package org.bouncycastle.tsp;
import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.SimpleTimeZone;
import org.bouncycastle.asn1.ASN1Boolean;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.ess.ESSCertID;
import org.bouncycastle.asn1.ess.ESSCertIDv2;
import org.bouncycastle.asn1.ess.SigningCertificate;
import org.bouncycastle.asn1.ess.SigningCertificateV2;
import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.tsp.Accuracy;
import org.bouncycastle.asn1.tsp.MessageImprint;
import org.bouncycastle.asn1.tsp.TSTInfo;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.IssuerSerial;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSAttributeTableGenerationException;
import org.bouncycastle.cms.CMSAttributeTableGenerator;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.SignerInfoGenerator;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.util.CollectionStore;
import org.bouncycastle.util.Store;
Currently the class supports ESSCertID by if a digest calculator based on SHA1 is passed in, otherwise it uses
ESSCertIDv2. In the event you need to pass both types, you will need to override the SignedAttributeGenerator
for the SignerInfoGeneratorBuilder you are using. For the default for ESSCertIDv2 the code will look something
like the following:
final ESSCertID essCertid = new ESSCertID(certHashSha1, issuerSerial);
final ESSCertIDv2 essCertidV2 = new ESSCertIDv2(certHashSha256, issuerSerial);
signerInfoGenBuilder.setSignedAttributeGenerator(new CMSAttributeTableGenerator()
{
public AttributeTable getAttributes(Map parameters)
throws CMSAttributeTableGenerationException
{
CMSAttributeTableGenerator attrGen = new DefaultSignedAttributeTableGenerator();
AttributeTable table = attrGen.getAttributes(parameters);
table = table.add(PKCSObjectIdentifiers.id_aa_signingCertificate, new SigningCertificate(essCertid));
table = table.add(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new SigningCertificateV2(essCertidV2));
return table;
}
});
/**
* Currently the class supports ESSCertID by if a digest calculator based on SHA1 is passed in, otherwise it uses
* ESSCertIDv2. In the event you need to pass both types, you will need to override the SignedAttributeGenerator
* for the SignerInfoGeneratorBuilder you are using. For the default for ESSCertIDv2 the code will look something
* like the following:
* <pre>
* final ESSCertID essCertid = new ESSCertID(certHashSha1, issuerSerial);
* final ESSCertIDv2 essCertidV2 = new ESSCertIDv2(certHashSha256, issuerSerial);
*
* signerInfoGenBuilder.setSignedAttributeGenerator(new CMSAttributeTableGenerator()
* {
* public AttributeTable getAttributes(Map parameters)
* throws CMSAttributeTableGenerationException
* {
* CMSAttributeTableGenerator attrGen = new DefaultSignedAttributeTableGenerator();
*
* AttributeTable table = attrGen.getAttributes(parameters);
*
* table = table.add(PKCSObjectIdentifiers.id_aa_signingCertificate, new SigningCertificate(essCertid));
* table = table.add(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new SigningCertificateV2(essCertidV2));
*
* return table;
* }
* });
* </pre>
*/
public class TimeStampTokenGenerator
{
Create time-stamps with a resolution of 1 second (the default).
/**
* Create time-stamps with a resolution of 1 second (the default).
*/
public static final int R_SECONDS = 0;
Create time-stamps with a resolution of 1 tenth of a second.
/**
* Create time-stamps with a resolution of 1 tenth of a second.
*/
public static final int R_TENTHS_OF_SECONDS = 1;
Create time-stamps with a resolution of 1 microsecond.
/**
* Create time-stamps with a resolution of 1 microsecond.
*/
public static final int R_MICROSECONDS = 2;
Create time-stamps with a resolution of 1 millisecond.
/**
* Create time-stamps with a resolution of 1 millisecond.
