demo.pkcs
Class PKCS7Stream

java.lang.Object
  |
  +--demo.pkcs.PKCS7Stream

public class PKCS7Stream
extends Object

This class shows some PKCS#7 examples and uses the stream interface for processing large amounts of data.

All keys and certificates are read from a keystore created by the SetupKeyStore program.

This class tests the following PKCS#7 content type implementations:

Additionally, a SignedAndEncryptedData test is performed, which is a sequential combination of signed and enveloped data and should be prefered to the SignedAndEnvelopedData content type.

All sub-tests use the same proceeding: A test message is properly processed to give the requested content type object, which subsequently is DER encoded to be "sent" to some recipient, who parses it for the inherent structures.

Version:
File Revision 24

Constructor Summary
PKCS7Stream()
          Setup the demo certificate chains.
 
Method Summary
 ASN1Object createData(byte[] message)
          Creates a PKCS#7 Data object.
 byte[] createDataStream(byte[] message)
          Creates a PKCS#7 Data object.
 ASN1Object createDigestedData(byte[] message)
          Creates a PKCS#7 DigestedData object.
 ASN1Object createDigestedData(byte[] message, int mode)
          Creates a PKCS#7 DigestedData object.
 byte[] createDigestedDataStream(byte[] message, int mode)
          Creates a PKCS#7 DigestedData object.
 ASN1Object createEncryptedData(byte[] message, AlgorithmID pbeAlgorithm, char[] password)
          Creates a PKCS#7 EncryptedData message.
 byte[] createEncryptedDataStream(byte[] message, AlgorithmID pbeAlgorithm, char[] password)
          Creates a PKCS#7 EncryptedDataStream message.
 ASN1Object createEnvelopedData(byte[] message)
          Creates a PKCS#7 EnvelopedData message.
 byte[] createEnvelopedDataStream(byte[] message)
          Creates a PKCS#7 EnvelopedDataStream message.
 ASN1Object createSignedAndEncryptedData(byte[] message)
          Creates a SignedAndEncrypted (i.e. sequential combination of SignedData and EnvelopedData) object as suggested in the PKCS#7 specification.
 byte[] createSignedAndEncryptedDataStream(byte[] message)
          Creates a SignedAndEncrypted (i.e. sequential combination of SignedData and EnvelopedData) object as suggested in the PKCS#7 specification.
 ASN1Object createSignedAndEnvelopedData(byte[] message)
          Creates a PKCS#7 SignedAndEnvelopedData object for one recipient signed by one signer.
 byte[] createSignedAndEnvelopedDataStream(byte[] message)
          Creates a PKCS#7 SignedAndEnvelopedData object for one recipient signed by one signer.
 ASN1Object createSignedData(byte[] message, int mode)
          Creates a PKCS#7 SignedData object.
 byte[] createSignedDataStream(byte[] message, int mode)
          Creates a PKCS#7 SignedData object.
 byte[] getData(ASN1Object asn1Object)
          Parses a PKCS#7 Data object.
 byte[] getDataStream(byte[] data)
          Parses a PKCS#7 Data object.
 byte[] getDigestedData(ASN1Object asn1Obj)
          Parses a PKCS#7 DigestedData object and verifies the hash.
 byte[] getDigestedData(ASN1Object obj, byte[] message)
          Parses a PKCS#7 DigestedData object and verifies the hash value.
 byte[] getDigestedDataStream(byte[] digestedData, byte[] message)
          Parses a PKCS#7 DigestedData object and verifies the hash.
 byte[] getEncryptedData(ASN1Object asn1Object, char[] password)
          Decrypts the PBE-encrypted content of the given EncryptedData object using the specified password and returns the decrypted (= original) message.
 byte[] getEncryptedDataStream(byte[] encoding, char[] password)
          Decrypts the PBE-encrypted content of the given EncryptedData object using the specified password and returns the decrypted (= original) message.
 byte[] getEnvelopedData(ASN1Object obj, PrivateKey privateKey, int recipientInfoIndex)
          Decrypts the encrypted content of the given EnvelopedData object for the specified recipient and returns the decrypted (= original) message.
 byte[] getEnvelopedDataStream(byte[] encoding, PrivateKey privateKey, int recipientInfoIndex)
          Decrypts the encrypted content of the given EnvelopedData object for the specified recipient and returns the decrypted (= original) message.
 byte[] getSignedAndEncryptedData(ASN1Object obj)
          Recovers the original message and verifies the signature.
 byte[] getSignedAndEncryptedDataStream(byte[] in)
          Recovers the original message and verifies the signature.
 byte[] getSignedAndEnvelopedData(ASN1Object obj)
          Decrypts the encrypted content of the given SignedAndEnvelopedData object and returns the decrypted (= original) message.
 byte[] getSignedAndEnvelopedDataStream(byte[] encoding)
          Decrypts the encrypted content of the given SignedAndEnvelopedData object and returns the decrypted (= original) message.
 byte[] getSignedData(ASN1Object obj, byte[] message)
          Parses a PKCS#7 SignedData object and verifies the signatures for all participated signers.
 byte[] getSignedDataStream(byte[] signedData, byte[] message)
          Parses a PKCS#7 SignedData object and verifies the signatures for all participated signers.
static void main(String[] argv)
          Starts the PKCS#7 content type implementation tests.
 void start()
          Tests the PKCS#7 content type implementations Data, EnvelopedData, SignedData, SignedAndEnvelopedData, DigestedData and EncryptedData.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PKCS7Stream

