All Downloads are FREE. Search and download functionalities are using the official Maven repository.

sun.security.pkcs.SignerInfo Maven / Gradle / Ivy

/*
 * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.pkcs;

import java.io.OutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.security.*;
import java.security.spec.PSSParameterSpec;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import sun.security.provider.SHAKE256;
import sun.security.timestamp.TimestampToken;
import sun.security.util.*;
import sun.security.x509.AlgorithmId;
import sun.security.x509.X500Name;
import sun.security.x509.KeyUsageExtension;

/**
 * A SignerInfo, as defined in PKCS#7's signedData type.
 *
 * @author Benjamin Renaud
 */
public class SignerInfo implements DerEncoder {

    private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK =
            DisabledAlgorithmConstraints.jarConstraints();

    BigInteger version;
    X500Name issuerName;
    BigInteger certificateSerialNumber;
    AlgorithmId digestAlgorithmId;
    AlgorithmId digestEncryptionAlgorithmId;
    byte[] encryptedDigest;
    Timestamp timestamp;
    private boolean hasTimestamp = true;
    private static final Debug debug = Debug.getInstance("jar");

    PKCS9Attributes authenticatedAttributes;
    PKCS9Attributes unauthenticatedAttributes;

    /**
     * A map containing the algorithms in this SignerInfo. This is used to
     * avoid checking algorithms to see if they are disabled more than once.
     * The key is the AlgorithmId of the algorithm, and the value is the name of
     * the field or attribute.
     */
    private Map algorithms = new HashMap<>();

    public SignerInfo(X500Name  issuerName,
                      BigInteger serial,
                      AlgorithmId digestAlgorithmId,
                      AlgorithmId digestEncryptionAlgorithmId,
                      byte[] encryptedDigest) {
        this(issuerName, serial, digestAlgorithmId, null,
                digestEncryptionAlgorithmId, encryptedDigest, null);
    }

    public SignerInfo(X500Name  issuerName,
                      BigInteger serial,
                      AlgorithmId digestAlgorithmId,
                      PKCS9Attributes authenticatedAttributes,
                      AlgorithmId digestEncryptionAlgorithmId,
                      byte[] encryptedDigest,
                      PKCS9Attributes unauthenticatedAttributes) {
        this.version = BigInteger.ONE;
        this.issuerName = issuerName;
        this.certificateSerialNumber = serial;
        this.digestAlgorithmId = digestAlgorithmId;
        this.authenticatedAttributes = authenticatedAttributes;
        this.digestEncryptionAlgorithmId = digestEncryptionAlgorithmId;
        this.encryptedDigest = encryptedDigest;
        this.unauthenticatedAttributes = unauthenticatedAttributes;
    }

    /**
     * Parses a PKCS#7 signer info.
     */
    public SignerInfo(DerInputStream derin)
        throws IOException, ParsingException
    {
        this(derin, false);
    }

