Java Code Examples for org.bouncycastle.asn1.cms.Attribute#getAttrType()

The following examples show how to use org.bouncycastle.asn1.cms.Attribute#getAttrType(). The source file and originating project are named above each example.
Example 1
Source File: CAdESTimestampDataBuilder.java    From dss with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Copies the given unsigned attributes into a new sequence, leaving out
 * every archive-timestamp-v2/v3 attribute whose embedded token was not
 * generated strictly before the given timestamp token.
 *
 * NOTE(review): the keep/drop decision rests on the genTime read from the
 * embedded token. Nothing in this method validates that token, and unsigned
 * attributes are not covered by the signer's signature. Confirm that the
 * tokens are validated elsewhere before this ordering is relied upon.
 *
 * @param unauthenticatedAttributes the attribute set to filter
 * @param timestampToken the timestamp whose generation time is the cut-off
 * @return a DER sequence with the retained attributes, in their original order
 * @throws DSSException if an archive timestamp attribute cannot be read or compared
 */
private ASN1Sequence filterUnauthenticatedAttributes(ASN1Set unauthenticatedAttributes, TimestampToken timestampToken) {
	final ASN1EncodableVector kept = new ASN1EncodableVector();
	for (int position = 0; position < unauthenticatedAttributes.size(); position++) {
		final Attribute candidate = Attribute.getInstance(unauthenticatedAttributes.getObjectAt(position));
		final ASN1ObjectIdentifier type = candidate.getAttrType();
		final boolean archiveTimestamp = id_aa_ets_archiveTimestampV2.equals(type) || id_aa_ets_archiveTimestampV3.equals(type);

		// Attributes other than archive timestamps are always retained.
		boolean keep = true;
		if (archiveTimestamp) {
			try {
				final TimeStampToken embedded = DSSASN1Utils.getTimeStampToken(candidate);
				// Retain only tokens generated strictly before the reference timestamp;
				// an equal generation time is treated as "added after" and dropped.
				keep = embedded.getTimeStampInfo().getGenTime().before(timestampToken.getGenerationTime());
			} catch (Exception e) {
				// Any failure to read or compare the token aborts the whole filtering.
				throw new DSSException(e);
			}
		}
		if (keep) {
			kept.add(unauthenticatedAttributes.getObjectAt(position));
		}
	}
	return new DERSequence(kept);
}
 
Example 2
Source File: CadesLevelBaselineLTATimestampExtractor.java    From dss with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Checks the unsignedAttrsHashIndex of an archive timestamp against the
 * unsigned attributes currently present in the signature.
 *
 * The field unsignedAttrsHashIndex is a sequence of octet strings. Each one
 * contains the hash value of one instance of Attribute within the
 * unsignedAttrs field of the SignerInfo. A hash value for every instance of
 * Attribute, as present at the time when the corresponding archive
 * time-stamp is requested, shall be included in unsignedAttrsHashIndex. No
 * other hash values shall be included in this field.
 *
 * Every hash listed in the timestamp must be found among the hashes of the
 * unsigned attributes in the signerInformation.
 *
 * If the signerInformation holds more unsigned attributes than the hash
 * index lists, no error is reported, and the attributes covered by the
 * timestamp are not reported either. If a listed hash matches no attribute
 * of the signerInformation (attribute missing or altered), an empty sequence
 * is returned so that the timestamped data will not match.
 *
 * NOTE(review): when the hash index is absent or empty there is nothing
 * left unmatched, so the value is returned as obtained (possibly
 * {@code null}) without any attribute having been checked. Confirm that
 * callers reject that case.
 *
 * @param signerInformation the signer whose unsigned attributes are hashed
 * @param timestampHashIndex the hash index taken from the archive timestamp
 * @param atsHashIndexVersionIdentifier passed through to the attribute hashing helper
 * @return the unsigned attributes hash index as obtained from the timestamp
 *         when every listed hash was matched, otherwise an empty DER sequence
 */
@SuppressWarnings("unchecked")
private ASN1Sequence getVerifiedUnsignedAttributesHashIndex(SignerInformation signerInformation, final ASN1Sequence timestampHashIndex, 
		ASN1ObjectIdentifier atsHashIndexVersionIdentifier) {

	final ASN1Sequence unsignedAttributesHashes = DSSASN1Utils.getUnsignedAttributesHashIndex(timestampHashIndex);

