iaik.cms
Class SignedData

java.lang.Object
  iaik.cms.SignedDataStream
      iaik.cms.SignedData

All Implemented Interfaces:

EncodeListener, Content, ContentStream, EOFListener, java.util.EventListener

public class SignedData
extends SignedDataStream
implements Content

This class represents the non-stream implementation of the CMS content type SignedData.

Each CMS content type is associated with a specific object identifier, derived from PKCS#7:

 pkcs-7 OBJECT IDENTIFIER ::=
   { iso(1) member-body(2) US(840) rsadsi(113549)
       pkcs(1) 7 }
 

The object identifier for the SignedData content type is defined as:

signedData OBJECT IDENTIFIER ::= { pkcs-7 2 }

which corresponds to the OID string "1.2.840.113549.1.7.2".

The Cryptographic Message Syntax (CMS) (RFC 5652) specifies the SignedData content type for providing a syntax for building digital signatures. Content of any type may be signed by any number of signers in parallel. For each signer, a signature is computed on the content (and any additional authenticating information) and -- together with some signer-specific information -- collected into a SignerInfo object. Finally all created SignerInfo objects are collected together with the content for forming a SignedData structure.

This class implements the SignedData structure resulting from the last step described above. The SignedData type is defined as ASN.1 SEQUENCE type containing the following components (see RFC 5652):

 SignedData ::= SEQUENCE {
   version CMSVersion,
   digestAlgorithms DigestAlgorithmIdentifiers,
   encapContentInfo EncapsulatedContentInfo,
   certificates [0] IMPLICIT CertificateSet OPTIONAL,
   crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
   signerInfos SignerInfos }

 

 DigestAlgorithmIdentifiers ::= SET OF DigestAlgorithmIdentifier
 

 CertificateSet ::= SET OF CertificateChoices

 CertificateChoices ::= CHOICE {
   certificate Certificate,
   extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
   v1AttrCert [1] IMPLICIT AttributeCertificateV1,       -- Obsolete
   v2AttrCert [2] IMPLICIT AttributeCertificateV2,
   other [3] IMPLICIT OtherCertificateFormat }

   OtherCertificateFormat ::= SEQUENCE {
     otherCertFormat OBJECT IDENTIFIER,
     otherCert ANY DEFINED BY otherCertFormat }
 

 RevocationInfoChoices ::= SET OF RevocationInfoChoice

 RevocationInfoChoice ::= CHOICE {
   crl CertificateList,
   other [1] IMPLICIT OtherRevocationInfoFormat }

 OtherRevocationInfoFormat ::= SEQUENCE {
   otherRevInfoFormat OBJECT IDENTIFIER,
   otherRevInfo ANY DEFINED BY otherRevInfoFormat }
 

 SignerInfos ::= SET OF SignerInfo
 

The digestAlgorithms field contains the object identifiers of the message digest algorithms used by the several signers for digesting the content that is supplied in the contentInfo field. The optional certificates field shall contain certificate chains for all the signers of the signerInfos field; attribute certificates or other certificates maybe included. The optional crls field may supply information (e.g. by means of X.509 crls or other revocation infos) about the revocation status of the certificates specified in the certificates field. And finally, the signerInfos field collects per-signer information for all parciticipated signers including the signer-specific digital signatures of the content.

If there are no signers on the content, the signed-data content type may be used for disseminating certificates and certificate-revocation lists.

For more information see RFC 5652.

When creating a SignedData object for the content to be signed by using the SignedData(byte[] content, int mode) constructor, the transimission mode has to be specified. You may use an alternative constructor for additionally specifying the content type of the inherent EncapsulatedContentInfo; default is id-data. If the mode is set to SignedData.IMPLICIT the content data will be included in the SignedData message to be transmitted, but it will be not included if the mode is set to SignedData.EXPLICIT. However, in both cases the content data has to be supplied when creating the SignedData object, because it is needed for the digest computation:

 byte[] data = ...;
 SignedData signed_data = new SignedData(data, SignedData.IMPLICIT);
 

respectively

 SignedData signed_data = new SignedData(data, SignedData.EXPLICIT);
 

In contrast to the stream-variant of the CMS SignedData type (implemented by the SignedDataStream class), where explicit and implicit mode require a different proceeding, both cases may be handled in the same way, when using the non-stream variant. In this way, the steps of creating a SignedData object and preparing it for transmission can be summarized in the following way (to simplify matters, we will assume not to include certificate revocation lists):