    /**
     * Parses a PKCS#7 signer info.
     *
     * 

This constructor is used only for backwards compatibility with * PKCS#7 blocks that were generated using JDK1.1.x. * * @param derin the ASN.1 encoding of the signer info. * @param oldStyle flag indicating whether or not the given signer info * is encoded according to JDK1.1.x. */ public SignerInfo(DerInputStream derin, boolean oldStyle) throws IOException, ParsingException { // version version = derin.getBigInteger(); // issuerAndSerialNumber DerValue[] issuerAndSerialNumber = derin.getSequence(2); if (issuerAndSerialNumber.length != 2) { throw new ParsingException("Invalid length for IssuerAndSerialNumber"); } byte[] issuerBytes = issuerAndSerialNumber[0].toByteArray(); issuerName = new X500Name(new DerValue(DerValue.tag_Sequence, issuerBytes)); certificateSerialNumber = issuerAndSerialNumber[1].getBigInteger(); // digestAlgorithmId DerValue tmp = derin.getDerValue(); digestAlgorithmId = AlgorithmId.parse(tmp); // authenticatedAttributes if (oldStyle) { // In JDK1.1.x, the authenticatedAttributes are always present, // encoded as an empty Set (Set of length zero) derin.getSet(0); } else { // check if set of auth attributes (implicit tag) is provided // (auth attributes are OPTIONAL) if ((byte)(derin.peekByte()) == (byte)0xA0) { authenticatedAttributes = new PKCS9Attributes(derin); } } // digestEncryptionAlgorithmId - little RSA naming scheme - // signature == encryption... tmp = derin.getDerValue(); digestEncryptionAlgorithmId = AlgorithmId.parse(tmp); // encryptedDigest encryptedDigest = derin.getOctetString(); // unauthenticatedAttributes if (oldStyle) { // In JDK1.1.x, the unauthenticatedAttributes are always present, // encoded as an empty Set (Set of length zero) derin.getSet(0); } else { // check if set of unauth attributes (implicit tag) is provided // (unauth attributes are OPTIONAL) if (derin.available() != 0 && (byte)(derin.peekByte()) == (byte)0xA1) { unauthenticatedAttributes = new PKCS9Attributes(derin, true);// ignore unsupported attrs } } // all done if (derin.available() != 0) { throw new ParsingException("extra data at the end"); } // verify CMSAlgorithmProtection checkCMSAlgorithmProtection(); } // CMSAlgorithmProtection verification as described in RFC 6211 private void checkCMSAlgorithmProtection() throws IOException { if (authenticatedAttributes == null) { return; } PKCS9Attribute ap = authenticatedAttributes.getAttribute( PKCS9Attribute.CMS_ALGORITHM_PROTECTION_OID); if (ap == null) { return; } DerValue dv = new DerValue((byte[])ap.getValue()); DerInputStream data = dv.data(); AlgorithmId d = AlgorithmId.parse(data.getDerValue()); DerValue ds = data.getDerValue(); if (data.available() > 0) { throw new IOException("Unknown field in CMSAlgorithmProtection"); } if (!ds.isContextSpecific((byte)1)) { throw new IOException("No signature algorithm in CMSAlgorithmProtection"); } AlgorithmId s = AlgorithmId.parse(ds.withTag(DerValue.tag_Sequence)); if (!s.equals(digestEncryptionAlgorithmId) || !d.equals(digestAlgorithmId)) { throw new IOException("CMSAlgorithmProtection check failed"); } } public void encode(DerOutputStream out) throws IOException { derEncode(out); } /** * DER encode this object onto an output stream. * Implements the {@code DerEncoder} interface. * * @param out * the output stream on which to write the DER encoding. * * @exception IOException on encoding error. */ public void derEncode(OutputStream out) throws IOException { DerOutputStream seq = new DerOutputStream(); seq.putInteger(version); DerOutputStream issuerAndSerialNumber = new DerOutputStream(); issuerName.encode(issuerAndSerialNumber); issuerAndSerialNumber.putInteger(certificateSerialNumber); seq.write(DerValue.tag_Sequence, issuerAndSerialNumber); digestAlgorithmId.encode(seq); // encode authenticated attributes if there are any if (authenticatedAttributes != null) authenticatedAttributes.encode((byte)0xA0, seq); digestEncryptionAlgorithmId.encode(seq); seq.putOctetString(encryptedDigest); // encode unauthenticated attributes if there are any if (unauthenticatedAttributes != null) unauthenticatedAttributes.encode((byte)0xA1, seq); DerOutputStream tmp = new DerOutputStream(); tmp.write(DerValue.tag_Sequence, seq); out.write(tmp.toByteArray()); } /* * Returns the (user) certificate pertaining to this SignerInfo. */ public X509Certificate getCertificate(PKCS7 block) throws IOException { return block.getCertificate(certificateSerialNumber, issuerName); } /* * Returns the certificate chain