/*
* This file is part of rockframework.
*
* rockframework is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* rockframework is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>;.
*/
package br.net.woodstock.rockframework.security.sign.impl;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignatureAlgorithmNameGenerator;
import org.bouncycastle.cms.CMSSignerDigestMismatchException;
import org.bouncycastle.cms.DefaultCMSSignatureAlgorithmNameGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationVerifier;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.SignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.CollectionStore;
import br.net.woodstock.rockframework.core.RockFrameworkLogger;
import br.net.woodstock.rockframework.security.cert.util.Certificates;
import br.net.woodstock.rockframework.security.digest.DigestType;
import br.net.woodstock.rockframework.security.digest.Digester;
import br.net.woodstock.rockframework.security.digest.impl.BasicDigester;
import br.net.woodstock.rockframework.security.util.BouncyCastleProviderHelper;
abstract class BouncyCastleSignerHelper {
private BouncyCastleSignerHelper() {
//
}
public static DigestType getDigestTypeFromOid(final String oid) {
if (PKCSObjectIdentifiers.md2.getId().equals(oid)) {
return DigestType.MD2;
}
if (PKCSObjectIdentifiers.md5.getId().equals(oid)) {
return DigestType.MD5;
}
if (OIWObjectIdentifiers.idSHA1.getId().equals(oid)) {
return DigestType.SHA1;
}
if (NISTObjectIdentifiers.id_sha256.getId().equals(oid)) {
return DigestType.SHA_256;
}
if (NISTObjectIdentifiers.id_sha384.getId().equals(oid)) {
return DigestType.SHA_384;
}
if (NISTObjectIdentifiers.id_sha512.getId().equals(oid)) {
return DigestType.SHA_512;
}
return null;
}
@SuppressWarnings("rawtypes")
public static boolean verifySignature(final SignerInformation signerInformation, final CollectionStore certificatesStore, final byte[] data, final boolean detached) throws IOException, CMSException, OperatorCreationException {
Collection collection = certificatesStore.getMatches(null);
boolean verified = true;
if (!collection.isEmpty()) {
Object obj = collection.iterator().next(); // Only first cert
Certificate cert = null;
if (obj instanceof Certificate) {
cert = (Certificate) obj;
} else if (obj instanceof X509CertificateHolder) {
X509CertificateHolder holder = (X509CertificateHolder) obj;
cert = Certificates.get(holder.getEncoded());
} else {
RockFrameworkLogger.getLogger().warn("Unhandled certificate from store '" + obj.getClass().getCanonicalName() + "'");
}
if (cert != null) {
SignerInformationVerifier signerInformationVerifier = null;
if (detached) {
JcaSimpleSignerInfoVerifierBuilder builder = new JcaSimpleSignerInfoVerifierBuilder();
builder.setProvider(BouncyCastleProviderHelper.PROVIDER_NAME);
signerInformationVerifier = builder.build((X509Certificate) cert);
} else {
JcaContentVerifierProviderBuilder jcaContentVerifierProviderBuilder = new JcaContentVerifierProviderBuilder();
jcaContentVerifierProviderBuilder.setProvider(BouncyCastleProviderHelper.PROVIDER_NAME);
ContentVerifierProvider contentVerifierProvider = jcaContentVerifierProviderBuilder.build((X509Certificate) cert);
JcaDigestCalculatorProviderBuilder digestCalculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder();
digestCalculatorProviderBuilder.setProvider(BouncyCastleProviderHelper.PROVIDER_NAME);
DigestCalculatorProvider digestCalculatorProvider = digestCalculatorProviderBuilder.build();
SignatureAlgorithmIdentifierFinder signatureAlgorithmIdentifierFinder = new DefaultSignatureAlgorithmIdentifierFinder();
CMSSignatureAlgorithmNameGenerator signatureAlgorithmNameGenerator = new DefaultCMSSignatureAlgorithmNameGenerator();
signerInformationVerifier = new SignerInformationVerifier(signatureAlgorithmNameGenerator, signatureAlgorithmIdentifierFinder, contentVerifierProvider, digestCalculatorProvider);
}
try {
verified = signerInformation.verify(signerInformationVerifier);
} catch (CMSSignerDigestMismatchException e) {
RockFrameworkLogger.getLogger().debug(e.getMessage(), e);
verified = false;
}
if ((!detached) && (verified)) {
byte[] contentDigest = signerInformation.getContentDigest();
AlgorithmIdentifier algorithmOID = signerInformation.getDigestAlgorithmID();
DigestType type = BouncyCastleSignerHelper.getDigestTypeFromOid(algorithmOID.getAlgorithm().getId());
Digester digester = new BasicDigester(type);
byte[] dataDigest = digester.digest(data);
if (!MessageDigest.isEqual(contentDigest, dataDigest)) {
verified = false;
}
}
}
}
return verified;
}
}