1. Create a new SignedData object thereby supplying the content data to be signed and specifying the transmission mode to be used (either SignedData.IMPLICIT or SignedData.EXPLICIT):

        byte[] data = ...;
        int mode = ...;
        SignedData signed_data = new SignedData(data, mode);
        

2. Set the certificates of all the signers by calling the setCertificates method. The certificates are supplied as array of X509Certificates an shall contain chains from a known top-level CA to all the signers in the SignerInfo field:

        signed_data.setCertificates(certificates);
        

3. For each participated signer, create a SignerInfo object, optionally supply it with attributes, and add it to the SignedData structure by calling the addSignerInfo method:

        SignerInfo signer1 = ...;
        signed_data.addSignerInfo(signer1);
        SignerInfo signer2 = ...;
        signed_data.addSignerInfo(signer2);
         ...
        

   You alternatively may collectively add all signers by utilizing the setSignerInfos method.
   When actually adding a SignerInfo the digest computation is performed on the content for the digest algorithm of the SignerInfo.

4. Prepare the SignedData object for transmission by transforming it into an ASN1Object or immediately BER encoding it. The former is done by calling the toASN1Object method, the latter by using the getEncoded method:

        ASN1Object obj = signed_data.toASN1Object();
        

   respectively

        byte[] encoding = signed_data.getEncoded();
        

   You alternatively may use a proper writeTo method of the parent SignedDataStream class for immediately encoding this SignedData object to an output stream. When using writeTo in implicit mode, you additionally have the possibility of specifying a particular blockSize for forcing an indefinite constructed encoding of the inherent content data bytes, instead of of the default definite primitive encoding, e.g:

        0x24 0x80
                  0x04 0x02 0x01 0xAB
                  0x04 0x02 0x23 0x7F
                  0x04 0x01 0xCA
        0x00 0x00 
        

   instead of:

        0x04 0x05 0x01 0xAB 0x23 0x7F 0xCA
        

   for encoding the five data bytes 0x01 0xAB 0x23 0x7F 0xCA. Of course, in practice block based encoding makes only sense when specifying a bigger block size (e.g. 4096 -- or even more -- to encode the data in blocks of 4096 bytes).

Unlike the procedure of newly creating a SignedData object to be transmitted, even when using this non-stream implementation of the SignedData content type, it has to be distinguished between IMPLICIT and EXPLICIT mode when parsing a received SignedData message.
When operating in IMPLICIT mode, the content data is included in the received SignedData object, and so the parsing immediately may be performed when creating a SignedData object from the BER encoded SignedData object by calling the SignedData(InputStream is) constructor.
On the other side, when the content data has been transmitted outside the SignedData message (EXPLICIT mode) there are two alternative ways for parsing the SignedData and verifying the signature(s):

• If the hash algorithms are known in advance (e.g. when parsing an S/MIME multipart/signed message), the SignedData(byte[] content, AlgorithmID[] hashAlgorithms) constructor may be used for initializing the new SignedData object with content data and hash algorithms to be used for digest computation; and the decoding has to be performed explicitly by calling the decode method. The initialization is necessary for computing the digests on the content data for the digest algorithms of all participated signers. Later, during signature verification the digest value computation is finished and the results are used for checking the signatures with the public key(s) of the signer(s).
• If both -- SignedData encoding and content data -- are accessible at the same time, the SignedData object may be created in the same way as in IMPLICIT mode by using the SignedDataStream(InputStream is) constructor, and the content data maybe supplied by calling method setInputStream. As above the content data is required for hash computation initialization.

All further steps are the same for implicit and explicit mode, and so the proceeding necessary for parsing a received SignedData message and verifying the signatures may be summarized as follows:

1. If the BER encoded SignedData object represents an implicit SignedData object, use the SignedData(InputStream is) constructor for creating a SignedData object and implicitly parsing the the supplied ASN.1 structure:

        SignedData signedData = new SignedData(encoded_stream);
        

   On the other hand, if the BER encoding represents an explicit SignedData object, use one of the following alternatives:
   • (a) Use the SignedData(byte[] content, AlgorithmID[] hashAlgorithms) constructor for initializing a new SignedData object with content data and digest algorithms for hash computation, and subsequently explicitly perform the decoding by means of the decode method (assuming that SHA-256 is been used as hash algorithm):