public PKCS7Stream()
            throws IOException
Setup the demo certificate chains. Keys and certificate are retrieved from the demo KeyStore.
Throws:
IOException - if an file read error occurs
Method Detail

createDataStream

public byte[] createDataStream(byte[] message)
                        throws PKCSException,
                               IOException
Creates a PKCS#7 Data object.

Parameters:
message - the message to be sent, as byte representation
Returns:
the DER encoding of the Data object just created
Throws:
PKCSException - if the Data object cannot be created

getDataStream

public byte[] getDataStream(byte[] data)
                     throws PKCSException,
                            IOException
Parses a PKCS#7 Data object.
Parameters:
data - the Data object as DER encoded byte array
Returns:
the inherent message as byte array, or null if there is no message included into the supplied data object
Throws:
IOException - if an IOException occurs
PKCSException - if an parsing exception occurs

createEnvelopedDataStream

public byte[] createEnvelopedDataStream(byte[] message)
                                 throws PKCSException,
                                        IOException
Creates a PKCS#7 EnvelopedDataStream message.

The enveloped-data content type consists of encrypted content of any type and encrypted content-encryption keys for one or more recipients. The combination of encrypted content and encrypted content-encryption key for a recipient is a "digital envelope" for that recipient. Any type of content can be enveloped for any number of recipients in parallel.

Parameters:
message - the message to be enveloped, as byte representation
Returns:
the DER encoding of the EnvelopedData object just created
Throws:
PKCSException - if the EnvelopedData object cannot be created

getEnvelopedDataStream

public byte[] getEnvelopedDataStream(byte[] encoding,
                                     PrivateKey privateKey,
                                     int recipientInfoIndex)
                              throws PKCSException,
                                     IOException
Decrypts the encrypted content of the given EnvelopedData object for the specified recipient and returns the decrypted (= original) message.
Parameters:
encoding - the EnvelopedData object as DER encoded byte array
privateKey - the private key to decrypt the message
recipientInfoIndex - the index into the RecipientInfo array to which the specified private key belongs
Returns:
the recovered message, as byte array
Throws:
PKCSException - if the message cannot be recovered

createSignedDataStream

public byte[] createSignedDataStream(byte[] message,
                                     int mode)
                              throws PKCSException,
                                     IOException
Creates a PKCS#7 SignedData object.

The signed-data content type consists of content of any type and encrypted message digests of the content for zero or more signers. The encrypted digest for a signer is a "digital signature" on the content for that signer. Any type of content can be signed by any number of signers in parallel. Furthermore, the syntax has a degenerate case in which there are no signers on the content. The degenerate case provides a means for disseminating certificates and certificate-revocation lists.

Parameters:
message - the message to be signed, as byte representation
mode - the transmission mode, either IMPLICIT or EXPLICIT
Returns:
the DER encoding of the SignedData object just created
Throws:
PKCSException - if the SignedData object cannot be created

getSignedDataStream

public byte[] getSignedDataStream(byte[] signedData,
                                  byte[] message)
                           throws PKCSException,
                                  IOException
Parses a PKCS#7 SignedData object and verifies the signatures for all participated signers.
Parameters:
signedData - SignedData object as DER encoded byte array
message - the the message which was transmitted out-of-band (explicit signed)
Returns:
the inherent message as byte array
Throws:
PKCSException - if any signature does not verify

createSignedAndEnvelopedDataStream

public byte[] createSignedAndEnvelopedDataStream(byte[] message)
                                          throws PKCSException,
                                                 IOException
Creates a PKCS#7 SignedAndEnvelopedData object for one recipient signed by one signer.