pertaining to this SignerInfo. */ public ArrayList getCertificateChain(PKCS7 block) throws IOException { X509Certificate userCert; userCert = block.getCertificate(certificateSerialNumber, issuerName); if (userCert == null) return null; ArrayList certList = new ArrayList<>(); certList.add(userCert); X509Certificate[] pkcsCerts = block.getCertificates(); if (pkcsCerts == null || userCert.getSubjectX500Principal().equals(userCert.getIssuerX500Principal())) { return certList; } Principal issuer = userCert.getIssuerX500Principal(); int start = 0; while (true) { boolean match = false; int i = start; while (i < pkcsCerts.length) { if (issuer.equals(pkcsCerts[i].getSubjectX500Principal())) { // next cert in chain found certList.add(pkcsCerts[i]); // if selected cert is self-signed, we're done // constructing the chain if (pkcsCerts[i].getSubjectX500Principal().equals( pkcsCerts[i].getIssuerX500Principal())) { start = pkcsCerts.length; } else { issuer = pkcsCerts[i].getIssuerX500Principal(); X509Certificate tmpCert = pkcsCerts[start]; pkcsCerts[start] = pkcsCerts[i]; pkcsCerts[i] = tmpCert; start++; } match = true; break; } else { i++; } } if (!match) break; } return certList; } /* Returns null if verify fails, this signerInfo if verify succeeds. */ SignerInfo verify(PKCS7 block, byte[] data) throws NoSuchAlgorithmException, SignatureException { try { Timestamp timestamp = null; try { timestamp = getTimestamp(); } catch (Exception e) { // Log exception and continue. This allows for the case // where, if there are no other errors, the code is // signed but w/o a timestamp. if (debug != null) { debug.println("Unexpected exception while getting" + " timestamp: " + e); } } ContentInfo content = block.getContentInfo(); if (data == null) { data = content.getContentBytes(); } String digestAlgName = digestAlgorithmId.getName(); algorithms.put(digestAlgorithmId, "SignerInfo digestAlgorithm field"); byte[] dataSigned; // if there are authenticate attributes, get the message // digest and compare it with the digest of data if (authenticatedAttributes == null) { dataSigned = data; } else { // first, check content type ObjectIdentifier contentType = (ObjectIdentifier) authenticatedAttributes.getAttributeValue( PKCS9Attribute.CONTENT_TYPE_OID); if (contentType == null || !contentType.equals(content.contentType)) return null; // contentType does not match, bad SignerInfo // now, check message digest byte[] messageDigest = (byte[]) authenticatedAttributes.getAttributeValue( PKCS9Attribute.MESSAGE_DIGEST_OID); if (messageDigest == null) // fail if there is no message digest return null; byte[] computedMessageDigest; if (digestAlgName.equals("SHAKE256") || digestAlgName.equals("SHAKE256-LEN")) { if (digestAlgName.equals("SHAKE256-LEN")) { int v = new DerValue(digestAlgorithmId .getEncodedParams()).getInteger(); if (v != 512) { throw new SignatureException( "Unsupported id-shake256-" + v); } } var md = new SHAKE256(64); md.update(data, 0, data.length); computedMessageDigest = md.digest(); } else { MessageDigest md = MessageDigest.getInstance(digestAlgName); computedMessageDigest = md.digest(data); } if (!MessageDigest.isEqual(messageDigest, computedMessageDigest)) { return null; } // message digest attribute matched // digest of original data // the data actually signed is the DER encoding of // the authenticated attributes (tagged with // the "SET OF" tag, not 0xA0). dataSigned = authenticatedAttributes.getDerEncoding(); } // put together digest algorithm and encryption algorithm // to form signing algorithm. See makeSigAlg for details. String sigAlgName = makeSigAlg( digestAlgorithmId, digestEncryptionAlgorithmId, authenticatedAttributes == null); KnownOIDs oid = KnownOIDs.findMatch(sigAlgName); if (oid != null) { AlgorithmId sigAlgId = new AlgorithmId(ObjectIdentifier.of(oid), digestEncryptionAlgorithmId.getParameters()); algorithms.put(sigAlgId, "SignerInfo digestEncryptionAlgorithm field"); } X509Certificate cert = getCertificate(block); if (cert == null) { return null; } PublicKey key = cert.getPublicKey(); if (cert.hasUnsupportedCriticalExtension()) { throw new SignatureException("Certificate has unsupported " + "critical extension(s)"); } // Make sure that if the usage of the key in the certificate is // restricted, it can be used for digital signatures. // XXX We may want to check for additional extensions in the // future. boolean[] keyUsageBits = cert.getKeyUsage(); if (keyUsageBits != null) { KeyUsageExtension keyUsage; try { // We don't care whether or not this