All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.bouncycastle.tsp.TimeStampTokenGenerator Maven / Gradle / Ivy

There is a newer version: 2.0.0.0-RC3
Show newest version
package org.bouncycastle.tsp;

import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.SimpleTimeZone;

import org.bouncycastle.asn1.ASN1Boolean;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.LocaleUtil;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.ess.ESSCertID;
import org.bouncycastle.asn1.ess.ESSCertIDv2;
import org.bouncycastle.asn1.ess.SigningCertificate;
import org.bouncycastle.asn1.ess.SigningCertificateV2;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.tsp.Accuracy;
import org.bouncycastle.asn1.tsp.MessageImprint;
import org.bouncycastle.asn1.tsp.TSTInfo;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.IssuerSerial;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSAttributeTableGenerationException;
import org.bouncycastle.cms.CMSAttributeTableGenerator;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.SignerInfoGenerator;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.util.CollectionStore;
import org.bouncycastle.util.Store;

/**
 * Currently the class supports ESSCertID by if a digest calculator based on SHA1 is passed in, otherwise it uses
 * ESSCertIDv2. In the event you need to pass both types, you will need to override the SignedAttributeGenerator
 * for the SignerInfoGeneratorBuilder you are using. For the default for ESSCertIDv2 the code will look something
 * like the following:
 * 
 * final ESSCertID essCertid = new ESSCertID(certHashSha1, issuerSerial);
 * final ESSCertIDv2 essCertidV2 = new ESSCertIDv2(certHashSha256, issuerSerial);
 *
 * signerInfoGenBuilder.setSignedAttributeGenerator(new CMSAttributeTableGenerator()
 * {
 *     public AttributeTable getAttributes(Map parameters)
 *         throws CMSAttributeTableGenerationException
 *     {
 *         CMSAttributeTableGenerator attrGen = new DefaultSignedAttributeTableGenerator();
 *
 *         AttributeTable table = attrGen.getAttributes(parameters);
 *
 *         table = table.add(PKCSObjectIdentifiers.id_aa_signingCertificate, new SigningCertificate(essCertid));
 *         table = table.add(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new SigningCertificateV2(essCertidV2));
 *
 *         return table;
 *     }
 * });
 * 
*/ public class TimeStampTokenGenerator { /** * Create time-stamps with a resolution of 1 second (the default). */ public static final int R_SECONDS = 0; /** * Create time-stamps with a resolution of 1 tenth of a second. */ public static final int R_TENTHS_OF_SECONDS = 1; /** * Create time-stamps with a resolution of 1 hundredth of a second. */ public static final int R_HUNDREDTHS_OF_SECONDS = 2; /** * @deprecated use R_HUNDREDTHS_OF_SECONDS - this field will be deleted!! */ public static final int R_MICROSECONDS = 2; /** * Create time-stamps with a resolution of 1 millisecond. */ public static final int R_MILLISECONDS = 3; private int resolution = R_SECONDS; private Locale locale = null; // default locale private int accuracySeconds = -1; private int accuracyMillis = -1; private int accuracyMicros = -1; boolean ordering = false; GeneralName tsa = null; private ASN1ObjectIdentifier tsaPolicyOID; private List certs = new ArrayList(); private List crls = new ArrayList(); private List attrCerts = new ArrayList(); private Map otherRevoc = new HashMap(); private SignerInfoGenerator signerInfoGen; /** * Basic Constructor - set up a calculator based on signerInfoGen with a ESSCertID calculated from * the signer's associated certificate using the sha1DigestCalculator. If alternate values are required * for id-aa-signingCertificate they should be added to the signerInfoGen object before it is passed in, * otherwise a standard digest based value will be