The signed-and-enveloped-data content type consists of encrypted content of any type, encrypted content-encryption keys for one or more recipients, and doubly encrypted message digests for one or more signers. The "double encryption" consists of an encryption with a signer's private key followed by an encryption with the content-encryption key.

The combination of encrypted content and encrypted content-encryption key for a recipient is a "digital envelope" for that recipient. The recovered singly encrypted message digest for a signer is a "digital signature" on the recovered content for that signer. Any type of content can be enveloped for any number of recipients and signed by any number of signers in parallel.

Parameters:
message - the message to be signed and enveloped, as byte representation
Returns:
the DER encoding of the SignedAndEnvelopedData object just created
Throws:
PKCSException - if the SignedAndEnvelopedData object cannot be created

getSignedAndEnvelopedDataStream

public byte[] getSignedAndEnvelopedDataStream(byte[] encoding)
                                       throws PKCSException,
                                              IOException
Decrypts the encrypted content of the given SignedAndEnvelopedData object and returns the decrypted (= original) message.

The SignedAndEnvelopedData is given as DER encoded byte array hoding an encrypted message for one recipient, signed by one signer. This method recovers and returns the original message for the recipient and verifies the signature of the signer.

Parameters:
encoding - the SignedAndEnvelopedData object as DER encoded byte array
Returns:
the recovered message, as byte array
Throws:
PKCSException - if the message cannot be recovered

createSignedAndEncryptedDataStream

public byte[] createSignedAndEncryptedDataStream(byte[] message)
                                          throws PKCSException,
                                                 IOException
Creates a SignedAndEncrypted (i.e. sequential combination of SignedData and EnvelopedData) object as suggested in the PKCS#7 specification.

PKCS#7 specification:

Note. The signed-and-enveloped-data content type provides cryptographic enhancements similar to those resulting from the sequential combination of signed-data and enveloped-data content types. However, since the signed-and-enveloped-data content type does not have authenticated or unauthenticated attributes, nor does it provide enveloping of signer information other than the signature, the sequential combination of signed-data and enveloped-data content types is generally preferable to the SignedAndEnvelopedData content type, except when compatibility with the ENCRYPTED process type in Privacy-Enhanced Mail in intended.

Parameters:
message - the message to be signed and encrypted, as byte representation
Returns:
the DER encoding of the signed and encrypted message object just created
Throws:
PKCSException - if the the SignedData or EnvelopedData object cannot be created

getSignedAndEncryptedDataStream

public byte[] getSignedAndEncryptedDataStream(byte[] in)
                                       throws PKCSException,
                                              IOException
Recovers the original message and verifies the signature.
Returns:
the recovered message, as byte array
Throws:
PKCSException - if the message cannot be recovered

createDigestedDataStream

public byte[] createDigestedDataStream(byte[] message,
                                       int mode)
                                throws PKCSException,
                                       IOException
Creates a PKCS#7 DigestedData object.

Parameters:
message - the message to be digested, as byte representation
Returns:
the DER encoding of the DigestedData object just created
Throws:
PKCSException - if the DigestedData object cannot be created

getDigestedDataStream

public byte[] getDigestedDataStream(byte[] digestedData,
                                    byte[] message)
                             throws PKCSException,
                                    IOException
Parses a PKCS#7 DigestedData object and verifies the hash.
Parameters:
digestedData - DigestedData object as DER encoded byte array
message - the the message which was transmitted out-of-band
Returns:
the inherent message as byte array
Throws:
PKCSException - if any signature does not verify

createEncryptedDataStream

public byte[] createEncryptedDataStream(byte[] message,
                                        AlgorithmID pbeAlgorithm,
                                        char[] password)
                                 throws PKCSException,
                                        IOException
Creates a PKCS#7 EncryptedDataStream message.

The supplied content is PBE-encrypted using the specified password.

Parameters:
message - the message to be encrypted, as byte representation
pbeAlgorithm - the PBE algorithm to be used
password - the password
Returns:
the DER encoding of the EncryptedData object just created
Throws:
PKCSException - if the EncryptedData object cannot be created

getEncryptedDataStream

public byte[] getEncryptedDataStream(byte[] encoding,
                                     char[] password)
                              throws PKCSException,
                                     IOException
Decrypts the PBE-encrypted content of the given EncryptedData object using the specified password and returns the decrypted (= original) message.
Parameters:
encoding - the EncryptedData object as DER encoded byte array
password - the password to decrypt the message
Returns:
the recovered message, as byte array
Throws:
PKCSException - if the message cannot be recovered

createData

public ASN1Object createData(byte[] message)
                      throws PKCSException,
                             IOException
Creates a PKCS#7 Data object.

