blob: d3cf4a524959686a5117414ca47611f3621ae728 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.X509;
using System;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Cmp;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.Crmf;
namespace Org.BouncyCastle.Cmp
{
/// <summary>
/// Wrapper for a PKIMessage with protection attached to it.
/// </summary>
public class ProtectedPkiMessage
{
private PkiMessage pkiMessage;
/// <summary>
/// Wrap a general message.
/// </summary>
/// <exception cref="ArgumentException">If the general message does not have protection.</exception>
/// <param name="pkiMessage">The General message</param>
public ProtectedPkiMessage(GeneralPKIMessage pkiMessage)
{
if (!pkiMessage.HasProtection)
{
throw new ArgumentException("pki message not protected");
}
this.pkiMessage = pkiMessage.ToAsn1Structure();
}
/// <summary>
/// Wrap a PKI message.
/// </summary>
/// <exception cref="ArgumentException">If the PKI message does not have protection.</exception>
/// <param name="pkiMessage">The PKI message</param>
public ProtectedPkiMessage(PkiMessage pkiMessage)
{
if (pkiMessage.Header.ProtectionAlg == null)
{
throw new ArgumentException("pki message not protected");
}
this.pkiMessage = pkiMessage;
}
/// <summary>
/// Message header
/// </summary>
public PkiHeader Header { get { return pkiMessage.Header; } }
/// <summary>
/// Message Body
/// </summary>
public PkiBody Body { get { return pkiMessage.Body; } }
/// <summary>
/// Return the underlying ASN.1 structure contained in this object.
/// </summary>
/// <returns>PKI Message structure</returns>
public PkiMessage ToAsn1Message() { return pkiMessage; }
/// <summary>
/// Determine whether the message is protected by a password based MAC. Use verify(PKMACBuilder, char[])
/// to verify the message if this method returns true.
/// </summary>
/// <returns>true if protection MAC PBE based, false otherwise.</returns>
public bool HasPasswordBasedMacProtected { get { return Header.ProtectionAlg.Algorithm.Equals(CmpObjectIdentifiers.passwordBasedMac); } }
/// <summary>
/// Return the extra certificates associated with this message.
/// </summary>
/// <returns>an array of extra certificates, zero length if none present.</returns>
public X509Certificate[] GetCertificates()
{
CmpCertificate[] certs = pkiMessage.GetExtraCerts();
if (certs == null)
{
return new X509Certificate[0];
}
X509Certificate[] res = new X509Certificate[certs.Length];
for (int t = 0; t < certs.Length; t++)
{
res[t] = new X509Certificate(X509CertificateStructure.GetInstance(certs[t].GetEncoded()));
}
return res;
}
/// <summary>
/// Verify a message with a public key based signature attached.
/// </summary>
/// <param name="verifierFactory">a factory of signature verifiers.</param>
/// <returns>true if the provider is able to create a verifier that validates the signature, false otherwise.</returns>
public bool Verify(IVerifierFactory verifierFactory)
{
IStreamCalculator streamCalculator = verifierFactory.CreateCalculator();
IVerifier result = (IVerifier)Process(streamCalculator);
return result.IsVerified(pkiMessage.Protection.GetBytes());
}
private Object Process(IStreamCalculator streamCalculator)
{
Asn1EncodableVector avec = new Asn1EncodableVector();
avec.Add(pkiMessage.Header);
avec.Add(pkiMessage.Body);
byte[] enc = new DerSequence(avec).GetDerEncoded();
streamCalculator.Stream.Write(enc, 0, enc.Length);
streamCalculator.Stream.Flush();
streamCalculator.Stream.Close();
return streamCalculator.GetResult();
}
/// <summary>
/// Verify a message with password based MAC protection.
/// </summary>
/// <param name="pkMacBuilder">MAC builder that can be used to construct the appropriate MacCalculator</param>
/// <param name="password">the MAC password</param>
/// <returns>true if the passed in password and MAC builder verify the message, false otherwise.</returns>
/// <exception cref="InvalidOperationException">if algorithm not MAC based, or an exception is thrown verifying the MAC.</exception>
public bool Verify(PKMacBuilder pkMacBuilder, char[] password)
{
if (!CmpObjectIdentifiers.passwordBasedMac.Equals(pkiMessage.Header.ProtectionAlg.Algorithm))
{
throw new InvalidOperationException("protection algorithm is not mac based");
}
PbmParameter parameter = PbmParameter.GetInstance(pkiMessage.Header.ProtectionAlg.Parameters);
pkMacBuilder.SetParameters(parameter);
IBlockResult result = (IBlockResult)Process(pkMacBuilder.Build(password).CreateCalculator());
return Arrays.ConstantTimeAreEqual(result.Collect(), this.pkiMessage.Protection.GetBytes());
}
}
}
|