*/
public static final int R_MILLISECONDS = 3;
private int resolution = R_SECONDS;
private Locale locale = null; // default locale
private int accuracySeconds = -1;
private int accuracyMillis = -1;
private int accuracyMicros = -1;
boolean ordering = false;
GeneralName tsa = null;
private ASN1ObjectIdentifier tsaPolicyOID;
private List certs = new ArrayList();
private List crls = new ArrayList();
private List attrCerts = new ArrayList();
private Map otherRevoc = new HashMap();
private SignerInfoGenerator signerInfoGen;
Basic Constructor - set up a calculator based on signerInfoGen with a ESSCertID calculated from
the signer's associated certificate using the sha1DigestCalculator. If alternate values are required
for id-aa-signingCertificate they should be added to the signerInfoGen object before it is passed in,
otherwise a standard digest based value will be added.
Params: - signerInfoGen – the generator for the signer we are using.
- digestCalculator – calculator for to use for digest of certificate.
- tsaPolicy – tasPolicy to send.
Throws: - IllegalArgumentException – if calculator is not SHA-1 or there is no associated certificate for the signer,
- TSPException – if the signer certificate cannot be processed.
/**
* Basic Constructor - set up a calculator based on signerInfoGen with a ESSCertID calculated from
* the signer's associated certificate using the sha1DigestCalculator. If alternate values are required
* for id-aa-signingCertificate they should be added to the signerInfoGen object before it is passed in,
* otherwise a standard digest based value will be added.
*
* @param signerInfoGen the generator for the signer we are using.
* @param digestCalculator calculator for to use for digest of certificate.
* @param tsaPolicy tasPolicy to send.
* @throws IllegalArgumentException if calculator is not SHA-1 or there is no associated certificate for the signer,
* @throws TSPException if the signer certificate cannot be processed.
*/
public TimeStampTokenGenerator(
final SignerInfoGenerator signerInfoGen,
DigestCalculator digestCalculator,
ASN1ObjectIdentifier tsaPolicy)
throws IllegalArgumentException, TSPException
{
this(signerInfoGen, digestCalculator, tsaPolicy, false);
}
Basic Constructor - set up a calculator based on signerInfoGen with a ESSCertID calculated from
the signer's associated certificate using the sha1DigestCalculator. If alternate values are required
for id-aa-signingCertificate they should be added to the signerInfoGen object before it is passed in,
otherwise a standard digest based value will be added.
Params: - signerInfoGen – the generator for the signer we are using.
- digestCalculator – calculator for to use for digest of certificate.
- tsaPolicy – tasPolicy to send.
- isIssuerSerialIncluded – should issuerSerial be included in the ESSCertIDs, true if yes, by default false.
Throws: - IllegalArgumentException – if calculator is not SHA-1 or there is no associated certificate for the signer,
- TSPException – if the signer certificate cannot be processed.
/**
* Basic Constructor - set up a calculator based on signerInfoGen with a ESSCertID calculated from
* the signer's associated certificate using the sha1DigestCalculator. If alternate values are required
* for id-aa-signingCertificate they should be added to the signerInfoGen object before it is passed in,
* otherwise a standard digest based value will be added.
*
* @param signerInfoGen the generator for the signer we are using.
* @param digestCalculator calculator for to use for digest of certificate.
* @param tsaPolicy tasPolicy to send.
* @param isIssuerSerialIncluded should issuerSerial be included in the ESSCertIDs, true if yes, by default false.
* @throws IllegalArgumentException if calculator is not SHA-1 or there is no associated certificate for the signer,
* @throws TSPException if the signer certificate cannot be processed.
