crypto/src/cmp/ProtectedPkiMessage.cs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136

using System;

using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Cmp;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crmf;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;

namespace Org.BouncyCastle.Cmp
{
    /// <summary>
    /// Wrapper for a PKIMessage with protection attached to it.
    /// </summary>
    public class ProtectedPkiMessage
    {
        private readonly PkiMessage m_pkiMessage;

        /// <summary>
        /// Wrap a general message.
        /// </summary>
        /// <exception cref="ArgumentException">If the general message does not have protection.</exception>
        /// <param name="pkiMessage">The General message</param>
        public ProtectedPkiMessage(GeneralPkiMessage pkiMessage)
        {
            if (!pkiMessage.HasProtection)
                throw new ArgumentException("GeneralPkiMessage not protected");

            this.m_pkiMessage = pkiMessage.ToAsn1Structure();
        }

        // TODO[cmp] Make internal? (Has test that uses it)
        /// <summary>
        /// Wrap a PKI message.
        /// </summary>
        /// <exception cref="ArgumentException">If the PKI message does not have protection.</exception>
        /// <param name="pkiMessage">The PKI message</param>
        public ProtectedPkiMessage(PkiMessage pkiMessage)
        {
            if (null == pkiMessage.Header.ProtectionAlg)
                throw new ArgumentException("PkiMessage not protected");

            this.m_pkiMessage = pkiMessage;
        }

        /// <summary>Message header</summary>
        public virtual PkiHeader Header => m_pkiMessage.Header;

        /// <summary>Message body</summary>
        public virtual PkiBody Body => m_pkiMessage.Body;

        /// <summary>
        /// Return the underlying ASN.1 structure contained in this object.
        /// </summary>
        /// <returns>PkiMessage structure</returns>
        public virtual PkiMessage ToAsn1Message() => m_pkiMessage;

        /// <summary>
        /// Determine whether the message is protected by a password based MAC. Use verify(PKMACBuilder, char[])
        /// to verify the message if this method returns true.
        /// </summary>
        /// <returns>true if protection MAC PBE based, false otherwise.</returns>
        public virtual bool HasPasswordBasedMacProtected
        {
            get { return CmpObjectIdentifiers.passwordBasedMac.Equals(Header.ProtectionAlg.Algorithm); }
        }

        /// <summary>
        /// Return the extra certificates associated with this message.
        /// </summary>
        /// <returns>an array of extra certificates, zero length if none present.</returns>
        public virtual X509Certificate[] GetCertificates()
        {
            CmpCertificate[] certs = m_pkiMessage.GetExtraCerts();
            if (null == certs)
                return new X509Certificate[0];

            X509Certificate[] result = new X509Certificate[certs.Length];
            for (int t = 0; t < certs.Length; t++)
            {
                result[t] = new X509Certificate(certs[t].X509v3PKCert);
            }
            return result;
        }

        /// <summary>
        /// Verify a message with a public key based signature attached.
        /// </summary>
        /// <param name="verifierFactory">a factory of signature verifiers.</param>
        /// <returns>true if the provider is able to create a verifier that validates the signature, false otherwise.</returns>      
        public virtual bool Verify(IVerifierFactory verifierFactory)
        {
            IStreamCalculator<IVerifier> streamCalculator = verifierFactory.CreateCalculator();

            IVerifier result = Process(streamCalculator);

            return result.IsVerified(m_pkiMessage.Protection.GetBytes());
        }

        /// <summary>
        /// Verify a message with password based MAC protection.
        /// </summary>
        /// <param name="pkMacBuilder">MAC builder that can be used to construct the appropriate MacCalculator</param>
        /// <param name="password">the MAC password</param>
        /// <returns>true if the passed in password and MAC builder verify the message, false otherwise.</returns>
        /// <exception cref="InvalidOperationException">if algorithm not MAC based, or an exception is thrown verifying the MAC.</exception>
        public virtual bool Verify(PKMacBuilder pkMacBuilder, char[] password)
        {
            if (!CmpObjectIdentifiers.passwordBasedMac.Equals(m_pkiMessage.Header.ProtectionAlg.Algorithm))
                throw new InvalidOperationException("protection algorithm is not mac based");

            PbmParameter parameter = PbmParameter.GetInstance(m_pkiMessage.Header.ProtectionAlg.Parameters);

            pkMacBuilder.SetParameters(parameter);

            IBlockResult result = Process(pkMacBuilder.Build(password).CreateCalculator());

            return Arrays.ConstantTimeAreEqual(result.Collect(), m_pkiMessage.Protection.GetBytes());
        }

        private TResult Process<TResult>(IStreamCalculator<TResult> streamCalculator)
        {
            Asn1EncodableVector avec = new Asn1EncodableVector();
            avec.Add(m_pkiMessage.Header);
            avec.Add(m_pkiMessage.Body);
            byte[] enc = new DerSequence(avec).GetDerEncoded();

            streamCalculator.Stream.Write(enc, 0, enc.Length);
            streamCalculator.Stream.Flush();
            Platform.Dispose(streamCalculator.Stream);

            return streamCalculator.GetResult();
        }
    }
}