PKCS7.java revision 3990
3990N/A * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * PKCS7 as defined in RSA Laboratories PKCS7 Technical Note. Profile 0N/A * Supports only <tt>SignedData</tt> ContentInfo 0N/A * type, where to the type of data signed is plain Data. 0N/A * For signedData, <tt>crls</tt>, <tt>attributes</tt> and 0N/A * PKCS#6 Extended Certificates are not supported. 0N/A * @author Benjamin Renaud 0N/A // the ASN.1 members for a signedData (and other) contentTypes 0N/A private boolean oldStyle =
false;
// Is this JDK1.1.x-style? 0N/A * Unmarshals a PKCS7 block from its encoded form, parsing the 0N/A * encoded bytes from the InputStream. 0N/A * @param in an input stream holding at least one PKCS7 block. 0N/A * @exception ParsingException on parsing errors. 0N/A * @exception IOException on other errors. 0N/A * Unmarshals a PKCS7 block from its encoded form, parsing the 0N/A * encoded bytes from the DerInputStream. 0N/A * @param derin a DerInputStream holding at least one PKCS7 block. 0N/A * @exception ParsingException on parsing errors. 0N/A * Unmarshals a PKCS7 block from its encoded form, parsing the 0N/A * @param bytes the encoded bytes. 0N/A * @exception ParsingException on parsing errors. 0N/A "Unable to parse the encoded bytes");
0N/A * Parses a PKCS#7 block. 0N/A // try new (i.e., JDK1.2) style 0N/A // try old (i.e., JDK1.1.x) style 0N/A * Parses a PKCS#7 block. 0N/A * @param derin the ASN.1 encoding of the PKCS#7 block. 0N/A * @param oldStyle flag indicating whether or not the given PKCS#7 block 0N/A * is encoded according to JDK1.1.x. 0N/A // This is for backwards compatibility with JDK 1.1.x 0N/A * Construct an initialized PKCS7 block. 0N/A * @param digestAlgorithmIds the message digest algorithm identifiers. 0N/A * @param contentInfo the content information. 0N/A * @param certificates an array of X.509 certificates. 2346N/A * @param crls an array of CRLs 0N/A * @param signerInfos an array of signer information. 0N/A // digestAlgorithmIds 0N/A for (
int i =
0; i <
len; i++) {
0N/A * check if certificates (implicit tag) are provided 0N/A * (certificates are OPTIONAL) 0N/A for (
int i =
0; i <
len; i++) {
0N/A // check if crls (implicit tag) are provided (crls are OPTIONAL) 0N/A for (
int i =
0; i <
len; i++) {
0N/A for (
int i =
0; i <
len; i++) {
0N/A * Parses an old-style SignedData encoding (for backwards 0N/A * compatibility with JDK1.1.x). 0N/A // digestAlgorithmIds 0N/A for (
int i =
0; i <
len; i++) {
0N/A for (
int i =
0; i <
len; i++) {
0N/A // crls are ignored. 0N/A for (
int i =
0; i <
len; i++) {
0N/A * Encodes the signed data to an output stream. 0N/A * @param out the output stream to write the encoded data to. 0N/A * @exception IOException on encoding errors. 0N/A * Encodes the signed data to a DerOutputStream. 0N/A * @param out the DerOutputStream to write the encoded data to. 0N/A * @exception IOException on encoding errors. 0N/A // digestAlgorithmIds 0N/A // certificates (optional) 0N/A // cast to X509CertImpl[] since X509CertImpl implements DerEncoder 0N/A // Add the certificate set (tagged with [0] IMPLICIT) 0N/A // to the signed data 2346N/A // cast to X509CRLImpl[] since X509CRLImpl implements DerEncoder 2346N/A // Add the CRL set (tagged with [1] IMPLICIT) 0N/A // making it a signed data block 0N/A // making it a content info sequence 0N/A // writing out the contentInfo sequence 3990N/A * Verifying signed data using an external chunked data source. 3990N/A // if there are authenticate attributes, feed data chunks to 3990N/A // the message digest. In this case, pv.md is not null 3990N/A // first, check content type 3990N/A return null;
// contentType does not match, bad SignerInfo 3990N/A // now, check message digest 3990N/A // put together digest algorithm and encryption algorithm 3990N/A // to form signing algorithm 3990N/A // Workaround: sometimes the encryptionAlgname is actually 3990N/A +
"critical extension(s)");
3990N/A // Make sure that if the usage of the key in the certificate is 3990N/A // restricted, it can be used for digital signatures. 3990N/A // XXX We may want to check for additional extensions in the 3990N/A // We don't care whether or not this extension was marked 3990N/A // critical in the certificate. 3990N/A // We're interested only in its value (i.e., the bits set) 3990N/A // and treat the extension as critical. 3990N/A // if there are authenticate attributes, get the message 3990N/A // digest and compare it with the digest of data 3990N/A // now, check message digest 3990N/A // message digest attribute matched 3990N/A // the data actually signed is the DER encoding of 3990N/A // the authenticated attributes (tagged with 3990N/A // the "SET OF" tag, not 0xA0). 0N/A * This verifies a given SignerInfo. 0N/A * @param info the signer information. 0N/A * @param bytes the DER encoded content information. 0N/A * @exception NoSuchAlgorithmException on unrecognized algorithms. 0N/A * @exception SignatureException on signature handling errors. 0N/A * Returns all signerInfos which self-verify. 0N/A * @param bytes the DER encoded content information. 0N/A * @exception NoSuchAlgorithmException on unrecognized algorithms. 0N/A * @exception SignatureException on signature handling errors. 0N/A * Returns all signerInfos which self-verify. 0N/A * @exception NoSuchAlgorithmException on unrecognized algorithms. 0N/A * @exception SignatureException on signature handling errors. 0N/A * Returns the version number of this PKCS7 block. 0N/A * @return the version or null if version is not specified 0N/A * for the content type. 0N/A * Returns the message digest algorithms specified in this PKCS7 block. 0N/A * @return the array of Digest Algorithms or null if none are specified 0N/A * for the content type. 0N/A * Returns the content information specified in this PKCS7 block. 0N/A * Returns the X.509 certificates listed in this PKCS7 block. 0N/A * @return a clone of the array of X.509 certificates or null if 0N/A * none are specified for the content type. 0N/A * Returns the X.509 crls listed in this PKCS7 block. 0N/A * @return a clone of the array of X.509 crls or null if none 0N/A * are specified for the content type. 0N/A * Returns the signer's information specified in this PKCS7 block. 0N/A * @return the array of Signer Infos or null if none are specified 0N/A * for the content type. 0N/A * Returns the X.509 certificate listed in this PKCS7 block 0N/A * which has a matching serial number and Issuer name, or 0N/A * null if one is not found. 0N/A * @param serial the serial number of the certificate to retrieve. 0N/A * @param issuerName the Distinguished Name of the Issuer. 0N/A * Populate array of Issuer DNs from certificates and convert 0N/A * each Principal to type X500Name if necessary. 0N/A // must extract the original encoded form of DN for 0N/A // subsequent name comparison checks (converting to a 0N/A // String and back to an encoded DN could cause the 0N/A // types of String attribute values to be changed) 0N/A // error generating X500Name object from the cert's 0N/A // issuer DN, leave name as is. 0N/A * Returns the PKCS7 block in a printable string form. 0N/A out +=
"PKCS7 :: digest AlgorithmIds: \n";
0N/A out +=
"PKCS7 :: certificates: \n";
0N/A out +=
"PKCS7 :: signer infos: \n";
0N/A * Returns true if this is a JDK1.1.x-style PKCS#7 block, and false