              AlgorithmID[] algIDs = { AlgorithmID.sha256 };
              SignedData signedData = new SignedData(content_data, algIDs);
              signedData.decode(encoded_stream);
              

   • (b)Create the SignedData in the same way as in implicit mode by using the SignedData(InputStream is) constructor and subsequently supply the content data (transmitted by other means) by calling method setContent:

              SignedData signedData = new SignedData(encoded_stream);
              signedData.setContent(content_data);
              

2. Get the SignerInfos from the SignedData object and perform the signature verification:

        // get the signer infos
        SignerInfo[] signerInfos = signed_data.getSignerInfos();
        // verify the signatures
        int numberOfSignerInfos = signer_infos.length;
        if (numberOfSignerInfos == 0) {
          System.out.println("Warning: Unsigned message (no SignerInfo included)!");
        } else {
          for (int i = 0; i < numberOfSignerInfos; i++) {
            try {
              // verify the signature for SignerInfo at index i
              X509Certificate signer_cert = signed_data.verify(i);
              // if the signature is OK the certificate of the signer is returned
              System.out.println("Signature OK from signer: "+signer_cert.getSubjectDN());
            } catch (SignatureException ex) {
              // if the signature is not OK a SignatureException is thrown
              System.out.println("Signature ERROR from signer: "+signed_data.getCertificate(signerInfos[i].getSignerIdentifier()).getSubjectDN());
            }
          }  
        }  
        

3. In implicit mode, get the content data from the SignedData object:

        byte[] data = signedData.getContent();
        

The simple example above verifies the correctness of the signature value(s) and dumps the result to System.out. In practice an application will require some more sophisticated error processing.

For handling large amounts of data, the parent SignedDataStream class should be used.

See Also:

Content, ContentInfo, SignerInfo, SignedDataStream

Field Summary

Fields inherited from class iaik.cms.SignedDataStream

blockSize_, certSet_, contentType_, crls_, EXPLICIT, IMPLICIT, inputStream_, mode_, securityProvider_, signerInfos_, thisObject_, version_

Constructor Summary

protected	SignedData() Default constructor for dynamic object creation in ContentInfo.
	SignedData(ASN1Object obj) Creates a CMS SignedData from an ASN1Object.
	SignedData(ASN1Object obj, SecurityProvider securityProvider) Creates a CMS SignedData from an ASN1Object.
	SignedData(byte[] content, AlgorithmID[] hashAlgorithms) Creates a new SignedData from a byte array holding the content that has been transmitted by other means, and an array specifying the hash algorithms to be used for digesting.
	SignedData(byte[] content, AlgorithmID[] hashAlgorithms, SecurityProvider securityProvider) Creates a new SignedData from a byte array holding the content that has been transmitted by other means, and an array specifying the hash algorithms to be used for digesting.
	SignedData(byte[] content, int mode) Creates a SignedData object from a byte array containing the content data to be signed.
	SignedData(byte[] content, ObjectID contentType, int mode) Creates a SignedData object from a byte array containing the content data to be signed.
	SignedData(java.io.InputStream is) Creates a new SignedData from a BER encoded SignedData object which is read from the given InputStream.
	SignedData(java.io.InputStream is, SecurityProvider securityProvider) Creates a new SignedData from a BER encoded SignedData object which is read from the given InputStream.
	SignedData(ObjectID contentType) Creates a new SignedData object without any content.

Method Summary

void	addDigestAlgorithm(AlgorithmID digestAlg) Adds a digest algorithm.
void	addSignerInfo(SignerInfo signerInfo) Adds a SignerInfo object to this SignedData.
void	decode(ASN1Object obj) Decodes the SignedData supplied as ASN1Object.
void	decode(java.io.InputStream is) Reads and decodes the a BER encoded SignedData from the given input stream.
byte[]	getContent() Returns the content.
byte[]	getEncoded() Returns the BER encoding of this SignedData object as byte array.
java.io.InputStream	getInputStream() Returns an InputStream from which the contents of this object can be read.
void	setContent(byte[] content) Sets the content to sign/verify.
void	setInputStream(java.io.InputStream is) Sets the InputStream which holds the content to sign/verify.
protected ASN1Object	toASN1Object(int blockSize) Returns this SignedData as ASN1Object.
java.lang.String	toString(boolean detailed) Returns a string giving some - if requested - detailed information about this SignedData object.

