package org.eclipse.osgi.internal.signedcontent;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.text.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;
import org.eclipse.osgi.util.NLS;
public class PKCS7Processor implements SignedContentConstants {
static CertificateFactory certFact;
static {
try {
certFact = CertificateFactory.getInstance("X.509");
} catch (CertificateException e) {
}
}
private final String signer;
private final String file;
private Certificate[] certificates;
private Certificate[] tsaCertificates;
private Map<int[], byte[]> signedAttrs;
private Map<int[], byte[]> unsignedAttrs;
private byte signature[];
private String digestAlgorithm;
private String signatureAlgorithm;
private Certificate signerCert;
private Date signingTime;
private static String oid2String(int oid[]) {
StringBuilder sb = new StringBuilder();
for (int i = 0; i < oid.length; i++) {
if (i > 0)
sb.append('.');
sb.append(oid[i]);
}
return sb.toString();
}
private static String findEncryption(int encOid[]) throws NoSuchAlgorithmException {
if (Arrays.equals(DSA_OID, encOid)) {
return "DSA";
}
if (Arrays.equals(RSA_OID, encOid)) {
return "RSA";
}
throw new NoSuchAlgorithmException("No algorithm found for " + oid2String(encOid));
}
private static String findDigest(int digestOid[]) throws NoSuchAlgorithmException {
if (Arrays.equals(SHA1_OID, digestOid)) {
return SHA1_STR;
}
if (Arrays.equals(SHA224_OID, digestOid)) {
return SHA224_STR;
}
if (Arrays.equals(SHA256_OID, digestOid)) {
return SHA256_STR;
}
if (Arrays.equals(SHA384_OID, digestOid)) {
return SHA384_STR;
}
if (Arrays.equals(SHA512_OID, digestOid)) {
return SHA512_STR;
}
if (Arrays.equals(SHA512_224_OID, digestOid)) {
return SHA512_224_STR;
}
if (Arrays.equals(SHA512_256_OID, digestOid)) {
return SHA512_256_STR;
}
if (Arrays.equals(MD5_OID, digestOid)) {
return MD5_STR;
}
if (Arrays.equals(MD2_OID, digestOid)) {
return MD2_STR;
}
throw new NoSuchAlgorithmException("No algorithm found for " + oid2String(digestOid));
}
public PKCS7Processor(byte pkcs7[], int pkcs7Offset, int pkcs7Length, String signer, String file) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, SignatureException, NoSuchProviderException {
this.signer = signer;
this.file = file;
List<Certificate> certs = null;
BERProcessor bp = new BERProcessor(pkcs7, pkcs7Offset, pkcs7Length);
bp = bp.stepInto();
if (!Arrays.equals(bp.getObjId(), SIGNEDDATA_OID)) {
throw new SignatureException(NLS.bind(SignedContentMessages.PKCS7_Invalid_File, signer, file));
}
bp.stepOver();
bp = bp.stepInto();
bp = bp.stepInto();
bp.stepOver();
bp.stepOver();
processEncapContentInfo(bp);
bp.stepOver();
if (bp.classOfTag == BERProcessor.CONTEXTSPECIFIC_TAGCLASS && bp.tag == 0) {
certs = processCertificates(bp);
}
if (certs == null || certs.size() < 1)
throw new SignatureException("There are no certificates in the .RSA/.DSA file!");
bp.stepOver();
if (bp.classOfTag == BERProcessor.UNIVERSAL_TAGCLASS && bp.tag == 1) {
bp.stepOver();
}
processSignerInfos(bp, certs);
certs = constructCertPath(certs, signerCert);
certificates = certs.toArray(new Certificate[certs.size()]);
verifyCerts();
if (signingTime == null)
signingTime = PKCS7DateParser.parseDate(this, signer, file);
}
private void processEncapContentInfo(BERProcessor bp) throws SignatureException {
BERProcessor encapContentBERS = bp.stepInto();
if (Arrays.equals(encapContentBERS.getObjId(), TIMESTAMP_TST_OID)) {
encapContentBERS.stepOver();
BERProcessor encapContentBERS1 = encapContentBERS.stepInto();
byte bytesman[] = encapContentBERS1.getBytes();
BERProcessor eContentStructure = new BERProcessor(bytesman, 0, bytesman.length);
BERProcessor eContentBER = eContentStructure.stepInto();
int tsaVersion = eContentBER.getIntValue().intValue();
if (tsaVersion != 1)
throw new SignatureException("Not a version 1 time-stamp token");
eContentBER.stepOver();
eContentBER.stepOver();
eContentBER.stepOver();
eContentBER.stepOver();
String dateString = new String(eContentBER.getBytes(), SignedContentConstants.UTF8);
if (!dateString.endsWith("Z"))
throw new SignatureException("Wrong dateformat used in time-stamp token");
int dotIndex = dateString.indexOf('.');
StringBuilder dateFormatSB = new StringBuilder("yyyyMMddHHmmss");
if (dotIndex != -1) {
int noS = dateString.indexOf('Z') - 1 - dotIndex;
dateFormatSB.append('.');
for (int i = 0; i < noS; i++) {
dateFormatSB.append('s');
}
}
dateFormatSB.append("'Z'");
try {
DateFormat dateFormt = new SimpleDateFormat(dateFormatSB.toString(), Locale.ENGLISH);
dateFormt.setTimeZone(TimeZone.getTimeZone("GMT"));
signingTime = dateFormt.parse(dateString);
} catch (ParseException e) {
throw new SignatureException(SignedContentMessages.PKCS7_Parse_Signing_Time, e);
}
}
}
private List<Certificate> constructCertPath(List<Certificate> certs, Certificate targetCert) {
List<Certificate> certsList = new ArrayList<>();
certsList.add(targetCert);
X509Certificate currentCert = (X509Certificate) targetCert;
int numIteration = certs.size();
int i = 0;
while (i < numIteration) {
X500Principal subject = currentCert.getSubjectX500Principal();
X500Principal issuer = currentCert.getIssuerX500Principal();
if (subject.equals(issuer)) {
break;
}
currentCert = null;
Iterator<Certificate> itr = certs.iterator();
while (itr.hasNext()) {
X509Certificate tempCert = (X509Certificate) itr.next();
if (tempCert.getSubjectX500Principal().equals(issuer)) {
certsList.add(tempCert);
currentCert = tempCert;
}
}
i++;
}
return certsList;
}
public void verifyCerts() throws InvalidKeyException, SignatureException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
if (certificates == null || certificates.length == 0) {
throw new CertificateException("There are no certificates in the signature block file!");
}
int len = certificates.length;
for (int i = 0; i < len; i++) {
X509Certificate currentX509Cert = (X509Certificate) certificates[i];
if (i == len - 1) {
if (currentX509Cert.getSubjectDN().equals(currentX509Cert.getIssuerDN()))
currentX509Cert.verify(currentX509Cert.getPublicKey());
} else {
X509Certificate nextX509Cert = (X509Certificate) certificates[i + 1];
currentX509Cert.verify(nextX509Cert.getPublicKey());
}
}
}
private Certificate processSignerInfos(BERProcessor bp, List<Certificate> certs) throws CertificateException, NoSuchAlgorithmException, SignatureException {
bp = bp.stepInto();
bp = bp.stepInto();
BigInteger signerInfoVersion = bp.getIntValue();
if (signerInfoVersion.intValue() != 1) {
throw new CertificateException(SignedContentMessages.PKCS7_SignerInfo_Version_Not_Supported);
}
bp.stepOver();
BERProcessor issuerAndSN = bp.stepInto();
X500Principal signerIssuer = new X500Principal(new ByteArrayInputStream(issuerAndSN.buffer, issuerAndSN.offset, issuerAndSN.endOffset - issuerAndSN.offset));
issuerAndSN.stepOver();
BigInteger sn = issuerAndSN.getIntValue();
Certificate newSignerCert = null;
Iterator<Certificate> itr = certs.iterator();
while (itr.hasNext()) {
X509Certificate cert = (X509Certificate) itr.next();
if (cert.getIssuerX500Principal().equals(signerIssuer) && cert.getSerialNumber().equals(sn)) {
newSignerCert = cert;
break;
}
}
if (newSignerCert == null)
throw new CertificateException("Signer certificate not in pkcs7block");
signerCert = newSignerCert;
bp.stepOver();
BERProcessor digestAlg = bp.stepInto();
digestAlgorithm = findDigest(digestAlg.getObjId());
bp.stepOver();
processSignedAttributes(bp);
BERProcessor encryptionAlg = bp.stepInto();
signatureAlgorithm = findEncryption(encryptionAlg.getObjId());
bp.stepOver();
signature = bp.getBytes();
bp.stepOver();
processUnsignedAttributes(bp);
return newSignerCert;
}
private void processUnsignedAttributes(BERProcessor bp) throws SignatureException {
if (bp.classOfTag == BERProcessor.CONTEXTSPECIFIC_TAGCLASS && bp.tag == 1) {
unsignedAttrs = new HashMap<>();
BERProcessor unsignedAttrsBERS = bp.stepInto();
do {
BERProcessor unsignedAttrBER = unsignedAttrsBERS.stepInto();
int[] objID = unsignedAttrBER.getObjId();
unsignedAttrBER.stepOver();
byte[] structure = unsignedAttrBER.getBytes();
unsignedAttrs.put(objID, structure);
unsignedAttrsBERS.stepOver();
} while (!unsignedAttrsBERS.endOfSequence());
}
}
private void processSignedAttributes(BERProcessor bp) throws SignatureException {
if (bp.classOfTag == BERProcessor.CONTEXTSPECIFIC_TAGCLASS) {
signedAttrs = new HashMap<>();
BERProcessor signedAttrsBERS = bp.stepInto();
do {
BERProcessor signedAttrBER = signedAttrsBERS.stepInto();
int[] signedAttrObjID = signedAttrBER.getObjId();
signedAttrBER.stepOver();
byte[] signedAttrStructure = signedAttrBER.getBytes();
signedAttrs.put(signedAttrObjID, signedAttrStructure);
signedAttrsBERS.stepOver();
} while (!signedAttrsBERS.endOfSequence());
bp.stepOver();
}
}
public Certificate[] getCertificates() {
return certificates == null ? new Certificate[0] : certificates;
}
public void verifySFSignature(byte data[], int dataOffset, int dataLength) throws InvalidKeyException, NoSuchAlgorithmException, SignatureException {
Signature sig = Signature.getInstance(digestAlgorithm + "with" + signatureAlgorithm);
sig.initVerify(signerCert.getPublicKey());
sig.update(data, dataOffset, dataLength);
if (!sig.verify(signature)) {
throw new SignatureException(NLS.bind(SignedContentMessages.Signature_Not_Verify, signer, file));
}
}
public Map<int[], byte[]> getUnsignedAttrs() {
return unsignedAttrs;
}
public Map<int[], byte[]> getSignedAttrs() {
return signedAttrs;
}
private List<Certificate> processCertificates(BERProcessor bp) throws CertificateException, SignatureException {
List<Certificate> rtvList = new ArrayList<>(3);
BERProcessor certsBERS = bp.stepInto();
do {
X509Certificate x509Cert = (X509Certificate) certFact.generateCertificate(new ByteArrayInputStream(certsBERS.buffer, certsBERS.offset, certsBERS.endOffset - certsBERS.offset));
if (x509Cert != null) {
rtvList.add(x509Cert);
}
certsBERS.stepOver();
} while (!certsBERS.endOfSequence());
return rtvList;
}
public Date getSigningTime() {
return signingTime;
}
void setTSACertificates(Certificate[] tsaCertificates) {
this.tsaCertificates = tsaCertificates;
}
public Certificate[] getTSACertificates() {
return (tsaCertificates == null) ? new Certificate[0] : tsaCertificates;
}
}