Parameters:
message - the message to be sent, as byte representation
Returns:
the ASN.1 representation of the Data object just created
Throws:
PKCSException - if the Data object cannot be created

getData

public byte[] getData(ASN1Object asn1Object)
               throws PKCSException,
                      IOException
Parses a PKCS#7 Data object.
Parameters:
asn1Object - the Data object as ASN.1 object
Returns:
the inherent message as byte array
Throws:
IOException - if an IOException occurs
PKCSException - if an parsing exception occurs

createEnvelopedData

public ASN1Object createEnvelopedData(byte[] message)
                               throws PKCSException,
                                      IOException
Creates a PKCS#7 EnvelopedData message.

The enveloped-data content type consists of encrypted content of any type and encrypted content-encryption keys for one or more recipients. The combination of encrypted content and encrypted content-encryption key for a recipient is a "digital envelope" for that recipient. Any type of content can be enveloped for any number of recipients in parallel.

Parameters:
message - the message to be enveloped, as byte representation
Returns:
the EnvelopedData as ASN.1 object
Throws:
PKCSException - if the EnvelopedData object cannot be created

getEnvelopedData

public byte[] getEnvelopedData(ASN1Object obj,
                               PrivateKey privateKey,
                               int recipientInfoIndex)
                        throws PKCSException,
                               IOException
Decrypts the encrypted content of the given EnvelopedData object for the specified recipient and returns the decrypted (= original) message.
Parameters:
obj - the EnvelopedData as ASN.1 object
privateKey - the private key to decrypt the message
recipientInfoIndex - the index into the RecipientInfo array to which the specified private key belongs
Returns:
the recovered message, as byte array
Throws:
PKCSException - if the message cannot be recovered

createSignedData

public ASN1Object createSignedData(byte[] message,
                                   int mode)
                            throws PKCSException,
                                   IOException
Creates a PKCS#7 SignedData object.

The signed-data content type consists of content of any type and encrypted message digests of the content for zero or more signers. The encrypted digest for a signer is a "digital signature" on the content for that signer. Any type of content can be signed by any number of signers in parallel. Furthermore, the syntax has a degenerate case in which there are no signers on the content. The degenerate case provides a means for disseminating certificates and certificate-revocation lists.

Parameters:
message - the message to be signed, as byte representation
Returns:
the SignedData object as ASN.1 object
Throws:
PKCSException - if the SignedData object cannot be created

getSignedData

public byte[] getSignedData(ASN1Object obj,
                            byte[] message)
                     throws PKCSException,
                            IOException
Parses a PKCS#7 SignedData object and verifies the signatures for all participated signers.
Parameters:
obj - SignedData object in ASN.1 representation
message - the the message which was transmitted out-of-band (explicit signed)
Returns:
the inherent message as byte array
Throws:
PKCSException - if any signature does not verify

createSignedAndEnvelopedData

public ASN1Object createSignedAndEnvelopedData(byte[] message)
                                        throws PKCSException,
                                               IOException
Creates a PKCS#7 SignedAndEnvelopedData object for one recipient signed by one signer.

The signed-and-enveloped-data content type consists of encrypted content of any type, encrypted content-encryption keys for one or more recipients, and doubly encrypted message digests for one or more signers. The "double encryption" consists of an encryption with a signer's private key followed by an encryption with the content-encryption key.

The combination of encrypted content and encrypted content-encryption key for a recipient is a "digital envelope" for that recipient. The recovered singly encrypted message digest for a signer is a "digital signature" on the recovered content for that signer. Any type of content can be enveloped for any number of recipients and signed by any number of signers in parallel.

Parameters:
message - the message to be signed and enveloped, as byte representation
Returns:
the SignedAndEnvelopedData as ASN.1 object
Throws:
PKCSException - if the SignedAndEnvelopedData object cannot be created

getSignedAndEnvelopedData

public byte[] getSignedAndEnvelopedData(ASN1Object obj)
                                 throws PKCSException,
                                        IOException
Decrypts the encrypted content of the given SignedAndEnvelopedData object and returns the decrypted (= original) message.

The SignedAndEnvelopedData is given as DER encoded byte array hoding an encrypted message for one recipient, signed by one signer. This method recovers and returns the original message for the recipient and verifies the signature of the signer.

Parameters:
obj - the SignedAndEnvelopedData object in ASN.1 representation
Returns:
the recovered message, as byte array
Throws:
PKCSException - if the message cannot be recovered

createSignedAndEncryptedData

public ASN1Object createSignedAndEncryptedData(byte[] message)
                                        throws PKCSException,
                                               IOException
Creates a SignedAndEncrypted (i.e. sequential combination of SignedData and EnvelopedData) object as suggested in the PKCS#7 specification.