Methods inherited from class iaik.cms.SignedDataStream

addCertificates, addCRLs, addSDSEncodeListener, clearSignatures, encodeCalled, getAttributeCertificates, getBlockSize, getCertificate, getCertificates, getCertificates, getCertificateSet, getContentType, getCRLs, getDigestAlgorithms, getEncapsulatedContentType, getMessageDigest, getMode, getRevocationInfoChoices, getSecurityProvider, getSignedDigest, getSignerInfo, getSignerInfo, getSignerInfoIndex, getSignerInfos, getVersion, getX509Certificates, notifyEOF, removeMessageDigest, removeSignerInfo, setBlockSize, setCertificates, setCertificateSet, setCRLs, setMessageDigest, setRevocationInfoChoices, setSDSEncodeListener, setSecurityProvider, setSignerInfos, toASN1Object, toString, verify, verify, verify, writeTo, writeTo

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface iaik.cms.ContentStream

getBlockSize, getContentType, setBlockSize, toASN1Object

Constructor Detail

SignedData

protected SignedData()

Default constructor for dynamic object creation in ContentInfo. The block size is set to -1 to enforce definite primitive encoding.

SignedData

public SignedData(ObjectID contentType)

Creates a new SignedData object without any content. The content value to be signed has to be of the given content type and has to be supplied by other means.

Parameters:

contentType - the contentType of the data

SignedData

public SignedData(byte[] content,
                  int mode)

Creates a SignedData object from a byte array containing the content data to be signed. The given mode specifies the way the content data is transmitted. If the mode is SignedData.IMPLICIT, the content data is included in the SignedData message to be transmitted. If the mode is SignedData.EXPLICIT, the content data is not included in the SignedData object. The content type of the inherent EncapsulatedContentInfo is set to CMS id-data.

Parameters:

content - the content data to be signed

mode - IMPLICIT if the message shall be included in the BER encoding, EXPLICIT otherwise

SignedData

public SignedData(byte[] content,
                  ObjectID contentType,
                  int mode)

Creates a SignedData object from a byte array containing the content data to be signed. The given mode specifies the way the content data is transmitted. If the mode is SignedData.IMPLICIT, the content data is included in the SignedData message to be transmitted. If the mode is SignedData.EXPLICIT, the content data is not included in the SignedData object.

Use this constructor for signing content having any other type than CMS (PKCS#7) id-data. In such cases typically the given byte array will supply the BER encoding of a particular content object to be signed. The PKIX Time Stamp protocol, for instance, defines a TSTInfo structure to be signed by using a CMS SignedData object. Assuming a Java class implementing the TSTInfo type it may be prepared for being signed with the SignedData type in a way similar to:

 TSTInfo tstInfo = ...;
 ...
 // encode the TSTInfo
 byte[] encodedTSTInfo = DerCoder.encode(tstInfo.toASN1Object());
 // now sign the TSTInfo:
 ObjectID oid = ObjectID.tstInfo;
 int mode = SignedData.IMPLICIT;
 SignedData signedData = new SignedDataStream(enodedTSTInfo, oid, mode);
 ...
 

Parameters:

content - the content data to be signed

contentType - the contentType for the inherent EncapsulatedContentInfo

mode - IMPLICIT if the message shall be included in the BER encoding, EXPLICIT otherwise

SignedData

public SignedData(java.io.InputStream is)
           throws CMSParsingException,
                  java.io.IOException

Creates a new SignedData from a BER encoded SignedData object which is read from the given InputStream. The encoded SignedData may (or may not) be wrapped into a ContentInfo.

This constructor only shall be used for parsing an encoded SignedData object with included content data bytes (implicit mode) or in explicit mode (where the content data is not included) when subsequently supplying the content data by calling method setContent. In explicit mode alternatively the constructor SignedData(byte[] content, AlgorithmID[] hashAlgorithms) may be used for initializing the hash computation with hash algorithms and content data, and the decoding maybe explicitly performed by calling the decode method.

Parameters:

is - the InputStream holding a BER encoded CMS SignedData object

Throws:

java.io.IOException - if an I/O error occurs during reading from the InputStream

CMSParsingException - if an error occurs while parsing the object

SignedData

public SignedData(java.io.InputStream is,
                  SecurityProvider securityProvider)
           throws CMSParsingException,
                  java.io.IOException

Creates a new SignedData from a BER encoded SignedData object which is read from the given InputStream. The encoded SignedData may (or may not) be wrapped into a ContentInfo.

