/** * Return whether or not a signing key proof-of-possession (POP) is valid. * * @param verifierProvider a provider that can produce content verifiers for the signature contained in this POP. * @return true if the POP is valid, false otherwise. * @throws CRMFException if there is a problem in verification or content verifier creation. * @throws IllegalStateException if POP not appropriate. */ public boolean isValidSigningKeyPOP(ContentVerifierProvider verifierProvider) throws CRMFException, IllegalStateException { ProofOfPossession pop = certReqMsg.getPopo(); if (pop.getType() == popSigningKey) { POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject()); if (popoSign.getPoposkInput() != null && popoSign.getPoposkInput().getPublicKeyMAC() != null) { throw new IllegalStateException("verification requires password check"); } return verifySignature(verifierProvider, popoSign); } else { throw new IllegalStateException("not Signing Key type of proof of possession"); } }
/** * Return whether or not the proof-of-possession (POP) is of the type popSigningKey and * it has a public key MAC associated with it. * * @return true if POP is popSigningKey and a PKMAC is present, false otherwise. */ public boolean hasSigningKeyProofOfPossessionWithPKMAC() { ProofOfPossession pop = certReqMsg.getPopo(); if (pop.getType() == popSigningKey) { POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject()); return popoSign.getPoposkInput().getPublicKeyMAC() != null; } return false; }
/** * Return whether or not a signing key proof-of-possession (POP), with an associated PKMAC, is valid. * * @param verifierProvider a provider that can produce content verifiers for the signature contained in this POP. * @param macBuilder a suitable PKMACBuilder to create the MAC verifier. * @param password the password used to key the MAC calculation. * @return true if the POP is valid, false otherwise. * @throws CRMFException if there is a problem in verification or content verifier creation. * @throws IllegalStateException if POP not appropriate. */ public boolean isValidSigningKeyPOP(ContentVerifierProvider verifierProvider, PKMACBuilder macBuilder, char[] password) throws CRMFException, IllegalStateException { ProofOfPossession pop = certReqMsg.getPopo(); if (pop.getType() == popSigningKey) { POPOSigningKey popoSign = POPOSigningKey.getInstance(pop.getObject()); if (popoSign.getPoposkInput() == null || popoSign.getPoposkInput().getSender() != null) { throw new IllegalStateException("no PKMAC present in proof of possession"); } PKMACValue pkMAC = popoSign.getPoposkInput().getPublicKeyMAC(); PKMACValueVerifier macVerifier = new PKMACValueVerifier(macBuilder); if (macVerifier.isValid(pkMAC, password, this.getCertTemplate().getPublicKey())) { return verifySignature(verifierProvider, popoSign); } return false; } else { throw new IllegalStateException("not Signing Key type of proof of possession"); } }
public void testSubsequentMessage() throws Exception { KeyPairGenerator kGen = KeyPairGenerator.getInstance("RSA", BC); kGen.initialize(512); KeyPair kp = kGen.generateKeyPair(); X509CertificateHolder cert = makeV3Certificate(kp, "CN=Test", kp, "CN=Test"); ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider(BC).build( kp.getPrivate()); GeneralName user = new GeneralName(new X500Name("CN=Test")); CertificateRequestMessageBuilder builder = new JcaCertificateRequestMessageBuilder( BigInteger.valueOf(1)).setPublicKey(kp.getPublic()).setProofOfPossessionSubsequentMessage( SubsequentMessage.encrCert); ProtectedPKIMessage certRequestMsg = new ProtectedPKIMessageBuilder(user, user).setTransactionID(new byte[] { 1, 2, 3, 4, 5 }).setBody( new PKIBody(PKIBody.TYPE_KEY_UPDATE_REQ, new CertReqMessages(builder.build().toASN1Structure()))).addCMPCertificate( cert).build(signer); ProtectedPKIMessage msg = new ProtectedPKIMessage(new GeneralPKIMessage(certRequestMsg.toASN1Structure().getEncoded())); CertReqMessages reqMsgs = CertReqMessages.getInstance(msg.getBody().getContent()); CertReqMsg reqMsg = reqMsgs.toCertReqMsgArray()[0]; assertEquals(ProofOfPossession.TYPE_KEY_ENCIPHERMENT, reqMsg.getPopo().getType()); }