*/
public TimeStampTokenGenerator(
final SignerInfoGenerator signerInfoGen,
DigestCalculator digestCalculator,
ASN1ObjectIdentifier tsaPolicy,
boolean isIssuerSerialIncluded)
throws IllegalArgumentException, TSPException
{
this.signerInfoGen = signerInfoGen;
this.tsaPolicyOID = tsaPolicy;
if (!signerInfoGen.hasAssociatedCertificate())
{
throw new IllegalArgumentException("SignerInfoGenerator must have an associated certificate");
}
X509CertificateHolder assocCert = signerInfoGen.getAssociatedCertificate();
TSPUtil.validateCertificate(assocCert);
try
{
OutputStream dOut = digestCalculator.getOutputStream();
dOut.write(assocCert.getEncoded());
dOut.close();
if (digestCalculator.getAlgorithmIdentifier().getAlgorithm().equals(OIWObjectIdentifiers.idSHA1))
{
final ESSCertID essCertid = new ESSCertID(digestCalculator.getDigest(),
isIssuerSerialIncluded ? new IssuerSerial(new GeneralNames(new GeneralName(assocCert.getIssuer())), assocCert.getSerialNumber())
: null);
this.signerInfoGen = new SignerInfoGenerator(signerInfoGen, new CMSAttributeTableGenerator()
{
public AttributeTable getAttributes(Map parameters)
throws CMSAttributeTableGenerationException
{
AttributeTable table = signerInfoGen.getSignedAttributeTableGenerator().getAttributes(parameters);
if (table.get(PKCSObjectIdentifiers.id_aa_signingCertificate) == null)
{
return table.add(PKCSObjectIdentifiers.id_aa_signingCertificate, new SigningCertificate(essCertid));
}
return table;
}
}, signerInfoGen.getUnsignedAttributeTableGenerator());
}
else
{
AlgorithmIdentifier digAlgID = new AlgorithmIdentifier(digestCalculator.getAlgorithmIdentifier().getAlgorithm());
final ESSCertIDv2 essCertid = new ESSCertIDv2(digAlgID, digestCalculator.getDigest(),
isIssuerSerialIncluded ? new IssuerSerial(new GeneralNames(new GeneralName(assocCert.getIssuer())), new ASN1Integer(assocCert.getSerialNumber()))
: null);
this.signerInfoGen = new SignerInfoGenerator(signerInfoGen, new CMSAttributeTableGenerator()
{
public AttributeTable getAttributes(Map parameters)
throws CMSAttributeTableGenerationException
{
AttributeTable table = signerInfoGen.getSignedAttributeTableGenerator().getAttributes(parameters);
if (table.get(PKCSObjectIdentifiers.id_aa_signingCertificateV2) == null)
{
return table.add(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new SigningCertificateV2(essCertid));
}
return table;
}
}, signerInfoGen.getUnsignedAttributeTableGenerator());
}
}
catch (IOException e)
{
throw new TSPException("Exception processing certificate.", e);
}
}
Add the store of X509 Certificates to the generator.
Params: - certStore – a Store containing X509CertificateHolder objects
/**
* Add the store of X509 Certificates to the generator.
*
* @param certStore a Store containing X509CertificateHolder objects
*/
public void addCertificates(
Store certStore)
{
certs.addAll(certStore.getMatches(null));
}
Params: - crlStore – a Store containing X509CRLHolder objects.
/**
*
* @param crlStore a Store containing X509CRLHolder objects.
*/
public void addCRLs(
Store crlStore)
{
crls.addAll(crlStore.getMatches(null));
}
Params: - attrStore – a Store containing X509AttributeCertificate objects.
/**
*
* @param attrStore a Store containing X509AttributeCertificate objects.
*/
public void addAttributeCertificates(
Store attrStore)
{
attrCerts.addAll(attrStore.getMatches(null));
}
Add a Store of otherRevocationData to the CRL set to be included with the generated TimeStampToken.
Params: - otherRevocationInfoFormat – the OID specifying the format of the otherRevocationInfo data.
- otherRevocationInfos – a Store of otherRevocationInfo data to add.
/**
* Add a Store of otherRevocationData to the CRL set to be included with the generated TimeStampToken.
*
* @param otherRevocationInfoFormat the OID specifying the format of the otherRevocationInfo data.
* @param otherRevocationInfos a Store of otherRevocationInfo data to add.
*/
public void addOtherRevocationInfo(
ASN1ObjectIdentifier otherRevocationInfoFormat,
Store otherRevocationInfos)
{
otherRevoc.put(otherRevocationInfoFormat, otherRevocationInfos.getMatches(null));
}
Set the resolution of the time stamp - R_SECONDS (the default), R_TENTH_OF_SECONDS, R_MICROSECONDS, R_MILLISECONDS
Params: - resolution – resolution of timestamps to be produced.
/**
* Set the resolution of the time stamp - R_SECONDS (the default), R_TENTH_OF_SECONDS, R_MICROSECONDS, R_MILLISECONDS
*
* @param resolution resolution of timestamps to be produced.