This constructor only shall be used for parsing an encoded SignedData object with included content data bytes (implicit mode) or in explicit mode (where the content data is not included) when subsequently supplying the content data by calling method setContent. In explicit mode alternatively the constructor SignedData(byte[] content, AlgorithmID[] hashAlgorithms, SecurityProvider securityProvider) may be used for initializing the hash computation with hash algorithms and content data, and the decoding maybe explicitly performed by calling the decode method.

Parameters:

is - the InputStream holding a BER encoded CMS SignedData object

securityProvider - the SecurityProvider to be used for this SignedData object; if null the default system-wide installed SecurityProvider is used

Throws:

java.io.IOException - if an I/O error occurs during reading from the InputStream

CMSParsingException - if an error occurs while parsing the object

SignedData

public SignedData(ASN1Object obj)
           throws CMSParsingException

Creates a CMS SignedData from an ASN1Object. The ASN.1 SignedData may (or may not) be wrapped into a ContentInfo.

Do not use this constructor for supplying the content value to be signed. This constructor may be used by the recipient for parsing an already exisiting SignedData object, supplied as ASN1Object that may have been created by calling toASN1Object.

Use the SignedData(byte[] content, int mode) or SignedData(byte[] content, ObjectID contentType, int mode) constructors for supplying the content value to be signed when creating a SignedData object.

This constructor only shall be used for parsing an ASN1Object that represents a SignedData object with included content data bytes (implicit mode) or in explicit mode (where the content data is not included) when subsequently supplying the content data by calling method setContent. In explicit mode alternatively the constructor SignedData(byte[] content, AlgorithmID[] hashAlgorithms may be used for initializing the hash computation with hash algorithms and content data, and the decoding maybe explicitly performed by calling the decode method.
To initialize a SignedData object for parsing an explicit SignedData message where the content data is not included, use the SignedData(byte[] content, AlgorithmID[] hashAlgorithms) constructor, and perform the decoding explicitly by calling the decode method.

Parameters:

obj - the CMS SignedData as ASN1Object representing an implicit SignedData object

Throws:

CMSParsingException - if a parsing error occurs

SignedData

public SignedData(ASN1Object obj,
                  SecurityProvider securityProvider)
           throws CMSParsingException

Creates a CMS SignedData from an ASN1Object. The ASN.1 SignedData may (or may not) be wrapped into a ContentInfo.

Do not use this constructor for supplying the content value to be signed. This constructor may be used by the recipient for parsing an already exisiting SignedData object, supplied as ASN1Object that may have been created by calling toASN1Object.

Use the SignedData(byte[] content, int mode) or SignedData(byte[] content, ObjectID contentType, int mode) constructors for supplying the content value to be signed when creating a SignedData object.

This constructor only shall be used for parsing an ASN1Object that represents a SignedData object with included content data bytes (implicit mode) or in explicit mode (where the content data is not included) when subsequently supplying the content data by calling method setContent. In explicit mode alternatively the constructor SignedData(byte[] content, AlgorithmID[] hashAlgorithms, SecurityProvider securityProvider) may be used for initializing the hash computation with hash algorithms and content data, and the decoding maybe explicitly performed by calling the decode method.

Parameters:

obj - the CMS SignedData as ASN1Object representing an implicit SignedData object

securityProvider - the SecurityProvider to be used for this SignedData object; if null the default system-wide installed SecurityProvider is used

Throws:

CMSParsingException - if a parsing error occurs

SignedData

public SignedData(byte[] content,
                  AlgorithmID[] hashAlgorithms)
           throws java.security.NoSuchAlgorithmException

Creates a new SignedData from a byte array holding the content that has been transmitted by other means, and an array specifying the hash algorithms to be used for digesting.

Do not use this constructor for supplying the content value to be signed. This constructor may be used by the recipient for initializing the digest computation for an already existing explicit SignedData message where the content data is not included. In contrast to the equivalent constructor of the parent SignedDataStream class, this constructor not only initializes the digest computation, but also already computes the digests for all supplied digest algorithms. Later, during signature verification these digest values have to be compared against the hash values resulting from decrypting the encrypted digests with the signer public keys.
For subsequently performing the decoding of the received explicit SignedData object, use the decode method:

 // the received explicit SignedData structure as ASN1Object:
 ASN1Object = DerCoder.decode(received_message);
 //initialize - and perform - digest computaion:
 SignedData signedData = new SignedData(content_data, hashAlgorithms);
 //parse the received SignedData ASN1Object
 signedData.decode(obj);
 

A sender shall use the SignedData(byte[] content, int mode) constructor for supplying the content value to be signed when creating a SignedData object.