PKCS#7 specification:

Note. The signed-and-enveloped-data content type provides cryptographic enhancements similar to those resulting from the sequential combination of signed-data and enveloped-data content types. However, since the signed-and-enveloped-data content type does not have authenticated or unauthenticated attributes, nor does it provide enveloping of signer information other than the signature, the sequential combination of signed-data and enveloped-data content types is generally preferable to the SignedAndEnvelopedData content type, except when compatibility with the ENCRYPTED process type in Privacy-Enhanced Mail in intended.

Parameters:
message - the message to be signed and encrypted, as byte representation
Returns:
the the signed and encrypted message as ASN.1 Object
Throws:
PKCSException - if the the SignedData or EnvelopedData object cannot be created

getSignedAndEncryptedData

public byte[] getSignedAndEncryptedData(ASN1Object obj)
                                 throws PKCSException,
                                        IOException
Recovers the original message and verifies the signature.
Returns:
the recovered message, as byte array
Throws:
PKCSException - if the message cannot be recovered

createDigestedData

public ASN1Object createDigestedData(byte[] message)
                              throws Exception
Creates a PKCS#7 DigestedData object.

Parameters:
message - the message to be digested, as byte representation
Returns:
the DigestedData as ASN.1 object
Throws:
Exception - if the DigestedData object cannot be created

getDigestedData

public byte[] getDigestedData(ASN1Object asn1Obj)
                       throws PKCSException,
                              IOException,
                              NoSuchAlgorithmException
Parses a PKCS#7 DigestedData object and verifies the hash.
Parameters:
asn1Obj - the DigestedData as ASN.1 object
Returns:
the inherent message as byte array
Throws:
PKCSException - if any signature does not verify

createDigestedData

public ASN1Object createDigestedData(byte[] message,
                                     int mode)
                              throws PKCSException,
                                     IOException
Creates a PKCS#7 DigestedData object.

Parameters:
message - the message to be digested, as byte representation
Returns:
the DigestedData as ASN.1 object
Throws:
PKCSException - if the DigestedData object cannot be created

getDigestedData

public byte[] getDigestedData(ASN1Object obj,
                              byte[] message)
                       throws PKCSException,
                              IOException
Parses a PKCS#7 DigestedData object and verifies the hash value.
Parameters:
obj - DigestedData object in ASN.1 representation
message - the the message which was transmitted out-of-band (explicit digested)
Returns:
the message
Throws:
PKCSException - if some parsing exception occurs

createEncryptedData

public ASN1Object createEncryptedData(byte[] message,
                                      AlgorithmID pbeAlgorithm,
                                      char[] password)
                               throws PKCSException,
                                      IOException
Creates a PKCS#7 EncryptedData message.

The supplied content is PBE-encrypted using the specified password.

Parameters:
message - the message to be encrypted, as byte representation
pbeAlgorithm - the PBE algorithm to be used
password - the password
Returns:
the DER encoding of the EncryptedData object just created
Throws:
PKCSException - if the EncryptedData object cannot be created

getEncryptedData

public byte[] getEncryptedData(ASN1Object asn1Object,
                               char[] password)
                        throws PKCSException,
                               IOException
Decrypts the PBE-encrypted content of the given EncryptedData object using the specified password and returns the decrypted (= original) message.
Parameters:
asn1Object - the EncryptedData object as ASN1Object
password - the password to decrypt the message
Returns:
the recovered message, as byte array
Throws:
PKCSException - if the message cannot be recovered

start

public void start()
Tests the PKCS#7 content type implementations Data, EnvelopedData, SignedData, SignedAndEnvelopedData, DigestedData and EncryptedData. An additional SignedAndEncryptedData test sequentially combines signed and enveloped data, which should be prefered to the SignedAndEnvelopedData content type.

main

public static void main(String[] argv)
                 throws Exception
Starts the PKCS#7 content type implementation tests.
Throws:
IOException - if an I/O error occurs when reading required keys and certificates from files

This Javadoc may contain text parts from Internet Standard specifications (RFC 2459, 3280, 3039, 2560, 1521, 821, 822, 2253, 1319, 1321, ,2630, 2631, 2268, 3058, 2984, 2104, 2144, 2040, 2311, 2279, see copyright note) and RSA Data Security Public-Key Cryptography Standards (PKCS#1,3,5,7,8,9,10,12, see copyright note).

IAIK-JCE 3.1 with IAIK-JCE CC Core 3.1, (c) 1997-2004 IAIK