| Code with Finding: |
class PdfPKCS7 {
@SuppressWarnings("unchecked")
public PdfPKCS7(byte[] contentsKey, boolean tsp, String provider) {
isTsp = tsp;
try {
this.provider = provider;
ASN1InputStream din = new ASN1InputStream(new ByteArrayInputStream(contentsKey));
//
// Basic checks to make sure it's a PKCS#7 SignedData Object
//
DERObject pkcs;
try {
pkcs = din.readObject();
}
catch (IOException e) {
throw new IllegalArgumentException(MessageLocalization.getComposedMessage("can.t.decode.pkcs7signeddata.object"));
}
if (!(pkcs instanceof ASN1Sequence)) {
throw new IllegalArgumentException(MessageLocalization.getComposedMessage("not.a.valid.pkcs.7.object.not.a.sequence"));
}
ASN1Sequence signedData = (ASN1Sequence)pkcs;
DERObjectIdentifier objId = (DERObjectIdentifier)signedData.getObjectAt(0);
if (!objId.getId().equals(ID_PKCS7_SIGNED_DATA))
throw new IllegalArgumentException(MessageLocalization.getComposedMessage("not.a.valid.pkcs.7.object.not.signed.data"));
ASN1Sequence content = (ASN1Sequence)((DERTaggedObject)signedData.getObjectAt(1)).getObject();
// the positions that we care are:
// 0 - version
// 1 - digestAlgorithms
// 2 - possible ID_PKCS7_DATA
// (the certificates and crls are taken out by other means)
// last - signerInfos
// the version
version = ((DERInteger)content.getObjectAt(0)).getValue().intValue();
// the digestAlgorithms
digestalgos = new HashSet<String>();
Enumeration<ASN1Sequence> e = ((ASN1Set)content.getObjectAt(1)).getObjects();
while (e.hasMoreElements())
{
ASN1Sequence s = e.nextElement();
DERObjectIdentifier o = (DERObjectIdentifier)s.getObjectAt(0);
digestalgos.add(o.getId());
}
// the certificates
X509CertParser cr = new X509CertParser();
cr.engineInit(new ByteArrayInputStream(contentsKey));
certs = cr.engineReadAll();
// the possible ID_PKCS7_DATA
ASN1Sequence rsaData = (ASN1Sequence)content.getObjectAt(2);
if (rsaData.size() > 1) {
DEROctetString rsaDataContent = (DEROctetString)((DERTaggedObject)rsaData.getObjectAt(1)).getObject();
RSAdata = rsaDataContent.getOctets();
}
// the signerInfos
int next = 3;
while (content.getObjectAt(next) instanceof DERTaggedObject)
++next;
ASN1Set signerInfos = (ASN1Set)content.getObjectAt(next);
if (signerInfos.size() != 1)
throw new IllegalArgumentException(MessageLocalization.getComposedMessage("this.pkcs.7.object.has.multiple.signerinfos.only.one.is.supported.at.this.time"));
ASN1Sequence signerInfo = (ASN1Sequence)signerInfos.getObjectAt(0);
// the positions that we care are
// 0 - version
// 1 - the signing certificate issuer and serial number
// 2 - the digest algorithm
// 3 or 4 - digestEncryptionAlgorithm
// 4 or 5 - encryptedDigest
signerversion = ((DERInteger)signerInfo.getObjectAt(0)).getValue().intValue();
// Get the signing certificate
ASN1Sequence issuerAndSerialNumber = (ASN1Sequence)signerInfo.getObjectAt(1);
X509Principal issuer = new X509Principal(issuerAndSerialNumber.getObjectAt(0).getDERObject().getEncoded());
BigInteger serialNumber = ((DERInteger)issuerAndSerialNumber.getObjectAt(1)).getValue();
for (Object element : certs) {
X509Certificate cert = (X509Certificate)element;
if (issuer.equals(cert.getIssuerDN()) && serialNumber.equals(cert.getSerialNumber())) {
signCert = cert;
break;
}
}
if (signCert == null) {
