObjectIdentifier, CMSProcessable, String). * This has to be set, along cert, before calling generate().
(package private) org.bouncycastle.asn1.cms.AttributeTable	unsAttr The externally set attributes NOT to be signed; currently not used (no setter method).
(package private) org.bouncycastle.asn1.ASN1Set	unsignedAttr The set of authenticated attributes, calculated in getBytesToSign(DERObjectIdentifier, CMSProcessable, String) method, that will NOT be signed.

Constructor Summary

Constructors

Constructor and Description
ExternalSignatureSignerInfoGenerator(java.lang.String digestOID, java.lang.String encOID) Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
private org.bouncycastle.asn1.cms.Attribute	buildSigningCertificateV2Attribute(java.lang.String sigProvider) Builds the SignerCertificateV2 attribute according to RFC2634(Enhanced Security Services (ESS)) + RFC5035(ESS Update: AddingCertID Algorithm Agility).
private byte[]	doDigest(org.bouncycastle.cms.CMSProcessable content, java.lang.String sigProvider)
(package private) org.bouncycastle.asn1.cms.SignerInfo	generate() Generates the SignerInfo CMS structure information for a single signer.
byte[]	getBytesToSign(org.bouncycastle.asn1.DERObjectIdentifier contentType, byte[] hash, java.util.Date signingDate, java.lang.String sigProvider) Calculates the bytes to be externally signed (digested and encrypted with signer private key).
byte[]	getBytesToSign(org.bouncycastle.asn1.DERObjectIdentifier contentType, org.bouncycastle.cms.CMSProcessable content, java.lang.String sigProvider) Calculates the bytes to be externally signed (digested and encrypted with signer private key).
byte[]	getBytesToSign(org.bouncycastle.asn1.DERObjectIdentifier contentType, java.util.Date signingTime, org.bouncycastle.cms.CMSProcessable content, java.lang.String sigProvider) Calculates the bytes to be externally signed (digested and encrypted with signer private key).
java.security.cert.X509Certificate	getCertificate() Gets the signer certificate.
(package private) java.lang.String	getDigestAlgName() Return the digest algorithm using one of the standard JCA string representations rather the the algorithm identifier (if possible).
(package private) java.lang.String	getDigestAlgOID()
(package private) byte[]	getDigestAlgParams()
(package private) java.lang.String	getEncryptionAlgName() Return the digest encryption algorithm using one of the standard JCA string representations rather the the algorithm identifier (if possible).
(package private) java.lang.String	getEncryptionAlgOID()
(package private) org.bouncycastle.asn1.cms.AttributeTable	getSignedAttributes()
(package private) org.bouncycastle.asn1.cms.AttributeTable	getUnsignedAttributes()
void	setCertificate(java.security.cert.X509Certificate c) Sets the signer certificate.
void	setSignedBytes(byte[] signedBytes)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

cert

java.security.cert.X509Certificate cert

The signer certificate, needed to extract IssuerAndSerialNumber CMS information. This has to be set, along signedBytes, before calling generate().

signedBytes

byte[] signedBytes

The (externally) encrypted digest of getBytesToSign(DERObjectIdentifier, CMSProcessable, String). * This has to be set, along cert, before calling generate().

digestOID

java.lang.String digestOID

Digesting algorithm OID.

encOID

java.lang.String encOID

Encryption algorithm OID.

sAttr

org.bouncycastle.asn1.cms.AttributeTable sAttr

The externally set 'authenticated attributes' to be signed, other than contentType, messageDigest, signingTime;
currently not used (no setter method).

unsAttr

org.bouncycastle.asn1.cms.AttributeTable unsAttr

The externally set attributes NOT to be signed;
currently not used (no setter method).

signedAttr

org.bouncycastle.asn1.ASN1Set signedAttr

The set of authenticated attributes, calculated in getBytesToSign(DERObjectIdentifier, CMSProcessable, String) method,
that will be externally signed.

unsignedAttr

org.bouncycastle.asn1.ASN1Set unsignedAttr

The set of authenticated attributes, calculated in getBytesToSign(DERObjectIdentifier, CMSProcessable, String) method,
that will NOT be signed.