added. * * @param signerInfoGen the generator for the signer we are using. * @param digestCalculator calculator for to use for digest of certificate. * @param tsaPolicy tasPolicy to send. * @throws IllegalArgumentException if calculator is not SHA-1 or there is no associated certificate for the signer, * @throws TSPException if the signer certificate cannot be processed. */ public TimeStampTokenGenerator( final SignerInfoGenerator signerInfoGen, DigestCalculator digestCalculator, ASN1ObjectIdentifier tsaPolicy) throws IllegalArgumentException, TSPException { this(signerInfoGen, digestCalculator, tsaPolicy, false); } /** * Basic Constructor - set up a calculator based on signerInfoGen with a ESSCertID calculated from * the signer's associated certificate using the sha1DigestCalculator. If alternate values are required * for id-aa-signingCertificate they should be added to the signerInfoGen object before it is passed in, * otherwise a standard digest based value will be added. * * @param signerInfoGen the generator for the signer we are using. * @param digestCalculator calculator for to use for digest of certificate. * @param tsaPolicy tasPolicy to send. * @param isIssuerSerialIncluded should issuerSerial be included in the ESSCertIDs, true if yes, by default false. * @throws IllegalArgumentException if calculator is not SHA-1 or there is no associated certificate for the signer, * @throws TSPException if the signer certificate cannot be processed. */ public TimeStampTokenGenerator( final SignerInfoGenerator signerInfoGen, DigestCalculator digestCalculator, ASN1ObjectIdentifier tsaPolicy, boolean isIssuerSerialIncluded) throws IllegalArgumentException, TSPException { this.signerInfoGen = signerInfoGen; this.tsaPolicyOID = tsaPolicy; if (!signerInfoGen.hasAssociatedCertificate()) { throw new IllegalArgumentException("SignerInfoGenerator must have an associated certificate"); } X509CertificateHolder assocCert = signerInfoGen.getAssociatedCertificate(); TSPUtil.validateCertificate(assocCert); try { OutputStream dOut = digestCalculator.getOutputStream(); dOut.write(assocCert.getEncoded()); dOut.close(); if (digestCalculator.getAlgorithmIdentifier().getAlgorithm().equals(OIWObjectIdentifiers.idSHA1)) { final ESSCertID essCertid = new ESSCertID(digestCalculator.getDigest(), isIssuerSerialIncluded ? new IssuerSerial(new GeneralNames(new GeneralName(assocCert.getIssuer())), assocCert.getSerialNumber()) : null); this.signerInfoGen = new SignerInfoGenerator(signerInfoGen, new CMSAttributeTableGenerator() { public AttributeTable getAttributes(Map parameters) throws CMSAttributeTableGenerationException { AttributeTable table = signerInfoGen.getSignedAttributeTableGenerator().getAttributes(parameters); if (table.get(PKCSObjectIdentifiers.id_aa_signingCertificate) == null) { return table.add(PKCSObjectIdentifiers.id_aa_signingCertificate, new SigningCertificate(essCertid)); } return table; } }, signerInfoGen.getUnsignedAttributeTableGenerator()); } else { AlgorithmIdentifier digAlgID = new AlgorithmIdentifier(digestCalculator.getAlgorithmIdentifier().getAlgorithm()); final ESSCertIDv2 essCertid = new ESSCertIDv2(digAlgID, digestCalculator.getDigest(), isIssuerSerialIncluded ? new IssuerSerial(new GeneralNames(new GeneralName(assocCert.getIssuer())), new ASN1Integer(assocCert.getSerialNumber())) : null); this.signerInfoGen = new SignerInfoGenerator(signerInfoGen, new CMSAttributeTableGenerator() { public AttributeTable getAttributes(Map parameters) throws CMSAttributeTableGenerationException { AttributeTable table = signerInfoGen.getSignedAttributeTableGenerator().getAttributes(parameters); if (table.get(PKCSObjectIdentifiers.id_aa_signingCertificateV2) == null) { return table.add(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new SigningCertificateV2(essCertid)); } return