*/
public void setResolution(int resolution)
{
this.resolution = resolution;
}
Set a Locale for time creation - you may need to use this if the default locale
doesn't use a Gregorian calender so that the GeneralizedTime produced is compatible with other ASN.1 implementations.
Params: - locale – a locale to use for converting system time into a GeneralizedTime.
/**
* Set a Locale for time creation - you may need to use this if the default locale
* doesn't use a Gregorian calender so that the GeneralizedTime produced is compatible with other ASN.1 implementations.
*
* @param locale a locale to use for converting system time into a GeneralizedTime.
*/
public void setLocale(Locale locale)
{
this.locale = locale;
}
public void setAccuracySeconds(int accuracySeconds)
{
this.accuracySeconds = accuracySeconds;
}
public void setAccuracyMillis(int accuracyMillis)
{
this.accuracyMillis = accuracyMillis;
}
public void setAccuracyMicros(int accuracyMicros)
{
this.accuracyMicros = accuracyMicros;
}
public void setOrdering(boolean ordering)
{
this.ordering = ordering;
}
public void setTSA(GeneralName tsa)
{
this.tsa = tsa;
}
Generate a TimeStampToken for the passed in request and serialNumber marking it with the passed in genTime.
Params: - request – the originating request.
- serialNumber – serial number for the TimeStampToken
- genTime – token generation time.
Throws: Returns: a TimeStampToken
/**
* Generate a TimeStampToken for the passed in request and serialNumber marking it with the passed in genTime.
*
* @param request the originating request.
* @param serialNumber serial number for the TimeStampToken
* @param genTime token generation time.
* @return a TimeStampToken
* @throws TSPException
*/
public TimeStampToken generate(
TimeStampRequest request,
BigInteger serialNumber,
Date genTime)
throws TSPException
{
return generate(request, serialNumber, genTime, null);
}
Generate a TimeStampToken for the passed in request and serialNumber marking it with the passed in genTime.
Params: - request – the originating request.
- serialNumber – serial number for the TimeStampToken
- genTime – token generation time.
- additionalExtensions – extra extensions to be added to the response token.
Throws: Returns: a TimeStampToken
/**
* Generate a TimeStampToken for the passed in request and serialNumber marking it with the passed in genTime.
*
* @param request the originating request.
* @param serialNumber serial number for the TimeStampToken
* @param genTime token generation time.
* @param additionalExtensions extra extensions to be added to the response token.
* @return a TimeStampToken
* @throws TSPException
*/
public TimeStampToken generate(
TimeStampRequest request,
BigInteger serialNumber,
Date genTime,
Extensions additionalExtensions)
throws TSPException
{
ASN1ObjectIdentifier digestAlgOID = request.getMessageImprintAlgOID();
AlgorithmIdentifier algID = new AlgorithmIdentifier(digestAlgOID, DERNull.INSTANCE);
MessageImprint messageImprint = new MessageImprint(algID, request.getMessageImprintDigest());
Accuracy accuracy = null;
if (accuracySeconds > 0 || accuracyMillis > 0 || accuracyMicros > 0)
{
ASN1Integer seconds = null;
if (accuracySeconds > 0)
{
seconds = new ASN1Integer(accuracySeconds);
}
ASN1Integer millis = null;
if (accuracyMillis > 0)
{
millis = new ASN1Integer(accuracyMillis);
}
ASN1Integer micros = null;
if (accuracyMicros > 0)
{
micros = new ASN1Integer(accuracyMicros);
}
accuracy = new Accuracy(seconds, millis, micros);
}
ASN1Boolean derOrdering = null;
if (ordering)
{
derOrdering = ASN1Boolean.getInstance(ordering);
}
ASN1Integer nonce = null;