Constructor Detail

ExternalSignatureSignerInfoGenerator

public ExternalSignatureSignerInfoGenerator(java.lang.String digestOID,
                                    java.lang.String encOID)

Constructor.

Parameters:

digestOID - the digesting algorithm OID

encOID - the encryption algorithm OID

Method Detail

getCertificate

public java.security.cert.X509Certificate getCertificate()

Gets the signer certificate.

Returns:

the signer certificate.

setCertificate

public void setCertificate(java.security.cert.X509Certificate c)

Sets the signer certificate.

Parameters:

c - the X509 certificate corresponding to the private key used to sign.

getDigestAlgOID

java.lang.String getDigestAlgOID()

Returns:

the digesting OID string.

getDigestAlgParams

byte[] getDigestAlgParams()

Returns:

the digesting algorithm parameters; currently returns null.

getEncryptionAlgOID

java.lang.String getEncryptionAlgOID()

Returns:

the encryption OID string.

getSignedAttributes

org.bouncycastle.asn1.cms.AttributeTable getSignedAttributes()

Returns:

the externally set authenticated attributes; currently null.

getUnsignedAttributes

org.bouncycastle.asn1.cms.AttributeTable getUnsignedAttributes()

Returns:

the externally set not authenticated attributes; currently null.

getDigestAlgName

java.lang.String getDigestAlgName()

Return the digest algorithm using one of the standard JCA string representations rather the the algorithm identifier (if possible).

getEncryptionAlgName

java.lang.String getEncryptionAlgName()

Return the digest encryption algorithm using one of the standard JCA string representations rather the the algorithm identifier (if possible).

generate

org.bouncycastle.asn1.cms.SignerInfo generate()
                                        throws java.security.cert.CertificateEncodingException,
                                               java.io.IOException

Generates the SignerInfo CMS structure information for a single signer. This method has to be called after setting cert signedBytes.

Returns:

the org.bouncycastle.asn1.cms.SignerInfo object for a signer.

Throws:

java.security.cert.CertificateEncodingException

java.io.IOException

doDigest

private byte[] doDigest(org.bouncycastle.cms.CMSProcessable content,
              java.lang.String sigProvider)
                 throws java.security.NoSuchAlgorithmException,
                        java.security.NoSuchProviderException,
                        java.io.IOException,
                        org.bouncycastle.cms.CMSException

Throws:

java.security.NoSuchAlgorithmException

java.security.NoSuchProviderException

java.io.IOException

org.bouncycastle.cms.CMSException

getBytesToSign

public byte[] getBytesToSign(org.bouncycastle.asn1.DERObjectIdentifier contentType,
                    java.util.Date signingTime,
                    org.bouncycastle.cms.CMSProcessable content,
                    java.lang.String sigProvider)
                      throws java.io.IOException,
                             java.security.SignatureException,
                             java.security.InvalidKeyException,
                             java.security.NoSuchProviderException,
                             java.security.NoSuchAlgorithmException,
                             java.security.cert.CertificateEncodingException,
                             org.bouncycastle.cms.CMSException

Calculates the bytes to be externally signed (digested and encrypted with signer private key).
see: getBytesToSign(DERObjectIdentifier contentType, byte[] hash, Date signingDate, String sigProvider)

Parameters:

contentType - the org.bouncycastle.asn1.DERObjectIdentifier of the content.

content - the content to be signed.

content - the content to be signed.

signingTime - The time of the signature; if null, the current system date will be used.

Returns:

a byte[] containing the raw bytes to be signed.