For parsing an implicit SignedData message, use the SignedData(ASN1Object obj) constructor.

Parameters:

content - the content transmitted by other means

hashAlgorithms - the hash algorithms used by the participated signers for digesting the content data

Throws:

java.security.NoSuchAlgorithmException - if any of the supplied hash algorithms is not supported

SignedData

public SignedData(byte[] content,
                  AlgorithmID[] hashAlgorithms,
                  SecurityProvider securityProvider)
           throws java.security.NoSuchAlgorithmException

Creates a new SignedData from a byte array holding the content that has been transmitted by other means, and an array specifying the hash algorithms to be used for digesting.

Do not use this constructor for supplying the content value to be signed. This constructor may be used by the recipient for initializing the digest computation for an already existing explicit SignedData message where the content data is not included. In contrast to the equivalent constructor of the parent SignedDataStream class, this constructor not only initializes the digest computation, but also already computes the digests for all supplied digest algorithms. Later, during signature verification these digest values have to be compared against the hash values resulting from decrypting the encrypted digests with the signer public keys.
For subsequently performing the decoding of the received explicit SignedData object, use the decode method:

 // the received explicit SignedData structure as ASN1Object:
 ASN1Object = DerCoder.decode(received_message);
 //initialize - and perform - digest computaion:
 SignedData signedData = new SignedData(content_data, hashAlgorithms);
 //parse the received SignedData ASN1Object
 signedData.decode(obj);
 

A sender shall use the SignedData(byte[] content, int mode) constructor for supplying the content value to be signed when creating a SignedData object.

For parsing an implicit SignedData message, use the SignedData(ASN1Object obj) constructor.

Parameters:

content - the content transmitted by other means

hashAlgorithms - the hash algorithms used by the participated signers for digesting the content data

securityProvider - the SecurityProvider to be used for this SignedData object; if null the default system-wide installed SecurityProvider is used

Throws:

java.security.NoSuchAlgorithmException - if any of the supplied hash algorithms is not supported

Method Detail

addSignerInfo

public void addSignerInfo(SignerInfo signerInfo)
                   throws java.security.NoSuchAlgorithmException

Adds a SignerInfo object to this SignedData.

Unlike the same-name method in the SignedDataStream super class this method already performs the digest computation for the given SignerInfo and calculates its signature value.
If the given SignerInfo contains signed attributes, it must include the PKCS#9 content-type attribute and the PKCS#9 message-digest attribute. If the message-digest attribute is not included in the supplied signed attributes it is automatically calculated and set. If the content-type attribute is not included it is automatically added and set to id-data. However, if the signature value is already set for the SignerInfo, an Exception is thrown if the content-type attribute is not included in the signed attributes. An Exception is also thrown if the content-type attribute is already included in the SignerInfo but does not match to the eContentType of the SignedData EncapsulatedContentInfo.

Overrides:

addSignerInfo in class SignedDataStream

Parameters:

signerInfo - the SignerInfo to add

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the message digest algorithm specified in the signerInfo, or if the signature calculation fails, or if the signature value is already set for the SignerInfo and the ContentType attribute is not included in the signed attributes, or if the content-type attribute is already included in the SignerInfo but does not match to the eContentType of the SignedData EncapsulatedContentInfo (for backwards compatibility only an NoSuchAlgorithmException can be thrown by this method)

See Also:

SignerInfo

addDigestAlgorithm

public void addDigestAlgorithm(AlgorithmID digestAlg)
                        throws java.security.NoSuchAlgorithmException

Adds a digest algorithm.

Usually any digest algorithm required by any SignerInfo is automatically added when adding a SignerInfo.
This method provides the possibility to add a digest algorithm that may be needed for calculating a digest over the data that may be required for other purposes than SignerInfo signature calculation.