extension was marked // critical in the certificate. // We're interested only in its value (i.e., the bits set) // and treat the extension as critical. keyUsage = new KeyUsageExtension(keyUsageBits); } catch (IOException ioe) { throw new SignatureException("Failed to parse keyUsage " + "extension"); } boolean digSigAllowed = keyUsage.get(KeyUsageExtension.DIGITAL_SIGNATURE); boolean nonRepuAllowed = keyUsage.get(KeyUsageExtension.NON_REPUDIATION); if (!digSigAllowed && !nonRepuAllowed) { throw new SignatureException("Key usage restricted: " + "cannot be used for " + "digital signatures"); } } Signature sig = Signature.getInstance(sigAlgName); AlgorithmParameters ap = digestEncryptionAlgorithmId.getParameters(); try { SignatureUtil.initVerifyWithParam(sig, key, SignatureUtil.getParamSpec(sigAlgName, ap)); } catch (ProviderException | InvalidAlgorithmParameterException | InvalidKeyException e) { throw new SignatureException(e.getMessage(), e); } sig.update(dataSigned); if (sig.verify(encryptedDigest)) { return this; } } catch (IOException e) { throw new SignatureException("Error verifying signature", e); } return null; } /** * Derives the signature algorithm name from the digest algorithm * and the encryption algorithm inside a PKCS7 SignerInfo. * * The digest algorithm is in the form "DIG", and the encryption * algorithm can be in any of the 3 forms: * * 1. Old style key algorithm like RSA, DSA, EC, this method returns * DIGwithKEY. * 2. New style signature algorithm in the form of HASHwithKEY, this * method returns DIGwithKEY. Please note this is not HASHwithKEY. * 3. Modern signature algorithm like RSASSA-PSS and EdDSA, this method * returns the signature algorithm itself but ensures digAlgId is * compatible with the algorithm as described in RFC 4056 and 8419. * * @param digAlgId the digest algorithm * @param encAlgId the encryption algorithm * @param directSign whether the signature is calculated on the content * directly. This makes difference for Ed448. */ public static String makeSigAlg(AlgorithmId digAlgId, AlgorithmId encAlgId, boolean directSign) throws NoSuchAlgorithmException { String encAlg = encAlgId.getName(); switch (encAlg) { case "RSASSA-PSS": PSSParameterSpec spec = (PSSParameterSpec) SignatureUtil.getParamSpec(encAlg, encAlgId.getParameters()); if (!AlgorithmId.get(spec.getDigestAlgorithm()).equals(digAlgId)) { throw new NoSuchAlgorithmException("Incompatible digest algorithm"); } return encAlg; case "Ed25519": if (!digAlgId.equals(SignatureUtil.EdDSADigestAlgHolder.sha512)) { throw new NoSuchAlgorithmException("Incompatible digest algorithm"); } return encAlg; case "Ed448": if (directSign) { if (!digAlgId.equals(SignatureUtil.EdDSADigestAlgHolder.shake256)) { throw new NoSuchAlgorithmException("Incompatible digest algorithm"); } } else { if (!digAlgId.equals(SignatureUtil.EdDSADigestAlgHolder.shake256$512)) { throw new NoSuchAlgorithmException("Incompatible digest algorithm"); } } return encAlg; default: String digAlg = digAlgId.getName(); String keyAlg = SignatureUtil.extractKeyAlgFromDwithE(encAlg); if (keyAlg == null) { // The encAlg used to be only the key alg keyAlg = encAlg; } if (digAlg.startsWith("SHA-")) { digAlg = "SHA" + digAlg.substring(4); } if (keyAlg.equals("EC")) keyAlg = "ECDSA"; return digAlg + "with" + keyAlg; } } /* Verify the content of the pkcs7 block. */ SignerInfo verify(PKCS7 block) throws NoSuchAlgorithmException, SignatureException { return verify(block, null); } public BigInteger getVersion() { return version; } public X500Name getIssuerName() { return issuerName; } public BigInteger getCertificateSerialNumber() { return certificateSerialNumber; } public AlgorithmId getDigestAlgorithmId() { return digestAlgorithmId; } public PKCS9Attributes getAuthenticatedAttributes() { return authenticatedAttributes; } public AlgorithmId getDigestEncryptionAlgorithmId() { return digestEncryptionAlgorithmId; } public byte[] getEncryptedDigest() { return encryptedDigest; } public PKCS9Attributes getUnauthenticatedAttributes() { return unauthenticatedAttributes; } /** * Returns the timestamp PKCS7 data unverified. * @return a PKCS7 object */ public PKCS7 getTsToken() throws IOException { if (unauthenticatedAttributes == null) { return null; } PKCS9Attribute tsTokenAttr = unauthenticatedAttributes.getAttribute( PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID); if (tsTokenAttr == null) { return null; } return new PKCS7((byte[])tsTokenAttr.getValue()); } /* * Extracts a timestamp from a PKCS7 