table; } }, signerInfoGen.getUnsignedAttributeTableGenerator()); } } catch (IOException e) { throw new TSPException("Exception processing certificate.", e); } } /** * Add the store of X509 Certificates to the generator. * * @param certStore a Store containing X509CertificateHolder objects */ public void addCertificates( Store certStore) { certs.addAll(certStore.getMatches(null)); } /** * * @param crlStore a Store containing X509CRLHolder objects. */ public void addCRLs( Store crlStore) { crls.addAll(crlStore.getMatches(null)); } /** * * @param attrStore a Store containing X509AttributeCertificate objects. */ public void addAttributeCertificates( Store attrStore) { attrCerts.addAll(attrStore.getMatches(null)); } /** * Add a Store of otherRevocationData to the CRL set to be included with the generated TimeStampToken. * * @param otherRevocationInfoFormat the OID specifying the format of the otherRevocationInfo data. * @param otherRevocationInfos a Store of otherRevocationInfo data to add. */ public void addOtherRevocationInfo( ASN1ObjectIdentifier otherRevocationInfoFormat, Store otherRevocationInfos) { otherRevoc.put(otherRevocationInfoFormat, otherRevocationInfos.getMatches(null)); } /** * Set the resolution of the time stamp - R_SECONDS (the default), R_TENTH_OF_SECONDS, R_MICROSECONDS, R_MILLISECONDS * * @param resolution resolution of timestamps to be produced. */ public void setResolution(int resolution) { this.resolution = resolution; } /** * Set a Locale for time creation - you may need to use this if the default locale * doesn't use a Gregorian calender so that the GeneralizedTime produced is compatible with other ASN.1 implementations. * * @param locale a locale to use for converting system time into a GeneralizedTime. */ public void setLocale(Locale locale) { this.locale = locale; } public void setAccuracySeconds(int accuracySeconds) { this.accuracySeconds = accuracySeconds; } public void setAccuracyMillis(int accuracyMillis) { this.accuracyMillis = accuracyMillis; } public void setAccuracyMicros(int accuracyMicros) { this.accuracyMicros = accuracyMicros; } public void setOrdering(boolean ordering) { this.ordering = ordering; } public void setTSA(GeneralName tsa) { this.tsa = tsa; } /** * Generate a TimeStampToken for the passed in request and serialNumber marking it with the passed in genTime. * * @param request the originating request. * @param serialNumber serial number for the TimeStampToken * @param genTime token generation time. * @return a TimeStampToken * @throws TSPException */ public TimeStampToken generate( TimeStampRequest request, BigInteger serialNumber, Date genTime) throws TSPException { return generate(request, serialNumber, genTime, null); } /** * Generate a TimeStampToken for the passed in request and serialNumber marking it with the passed in genTime. * * @param request the originating request. * @param serialNumber serial number for the TimeStampToken * @param genTime token generation time. * @param additionalExtensions extra extensions to be added to the response token. * @return a TimeStampToken * @throws TSPException */ public TimeStampToken generate( TimeStampRequest request, BigInteger serialNumber, Date genTime, Extensions additionalExtensions) throws TSPException { AlgorithmIdentifier algID = request.getMessageImprintAlgID(); MessageImprint messageImprint = new MessageImprint(algID, request.getMessageImprintDigest()); Accuracy accuracy = null; if (accuracySeconds > 0 || accuracyMillis > 0 || accuracyMicros > 0) { ASN1Integer seconds = null; if (accuracySeconds > 0) { seconds = new ASN1Integer(accuracySeconds); } ASN1Integer millis = null; if (accuracyMillis > 0) { millis = new ASN1Integer(accuracyMillis); } ASN1Integer micros = null; if (accuracyMicros > 0) { micros = new ASN1Integer(accuracyMicros); } accuracy = new