public class CounterSignature extends iaik.asn1.structures.AttributeValue
The Cryptographic Message Syntax (CMS) (RFC 5652) specifies the CounterSignature attribute, which may be included as an unsigned attribute in a SignerInfo for counter signing (signing in serial) the signature value of a SignerInfo included in a SignedData. The value of a CounterSignature attribute itself is a SignerInfo:

```
CounterSignature ::= SignerInfo

id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
```
Since a CounterSignature is itself a SignerInfo, CounterSignature objects may be created and supplied with attributes in a similar way as ordinary SignerInfos (note that the content-type attribute is not required, since a counter signature has no content type). However, whereas signing and verifying of ordinary SignerInfos usually is controlled by the SignedData(Stream) object they belong to, an application explicitly has to call the proper counterSign or verify method, specifying the signature value, SignerInfo or other CounterSignature object to be counter signed, e.g.:

```java
// the SignerInfo to be counter signed:
SignerInfo signerInfo = ...;
// the cert of the counter signer
X509Certificate counterCert = ...;
// the private key of the counter signer:
PrivateKey counterKey = ...;
// create a CounterSignature for the counter signer:
CounterSignature counterSignature = new CounterSignature(new IssuerAndSerialNumber(counterCert),
                                                         AlgorithmID.sha256,
                                                         counterKey);
...
// add any attributes, if required
...
// now counter sign the SignerInfo
counterSignature.counterSign(signerInfo);
// and add the counter signature as unsigned attribute
Attribute[] unsignedAttributes = new Attribute[] { new Attribute(counterSignature) };
signerInfo.addUnsignedAttributes(unsignedAttributes);
...
```

On the verification end get the CounterSignature unsigned attribute and call the proper verify method, specifying the signature value, SignerInfo or other CounterSignature object to be "counter" verified, e.g.:

```java
// the SignerInfo parsed from a SignedData
SignerInfo signerInfo = ...;
// look for a CounterSignature attribute
Attribute counterSignatureAttribute = signerInfo.getUnsignedAttribute(ObjectID.countersignature);
if (counterSignatureAttribute != null) {
  // check for any included CounterSignature
  AttributeValue[] counterSignatures = counterSignatureAttribute.getAttributeValues();
  System.out.println("This SignerInfo is counter signed from: ");
  // may have more than one value
  for (int j = 0; j < counterSignatures.length; j++) {
    CounterSignature counterSignature = (CounterSignature)counterSignatures[j];
    try {
      // counterCert: the certificate of the counter signer (see isSignerCertificate)
      if (counterSignature.verify(counterCert.getPublicKey(), signerInfo)) {
        System.out.println("Signature OK from counter signer: " + counterSignature.getSignerIdentifier());
      } else {
        System.out.println("Signature ERROR from counter signer: " + counterSignature.getSignerIdentifier());
      }
    } catch (SignatureException ex) {
      System.out.println("Signature ERROR from counter signer: " + counterSignature.getSignerIdentifier());
    }
  }
}
```
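As an added example (not code from the IAIK-CMS library or its documentation), the following helper verifies every CounterSignature attached to a SignerInfo, including counter signatures that are themselves counter signed, and binds each one to a certificate through isSignerCertificate instead of assuming an already known counterCert. It assumes the CMS classes live in the iaik.cms package and that the caller supplies the candidate certificates (for instance those carried in the SignedData, after path validation); CounterSignatureChecker and Result are hypothetical names introduced here.

```java
import java.security.PublicKey;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.List;
import iaik.asn1.CodingException;
import iaik.asn1.structures.Attribute;
import iaik.asn1.structures.AttributeValue;
import iaik.cms.CMSException;          // package assumed to be iaik.cms
import iaik.cms.CounterSignature;
import iaik.cms.SignerInfo;
import iaik.x509.X509Certificate;

/** Hypothetical helper (not part of IAIK-CMS): walks the counter signature chain of a SignerInfo. */
public final class CounterSignatureChecker {

  /** Outcome for one counter signature; depth 0 signs the SignerInfo, depth 1 signs a depth-0 one, etc. */
  public static final class Result {
    public final int depth; public final boolean valid;
    public final String signer, detail;
    Result(int depth, String signer, boolean valid, String detail) {
      this.depth = depth; this.signer = signer; this.valid = valid; this.detail = detail;
    }
  }

  // Certificates the caller accepts as counter signer certificates (assumed to be supplied by the
  // caller, e.g. taken from the SignedData and already path-validated against a trust anchor).
  private final X509Certificate[] candidateCerts;

  public CounterSignatureChecker(X509Certificate[] candidateCerts) {
    this.candidateCerts = candidateCerts;
  }

  /** Verifies all CounterSignature values attached to signerInfo, recursing into nested ones. */
  public List<Result> check(SignerInfo signerInfo) throws CMSException, CodingException {
    List<Result> results = new ArrayList<Result>();
    // CounterSignature is always an unsigned attribute: it is applied after the signature exists.
    Attribute attr = signerInfo.getUnsignedAttribute(CounterSignature.oid);
    if (attr != null) {
      for (AttributeValue value : attr.getAttributeValues()) {   // an attribute may carry several values
        walk((CounterSignature) value, signerInfo, null, 0, results);
      }
    }
    return results;
  }

  /** Verifies cs over what it counter signed (parentInfo at depth 0, parentCs below), then descends. */
  private void walk(CounterSignature cs, SignerInfo parentInfo, CounterSignature parentCs,
                    int depth, List<Result> out) throws CMSException, CodingException {
    String signer = String.valueOf(cs.getSignerIdentifier());
    X509Certificate cert = findSignerCert(cs);
    if (cert == null) {
      // Without a certificate bound to the signerIdentifier (and SigningCertificate[V2], if present)
      // there is no key to verify with; report that rather than guessing a key.
      out.add(new Result(depth, signer, false, "no candidate certificate identifies this counter signer"));
    } else {
      try {
        PublicKey key = cert.getPublicKey();
        // Pick the verify overload matching the object this counter signature was computed over.
        boolean ok = (parentCs == null) ? cs.verify(key, parentInfo) : cs.verify(key, parentCs);
        out.add(new Result(depth, signer, ok, ok ? "signature verifies" : "signature does not verify"));
      } catch (SignatureException e) {
        out.add(new Result(depth, signer, false, "verification failed: " + e.getMessage()));
      }
    }
    // A CounterSignature is itself a SignerInfo and may in turn carry CounterSignature attributes.
    Attribute nested = cs.getUnsignedAttribute(CounterSignature.oid);
    if (nested != null) {
      for (AttributeValue value : nested.getAttributeValues()) {
        walk((CounterSignature) value, null, cs, depth + 1, out);
      }
    }
  }

  /** Returns the first candidate that isSignerCertificate() accepts, or null. */
  private X509Certificate findSignerCert(CounterSignature cs) throws CMSException {
    for (X509Certificate cert : candidateCerts) {
      if (cs.isSignerCertificate(cert)) return cert;
    }
    return null;
  }
}
```

A counter signature whose certificate cannot be bound is reported as invalid at its depth, and nested counter signatures are still walked so that a report covers the whole chain.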
See also: SignedData, SignedDataStream, SignerInfo
Modifier and Type | Field | Description
---|---|---
static iaik.asn1.ObjectID | oid | The attributeType object identifier of the CMS CounterSignature attribute.
Constructor | Description
---|---
CounterSignature() | Default constructor.
CounterSignature(iaik.asn1.ASN1Object obj) | Creates a CMS CounterSignature from an ASN1Object.
CounterSignature(CertificateIdentifier signerIdentifier, iaik.asn1.structures.AlgorithmID digestAlgorithm, iaik.asn1.structures.AlgorithmID signatureAlgorithm, java.security.PrivateKey privateKey) | Creates a new CounterSignature from the given signerIdentifier, digest algorithm ID, signature algorithm ID, and the signer private key.
CounterSignature(CertificateIdentifier signerIdentifier, iaik.asn1.structures.AlgorithmID digestAlgorithm, java.security.PrivateKey privateKey) | Creates a new CounterSignature from the given signerIdentifier, digest algorithm ID, and the counter signer private key.
Modifier and Type | Method | Description
---|---|---
void | addSignedAttribute(iaik.asn1.structures.Attribute attribute) | Adds the given attribute to the set of signed attributes.
void | addSignedAttributes(iaik.asn1.structures.Attribute[] attributes) | Adds the given attributes to the set of signed attributes.
void | addUnsignedAttribute(iaik.asn1.structures.Attribute attribute) | Adds the given attribute to the set of unsigned attributes.
void | addUnsignedAttributes(iaik.asn1.structures.Attribute[] attributes) | Adds the given attributes to the set of unsigned attributes.
void | counterSign(byte[] signatureToBeCounterSigned) | Counter signs the given signature value.
void | counterSign(CounterSignature counterSignature) | Counter signs the given CounterSignature.
void | counterSign(SignerInfo signerInfo) | Counter signs the given SignerInfo.
void | decode(iaik.asn1.ASN1Object obj) | Decodes the given ASN.1 CounterSignature object for parsing the internal structure.
iaik.asn1.ObjectID | getAttributeType() | Returns the OID identifying the CMS CounterSignature attribute type.
iaik.asn1.structures.AlgorithmID | getDigestAlgorithm() | Returns the AlgorithmID of the message-digest algorithm that has been used for digesting the content and any signed attributes.
SecurityProvider | getSecurityProvider() | Gets the SecurityProvider installed for this CounterSignature.
iaik.asn1.structures.AlgorithmID | getSignatureAlgorithm() | Returns the signature algorithm used for calculating the signature and associated information with the signer private key.
byte[] | getSignatureValue() | Returns the signature value.
iaik.asn1.structures.Attribute | getSignedAttribute(iaik.asn1.ObjectID oid) | Returns the first signed attribute matching the given ObjectID, if included in this CounterSignature object.
iaik.asn1.structures.Attribute[] | getSignedAttributes() | Returns a set of attributes that are signed by the signer.
iaik.asn1.structures.Attribute[] | getSignedAttributes(iaik.asn1.ObjectID oid) | Returns all signed attributes matching the given attribute type, if included in this CounterSignature object.
iaik.asn1.structures.AttributeValue | getSignedAttributeValue(iaik.asn1.ObjectID oid) | Returns the attribute value of a single valued signed attribute with the given type.
byte[] | getSignedDigest() | Returns the message digest included in the signed attributes.
CertificateIdentifier | getSignerIdentifier() | Returns information about the signer certificate.
SigningCertificate | getSigningCertificateAttribute() | Gets the SigningCertificate attribute, if included.
SigningCertificateV2 | getSigningCertificateV2Attribute() | Gets the SigningCertificateV2 attribute, if included.
iaik.asn1.structures.Attribute | getUnsignedAttribute(iaik.asn1.ObjectID oid) | Returns the first unsigned attribute matching the given ObjectID, if included in this CounterSignature object.
iaik.asn1.structures.Attribute[] | getUnsignedAttributes() | Returns a set of attributes that are not signed by the signer.
iaik.asn1.structures.Attribute[] | getUnsignedAttributes(iaik.asn1.ObjectID oid) | Returns all unsigned attributes matching the given attribute type, if included in this CounterSignature object.
iaik.asn1.structures.AttributeValue | getUnsignedAttributeValue(iaik.asn1.ObjectID oid) | Returns the attribute value of a single valued unsigned attribute with the given type.
int | getVersion() | Returns the syntax version number (1 or 3).
boolean | isSignerCertificate(iaik.x509.X509Certificate cert) | Checks whether the supplied certificate actually is the certificate of the signer.
void | removeSignedAttribute(iaik.asn1.ObjectID attributeType) | Removes all signed attributes with the given attribute type.
void | removeUnsignedAttribute(iaik.asn1.ObjectID attributeType) | Removes all unsigned attributes with the given attribute type.
void | setSecurityProvider(SecurityProvider securityProvider) | Sets the SecurityProvider for this CounterSignature.
void | setSignatureValue(byte[] signatureValue) | Sets the signature value.
void | setSignedAttributes(iaik.asn1.structures.Attribute[] attributes) | Sets a set of attributes to be signed along with the content to be signed.
void | setUnsignedAttributes(iaik.asn1.structures.Attribute[] attributes) | Sets a set of attributes that are not signed by the signer.
iaik.asn1.ASN1Object | toASN1Object() | Returns this CounterSignature as ASN1Object.
java.lang.String | toString() | Returns a string giving some information about this CounterSignature object.
java.lang.String | toString(boolean detailed) | Returns a string giving some - if requested - detailed information about this CounterSignature object.
boolean | verify(java.security.PublicKey publicKey, byte[] signatureThatWasCounterSigned) | Verifies the counter signature of the given signature value with the given public key.
boolean | verify(java.security.PublicKey publicKey, CounterSignature counterSignature) | Verifies the counter signature of the given CounterSignature with the given public key.
boolean | verify(java.security.PublicKey publicKey, SignerInfo signerInfo) | Verifies the counter signature of the given SignerInfo with the given public key.
public static final iaik.asn1.ObjectID oid
The attributeType object identifier of the CMS CounterSignature attribute.

public CounterSignature()
Default constructor: creates a CounterSignature object and sets the SignerInfo version number to 1 and the signature algorithm ID to rsaEncryption.

public CounterSignature(CertificateIdentifier signerIdentifier, iaik.asn1.structures.AlgorithmID digestAlgorithm, java.security.PrivateKey privateKey)
Creates a new CounterSignature from the given signerIdentifier, digest algorithm ID, and the counter signer private key. The signerIdentifier identifies the signer certificate either by issuer distinguished name and issuer-specific serial number or by SubjectKeyIdentifier. The digestAlgorithm ID specifies the message digest algorithm used for calculating the digest of the content and any signed information. The private key is used for calculating the signature. When using this constructor, the signature is calculated with the PKCS#1 rsaEncryption method.
Parameters:
signerIdentifier - information about the counter signer certificate.
digestAlgorithm - the AlgorithmID of the message-digest algorithm
privateKey - the counter signer private key to be used for signing
Throws:
java.lang.IllegalArgumentException - if the supplied signerIdentifier is not a SubjectKeyID or IssuerAndSerialNumber

public CounterSignature(CertificateIdentifier signerIdentifier, iaik.asn1.structures.AlgorithmID digestAlgorithm, iaik.asn1.structures.AlgorithmID signatureAlgorithm, java.security.PrivateKey privateKey)
Creates a new CounterSignature from the given signerIdentifier, digest algorithm ID, signature algorithm ID, and the signer private key. The signerIdentifier identifies the signer certificate either by issuer distinguished name and issuer-specific serial number or by SubjectKeyIdentifier. The digestAlgorithm ID specifies the message digest algorithm used for calculating the digest of the content and any signed information. The private key is used for calculating the signature with the given signature algorithm.
Parameters:
signerIdentifier - information about the counter signer certificate.
digestAlgorithm - the AlgorithmID of the message-digest algorithm
signatureAlgorithm - the algorithm to be used for signature calculation
privateKey - the counter signer private key to be used for signing

public CounterSignature(iaik.asn1.ASN1Object obj) throws iaik.asn1.CodingException
Creates a CMS CounterSignature from an ASN1Object. The ASN1Object supplied to this constructor represents an already existing CounterSignature object that may have been created by calling toASN1Object.
Parameters:
obj - the CMS CounterSignature as ASN1Object
Throws:
iaik.asn1.CodingException - if the object can not be parsed

public void setSecurityProvider(SecurityProvider securityProvider)
Sets the SecurityProvider for this CounterSignature. This method allows to explicitly set a SecurityProvider for this CounterSignature. If no explicit SecurityProvider is set, the default system wide installed SecurityProvider will be used for the required cryptographic operations.
This class may use the following method(s) of the SecurityProvider, which may be overridden by an application, if required:
- calculateSignatureFromSignedAttributes() to calculate the signature value from the encoding of the signed attributes
- calculateSignatureFromHash() to calculate the signature value from the message hash
- getHash() as may be required for cert hash calculation when querying for included SigningCertificate attributes
Parameters:
securityProvider - the SecurityProvider to be set

public SecurityProvider getSecurityProvider()
Gets the SecurityProvider installed for this CounterSignature. This class uses the following method(s) of the SecurityProvider, which may be overridden by an application, if required:
- calculateSignatureFromSignedAttributes() to calculate the signature value from the encoding of the signed attributes
- calculateSignatureFromHash() to calculate the signature value from the message hash
- getHash() as may be required for cert hash calculation when querying for included SigningCertificate or SigningCertificateV2 attributes
If no SecurityProvider has been set for this object, the default system wide installed SecurityProvider will be used for the required cryptographic operations. However, this method will return null if this object does not have its own SecurityProvider.
Returns:
the SecurityProvider installed for this object, or null if this object does not have its own SecurityProvider

public void decode(iaik.asn1.ASN1Object obj) throws iaik.asn1.CodingException
Decodes the given ASN.1 CounterSignature object for parsing the internal structure. This method internally is called when creating a CMS SignerInfo object from an already existing CounterSignature object, supplied as ASN1Object.
Parameters:
obj - the CMS CounterSignature as ASN1Object
Throws:
iaik.asn1.CodingException - if the object can not be parsed

public iaik.asn1.ASN1Object toASN1Object() throws iaik.asn1.CodingException
Returns this CounterSignature as ASN1Object.
Throws:
iaik.asn1.CodingException - if the ASN1Object could not be created

public iaik.asn1.ObjectID getAttributeType()
Returns the OID identifying the CMS CounterSignature attribute type.
Specified by:
getAttributeType in class iaik.asn1.structures.AttributeValue

public void setSignedAttributes(iaik.asn1.structures.Attribute[] attributes)
Sets a set of attributes to be signed along with the content to be signed.
Parameters:
attributes - a set of attributes to be signed along with the content to be signed.
Throws:
java.lang.IllegalArgumentException - if the given attributes contain a ContentType attribute (not allowed for CounterSignatures)

public void addSignedAttributes(iaik.asn1.structures.Attribute[] attributes)
Adds the given attributes to the set of signed attributes.
Parameters:
attributes - the attributes to be added to the signed attributes
Throws:
java.lang.IllegalArgumentException - if the given attributes contain a ContentType attribute (not allowed for CounterSignatures)

public void addSignedAttribute(iaik.asn1.structures.Attribute attribute)
Adds the given attribute to the set of signed attributes.
Parameters:
attribute - the attribute to be added to the signed attributes
Throws:
java.lang.IllegalArgumentException - if the given attribute is a ContentType attribute (not allowed for CounterSignatures)

public void removeSignedAttribute(iaik.asn1.ObjectID attributeType)
Removes all signed attributes with the given attribute type.
Parameters:
attributeType - the OID identifying the attribute to be removed

public SigningCertificate getSigningCertificateAttribute() throws CMSException
Gets the SigningCertificate attribute, if included.
Returns:
the SigningCertificate attribute, or null if not included
Throws:
CMSException - if an error occurs while parsing for the SigningCertificate attribute

public SigningCertificateV2 getSigningCertificateV2Attribute() throws CMSException
Gets the SigningCertificateV2 attribute, if included.
Returns:
the SigningCertificateV2 attribute, or null if not included
Throws:
CMSException - if an error occurs while parsing for the SigningCertificateV2 attribute

public byte[] getSignedDigest() throws CMSException
Returns the message digest included in the signed attributes.
Returns:
the message digest, or null if not present
Throws:
CMSException
public void setUnsignedAttributes(iaik.asn1.structures.Attribute[] attributes)
Sets a set of attributes that are not signed by the signer.
Parameters:
attributes - a set of attributes that are not signed by the signer

public void addUnsignedAttributes(iaik.asn1.structures.Attribute[] attributes)
Adds the given attributes to the set of unsigned attributes.
Parameters:
attributes - the attributes to be added to the unsigned attributes

public void addUnsignedAttribute(iaik.asn1.structures.Attribute attribute)
Adds the given attribute to the set of unsigned attributes.
Parameters:
attribute - the attribute to be added to the unsigned attributes

public void removeUnsignedAttribute(iaik.asn1.ObjectID attributeType)
Removes all unsigned attributes with the given attribute type.
Parameters:
attributeType - the OID identifying the attribute to be removed

public int getVersion()
Returns the syntax version number (1 or 3).

public CertificateIdentifier getSignerIdentifier()
Returns information about the signer certificate. The information is returned as CertificateIdentifier object specifying the signer certificate either by issuer distinguished name and issuer-specific serial number or by SubjectKeyIdentifier.

public boolean isSignerCertificate(iaik.x509.X509Certificate cert) throws CMSException
Checks whether the supplied certificate actually is the certificate of the signer. This method first checks if the signerIdentifier of this CounterSignature identifies the supplied certificate via IssuerAndSerialNumber or SubjectKeyIdentifier. If this check is successful, this method then looks if the SigningCertificate and/or the SigningCertificateV2 attributes are present and identify the given certificate as cert of the signer. If both SigningCertificate attributes are present this method accepts the given certificate as signer certificate only if it is identified by both SigningCertificate attributes.
Parameters:
cert - the certificate to be checked of being the one of the signer
Returns:
true if the supplied certificate is the signer certificate, false if not
Throws:
CMSException - if the check cannot be completed because an error occurs when parsing the SigningCertificate or SigningCertificateV2 attribute, or a hash algorithm (required for calculating the cert hash) is not supported by the installed cryptographic providers

public iaik.asn1.structures.AlgorithmID getDigestAlgorithm()
Returns the AlgorithmID of the message-digest algorithm that has been used for digesting the content and any signed attributes.

public iaik.asn1.structures.Attribute[] getSignedAttributes()
Returns a set of attributes that are signed by the signer.

public iaik.asn1.structures.Attribute getSignedAttribute(iaik.asn1.ObjectID oid)
Returns the first signed attribute matching the given ObjectID, if included in this CounterSignature object.
Returns:
the first matching signed attribute, or null if there is no attribute for the given OID.

public iaik.asn1.structures.Attribute[] getSignedAttributes(iaik.asn1.ObjectID oid)
Returns all signed attributes matching the given attribute type, if included in this CounterSignature object.
Parameters:
oid - the attribute type to look for
Returns:
the matching signed attributes, or null if there is no attribute for the given OID.

public iaik.asn1.structures.AttributeValue getSignedAttributeValue(iaik.asn1.ObjectID oid) throws CMSException
Returns the attribute value of a single valued signed attribute with the given type. This method provides the possibility to immediately access the value of an attribute with the given type. It may be used for getting the value of the first included attribute of the requested type or, more appropriately, the only value of a single valued signed attribute of the requested type. In this way, this method can be seen as an alternative to method getSignedAttribute for providing immediate access to the attribute value, e.g.:

```java
SigningCertificate signingCertificate =
  (SigningCertificate)counterSignature.getSignedAttributeValue(SigningCertificate.oid);
if (signingCertificate != null) {
  ...
}
```
Parameters:
oid - the object identifier representing the type of the attribute for which to get the value
Returns:
the attribute value, or null if no attribute of the given type is included
Throws:
CMSException - if the ASN.1 representation of the attribute value cannot be parsed

public iaik.asn1.structures.AlgorithmID getSignatureAlgorithm()
Returns the signature algorithm used for calculating the signature and associated information with the signer private key.

public byte[] getSignatureValue()
Returns the signature value.

public void setSignatureValue(byte[] signatureValue)
Sets the signature value.
Parameters:
signatureValue - the signature value, calculated from outside

public iaik.asn1.structures.Attribute[] getUnsignedAttributes()
Returns a set of attributes that are not signed by the signer.

public iaik.asn1.structures.Attribute getUnsignedAttribute(iaik.asn1.ObjectID oid)
Returns the first unsigned attribute matching the given ObjectID, if included in this CounterSignature object.
Returns:
the first matching unsigned attribute, or null if there is no attribute for the given OID.

public iaik.asn1.structures.Attribute[] getUnsignedAttributes(iaik.asn1.ObjectID oid)
Returns all unsigned attributes matching the given attribute type, if included in this CounterSignature object.
Parameters:
oid - the attribute type to look for
Returns:
the matching unsigned attributes, or null if there is no attribute for the given OID.

public iaik.asn1.structures.AttributeValue getUnsignedAttributeValue(iaik.asn1.ObjectID oid) throws CMSException
Returns the attribute value of a single valued unsigned attribute with the given type. This method provides the possibility to immediately access the value of an unsigned attribute with the given type. It may be used for getting the value of the first included unsigned attribute of the requested type or, more appropriately, the only value of a single valued unsigned attribute of the requested type. In this way, this method can be seen as an alternative to method getUnsignedAttribute for providing immediate access to the attribute value, e.g.:

```java
SigningTime signingTime =
  (SigningTime)counterSignature.getUnsignedAttributeValue(SigningTime.oid);
if (signingTime != null) {
  ...
}
```
Parameters:
oid - the object identifier representing the type of the attribute for which to get the value
Returns:
the attribute value, or null if no attribute of the given type is included
Throws:
CMSException - if the ASN.1 representation of the attribute value cannot be parsed

public java.lang.String toString()
Returns a string giving some information about this CounterSignature object.
Overrides:
toString in class iaik.asn1.structures.AttributeValue

public java.lang.String toString(boolean detailed)
Returns a string giving some - if requested - detailed information about this CounterSignature object.
Parameters:
detailed - whether or not to give detailed information

public void counterSign(SignerInfo signerInfo) throws java.security.SignatureException
Counter signs the given SignerInfo. After counter signing, add the CounterSignature as unsigned attribute to the SignerInfo, e.g.:

```java
...
counterSignature.counterSign(signerInfo);
// and add the counter signature as unsigned attribute
Attribute[] unsignedAttributes = new Attribute[] { new Attribute(counterSignature) };
signerInfo.addUnsignedAttributes(unsignedAttributes);
...
```
Please note that one single CounterSignature object can only sign one single signature. So do not repeatedly call this method for signing more than one signature; rather create a new CounterSignature object for any new signature to be counter signed.
Parameters:
signerInfo - the SignerInfo to be counter signed
Throws:
java.security.SignatureException - if signing fails for some reason

public void counterSign(CounterSignature counterSignature) throws java.security.SignatureException
Counter signs the given CounterSignature. This method may be used for counter signing another CounterSignature. After counter signing the CounterSignature you must explicitly set the CounterSignature attribute, e.g.:

```java
...
counterSignature.counterSign(firstCounterSignature);
// and add the counter signature as unsigned attribute
Attribute[] unsignedAttributes = new Attribute[] { new Attribute(counterSignature) };
firstCounterSignature.addUnsignedAttributes(unsignedAttributes);
...
```
Please note that one single CounterSignature object can only sign one single signature. So do not repeatedly call this method for signing more than one signature; rather create a new CounterSignature object for any new signature to be counter signed.
Parameters:
counterSignature - the CounterSignature to be counter signed
Throws:
java.security.SignatureException - if signing fails for some reason

public void counterSign(byte[] signatureToBeCounterSigned) throws java.security.SignatureException
Counter signs the given signature value, e.g. the signature value of a SignerInfo:

```java
...
counterSignature.counterSign(signerInfo.getSignatureValue());
// and add the counter signature as unsigned attribute
Attribute[] unsignedAttributes = new Attribute[] { new Attribute(counterSignature) };
signerInfo.addUnsignedAttributes(unsignedAttributes);
...
```
Please note that one single CounterSignature object can only sign one single signature. So do not repeatedly call this method for signing more than one signature; rather create a new CounterSignature object for any new signature to be counter signed.
Parameters:
signatureToBeCounterSigned - the signature value to be counter signed
Throws:
java.security.SignatureException - if signing fails for some reason

public boolean verify(java.security.PublicKey publicKey, SignerInfo signerInfo) throws java.security.SignatureException
Verifies the counter signature of the given SignerInfo with the given public key. The given SignerInfo represents the SignerInfo that has been counter signed, e.g.:

```java
try {
  if (counterSignature.verify(counterCert.getPublicKey(), signerInfo)) {
    System.out.println("Signature OK from counter signer: " + counterSignature.getSignerIdentifier());
  } else {
    System.out.println("Signature ERROR from counter signer: " + counterSignature.getSignerIdentifier());
  }
} catch (SignatureException ex) {
  System.out.println("Signature ERROR from counter signer: " + counterSignature.getSignerIdentifier());
}
```
Parameters:
publicKey - the public key of the counter signer
signerInfo - the SignerInfo that has been counter signed
Returns:
true if the signature verifies, false if not
Throws:
java.security.SignatureException - if the signature verification process fails

public boolean verify(java.security.PublicKey publicKey, CounterSignature counterSignature) throws java.security.SignatureException
Verifies the counter signature of the given CounterSignature with the given public key. CounterSignatures may be applied recursively, i.e. one CounterSignature may be counter signed by another. The given CounterSignature represents the CounterSignature that has been counter signed, e.g.:

```java
// counterSignature counter signs firstCounterSignature
try {
  if (counterSignature.verify(counterCert.getPublicKey(), firstCounterSignature)) {
    System.out.println("Signature OK from counter signer: " + counterSignature.getSignerIdentifier());
  } else {
    System.out.println("Signature ERROR from counter signer: " + counterSignature.getSignerIdentifier());
  }
} catch (SignatureException ex) {
  System.out.println("Signature ERROR from counter signer: " + counterSignature.getSignerIdentifier());
}
```
Parameters:
publicKey - the public key of the counter signer
counterSignature - the CounterSignature that has been counter signed
Returns:
true if the signature verifies, false if not
Throws:
java.security.SignatureException - if the signature verification process fails

public boolean verify(java.security.PublicKey publicKey, byte[] signatureThatWasCounterSigned) throws java.security.SignatureException
Verifies the counter signature of the given signature value with the given public key. The given signature value may be the one of the SignerInfo that has been counter signed, e.g.:

```java
try {
  if (counterSignature.verify(counterCert.getPublicKey(), signerInfo.getSignatureValue())) {
    System.out.println("Signature OK from counter signer: " + counterSignature.getSignerIdentifier());
  } else {
    System.out.println("Signature ERROR from counter signer: " + counterSignature.getSignerIdentifier());
  }
} catch (SignatureException ex) {
  System.out.println("Signature ERROR from counter signer: " + counterSignature.getSignerIdentifier());
}
```
Parameters:
publicKey - the public key of the counter signer
signatureThatWasCounterSigned - the signature that has been counter signed
Returns:
true if the signature verifies, false if not
Throws:
java.security.SignatureException - if the signature verification process fails for some reason
InvalidContentHashException - if the signature verification process fails because the content hash does not match the value of the included MessageDigest attribute
InvalidContentTypeException - if the signed attributes contain a ContentType attribute (not allowed for CounterSignature)