Throws:

java.io.IOException

java.security.SignatureException

java.security.InvalidKeyException

java.security.NoSuchProviderException

java.security.NoSuchAlgorithmException

java.security.cert.CertificateEncodingException

org.bouncycastle.cms.CMSException

getBytesToSign

public byte[] getBytesToSign(org.bouncycastle.asn1.DERObjectIdentifier contentType,
                    org.bouncycastle.cms.CMSProcessable content,
                    java.lang.String sigProvider)
                      throws java.io.IOException,
                             java.security.SignatureException,
                             java.security.InvalidKeyException,
                             java.security.NoSuchProviderException,
                             java.security.NoSuchAlgorithmException,
                             java.security.cert.CertificateEncodingException,
                             org.bouncycastle.cms.CMSException

Calculates the bytes to be externally signed (digested and encrypted with signer private key).
see: getBytesToSign(DERObjectIdentifier contentType, byte[] hash, Date signingDate, String sigProvider)

Parameters:

contentType - the org.bouncycastle.asn1.DERObjectIdentifier of the content.

content - the content to be signed.

sigProvider - the cryptographic provider to use for calculating the digest of the content.

Returns:

a byte[] containing the raw bytes to be signed.

Throws:

java.io.IOException

java.security.SignatureException

java.security.InvalidKeyException

java.security.NoSuchProviderException

java.security.NoSuchAlgorithmException

java.security.cert.CertificateEncodingException

org.bouncycastle.cms.CMSException

getBytesToSign

public byte[] getBytesToSign(org.bouncycastle.asn1.DERObjectIdentifier contentType,
                    byte[] hash,
                    java.util.Date signingDate,
                    java.lang.String sigProvider)
                      throws java.io.IOException,
                             java.security.SignatureException,
                             java.security.InvalidKeyException,
                             java.security.NoSuchProviderException,
                             java.security.NoSuchAlgorithmException,
                             java.security.cert.CertificateEncodingException,
                             org.bouncycastle.cms.CMSException

Calculates the bytes to be externally signed (digested and encrypted with signer private key).
The bytes are the DER encoding of authenticated attributes; the current implementation includes this attributes:

• content Type
of the provided content.
• message Digest
of the content, calculated in this method with the algorithm specified in the class constructor.
• signing Time. Note that time (internally stored as UTC) should be presented to the signer BEFORE applying the external signature procedure.
  This time has not to be confused with a thirdy part (Certification Authority) certified timestamp ("Marcatura Temporale" in italian terminology); for the italian digital signature law this attribute is not mandatory and could be omitted. Nevertheless, the italian law states also that the signature is valid if the certificate is not expired nor suspended at the time of signature. So an indication of signing time is (in my opinion) however useful.

Parameters:

contentType - the org.bouncycastle.asn1.DERObjectIdentifier of the content.

hash - the content hash.

sigProvider - the cryptographic provider to use for calculating the digest of the content.

Returns:

a byte[] containing the raw bytes to be signed.

Throws:

java.io.IOException

java.security.SignatureException

java.security.InvalidKeyException

java.security.NoSuchProviderException

java.security.NoSuchAlgorithmException

java.security.cert.CertificateEncodingException

org.bouncycastle.cms.CMSException

buildSigningCertificateV2Attribute

private org.bouncycastle.asn1.cms.Attribute buildSigningCertificateV2Attribute(java.lang.String sigProvider)
                                                                        throws java.security.NoSuchAlgorithmException,
                                                                               java.security.NoSuchProviderException,
                                                                               java.security.cert.CertificateEncodingException,
                                                                               java.io.IOException

Builds the SignerCertificateV2 attribute according to RFC2634(Enhanced Security Services (ESS)) + RFC5035(ESS Update: AddingCertID Algorithm Agility).
This signed attribute is mandatory for CAdES-BES (ETSI TS 101 733) compliancy.

Parameters:

sigProvider - the provider to use for digest calculation.

Returns:

the SignerCertificateV2 attribute calculated from to the current certificate and digest algorithm.

Throws:

java.security.NoSuchAlgorithmException

java.security.NoSuchProviderException

java.security.cert.CertificateEncodingException

java.io.IOException

setSignedBytes

public void setSignedBytes(byte[] signedBytes)

Parameters:

signedBytes - The signedBytes to set.