Overrides:

addDigestAlgorithm in class SignedDataStream

Parameters:

digestAlg - the digest algorithm to add

Throws:

java.security.NoSuchAlgorithmException - if there is no implementation for the message digest algorithm available

decode

public void decode(ASN1Object obj)
            throws CMSParsingException

Decodes the SignedData supplied as ASN1Object. This method implicitly is called from inside the corresponding constructor for decoding an received implicit SignedData object where the content data is included. This method has to be explicitly called for decoding a received explicit SignedData object where the content data is not included. Before calling this method for an explicit SignedData ASN1Object object, a new SignedData object has to be created by means of the SignedData(byte[] content, AlgorithmID[] hashAlgorithms) constructor for initializing it for hash computation:

 // the received explicit SignedData structure as ASN1Object:
 ASN1Object = DerCoder.decode(received_message);
 //initialize - and perform - digest computaion:
 SignedData signedData = new SignedData(content_data, hashAlgorithms);
 //parse the received SignedData ASN1Object
 signedData.decode(obj);
 

Specified by:

decode in interface Content

Parameters:

obj - the CMS SignedData as ASN1Object

Throws:

CMSParsingException - if an error occurs while parsing the object

decode

public void decode(java.io.InputStream is)
            throws java.io.IOException,
                   CMSParsingException

Reads and decodes the a BER encoded SignedData from the given input stream. The given SignedData may (or may not) be wrapped into a ContentInfo.

This method provides an alternative to the decoding method where the SignedData to be decoded is given as ASN1Object.

Specified by:

decode in interface ContentStream

Overrides:

decode in class SignedDataStream

Parameters:

is - the InputStream holding a BER encoded CMS SignedData object

Throws:

java.io.IOException - if an I/O error occurs during reading from the InputStream

CMSParsingException - if an error occurs while parsing the object

setInputStream

public void setInputStream(java.io.InputStream is)

Sets the InputStream which holds the content to sign/verify. This method overrides the same named method of the SignedDataStream parent class. Attention! This method fully reads the supplied input stream.

Overrides:

setInputStream in class SignedDataStream

Parameters:

is - InputSteam holding the content to sign

setContent

public void setContent(byte[] content)

Sets the content to sign/verify.

Parameters:

content - the content to sign/verify

getInputStream

public java.io.InputStream getInputStream()

Returns an InputStream from which the contents of this object can be read.

This method only overrides the corresponding getInputStream method of the parent SignedDataStream class for returning the content of this SignedData object. There should be no real necessity for using this method since the content data bytes immediately can be obtained by the getContent method. However, in contrast to the equivalent getInputStream method of the parent SignedDataStream class, this method may be called arbitrarly often; it only returns a ByteArrayInputStream that is initialized with the content content bytes.

Overrides:

getInputStream in class SignedDataStream

Returns:

an InputStream with the contents of this SignedData object

getContent

public byte[] getContent()

Returns the content.

Returns:

the content as byte array

toASN1Object

protected ASN1Object toASN1Object(int blockSize)
                           throws CMSException

Returns this SignedData as ASN1Object.

If blockSize is set to a positive value the ASN1Object returned by this method is prepared for forcing an indefinite constructed encoding of the inherent content data bytes, instead of the default definite primitive encoding, e.g:

 0x24 0x80
           0x04 0x02 0x01 0xAB
           0x04 0x02 0x23 0x7F
           0x04 0x01 0xCA
 0x00 0x00 
 

instead of:

 0x04 0x05 0x01 0xAB 0x23 0x7F 0xCA
 

for encoding the five data bytes 0x01 0xAB 0x23 0x7F 0xCA.

The inherent data is encoded by means of the primitive definite method when the blockSize value is not positive.

Overrides:

toASN1Object in class SignedDataStream

Parameters:

blockSize - the block size defining the encoding scheme - and specifying the length of each primitive encoded octet string component, if positive

Throws:

CMSException - if the ASN1Object could not be created

getEncoded

public byte[] getEncoded()
                  throws CMSException

Returns the BER encoding of this SignedData object as byte array. If no positive blocksize has been yet set, any inherent content data bytes (implicit mode) will be encoded as primitive definite octet string. Otherwise the encoding of the inherent data will be indefinite constructed (may be forced by using the writeTo(OutputStream os, int blockSize) method of the parent SignedDataStream class.

Returns:

the BER encoding of this SignedData

Throws:

CMSException - if an encoding error occurs

toString

public java.lang.String toString(boolean detailed)

Returns a string giving some - if requested - detailed information about this SignedData object.

Specified by:

toString in interface ContentStream

Overrides:

toString in class SignedDataStream

Parameters:

detailed - - whether or not to give detailed information

Returns:

the string representation