java.lang.Object
  iaik.asn1.structures.AttributeValue
    iaik.cms.attributes.CounterSignature

public class CounterSignature extends AttributeValue
The CMS CounterSignature attribute.

The Cryptographic Message Syntax (CMS) (RFC 5652) specifies the CounterSignature attribute, which may be included as an unsigned attribute in a SignerInfo for counter signing (signing in serial) the signature value of a SignerInfo included in a SignedData. The value of a CounterSignature attribute itself is a SignerInfo:

```
CounterSignature ::= SignerInfo

id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
```

Since it is itself a SignerInfo, a CounterSignature object may be created and supplied with attributes in the same way as an ordinary SignerInfo (note that the content-type attribute is not required, since a counter signature has no content type). However, whereas signing and verifying of ordinary SignerInfos usually is controlled by the SignedData(Stream) object they belong to, an application explicitly has to call the proper counterSign or verify method, thereby specifying the signature value, SignerInfo or other CounterSignature object to be counter signed, e.g.:

```java
// the SignerInfo to be counter signed:
SignerInfo signerInfo = ...;
// the cert of the counter signer:
X509Certificate counterCert = ...;
// the private key of the counter signer:
PrivateKey counterKey = ...;
// create a CounterSignature for the counter signer:
CounterSignature counterSignature = new CounterSignature(
    new IssuerAndSerialNumber(counterCert), AlgorithmID.sha256, counterKey);
...
// add any attributes, if required
...
// now counter sign the SignerInfo
counterSignature.counterSign(signerInfo);
// and add the counter signature as unsigned attribute
Attribute[] unsignedAttributes = new Attribute[] { new Attribute(counterSignature) };
signerInfo.addUnsignedAttributes(unsignedAttributes);
...
```

On the verification end, get the CounterSignature unsigned attribute and call the proper verify method, thereby specifying the signature value, SignerInfo or other CounterSignature object to be "counter" verified, e.g.:
```java
// the SignerInfo parsed from a SignedData:
SignerInfo signerInfo = ...;
// the cert of the counter signer:
X509Certificate counterCert = ...;
// look for a CounterSignature attribute
Attribute counterSignatureAttribute =
    signerInfo.getUnsignedAttribute(ObjectID.countersignature);
if (counterSignatureAttribute != null) {
  // check for any included CounterSignature
  AttributeValue[] counterSignatures = counterSignatureAttribute.getAttributeValues();
  System.out.println("This SignerInfo is counter signed from: ");
  // may have more than one value
  for (int j = 0; j < counterSignatures.length; j++) {
    CounterSignature counterSignature = (CounterSignature)counterSignatures[j];
    try {
      if (counterSignature.verify(counterCert.getPublicKey(), signerInfo)) {
        System.out.println("Signature OK from counter signer: "
            + counterSignature.getSignerIdentifier());
      } else {
        System.out.println("Signature ERROR from counter signer: "
            + counterSignature.getSignerIdentifier());
      }
    } catch (SignatureException ex) {
      System.out.println("Signature ERROR from counter signer: "
          + counterSignature.getSignerIdentifier());
    }
  }
}
```
See Also: SignedData, SignedDataStream, SignerInfo
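The complete counter-sign and verify round trip sketched above, as an added example that is not part of the IAIK toolkit or of this Javadoc. It assumes the IAIK package paths used in the imports, that `Attribute.getAttributeValues()` may declare `CodingException` (the helper methods declare it so the code compiles either way), and that the caller already holds a parsed `SignerInfo`, the counter signer's certificate and private key, and a set of candidate counter signer certificates; the class name `CounterSignatureFlow` is hypothetical. Unlike the snippet above, it binds each counter signature to a candidate certificate with `isSignerCertificate()` before that certificate's public key is used, and it recurses into counter signatures of counter signatures.

```java
import java.security.PrivateKey;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.List;
import iaik.asn1.CodingException;
import iaik.asn1.ObjectID;
import iaik.asn1.structures.AlgorithmID;
import iaik.asn1.structures.Attribute;
import iaik.asn1.structures.AttributeValue;
import iaik.cms.CMSException;
import iaik.cms.IssuerAndSerialNumber;
import iaik.cms.SignerInfo;
import iaik.cms.attributes.CounterSignature;
import iaik.x509.X509Certificate;

/** Hypothetical helper (not part of the IAIK toolkit) for the counter-sign round trip. */
public final class CounterSignatureFlow {

  /**
   * Counter signs signerInfo and attaches the result as unsigned attribute.
   * A fresh CounterSignature is created per call: one object signs one signature only.
   */
  public static CounterSignature counterSign(SignerInfo signerInfo,
      X509Certificate counterCert, PrivateKey counterKey) throws SignatureException {
    CounterSignature cs = new CounterSignature(
        new IssuerAndSerialNumber(counterCert), AlgorithmID.sha256, counterKey);
    cs.counterSign(signerInfo);
    signerInfo.addUnsignedAttributes(new Attribute[] { new Attribute(cs) });
    return cs;
  }

  /**
   * Verifies every CounterSignature attached to signerInfo, recursing into counter
   * signatures of counter signatures. Returns the signer identifiers of all counter
   * signatures that did not verify; an empty list means all of them are OK.
   */
  public static List<String> verifyAll(SignerInfo signerInfo,
      X509Certificate[] candidates) throws CodingException {
    List<String> failed = new ArrayList<String>();
    Attribute attr = signerInfo.getUnsignedAttribute(ObjectID.countersignature);
    if (attr != null) {
      for (AttributeValue v : attr.getAttributeValues()) {
        check((CounterSignature) v, signerInfo, candidates, failed);
      }
    }
    return failed;
  }

  // Verifies one counter signature over 'signed' (a SignerInfo or a CounterSignature).
  // The public key is taken only from a candidate certificate that isSignerCertificate()
  // accepts, so the SignerIdentifier (and any SigningCertificate attribute) is bound to
  // the certificate before that certificate's key is trusted to verify anything.
  private static void check(CounterSignature cs, Object signed,
      X509Certificate[] candidates, List<String> failed) throws CodingException {
    boolean ok = false;
    try {
      for (X509Certificate c : candidates) {
        if (!cs.isSignerCertificate(c)) continue; // identifier or cert hash mismatch
        ok = (signed instanceof SignerInfo)
            ? cs.verify(c.getPublicKey(), (SignerInfo) signed)
            : cs.verify(c.getPublicKey(), (CounterSignature) signed);
        break;
      }
    } catch (SignatureException | CMSException ex) {
      ok = false; // failing verification process or unreadable SigningCertificate attribute
    }
    if (!ok) failed.add(String.valueOf(cs.getSignerIdentifier()));
    // a counter signature may itself be counter signed: verify those against cs
    Attribute nested = cs.getUnsignedAttribute(ObjectID.countersignature);
    if (nested != null) {
      for (AttributeValue v : nested.getAttributeValues()) {
        check((CounterSignature) v, cs, candidates, failed);
      }
    }
  }
}
```

A counter signature whose signer identifier matches none of the candidates is reported as failed rather than silently skipped, so an unexpected counter signer cannot pass unnoticed.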
Field Summary
---

| Modifier and Type | Field and Description |
|---|---|
| static ObjectID | oid: The attributeType object identifier of the CMS CounterSignature attribute. |
Constructor Summary
---

| Constructor and Description |
|---|
| CounterSignature(): Default constructor. |
| CounterSignature(ASN1Object obj): Creates a CMS CounterSignature from an ASN1Object. |
| CounterSignature(CertificateIdentifier signerIdentifier, AlgorithmID digestAlgorithm, AlgorithmID signatureAlgorithm, java.security.PrivateKey privateKey): Creates a new CounterSignature from given signerIdentifier, digestAlgorithm ID, signatureAlgorithm ID, and the signer private key. |
| CounterSignature(CertificateIdentifier signerIdentifier, AlgorithmID digestAlgorithm, java.security.PrivateKey privateKey): Creates a new CounterSignature from given signerIdentifier, digestAlgorithm ID, and the counter signer private key. |
Method Summary
---

| Modifier and Type | Method and Description |
|---|---|
| void | addSignedAttribute(Attribute attribute): Adds the given attribute to the set of signed attributes. |
| void | addSignedAttributes(Attribute[] attributes): Adds the given attributes to the set of signed attributes. |
| void | addUnsignedAttribute(Attribute attribute): Adds the given attribute to the set of unsigned attributes. |
| void | addUnsignedAttributes(Attribute[] attributes): Adds the given attributes to the set of unsigned attributes. |
| void | counterSign(byte[] signatureToBeCounterSigned): Counter signs the given signature value. |
| void | counterSign(CounterSignature counterSignature): Counter signs the given CounterSignature. |
| void | counterSign(SignerInfo signerInfo): Counter signs the given SignerInfo. |
| void | decode(ASN1Object obj): Decodes the given ASN.1 CounterSignature object for parsing the internal structure. |
| ObjectID | getAttributeType(): Returns the OID identifying the CMS CounterSignature attribute type. |
| AlgorithmID | getDigestAlgorithm(): Returns the AlgorithmID of the message-digest algorithm that has been used for digesting the content and any signed attributes. |
| SecurityProvider | getSecurityProvider(): Gets the SecurityProvider installed for this CounterSignature. |
| AlgorithmID | getSignatureAlgorithm(): Returns the signature algorithm used for calculating the signature and associated information with the signer private key. |
| byte[] | getSignatureValue(): Returns the signature value. |
| Attribute | getSignedAttribute(ObjectID oid): Returns the first signed attribute matching the given ObjectID, if included in this CounterSignature object. |
| Attribute[] | getSignedAttributes(): Returns the set of attributes that are signed by the signer. |
| Attribute[] | getSignedAttributes(ObjectID oid): Returns all signed attributes matching the given attribute type, if included in this CounterSignature object. |
| AttributeValue | getSignedAttributeValue(ObjectID oid): Returns the attribute value of a single valued signed attribute with the given type. |
| byte[] | getSignedDigest(): Returns the message digest included in the signed attributes. |
| CertificateIdentifier | getSignerIdentifier(): Returns information about the signer certificate. |
| SigningCertificate | getSigningCertificateAttribute(): Gets the SigningCertificate attribute, if included. |
| SigningCertificateV2 | getSigningCertificateV2Attribute(): Gets the SigningCertificateV2 attribute, if included. |
| Attribute | getUnsignedAttribute(ObjectID oid): Returns the first unsigned attribute matching the given ObjectID, if included in this CounterSignature object. |
| Attribute[] | getUnsignedAttributes(): Returns the set of attributes that are not signed by the signer. |
| Attribute[] | getUnsignedAttributes(ObjectID oid): Returns all unsigned attributes matching the given attribute type, if included in this CounterSignature object. |
| AttributeValue | getUnsignedAttributeValue(ObjectID oid): Returns the attribute value of a single valued unsigned attribute with the given type. |
| int | getVersion(): Returns the syntax version number (1 or 3). |
| boolean | isSignerCertificate(X509Certificate cert): Checks whether the supplied certificate actually is the certificate of the signer. |
| void | removeSignedAttribute(ObjectID attributeType): Removes all signed attributes with the given attribute type. |
| void | removeUnsignedAttribute(ObjectID attributeType): Removes all unsigned attributes with the given attribute type. |
| void | setSecurityProvider(SecurityProvider securityProvider): Sets the SecurityProvider for this CounterSignature. |
| void | setSignatureValue(byte[] signatureValue): Sets the signature value. |
| void | setSignedAttributes(Attribute[] attributes): Sets the set of attributes to be signed along with the content to be signed. |
| void | setUnsignedAttributes(Attribute[] attributes): Sets the set of attributes that are not signed by the signer. |
| ASN1Object | toASN1Object(): Returns this CounterSignature as ASN1Object. |
| java.lang.String | toString(): Returns a string giving some information about this CounterSignature object. |
| java.lang.String | toString(boolean detailed): Returns a string giving some (if requested, detailed) information about this CounterSignature object. |
| boolean | verify(java.security.PublicKey publicKey, byte[] signatureThatWasCounterSigned): Verifies the counter signature of the given signature value with the given public key. |
| boolean | verify(java.security.PublicKey publicKey, CounterSignature counterSignature): Verifies the counter signature of the given CounterSignature with the given public key. |
| boolean | verify(java.security.PublicKey publicKey, SignerInfo signerInfo): Verifies the counter signature of the given SignerInfo with the given public key. |
Methods inherited from class iaik.asn1.structures.AttributeValue: getName, multipleAllowed

Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Field Detail
---

public static final ObjectID oid
The attributeType object identifier of the CMS CounterSignature attribute.
Constructor Detail
---

public CounterSignature()
Default constructor. Creates a CounterSignature object and sets the SignerInfo version number to 1, and the signature algorithm ID to rsaEncryption.

public CounterSignature(CertificateIdentifier signerIdentifier, AlgorithmID digestAlgorithm, java.security.PrivateKey privateKey)
Creates a new CounterSignature from given signerIdentifier, digestAlgorithm ID, and the counter signer private key.
The signerIdentifier identifies the signer certificate either by issuer distinguished name and issuer-specific serial number or by SubjectKeyIdentifier. The digestAlgorithm ID specifies the message digest algorithm used for calculating the digest of the content and any signed information. The private key is used for calculating the signature. When using this constructor, the signature is calculated with the PKCS#1 rsaEncryption method.
Parameters:
signerIdentifier - information about the counter signer certificate
digestAlgorithm - the AlgorithmID of the message-digest algorithm
privateKey - the counter signer private key to be used for signing
Throws:
java.lang.IllegalArgumentException - if the supplied signerIdentifier is not a SubjectKeyID or IssuerAndSerialNumber

public CounterSignature(CertificateIdentifier signerIdentifier, AlgorithmID digestAlgorithm, AlgorithmID signatureAlgorithm, java.security.PrivateKey privateKey)
Creates a new CounterSignature from given signerIdentifier, digestAlgorithm ID, signatureAlgorithm ID, and the counter signer private key.
The signerIdentifier identifies the signer certificate either by issuer distinguished name and issuer-specific serial number or by SubjectKeyIdentifier. The digestAlgorithm ID specifies the message digest algorithm used for calculating the digest of the content and any signed information. The private key is used for calculating the signature with the given signature algorithm.
Parameters:
signerIdentifier - information about the counter signer certificate
digestAlgorithm - the AlgorithmID of the message-digest algorithm
signatureAlgorithm - the algorithm to be used for signature calculation
privateKey - the counter signer private key to be used for signing
Throws:
java.lang.IllegalArgumentException - if the supplied signerIdentifier is not a SubjectKeyID or IssuerAndSerialNumber

public CounterSignature(ASN1Object obj) throws CodingException
Creates a CMS CounterSignature from an ASN1Object.
The ASN1Object supplied to this constructor represents an already existing CounterSignature object that may have been created by calling toASN1Object.
Parameters:
obj - the CMS CounterSignature as ASN1Object
Throws:
CodingException - if the object can not be parsed

Method Detail
---
public void setSecurityProvider(SecurityProvider securityProvider)
Sets the SecurityProvider for this CounterSignature.
This method allows to explicitly set a SecurityProvider for this CounterSignature. If no explicit SecurityProvider is set, the default system wide installed SecurityProvider will be used for the required cryptographic operations.
This class may use the following method(s) of the SecurityProvider, which may be overridden by an application, if required:
- calculateSignatureFromSignedAttributes() to calculate the signature value from the encoding of the signed attributes
- calculateSignatureFromHash() to calculate the signature value from the message hash
- getHash() as may be required for cert hash calculation when querying for included SigningCertificate attributes
Parameters:
securityProvider - the SecurityProvider to be set

public SecurityProvider getSecurityProvider()
Gets the SecurityProvider installed for this CounterSignature.
This class uses the following method(s) of the SecurityProvider, which may be overridden by an application, if required:
- calculateSignatureFromSignedAttributes() to calculate the signature value from the encoding of the signed attributes
- calculateSignatureFromHash() to calculate the signature value from the message hash
- getHash() as may be required for cert hash calculation when querying for included SigningCertificate or SigningCertificateV2 attributes
If no SecurityProvider has been explicitly set for this object, the default system wide installed SecurityProvider will be used for the required cryptographic operations. However, this method will return null if the object does not have its own SecurityProvider.
Returns:
the SecurityProvider installed for this CounterSignature, or null if this object does not have its own SecurityProvider

public void decode(ASN1Object obj) throws CodingException
Decodes the given ASN.1 CounterSignature object for parsing the internal structure.
This method internally is called when creating a CMS SignerInfo object from an already existing CounterSignature object, supplied as ASN1Object.
Parameters:
obj - the CMS CounterSignature as ASN1Object
Throws:
CodingException - if the object can not be parsed

public ASN1Object toASN1Object() throws CodingException
Returns this CounterSignature as ASN1Object.
Returns:
this CounterSignature as ASN1Object
Throws:
CodingException - if the ASN1Object could not be created

public ObjectID getAttributeType()
Returns the OID identifying the CMS CounterSignature attribute type.
getAttributeType in class AttributeValue
Returns:
the OID identifying the CMS CounterSignature attribute type
public void setSignedAttributes(Attribute[] attributes)
Sets the set of attributes to be signed along with the content to be signed.
Parameters:
attributes - a set of attributes to be signed along with the content to be signed
Throws:
java.lang.IllegalArgumentException - if the given attributes contain a ContentType attribute (not allowed for CounterSignatures)

public void addSignedAttributes(Attribute[] attributes)
Adds the given attributes to the set of signed attributes.
Parameters:
attributes - the attributes to be added to the signed attributes
Throws:
java.lang.IllegalArgumentException - if the given attributes contain a ContentType attribute (not allowed for CounterSignatures)

public void addSignedAttribute(Attribute attribute)
Adds the given attribute to the set of signed attributes.
Parameters:
attribute - the attribute to be added to the signed attributes
Throws:
java.lang.IllegalArgumentException - if the given attribute is a ContentType attribute (not allowed for CounterSignatures)

public void removeSignedAttribute(ObjectID attributeType)
Removes all signed attributes with the given attribute type.
Parameters:
attributeType - the OID identifying the attribute to be removed

public SigningCertificate getSigningCertificateAttribute() throws CMSException
Gets the SigningCertificate attribute, if included.
Returns:
the SigningCertificate attribute, or null if not included
Throws:
CMSException - if an error occurs while parsing for the SigningCertificate attribute

public SigningCertificateV2 getSigningCertificateV2Attribute() throws CMSException
Gets the SigningCertificateV2 attribute, if included.
Returns:
the SigningCertificateV2 attribute, or null if not included
Throws:
CMSException - if an error occurs while parsing for the SigningCertificateV2 attribute

public byte[] getSignedDigest() throws CMSException
Returns the message digest included in the signed attributes.
Returns:
the message digest included in the signed attributes, or null if not present
Throws:
CMSException

public void setUnsignedAttributes(Attribute[] attributes)
Sets the set of attributes that are not signed by the signer.
Parameters:
attributes - a set of attributes that are not signed by the signer

public void addUnsignedAttributes(Attribute[] attributes)
Adds the given attributes to the set of unsigned attributes.
Parameters:
attributes - the attributes to be added to the unsigned attributes

public void addUnsignedAttribute(Attribute attribute)
Adds the given attribute to the set of unsigned attributes.
Parameters:
attribute - the attribute to be added to the unsigned attributes

public void removeUnsignedAttribute(ObjectID attributeType)
Removes all unsigned attributes with the given attribute type.
Parameters:
attributeType - the OID identifying the attribute to be removed

public int getVersion()
Returns the syntax version number (1 or 3).
Returns:
the syntax version number
public CertificateIdentifier getSignerIdentifier()
Returns information about the signer certificate.
The information is returned as CertificateIdentifier object specifying the signer certificate either by issuer distinguished name and issuer-specific serial number or by SubjectKeyIdentifier.
Returns:
information about the signer certificate

public boolean isSignerCertificate(X509Certificate cert) throws CMSException
Checks whether the supplied certificate actually is the certificate of the signer.
This method first checks if the signerIdentifier of this CounterSignature identifies the supplied certificate via IssuerAndSerialNumber or SubjectKeyIdentifier. If this check is successful, this method then looks if the SigningCertificate and/or the SigningCertificateV2 attributes are present and identify the given certificate as cert of the signer. If both SigningCertificate attributes are present, this method accepts the given certificate as signer certificate only if it is identified by both SigningCertificate attributes.
Parameters:
cert - the certificate to be checked of being the one of the signer
Returns:
true if the supplied certificate is the signer certificate, false if not
Throws:
CMSException - if the check cannot be completed because an error occurs when parsing the SigningCertificate or SigningCertificateV2 attribute, or a hash algorithm (required for calculating the cert hash) is not supported by the installed cryptographic providers

public AlgorithmID getDigestAlgorithm()
Returns the AlgorithmID of the message-digest algorithm that has been used for digesting the content and any signed attributes.
Returns:
the AlgorithmID of the message-digest algorithm

public Attribute[] getSignedAttributes()
Returns the set of attributes that are signed by the signer.
Returns:
the signed attributes

public Attribute getSignedAttribute(ObjectID oid)
Returns the first signed attribute matching the given ObjectID, if included in this CounterSignature object.
Parameters:
oid - the attribute type to look for
Returns:
the first signed attribute of the given type, or null if there is no attribute for the given OID

public Attribute[] getSignedAttributes(ObjectID oid)
Returns all signed attributes matching the given attribute type, if included in this CounterSignature object.
Parameters:
oid - the attribute type to look for
Returns:
all signed attributes of the given type, or null if there is no attribute for the given OID

public AttributeValue getSignedAttributeValue(ObjectID oid) throws CMSException
Returns the attribute value of a single valued signed attribute with the given type.
This method provides the possibility to immediately access the value of an attribute with the given type. This method may be used for getting the value of the first included attribute of the requested type or, more appropriately, the only value of a single valued signed attribute of the requested type. In this way, this method can be seen as an alternative to method getSignedAttribute for providing immediate access to the attribute value, e.g.:

```java
SigningCertificate signingCertificate =
    (SigningCertificate)counterSignature.getSignedAttributeValue(SigningCertificate.oid);
if (signingCertificate != null) {
  ...
}
```

Parameters:
oid - the object identifier representing the type of the attribute for which to get the value
Returns:
the attribute value, or null if no attribute of the given type is included
Throws:
CMSException - if the ASN.1 representation of the attribute value cannot be parsed
public AlgorithmID getSignatureAlgorithm()
Returns the signature algorithm used for calculating the signature and associated information with the signer private key.
Returns:
the signature algorithm

public byte[] getSignatureValue()
Returns the signature value.
Returns:
the signature value

public void setSignatureValue(byte[] signatureValue)
Sets the signature value.
Parameters:
signatureValue - the signature value, calculated from outside

public Attribute[] getUnsignedAttributes()
Returns the set of attributes that are not signed by the signer.
Returns:
the unsigned attributes

public Attribute getUnsignedAttribute(ObjectID oid)
Returns the first unsigned attribute matching the given ObjectID, if included in this CounterSignature object.
Parameters:
oid - the attribute type to look for
Returns:
the first unsigned attribute of the given type, or null if there is no attribute for the given OID

public Attribute[] getUnsignedAttributes(ObjectID oid)
Returns all unsigned attributes matching the given attribute type, if included in this CounterSignature object.
Parameters:
oid - the attribute type to look for
Returns:
all unsigned attributes of the given type, or null if there is no attribute for the given OID

public AttributeValue getUnsignedAttributeValue(ObjectID oid) throws CMSException
Returns the attribute value of a single valued unsigned attribute with the given type.
This method provides the possibility to immediately access the value of an unsigned attribute with the given type. This method may be used for getting the value of the first included unsigned attribute of the requested type or, more appropriately, the only value of a single valued unsigned attribute of the requested type. In this way, this method can be seen as an alternative to method getUnsignedAttribute for providing immediate access to the attribute value, e.g.:

```java
SigningTime signingTime =
    (SigningTime)counterSignature.getUnsignedAttributeValue(SigningTime.oid);
if (signingTime != null) {
  ...
}
```

Parameters:
oid - the object identifier representing the type of the attribute for which to get the value
Returns:
the attribute value, or null if no attribute of the given type is included
Throws:
CMSException - if the ASN.1 representation of the attribute value cannot be parsed

public java.lang.String toString()
Returns a string giving some information about this CounterSignature object.
Overrides: toString in class AttributeValue
Returns:
a string giving some information about this CounterSignature object

public java.lang.String toString(boolean detailed)
Returns a string giving some (if requested, detailed) information about this CounterSignature object.
Parameters:
detailed - whether or not to give detailed information
Returns:
a string giving some information about this CounterSignature object
public void counterSign(SignerInfo signerInfo) throws java.security.SignatureException
Counter signs the given SignerInfo. After counter signing the SignerInfo you must explicitly add the CounterSignature attribute, e.g.:

```java
...
counterSignature.counterSign(signerInfo);
// and add the counter signature as unsigned attribute
Attribute[] unsignedAttributes = new Attribute[] { new Attribute(counterSignature) };
signerInfo.addUnsignedAttributes(unsignedAttributes);
...
```

Please note that one single CounterSignature object can only sign one single signature. So do not repeatedly call this method for signing more than one signature; rather create a new CounterSignature object for any new signature to be counter signed.
Parameters:
signerInfo - the SignerInfo to be counter signed
Throws:
java.security.SignatureException - if signing fails for some reason

public void counterSign(CounterSignature counterSignature) throws java.security.SignatureException
Counter signs the given CounterSignature.
This method may be used for counter signing another CounterSignature. After counter signing the CounterSignature you must explicitly set the CounterSignature attribute, e.g.:

```java
...
counterSignature.counterSign(firstCounterSignature);
// and add the counter signature as unsigned attribute
Attribute[] unsignedAttributes = new Attribute[] { new Attribute(counterSignature) };
firstCounterSignature.addUnsignedAttributes(unsignedAttributes);
...
```

Please note that one single CounterSignature object can only sign one single signature. So do not repeatedly call this method for signing more than one signature; rather create a new CounterSignature object for any new signature to be counter signed.
Parameters:
counterSignature - the CounterSignature to be counter signed
Throws:
java.security.SignatureException - if signing fails for some reason

public void counterSign(byte[] signatureToBeCounterSigned) throws java.security.SignatureException
Counter signs the given signature value, e.g.:

```java
...
counterSignature.counterSign(signerInfo.getSignatureValue());
// and add the counter signature as unsigned attribute
Attribute[] unsignedAttributes = new Attribute[] { new Attribute(counterSignature) };
signerInfo.addUnsignedAttributes(unsignedAttributes);
...
```

Please note that one single CounterSignature object can only sign one single signature. So do not repeatedly call this method for signing more than one signature; rather create a new CounterSignature object for any new signature to be counter signed.
Parameters:
signatureToBeCounterSigned - the signature value to be counter signed
Throws:
java.security.SignatureException - if signing fails for some reason

public boolean verify(java.security.PublicKey publicKey, SignerInfo signerInfo) throws java.security.SignatureException
Verifies the counter signature of the given SignerInfo with the given public key.
The given SignerInfo represents the SignerInfo that has been counter signed, e.g.:

```java
try {
  if (counterSignature.verify(counterCert.getPublicKey(), signerInfo)) {
    System.out.println("Signature OK from counter signer: "
        + counterSignature.getSignerIdentifier());
  } else {
    System.out.println("Signature ERROR from counter signer: "
        + counterSignature.getSignerIdentifier());
  }
} catch (SignatureException ex) {
  System.out.println("Signature ERROR from counter signer: "
      + counterSignature.getSignerIdentifier());
}
```

Parameters:
publicKey - the public key of the counter signer
signerInfo - the SignerInfo that has been counter signed
Returns:
true if the signature verifies, false if not
Throws:
java.security.SignatureException - if the signature verification process fails

public boolean verify(java.security.PublicKey publicKey, CounterSignature counterSignature) throws java.security.SignatureException
Verifies the counter signature of the given CounterSignature with the given public key.
CounterSignatures may be applied recursively, i.e. one CounterSignature may be counter signed by another. The given CounterSignature represents the CounterSignature that has been counter signed, e.g.:

```java
try {
  if (counterSignature.verify(counterCert.getPublicKey(), firstCounterSignature)) {
    System.out.println("Signature OK from counter signer: "
        + counterSignature.getSignerIdentifier());
  } else {
    System.out.println("Signature ERROR from counter signer: "
        + counterSignature.getSignerIdentifier());
  }
} catch (SignatureException ex) {
  System.out.println("Signature ERROR from counter signer: "
      + counterSignature.getSignerIdentifier());
}
```

Parameters:
publicKey - the public key of the counter signer
counterSignature - the CounterSignature that has been counter signed
Returns:
true if the signature verifies, false if not
Throws:
java.security.SignatureException - if the signature verification process fails

public boolean verify(java.security.PublicKey publicKey, byte[] signatureThatWasCounterSigned) throws java.security.SignatureException
Verifies the counter signature of the given signature value with the given public key.
The given signature value may be the one of the SignerInfo that has been counter signed, e.g.:

```java
try {
  if (counterSignature.verify(counterCert.getPublicKey(), signerInfo.getSignatureValue())) {
    System.out.println("Signature OK from counter signer: "
        + counterSignature.getSignerIdentifier());
  } else {
    System.out.println("Signature ERROR from counter signer: "
        + counterSignature.getSignerIdentifier());
  }
} catch (SignatureException ex) {
  System.out.println("Signature ERROR from counter signer: "
      + counterSignature.getSignerIdentifier());
}
```

Parameters:
publicKey - the public key of the counter signer
signatureThatWasCounterSigned - the signature that has been counter signed
Returns:
true if the signature verifies, false if not
Throws:
java.security.SignatureException - if the signature verification process fails for some reason
InvalidContentHashException - if the signature verification process fails because the content hash does not match the value of the included MessageDigest attribute
InvalidContentTypeException - if the signed attributes contain a ContentType attribute (not allowed for CounterSignature)
This Javadoc may contain text parts from IETF Internet Standard specifications (see copyright note).