SignerInfo. * * Examines the signer's unsigned attributes for a * {@code signatureTimestampToken} attribute. If present, * then it is parsed to extract the date and time at which the * timestamp was generated. * * @param info A signer information element of a PKCS 7 block. * * @return A timestamp token or null if none is present. * @throws IOException if an error is encountered while parsing the * PKCS7 data. * @throws NoSuchAlgorithmException if an error is encountered while * verifying the PKCS7 object. * @throws SignatureException if an error is encountered while * verifying the PKCS7 object. * @throws CertificateException if an error is encountered while generating * the TSA's certpath. */ public Timestamp getTimestamp() throws IOException, NoSuchAlgorithmException, SignatureException, CertificateException { if (timestamp != null || !hasTimestamp) return timestamp; PKCS7 tsToken = getTsToken(); if (tsToken == null) { hasTimestamp = false; return null; } // Extract the content (an encoded timestamp token info) byte[] encTsTokenInfo = tsToken.getContentInfo().getData(); // Extract the signer (the Timestamping Authority) // while verifying the content SignerInfo[] tsa = tsToken.verify(encTsTokenInfo); if (tsa == null || tsa.length == 0) { throw new SignatureException("Unable to verify timestamp"); } // Expect only one signer ArrayList chain = tsa[0].getCertificateChain(tsToken); CertificateFactory cf = CertificateFactory.getInstance("X.509"); CertPath tsaChain = cf.generateCertPath(chain); // Create a timestamp token info object TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo); // Check that the signature timestamp applies to this signature verifyTimestamp(tsTokenInfo); algorithms.putAll(tsa[0].algorithms); // Create a timestamp object timestamp = new Timestamp(tsTokenInfo.getDate(), tsaChain); return timestamp; } /* * Check that the signature timestamp applies to this signature. * Match the hash present in the signature timestamp token against the hash * of this signature. */ private void verifyTimestamp(TimestampToken token) throws NoSuchAlgorithmException, SignatureException { AlgorithmId digestAlgId = token.getHashAlgorithm(); algorithms.put(digestAlgId, "TimestampToken digestAlgorithm field"); MessageDigest md = MessageDigest.getInstance(digestAlgId.getName()); if (!MessageDigest.isEqual(token.getHashedMessage(), md.digest(encryptedDigest))) { throw new SignatureException("Signature timestamp (#" + token.getSerialNumber() + ") generated on " + token.getDate() + " is inapplicable"); } if (debug != null) { debug.println(); debug.println("Detected signature timestamp (#" + token.getSerialNumber() + ") generated on " + token.getDate()); debug.println(); } } public String toString() { HexDumpEncoder hexDump = new HexDumpEncoder(); String out = ""; out += "Signer Info for (issuer): " + issuerName + "\n"; out += "\tversion: " + Debug.toHexString(version) + "\n"; out += "\tcertificateSerialNumber: " + Debug.toHexString(certificateSerialNumber) + "\n"; out += "\tdigestAlgorithmId: " + digestAlgorithmId + "\n"; if (authenticatedAttributes != null) { out += "\tauthenticatedAttributes: " + authenticatedAttributes + "\n"; } out += "\tdigestEncryptionAlgorithmId: " + digestEncryptionAlgorithmId + "\n"; out += "\tencryptedDigest: " + "\n" + hexDump.encodeBuffer(encryptedDigest) + "\n"; if (unauthenticatedAttributes != null) { out += "\tunauthenticatedAttributes: " + unauthenticatedAttributes + "\n"; } return out; } /** * Verify all of the algorithms in the array of SignerInfos against the * constraints in the jdk.jar.disabledAlgorithms security property. * * @param infos array of SignerInfos * @param params constraint parameters * @param name the name of the signer's PKCS7 file * @return a set of algorithms that passed the checks and are not disabled */ public static Set verifyAlgorithms(SignerInfo[] infos, JarConstraintsParameters params, String name) throws SignatureException { Map algorithms = new HashMap<>(); for (SignerInfo info : infos) { algorithms.putAll(info.algorithms); } Set enabledAlgorithms = new HashSet<>(); try { for (Map.Entry algorithm : algorithms.entrySet()) { params.setExtendedExceptionMsg(name, algorithm.getValue()); AlgorithmId algId = algorithm.getKey(); JAR_DISABLED_CHECK.permits(algId.getName(), algId.getParameters(), params); enabledAlgorithms.add(algId.getName()); } } catch (CertPathValidatorException e) { throw new SignatureException(e); } return enabledAlgorithms; } }





© 2015 - 2025 Weber Informatics LLC | Privacy Policy