if (request.getNonce() != null)
{
nonce = new ASN1Integer(request.getNonce());
}
ASN1ObjectIdentifier tsaPolicy = tsaPolicyOID;
if (request.getReqPolicy() != null)
{
tsaPolicy = request.getReqPolicy();
}
Extensions respExtensions = request.getExtensions();
if (additionalExtensions != null)
{
ExtensionsGenerator extGen = new ExtensionsGenerator();
if (respExtensions != null)
{
for (Enumeration en = respExtensions.oids(); en.hasMoreElements(); )
{
extGen.addExtension(respExtensions.getExtension(ASN1ObjectIdentifier.getInstance(en.nextElement())));
}
}
for (Enumeration en = additionalExtensions.oids(); en.hasMoreElements(); )
{
extGen.addExtension(additionalExtensions.getExtension(ASN1ObjectIdentifier.getInstance(en.nextElement())));
}
respExtensions = extGen.generate();
}
ASN1GeneralizedTime timeStampTime;
if (resolution == R_SECONDS)
{
timeStampTime = (locale == null) ? new ASN1GeneralizedTime(genTime) : new ASN1GeneralizedTime(genTime, locale);
}
else
{
timeStampTime = createGeneralizedTime(genTime);
}
TSTInfo tstInfo = new TSTInfo(tsaPolicy,
messageImprint, new ASN1Integer(serialNumber),
timeStampTime, accuracy, derOrdering,
nonce, tsa, respExtensions);
try
{
CMSSignedDataGenerator signedDataGenerator = new CMSSignedDataGenerator();
if (request.getCertReq())
{
// TODO: do we need to check certs non-empty?
signedDataGenerator.addCertificates(new CollectionStore(certs));
signedDataGenerator.addAttributeCertificates(new CollectionStore(attrCerts));
}
signedDataGenerator.addCRLs(new CollectionStore(crls));
if (!otherRevoc.isEmpty())
{
for (Iterator it = otherRevoc.keySet().iterator(); it.hasNext();)
{
ASN1ObjectIdentifier format = (ASN1ObjectIdentifier)it.next();
signedDataGenerator.addOtherRevocationInfo(format, new CollectionStore((Collection)otherRevoc.get(format)));
}
}
signedDataGenerator.addSignerInfoGenerator(signerInfoGen);
byte[] derEncodedTSTInfo = tstInfo.getEncoded(ASN1Encoding.DER);
CMSSignedData signedData = signedDataGenerator.generate(new CMSProcessableByteArray(PKCSObjectIdentifiers.id_ct_TSTInfo, derEncodedTSTInfo), true);
return new TimeStampToken(signedData);
}
catch (CMSException cmsEx)
{
throw new TSPException("Error generating time-stamp token", cmsEx);
}
catch (IOException e)
{
throw new TSPException("Exception encoding info", e);
}
}
// we need to produce a correct DER encoding GeneralizedTime here as the BC ASN.1 library doesn't handle this properly yet.
private ASN1GeneralizedTime createGeneralizedTime(Date time)
throws TSPException
{
String format = "yyyyMMddHHmmss.SSS";
SimpleDateFormat dateF = (locale == null) ? new SimpleDateFormat(format) : new SimpleDateFormat(format, locale);
dateF.setTimeZone(new SimpleTimeZone(0, "Z"));
StringBuilder sBuild = new StringBuilder(dateF.format(time));
int dotIndex = sBuild.indexOf(".");
if (dotIndex < 0)
{
// came back in seconds only, just return
sBuild.append("Z");
return new ASN1GeneralizedTime(sBuild.toString());
}
// trim to resolution
switch (resolution)
{
case R_TENTHS_OF_SECONDS:
if (sBuild.length() > dotIndex + 2)
{
sBuild.delete(dotIndex + 2, sBuild.length());
}
break;
case R_MICROSECONDS:
if (sBuild.length() > dotIndex + 3)
{
sBuild.delete(dotIndex + 3, sBuild.length());
}
break;
case R_MILLISECONDS:
// do nothing
break;
default:
throw new TSPException("unknown time-stamp resolution: " + resolution);
}
// remove trailing zeros
while (sBuild.charAt(sBuild.length() - 1) == '0')
{
sBuild.deleteCharAt(sBuild.length() - 1);
}
if (sBuild.length() - 1 == dotIndex)
{
sBuild.deleteCharAt(sBuild.length() - 1);
}
sBuild.append("Z");
return new ASN1GeneralizedTime(sBuild.toString());
}
}