Accuracy(seconds, millis, micros); } ASN1Boolean derOrdering = null; if (ordering) { derOrdering = ASN1Boolean.getInstance(ordering); } ASN1Integer nonce = null; if (request.getNonce() != null) { nonce = new ASN1Integer(request.getNonce()); } ASN1ObjectIdentifier tsaPolicy = tsaPolicyOID; if (request.getReqPolicy() != null) { tsaPolicy = request.getReqPolicy(); } Extensions respExtensions = request.getExtensions(); if (additionalExtensions != null) { ExtensionsGenerator extGen = new ExtensionsGenerator(); if (respExtensions != null) { for (Enumeration en = respExtensions.oids(); en.hasMoreElements(); ) { extGen.addExtension(respExtensions.getExtension(ASN1ObjectIdentifier.getInstance(en.nextElement()))); } } for (Enumeration en = additionalExtensions.oids(); en.hasMoreElements(); ) { extGen.addExtension(additionalExtensions.getExtension(ASN1ObjectIdentifier.getInstance(en.nextElement()))); } respExtensions = extGen.generate(); } ASN1GeneralizedTime timeStampTime; if (resolution == R_SECONDS) { timeStampTime = (locale == null) ? new ASN1GeneralizedTime(genTime) : new ASN1GeneralizedTime(genTime, locale); } else { timeStampTime = createGeneralizedTime(genTime); } TSTInfo tstInfo = new TSTInfo(tsaPolicy, messageImprint, new ASN1Integer(serialNumber), timeStampTime, accuracy, derOrdering, nonce, tsa, respExtensions); try { CMSSignedDataGenerator signedDataGenerator = new CMSSignedDataGenerator(); if (request.getCertReq()) { // TODO: do we need to check certs non-empty? signedDataGenerator.addCertificates(new CollectionStore(certs)); signedDataGenerator.addAttributeCertificates(new CollectionStore(attrCerts)); } signedDataGenerator.addCRLs(new CollectionStore(crls)); if (!otherRevoc.isEmpty()) { for (Iterator it = otherRevoc.keySet().iterator(); it.hasNext();) { ASN1ObjectIdentifier format = (ASN1ObjectIdentifier)it.next(); signedDataGenerator.addOtherRevocationInfo(format, new CollectionStore((Collection)otherRevoc.get(format))); } } signedDataGenerator.addSignerInfoGenerator(signerInfoGen); byte[] derEncodedTSTInfo = tstInfo.getEncoded(ASN1Encoding.DER); CMSSignedData signedData = signedDataGenerator.generate(new CMSProcessableByteArray(PKCSObjectIdentifiers.id_ct_TSTInfo, derEncodedTSTInfo), true); return new TimeStampToken(signedData); } catch (CMSException cmsEx) { throw new TSPException("Error generating time-stamp token", cmsEx); } catch (IOException e) { throw new TSPException("Exception encoding info", e); } } // we need to produce a correct DER encoding GeneralizedTime here as the BC ASN.1 library doesn't handle this properly yet. private ASN1GeneralizedTime createGeneralizedTime(Date time) throws TSPException { String format = "yyyyMMddHHmmss.SSS"; SimpleDateFormat dateF = (locale == null) ? new SimpleDateFormat(format, LocaleUtil.EN_Locale) : new SimpleDateFormat(format, locale); dateF.setTimeZone(new SimpleTimeZone(0, "Z")); StringBuilder sBuild = new StringBuilder(dateF.format(time)); int dotIndex = sBuild.indexOf("."); if (dotIndex < 0) { // came back in seconds only, just return sBuild.append("Z"); return new ASN1GeneralizedTime(sBuild.toString()); } // trim to resolution switch (resolution) { case R_TENTHS_OF_SECONDS: if (sBuild.length() > dotIndex + 2) { sBuild.delete(dotIndex + 2, sBuild.length()); } break; case R_HUNDREDTHS_OF_SECONDS: if (sBuild.length() > dotIndex + 3) { sBuild.delete(dotIndex + 3, sBuild.length()); } break; case R_MILLISECONDS: // do nothing break; default: throw new TSPException("unknown time-stamp resolution: " + resolution); } // remove trailing zeros while (sBuild.charAt(sBuild.length() - 1) == '0') { sBuild.deleteCharAt(sBuild.length() - 1); } if (sBuild.length() - 1 == dotIndex) { sBuild.deleteCharAt(sBuild.length() - 1); } sBuild.append("Z"); return new ASN1GeneralizedTime(sBuild.toString()); } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy