From f63eb403a0ad2fc869225ee1cce60e225c11c66c Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Tue, 20 Sep 2022 18:26:22 +0700 Subject: Cmp updates --- crypto/src/cmp/CertificateConfirmationContent.cs | 16 ++-- .../cmp/CertificateConfirmationContentBuilder.cs | 37 ++++----- crypto/src/cmp/CertificateStatus.cs | 12 +-- crypto/src/cmp/GeneralPkiMessage.cs | 28 ++----- crypto/src/cmp/ProtectedPkiMessage.cs | 91 ++++++++++------------ crypto/src/cmp/ProtectedPkiMessageBuilder.cs | 52 ++++++------- crypto/src/cmp/RevocationDetails.cs | 30 ++----- crypto/src/cmp/RevocationDetailsBuilder.cs | 18 ++--- 8 files changed, 118 insertions(+), 166 deletions(-) (limited to 'crypto/src') diff --git a/crypto/src/cmp/CertificateConfirmationContent.cs b/crypto/src/cmp/CertificateConfirmationContent.cs index ad46ca039..ceb34e2c8 100644 --- a/crypto/src/cmp/CertificateConfirmationContent.cs +++ b/crypto/src/cmp/CertificateConfirmationContent.cs @@ -7,33 +7,33 @@ namespace Org.BouncyCastle.Cmp { public class CertificateConfirmationContent { - private readonly DefaultDigestAlgorithmIdentifierFinder digestAlgFinder; - private readonly CertConfirmContent content; + private readonly DefaultDigestAlgorithmIdentifierFinder m_digestAlgFinder; + private readonly CertConfirmContent m_content; public CertificateConfirmationContent(CertConfirmContent content) { - this.content = content; + this.m_content = content; } public CertificateConfirmationContent(CertConfirmContent content, DefaultDigestAlgorithmIdentifierFinder digestAlgFinder) { - this.content = content; - this.digestAlgFinder = digestAlgFinder; + this.m_content = content; + this.m_digestAlgFinder = digestAlgFinder; } public CertConfirmContent ToAsn1Structure() { - return content; + return m_content; } public CertificateStatus[] GetStatusMessages() { - CertStatus[] statusArray = content.ToCertStatusArray(); + CertStatus[] statusArray = m_content.ToCertStatusArray(); CertificateStatus[] ret = new CertificateStatus[statusArray.Length]; for (int i = 0; i != ret.Length; i++) { - ret[i] = new CertificateStatus(digestAlgFinder, statusArray[i]); + ret[i] = new CertificateStatus(m_digestAlgFinder, statusArray[i]); } return ret; diff --git a/crypto/src/cmp/CertificateConfirmationContentBuilder.cs b/crypto/src/cmp/CertificateConfirmationContentBuilder.cs index b0647f9a5..fa7e5a897 100644 --- a/crypto/src/cmp/CertificateConfirmationContentBuilder.cs +++ b/crypto/src/cmp/CertificateConfirmationContentBuilder.cs @@ -1,5 +1,4 @@ -using System; -using System.Collections.Generic; +using System.Collections.Generic; using Org.BouncyCastle.Asn1; using Org.BouncyCastle.Asn1.Cmp; @@ -11,13 +10,14 @@ using Org.BouncyCastle.X509; namespace Org.BouncyCastle.Cmp { - public class CertificateConfirmationContentBuilder + public sealed class CertificateConfirmationContentBuilder { - private static readonly DefaultSignatureAlgorithmIdentifierFinder sigAlgFinder = new DefaultSignatureAlgorithmIdentifierFinder(); + private static readonly DefaultSignatureAlgorithmIdentifierFinder SigAlgFinder = + new DefaultSignatureAlgorithmIdentifierFinder(); - private readonly DefaultDigestAlgorithmIdentifierFinder digestAlgFinder; - private readonly IList acceptedCerts = new List(); - private readonly IList acceptedReqIds = new List(); + private readonly DefaultDigestAlgorithmIdentifierFinder m_digestAlgFinder; + private readonly IList m_acceptedCerts = new List(); + private readonly IList m_acceptedReqIDs = new List(); public CertificateConfirmationContentBuilder() : this(new DefaultDigestAlgorithmIdentifierFinder()) @@ -26,39 +26,40 @@ namespace Org.BouncyCastle.Cmp public CertificateConfirmationContentBuilder(DefaultDigestAlgorithmIdentifierFinder digestAlgFinder) { - this.digestAlgFinder = digestAlgFinder; + this.m_digestAlgFinder = digestAlgFinder; } public CertificateConfirmationContentBuilder AddAcceptedCertificate(X509Certificate certHolder, BigInteger certReqId) { - acceptedCerts.Add(certHolder); - acceptedReqIds.Add(certReqId); + m_acceptedCerts.Add(certHolder); + m_acceptedReqIDs.Add(certReqId); return this; } public CertificateConfirmationContent Build() { Asn1EncodableVector v = new Asn1EncodableVector(); - for (int i = 0; i != acceptedCerts.Count; i++) + for (int i = 0; i != m_acceptedCerts.Count; i++) { - X509Certificate cert = acceptedCerts[i]; - BigInteger reqId = acceptedReqIds[i]; + X509Certificate cert = m_acceptedCerts[i]; + BigInteger reqID = m_acceptedReqIDs[i]; + AlgorithmIdentifier algorithmIdentifier = SigAlgFinder.Find(cert.SigAlgName); + if (null == algorithmIdentifier) + throw new CmpException("cannot find algorithm identifier for signature name"); - AlgorithmIdentifier algorithmIdentifier = sigAlgFinder.Find(cert.SigAlgName); - - AlgorithmIdentifier digAlg = digestAlgFinder.Find(algorithmIdentifier); + AlgorithmIdentifier digAlg = m_digestAlgFinder.Find(algorithmIdentifier); if (null == digAlg) throw new CmpException("cannot find algorithm for digest from signature"); byte[] digest = DigestUtilities.CalculateDigest(digAlg.Algorithm, cert.GetEncoded()); - v.Add(new CertStatus(digest, reqId)); + v.Add(new CertStatus(digest, reqID)); } return new CertificateConfirmationContent(CertConfirmContent.GetInstance(new DerSequence(v)), - digestAlgFinder); + m_digestAlgFinder); } } } diff --git a/crypto/src/cmp/CertificateStatus.cs b/crypto/src/cmp/CertificateStatus.cs index 2e3afe3b6..e697f73bc 100644 --- a/crypto/src/cmp/CertificateStatus.cs +++ b/crypto/src/cmp/CertificateStatus.cs @@ -24,17 +24,11 @@ namespace Org.BouncyCastle.Cmp this.certStatus = certStatus; } - public PkiStatusInfo PkiStatusInfo - { - get { return certStatus.StatusInfo; } - } + public virtual PkiStatusInfo StatusInfo => certStatus.StatusInfo; - public BigInteger CertRequestId - { - get { return certStatus.CertReqID.Value; } - } + public virtual BigInteger CertRequestID => certStatus.CertReqID.Value; - public bool IsVerified(X509Certificate cert) + public virtual bool IsVerified(X509Certificate cert) { AlgorithmIdentifier digAlg = digestAlgFinder.Find(sigAlgFinder.Find(cert.SigAlgName)); if (null == digAlg) diff --git a/crypto/src/cmp/GeneralPkiMessage.cs b/crypto/src/cmp/GeneralPkiMessage.cs index 9b12ee77b..d52161f6c 100644 --- a/crypto/src/cmp/GeneralPkiMessage.cs +++ b/crypto/src/cmp/GeneralPkiMessage.cs @@ -1,13 +1,11 @@ -using System; - -using Org.BouncyCastle.Asn1; +using Org.BouncyCastle.Asn1; using Org.BouncyCastle.Asn1.Cmp; namespace Org.BouncyCastle.Cmp { public class GeneralPkiMessage { - private readonly PkiMessage pkiMessage; + private readonly PkiMessage m_pkiMessage; private static PkiMessage ParseBytes(byte[] encoding) { @@ -20,7 +18,7 @@ namespace Org.BouncyCastle.Cmp /// PKI message. public GeneralPkiMessage(PkiMessage pkiMessage) { - this.pkiMessage = pkiMessage; + this.m_pkiMessage = pkiMessage; } /// @@ -32,28 +30,16 @@ namespace Org.BouncyCastle.Cmp { } - public PkiHeader Header - { - get { return pkiMessage.Header; } - } + public virtual PkiHeader Header => m_pkiMessage.Header; - public PkiBody Body - { - get { return pkiMessage.Body; } - } + public virtual PkiBody Body => m_pkiMessage.Body; /// /// Return true if this message has protection bits on it. A return value of true /// indicates the message can be used to construct a ProtectedPKIMessage. /// - public bool HasProtection - { - get { return pkiMessage.Protection != null; } - } + public virtual bool HasProtection => m_pkiMessage.Protection != null; - public PkiMessage ToAsn1Structure() - { - return pkiMessage; - } + public virtual PkiMessage ToAsn1Structure() => m_pkiMessage; } } diff --git a/crypto/src/cmp/ProtectedPkiMessage.cs b/crypto/src/cmp/ProtectedPkiMessage.cs index 738fd8ab3..f99672cc7 100644 --- a/crypto/src/cmp/ProtectedPkiMessage.cs +++ b/crypto/src/cmp/ProtectedPkiMessage.cs @@ -15,7 +15,7 @@ namespace Org.BouncyCastle.Cmp /// public class ProtectedPkiMessage { - private readonly PkiMessage pkiMessage; + private readonly PkiMessage m_pkiMessage; /// /// Wrap a general message. @@ -25,11 +25,12 @@ namespace Org.BouncyCastle.Cmp public ProtectedPkiMessage(GeneralPkiMessage pkiMessage) { if (!pkiMessage.HasProtection) - throw new ArgumentException("pki message not protected"); + throw new ArgumentException("GeneralPkiMessage not protected"); - this.pkiMessage = pkiMessage.ToAsn1Structure(); + this.m_pkiMessage = pkiMessage.ToAsn1Structure(); } + // TODO[cmp] Make internal? (Has test that uses it) /// /// Wrap a PKI message. /// @@ -38,63 +39,49 @@ namespace Org.BouncyCastle.Cmp public ProtectedPkiMessage(PkiMessage pkiMessage) { if (null == pkiMessage.Header.ProtectionAlg) - throw new ArgumentException("pki message not protected"); + throw new ArgumentException("PkiMessage not protected"); - this.pkiMessage = pkiMessage; + this.m_pkiMessage = pkiMessage; } - /// - /// Message header - /// - public PkiHeader Header - { - get { return pkiMessage.Header; } - } + /// Message header + public virtual PkiHeader Header => m_pkiMessage.Header; - /// - /// Message Body - /// - public PkiBody Body - { - get { return pkiMessage.Body; } - } + /// Message body + public virtual PkiBody Body => m_pkiMessage.Body; /// /// Return the underlying ASN.1 structure contained in this object. /// - /// PKI Message structure - public PkiMessage ToAsn1Message() - { - return pkiMessage; - } + /// PkiMessage structure + public virtual PkiMessage ToAsn1Message() => m_pkiMessage; /// /// Determine whether the message is protected by a password based MAC. Use verify(PKMACBuilder, char[]) /// to verify the message if this method returns true. /// /// true if protection MAC PBE based, false otherwise. - public bool HasPasswordBasedMacProtected + public virtual bool HasPasswordBasedMacProtected { - get { return Header.ProtectionAlg.Algorithm.Equals(CmpObjectIdentifiers.passwordBasedMac); } + get { return CmpObjectIdentifiers.passwordBasedMac.Equals(Header.ProtectionAlg.Algorithm); } } /// /// Return the extra certificates associated with this message. /// /// an array of extra certificates, zero length if none present. - public X509Certificate[] GetCertificates() + public virtual X509Certificate[] GetCertificates() { - CmpCertificate[] certs = pkiMessage.GetExtraCerts(); + CmpCertificate[] certs = m_pkiMessage.GetExtraCerts(); if (null == certs) return new X509Certificate[0]; - X509Certificate[] res = new X509Certificate[certs.Length]; + X509Certificate[] result = new X509Certificate[certs.Length]; for (int t = 0; t < certs.Length; t++) { - res[t] = new X509Certificate(X509CertificateStructure.GetInstance(certs[t].GetEncoded())); + result[t] = new X509Certificate(certs[t].X509v3PKCert); } - - return res; + return result; } /// @@ -102,27 +89,13 @@ namespace Org.BouncyCastle.Cmp /// /// a factory of signature verifiers. /// true if the provider is able to create a verifier that validates the signature, false otherwise. - public bool Verify(IVerifierFactory verifierFactory) + public virtual bool Verify(IVerifierFactory verifierFactory) { IStreamCalculator streamCalculator = verifierFactory.CreateCalculator(); IVerifier result = Process(streamCalculator); - return result.IsVerified(pkiMessage.Protection.GetBytes()); - } - - private TResult Process(IStreamCalculator streamCalculator) - { - Asn1EncodableVector avec = new Asn1EncodableVector(); - avec.Add(pkiMessage.Header); - avec.Add(pkiMessage.Body); - byte[] enc = new DerSequence(avec).GetDerEncoded(); - - streamCalculator.Stream.Write(enc, 0, enc.Length); - streamCalculator.Stream.Flush(); - Platform.Dispose(streamCalculator.Stream); - - return streamCalculator.GetResult(); + return result.IsVerified(m_pkiMessage.Protection.GetBytes()); } /// @@ -132,18 +105,32 @@ namespace Org.BouncyCastle.Cmp /// the MAC password /// true if the passed in password and MAC builder verify the message, false otherwise. /// if algorithm not MAC based, or an exception is thrown verifying the MAC. - public bool Verify(PKMacBuilder pkMacBuilder, char[] password) + public virtual bool Verify(PKMacBuilder pkMacBuilder, char[] password) { - if (!CmpObjectIdentifiers.passwordBasedMac.Equals(pkiMessage.Header.ProtectionAlg.Algorithm)) + if (!CmpObjectIdentifiers.passwordBasedMac.Equals(m_pkiMessage.Header.ProtectionAlg.Algorithm)) throw new InvalidOperationException("protection algorithm is not mac based"); - PbmParameter parameter = PbmParameter.GetInstance(pkiMessage.Header.ProtectionAlg.Parameters); + PbmParameter parameter = PbmParameter.GetInstance(m_pkiMessage.Header.ProtectionAlg.Parameters); pkMacBuilder.SetParameters(parameter); IBlockResult result = Process(pkMacBuilder.Build(password).CreateCalculator()); - return Arrays.ConstantTimeAreEqual(result.Collect(), this.pkiMessage.Protection.GetBytes()); + return Arrays.ConstantTimeAreEqual(result.Collect(), m_pkiMessage.Protection.GetBytes()); + } + + private TResult Process(IStreamCalculator streamCalculator) + { + Asn1EncodableVector avec = new Asn1EncodableVector(); + avec.Add(m_pkiMessage.Header); + avec.Add(m_pkiMessage.Body); + byte[] enc = new DerSequence(avec).GetDerEncoded(); + + streamCalculator.Stream.Write(enc, 0, enc.Length); + streamCalculator.Stream.Flush(); + Platform.Dispose(streamCalculator.Stream); + + return streamCalculator.GetResult(); } } } diff --git a/crypto/src/cmp/ProtectedPkiMessageBuilder.cs b/crypto/src/cmp/ProtectedPkiMessageBuilder.cs index 8573d1fc8..837eb177f 100644 --- a/crypto/src/cmp/ProtectedPkiMessageBuilder.cs +++ b/crypto/src/cmp/ProtectedPkiMessageBuilder.cs @@ -5,17 +5,16 @@ using Org.BouncyCastle.Asn1; using Org.BouncyCastle.Asn1.Cmp; using Org.BouncyCastle.Asn1.X509; using Org.BouncyCastle.Crypto; -using Org.BouncyCastle.Crypto.Operators; using Org.BouncyCastle.X509; namespace Org.BouncyCastle.Cmp { - public class ProtectedPkiMessageBuilder + public sealed class ProtectedPkiMessageBuilder { - private PkiHeaderBuilder hdrBuilBuilder; + private readonly PkiHeaderBuilder m_hdrBuilder; private PkiBody body; - private List generalInfos = new List(); - private List extraCerts = new List(); + private readonly List generalInfos = new List(); + private readonly List extraCerts = new List(); public ProtectedPkiMessageBuilder(GeneralName sender, GeneralName recipient) : this(PkiHeader.CMP_2000, sender, recipient) @@ -24,18 +23,18 @@ namespace Org.BouncyCastle.Cmp public ProtectedPkiMessageBuilder(int pvno, GeneralName sender, GeneralName recipient) { - hdrBuilBuilder = new PkiHeaderBuilder(pvno, sender, recipient); + m_hdrBuilder = new PkiHeaderBuilder(pvno, sender, recipient); } public ProtectedPkiMessageBuilder SetTransactionId(byte[] tid) { - hdrBuilBuilder.SetTransactionID(tid); + m_hdrBuilder.SetTransactionID(tid); return this; } public ProtectedPkiMessageBuilder SetFreeText(PkiFreeText freeText) { - hdrBuilBuilder.SetFreeText(freeText); + m_hdrBuilder.SetFreeText(freeText); return this; } @@ -47,31 +46,31 @@ namespace Org.BouncyCastle.Cmp public ProtectedPkiMessageBuilder SetMessageTime(DerGeneralizedTime generalizedTime) { - hdrBuilBuilder.SetMessageTime(generalizedTime); + m_hdrBuilder.SetMessageTime(generalizedTime); return this; } public ProtectedPkiMessageBuilder SetRecipKID(byte[] id) { - hdrBuilBuilder.SetRecipKID(id); + m_hdrBuilder.SetRecipKID(id); return this; } public ProtectedPkiMessageBuilder SetRecipNonce(byte[] nonce) { - hdrBuilBuilder.SetRecipNonce(nonce); + m_hdrBuilder.SetRecipNonce(nonce); return this; } public ProtectedPkiMessageBuilder SetSenderKID(byte[] id) { - hdrBuilBuilder.SetSenderKID(id); + m_hdrBuilder.SetSenderKID(id); return this; } public ProtectedPkiMessageBuilder SetSenderNonce(byte[] nonce) { - hdrBuilBuilder.SetSenderNonce(nonce); + m_hdrBuilder.SetSenderNonce(nonce); return this; } @@ -94,35 +93,37 @@ namespace Org.BouncyCastle.Cmp IStreamCalculator calculator = signatureFactory.CreateCalculator(); - if (!(signatureFactory.AlgorithmDetails is AlgorithmIdentifier)) - { + if (!(signatureFactory.AlgorithmDetails is AlgorithmIdentifier algorithmDetails)) throw new ArgumentException("AlgorithmDetails is not AlgorithmIdentifier"); - } - FinalizeHeader((AlgorithmIdentifier)signatureFactory.AlgorithmDetails); - PkiHeader header = hdrBuilBuilder.Build(); + FinalizeHeader(algorithmDetails); + PkiHeader header = m_hdrBuilder.Build(); DerBitString protection = new DerBitString(CalculateSignature(calculator, header, body)); return FinalizeMessage(header, protection); } - public ProtectedPkiMessage Build(IMacFactory factory) + public ProtectedPkiMessage Build(IMacFactory macFactory) { if (null == body) throw new InvalidOperationException("body must be set before building"); - IStreamCalculator calculator = factory.CreateCalculator(); - FinalizeHeader((AlgorithmIdentifier)factory.AlgorithmDetails); - PkiHeader header = hdrBuilBuilder.Build(); + IStreamCalculator calculator = macFactory.CreateCalculator(); + + if (!(macFactory.AlgorithmDetails is AlgorithmIdentifier algorithmDetails)) + throw new ArgumentException("AlgorithmDetails is not AlgorithmIdentifier"); + + FinalizeHeader(algorithmDetails); + PkiHeader header = m_hdrBuilder.Build(); DerBitString protection = new DerBitString(CalculateSignature(calculator, header, body)); return FinalizeMessage(header, protection); } private void FinalizeHeader(AlgorithmIdentifier algorithmIdentifier) { - hdrBuilBuilder.SetProtectionAlg(algorithmIdentifier); + m_hdrBuilder.SetProtectionAlg(algorithmIdentifier); if (generalInfos.Count > 0) { - hdrBuilBuilder.SetGeneralInfo(generalInfos.ToArray()); + m_hdrBuilder.SetGeneralInfo(generalInfos.ToArray()); } } @@ -134,8 +135,7 @@ namespace Org.BouncyCastle.Cmp CmpCertificate[] cmpCertificates = new CmpCertificate[extraCerts.Count]; for (int i = 0; i < cmpCertificates.Length; i++) { - byte[] cert = extraCerts[i].GetEncoded(); - cmpCertificates[i] = CmpCertificate.GetInstance(Asn1Object.FromByteArray(cert)); + cmpCertificates[i] = new CmpCertificate(extraCerts[i].CertificateStructure); } return new ProtectedPkiMessage(new PkiMessage(header, body, protection, cmpCertificates)); diff --git a/crypto/src/cmp/RevocationDetails.cs b/crypto/src/cmp/RevocationDetails.cs index 2d3f9a5eb..6060c6575 100644 --- a/crypto/src/cmp/RevocationDetails.cs +++ b/crypto/src/cmp/RevocationDetails.cs @@ -1,38 +1,24 @@ -using System; - -using Org.BouncyCastle.Asn1.Cmp; +using Org.BouncyCastle.Asn1.Cmp; using Org.BouncyCastle.Asn1.X509; using Org.BouncyCastle.Math; namespace Org.BouncyCastle.Cmp { - public class RevocationDetails + public struct RevocationDetails { - private readonly RevDetails revDetails; + private readonly RevDetails m_revDetails; public RevocationDetails(RevDetails revDetails) { - this.revDetails = revDetails; + m_revDetails = revDetails; } - public X509Name Subject - { - get { return revDetails.CertDetails.Subject; } - } + public X509Name Subject => m_revDetails.CertDetails.Subject; - public X509Name Issuer - { - get { return revDetails.CertDetails.Issuer; } - } + public X509Name Issuer => m_revDetails.CertDetails.Issuer; - public BigInteger SerialNumber - { - get { return revDetails.CertDetails.SerialNumber.Value; } - } + public BigInteger SerialNumber => m_revDetails.CertDetails.SerialNumber.Value; - public RevDetails ToASN1Structure() - { - return revDetails; - } + public RevDetails ToASN1Structure() => m_revDetails; } } diff --git a/crypto/src/cmp/RevocationDetailsBuilder.cs b/crypto/src/cmp/RevocationDetailsBuilder.cs index b3be01242..086bf9c11 100644 --- a/crypto/src/cmp/RevocationDetailsBuilder.cs +++ b/crypto/src/cmp/RevocationDetailsBuilder.cs @@ -1,6 +1,4 @@ -using System; - -using Org.BouncyCastle.Asn1; +using Org.BouncyCastle.Asn1; using Org.BouncyCastle.Asn1.Cmp; using Org.BouncyCastle.Asn1.Crmf; using Org.BouncyCastle.Asn1.X509; @@ -8,15 +6,15 @@ using Org.BouncyCastle.Math; namespace Org.BouncyCastle.Cmp { - public class RevocationDetailsBuilder + public sealed class RevocationDetailsBuilder { - private readonly CertTemplateBuilder _templateBuilder = new CertTemplateBuilder(); + private readonly CertTemplateBuilder m_templateBuilder = new CertTemplateBuilder(); public RevocationDetailsBuilder SetPublicKey(SubjectPublicKeyInfo publicKey) { if (publicKey != null) { - _templateBuilder.SetPublicKey(publicKey); + m_templateBuilder.SetPublicKey(publicKey); } return this; @@ -26,7 +24,7 @@ namespace Org.BouncyCastle.Cmp { if (issuer != null) { - _templateBuilder.SetIssuer(issuer); + m_templateBuilder.SetIssuer(issuer); } return this; @@ -36,7 +34,7 @@ namespace Org.BouncyCastle.Cmp { if (serialNumber != null) { - _templateBuilder.SetSerialNumber(new DerInteger(serialNumber)); + m_templateBuilder.SetSerialNumber(new DerInteger(serialNumber)); } return this; @@ -46,7 +44,7 @@ namespace Org.BouncyCastle.Cmp { if (subject != null) { - _templateBuilder.SetSubject(subject); + m_templateBuilder.SetSubject(subject); } return this; @@ -54,7 +52,7 @@ namespace Org.BouncyCastle.Cmp public RevocationDetails Build() { - return new RevocationDetails(new RevDetails(_templateBuilder.Build())); + return new RevocationDetails(new RevDetails(m_templateBuilder.Build())); } } } \ No newline at end of file -- cgit 1.4.1