throw new IllegalArgumentException(MessageLocalization.getComposedMessage("can.t.find.signing.certificate.with.serial.1",
issuer.getName() + " / " + serialNumber.toString(16)));
}
signCertificateChain();
digestAlgorithm = ((DERObjectIdentifier)((ASN1Sequence)signerInfo.getObjectAt(2)).getObjectAt(0)).getId();
next = 3;
if (signerInfo.getObjectAt(next) instanceof ASN1TaggedObject) {
ASN1TaggedObject tagsig = (ASN1TaggedObject)signerInfo.getObjectAt(next);
ASN1Set sseq = ASN1Set.getInstance(tagsig, false);
sigAttr = sseq.getEncoded(ASN1Encodable.DER);
for (int k = 0; k < sseq.size(); ++k) {
ASN1Sequence seq2 = (ASN1Sequence)sseq.getObjectAt(k);
if (((DERObjectIdentifier)seq2.getObjectAt(0)).getId().equals(ID_MESSAGE_DIGEST)) {
ASN1Set set = (ASN1Set)seq2.getObjectAt(1);
digestAttr = ((DEROctetString)set.getObjectAt(0)).getOctets();
}
else if (((DERObjectIdentifier)seq2.getObjectAt(0)).getId().equals(ID_ADBE_REVOCATION)) {
ASN1Set setout = (ASN1Set)seq2.getObjectAt(1);
ASN1Sequence seqout = (ASN1Sequence)setout.getObjectAt(0);
for (int j = 0; j < seqout.size(); ++j) {
ASN1TaggedObject tg = (ASN1TaggedObject)seqout.getObjectAt(j);
if (tg.getTagNo() == 0) {
ASN1Sequence seqin = (ASN1Sequence)tg.getObject();
findCRL(seqin);
}
if (tg.getTagNo() == 1) {
ASN1Sequence seqin = (ASN1Sequence)tg.getObject();
findOcsp(seqin);
}
}
}
}
if (digestAttr == null)
throw new IllegalArgumentException(MessageLocalization.getComposedMessage("authenticated.attribute.is.missing.the.digest"));
++next;
}
digestEncryptionAlgorithm = ((DERObjectIdentifier)((ASN1Sequence)signerInfo.getObjectAt(next++)).getObjectAt(0)).getId();
digest = ((DEROctetString)signerInfo.getObjectAt(next++)).getOctets();
if (next < signerInfo.size() && signerInfo.getObjectAt(next) instanceof DERTaggedObject) {
DERTaggedObject taggedObject = (DERTaggedObject) signerInfo.getObjectAt(next);
ASN1Set unat = ASN1Set.getInstance(taggedObject, false);
AttributeTable attble = new AttributeTable(unat);
Attribute ts = attble.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
if (ts != null && ts.getAttrValues().size() > 0) {
ASN1Set attributeValues = ts.getAttrValues();
ASN1Sequence tokenSequence = ASN1Sequence.getInstance(attributeValues.getObjectAt(0));
ContentInfo contentInfo = new ContentInfo(tokenSequence);
this.timeStampToken = new TimeStampToken(contentInfo);
}
}
if (isTsp) {
ContentInfo contentInfoTsp = new ContentInfo(signedData);
this.timeStampToken = new TimeStampToken(contentInfoTsp);
TimeStampTokenInfo info = timeStampToken.getTimeStampInfo();
String algOID = info.getMessageImprintAlgOID();
messageDigest = MessageDigest.getInstance(algOID);
}
else {
if (RSAdata != null || digestAttr != null) {
if (provider == null || provider.startsWith("SunPKCS11")) {
messageDigest = MessageDigest.getInstance(getHashAlgorithm());
encContDigest = MessageDigest.getInstance(getHashAlgorithm()); // Stefan Santesson
}
else {
messageDigest = MessageDigest.getInstance(getHashAlgorithm(), provider);
encContDigest = MessageDigest.getInstance(getHashAlgorithm(), provider); // Stefan Santesson
}
}
if (provider == null)
sig = Signature.getInstance(getDigestAlgorithm());
else
sig = Signature.getInstance(getDigestAlgorithm(), provider);
sig.initVerify(signCert.getPublicKey());
}
}
catch (Exception e) {
throw new ExceptionConverter(e);
}
}
}
|