	// Hashes announced by the timestamp that have not been matched yet.
	final List<DEROctetString> unmatchedHashes = new ArrayList<>();
	if (unsignedAttributesHashes != null) {
		unmatchedHashes.addAll(Collections.list(unsignedAttributesHashes.getObjects()));
	}

	final ASN1EncodableVector signatureAttributes = CMSUtils.getUnsignedAttributes(signerInformation).toASN1EncodableVector();
	for (int position = 0; position < signatureAttributes.size(); position++) {
		final Attribute current = (Attribute) signatureAttributes.get(position);
		for (DEROctetString digest : getAttributeDerOctetStringHashes(current, atsHashIndexVersionIdentifier)) {
			final ASN1ObjectIdentifier type = current.getAttrType();
			// remove() drops one occurrence only, so each listed hash is consumed once.
			final boolean matched = unmatchedHashes.remove(digest);
			if (matched) {
				LOG.debug("Attribute {} present in timestamp", type.getId());
			} else {
				LOG.debug("Attribute {} not present in timestamp", type.getId());
			}
		}
	}

	if (unmatchedHashes.isEmpty()) {
		// Every listed hash was matched: hand back the original sequence.
		return unsignedAttributesHashes;
	}

	LOG.error("{} attribute(s) hash in Timestamp has not been found in document attributes: {}", unmatchedHashes.size(),
			unmatchedHashes);
	// Failure is signalled indirectly: the empty sequence makes the recomputed
	// timestamped data differ, so the caller's digest comparison must be what
	// rejects the timestamp.
	return new DERSequence();
}
 
Example 3
Source File: DSSASN1Utils.java    From dss with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Finds the ATSHashIndex attribute among a timestamp's unsigned attributes
 * and returns its object identifier, which tells the element version.
 *
 * The first attribute of type ATSHashIndex, ATSHashIndexV2 or ATSHashIndexV3
 * wins; any further hash index attributes are not examined.
 *
 * @param timestampUnsignedAttributes {@link AttributeTable} of the timestamp's unsignedAttributes
 * @return {@link ASN1ObjectIdentifier} of the AtsHashIndex element version, or
 *         {@code null} when the table is {@code null} or holds no hash index
 */
public static ASN1ObjectIdentifier getAtsHashIndexVersionIdentifier(AttributeTable timestampUnsignedAttributes) {
	if (timestampUnsignedAttributes == null) {
		// No table at all: nothing is logged for this case.
		return null;
	}
	for (Attribute candidate : timestampUnsignedAttributes.toASN1Structure().getAttributes()) {
		final ASN1ObjectIdentifier type = candidate.getAttrType();
		final boolean hashIndex = id_aa_ATSHashIndex.equals(type) || id_aa_ATSHashIndexV2.equals(type)
				|| id_aa_ATSHashIndexV3.equals(type);
		if (hashIndex) {
			LOG.debug("Unsigned attribute of type [{}] found in the timestamp.", type);
			return type;
		}
	}
	LOG.warn("The timestamp unsignedAttributes does not contain ATSHashIndex!");
	return null;
}
 
Example 4
Source File: DSSASN1Utils.java    From dss with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Tells whether the attribute type is one of the accepted archive
 * timestamp identifiers (archive-timestamp-v2 or archive-timestamp-v3).
 *
 * Only the attribute type is inspected; the attribute value is not read.
 *
 * @param attribute {@link Attribute} to check, may be {@code null}
 * @return true if the attribute represents an archive timestamp element, false otherwise
 */
public static boolean isArchiveTimeStampToken(Attribute attribute) {
	if (attribute == null) {
		return false;
	}
	final ASN1ObjectIdentifier type = attribute.getAttrType();
	if (OID.id_aa_ets_archiveTimestampV2.equals(type)) {
		return true;
	}
	return OID.id_aa_ets_archiveTimestampV3.equals(type);
}
 
Example 5
Source File: CAdESSignatureExtension.java    From dss with GNU Lesser General Public License v2.1 4 votes vote down vote up
/**
 * Digests the message, requests a timestamp over that digest from
 * {@code tspSource}, and returns the resulting token as an ASN.1 object.
 * When extra attributes are supplied, the first value of each is added to
 * the unsigned attributes of the token's signer before re-encoding.
 *
 * NOTE(review): the response bytes are parsed here but not verified in this
 * method (no check of the imprint or of the TSA signature is visible).
 * Confirm that {@code tspSource} or a later step validates the token.
 *
 * NOTE(review): the signer is obtained with {@code iterator().next()}. A
 * response without any signer would raise {@code NoSuchElementException},
 * which the catch clause below does not cover. Likewise an attribute with
 * no value would fail at {@code getObjectAt(0)}.
 *
 * @param messageToTimestamp the bytes to be timestamped
 * @param timestampDigestAlgorithm the digest algorithm applied before the request
 * @param attributesForTimestampToken attributes to append to the token's unsigned attributes
 * @return the (possibly extended) timestamp token as an ASN.1 object
 * @throws DSSException if the token cannot be parsed or re-encoded
 */
public ASN1Object getTimeStampAttributeValue(final byte[] messageToTimestamp, final DigestAlgorithm timestampDigestAlgorithm,
		final Attribute... attributesForTimestampToken) {
	try {

		// Debug output contains the complete message in hex; it is only
		// produced when debug logging is enabled.
		if (LOG.isDebugEnabled()) {
			LOG.debug("Message to timestamp is: {}", Utils.toHex(messageToTimestamp));
		}
		final byte[] imprint = DSSUtils.digest(timestampDigestAlgorithm, messageToTimestamp);
		if (LOG.isDebugEnabled()) {
			LOG.debug("Digested ({}) message to timestamp is {}", timestampDigestAlgorithm, Utils.toHex(imprint));
		}

		final TimestampBinary response = tspSource.getTimeStampResponse(timestampDigestAlgorithm, imprint);
		final CMSSignedData receivedToken = new CMSSignedData(response.getBytes());

		// TODO (27/08/2014): attributesForTimestampToken cannot be null: to be modified
		if (attributesForTimestampToken == null) {
			return DSSASN1Utils.toASN1Primitive(receivedToken.getEncoded());
		}

		// The token is expected to carry exactly one signer; the first one is used.
		final SignerInformation signer = receivedToken.getSignerInfos().getSigners().iterator().next();
		AttributeTable merged = CMSUtils.getUnsignedAttributes(signer);
		for (final Attribute extra : attributesForTimestampToken) {
			// Only the first value of each supplied attribute is carried over.
			merged = merged.add(extra.getAttrType(), extra.getAttrValues().getObjectAt(0));
		}

		// Unsigned attributes cannot be empty (RFC 5652 5.3): pass null instead.
		final SignerInformation updatedSigner = SignerInformation.replaceUnsignedAttributes(signer,
				merged.size() == 0 ? null : merged);

		final List<SignerInformation> updatedSigners = new ArrayList<>();
		updatedSigners.add(updatedSigner);
		final CMSSignedData extendedToken = CMSSignedData.replaceSigners(receivedToken,
				new SignerInformationStore(updatedSigners));

		return DSSASN1Utils.toASN1Primitive(extendedToken.getEncoded());
	} catch (IOException | CMSException e) {
		throw new DSSException("Cannot obtain timestamp attribute value.", e);
	}

}