org.mozilla.jss.pkix.cms

Class SignerInfo

Implemented Interfaces:
ASN1Value

public class SignerInfo
extends java.lang.Object
implements ASN1Value

A CMS SignerInfo.

Nested Class Summary

static class
SignerInfo.Template
A template for decoding a SignerInfo blob

Constructor Summary

SignerInfo(SignerIdentifier signerIdentifier, SET signedAttributes, SET unsignedAttributes, OBJECT_IDENTIFIER contentType, byte[] messageDigest, SignatureAlgorithm signingAlg, PrivateKey signingKey)
A constructor for creating a new SignerInfo from scratch.

Method Summary

void
encode(OutputStream ostream)
void
encode(Tag tag, OutputStream ostream)
DigestAlgorithm
getDigestAlgorithm()
Retrieves the DigestAlgorithm used in this SignerInfo.
AlgorithmIdentifier
getDigestAlgorithmIdentifer()
Retrieves the DigestAlgorithmIdentifier used in this SignerInfo.
SignatureAlgorithm
getDigestEncryptionAlgorithm()
Returns the raw signature (digest encryption) algorithm used in this SignerInfo.
AlgorithmIdentifier
getDigestEncryptionAlgorithmIdentifier()
Returns the DigestEncryptionAlgorithmIdentifier used in this SignerInfo.
byte[]
getEncryptedDigest()
Retrieves the encrypted digest.
SET
getSignedAttributes()
Retrieves the signed attributes, if they exist.
SignerIdentifier
getSignerIdentifier()
Retrieves the SignerIdentifier.
Tag
getTag()
static SignerInfo.Template
getTemplate()
SET
getUnsignedAttributes()
Retrieves the unsigned attributes, if they exist.
INTEGER
getVersion()
Retrieves the version number of this SignerInfo.
boolean
hasSignedAttributes()
Returns true if the signedAttributes field is present.
boolean
hasUnsignedAttributes()
Returns true if the unsignedAttributes field is present.
void
verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType)
Verifies that this SignerInfo contains a valid signature of the given message digest.
void
verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType, PublicKey pubkey)
Verifies that this SignerInfo contains a valid signature of the given message digest.

Constructor Details

SignerInfo

public SignerInfo(SignerIdentifier signerIdentifier,
                  SET signedAttributes,
                  SET unsignedAttributes,
                  OBJECT_IDENTIFIER contentType,
                  byte[] messageDigest,
                  SignatureAlgorithm signingAlg,
                  PrivateKey signingKey)
            throws InvalidKeyException,
                   NoSuchAlgorithmException,
                   CryptoManager.NotInitializedException,
                   SignatureException,
                   TokenException
A constructor for creating a new SignerInfo from scratch.
Parameters:
signerIdentifier - The signerIdentifier of the certificate from which the public key was extracted to create this SignerInfo.
signedAttributes - An optional set of Attributes, which will be signed along with the message content. This parameter may be null, or the SET may be empty. DO NOT insert the PKCS #9 content-type or message-digest attributes. They will be added automatically if they are necessary.
unsignedAttributes - An optional set of Attributes, which will be included in the SignerInfo but not signed. This parameter may be null, or the SET may be empty.
contentType - The type of the ContentInfo that is being signed. If it is not data, then the PKCS #9 attributes content-type and message-digest will be automatically computed and added to the signed attributes.
messageDigest - The digest of the message contents. The digest must have been created with the digest algorithm specified by the signingAlg parameter.
signingAlg - The algorithm to be used to sign the content. This should be a composite algorithm, such as RSASignatureWithMD5Digest, instead of a raw algorithm, such as RSASignature. Note that the digest portion of this algorithm must be the same algorithm as was used to digest the message content.

Method Details

encode

public void encode(OutputStream ostream)
            throws IOException
Specified by:
encode in interface ASN1Value

encode

public void encode(Tag tag,
                   OutputStream ostream)
            throws IOException
Specified by:
encode in interface ASN1Value

getDigestAlgorithm

public DigestAlgorithm getDigestAlgorithm()
            throws NoSuchAlgorithmException
Retrieves the DigestAlgorithm used in this SignerInfo.

getDigestAlgorithmIdentifer

public AlgorithmIdentifier getDigestAlgorithmIdentifer()
Retrieves the DigestAlgorithmIdentifier used in this SignerInfo.

getDigestEncryptionAlgorithm

public SignatureAlgorithm getDigestEncryptionAlgorithm()
            throws NoSuchAlgorithmException
Returns the raw signature (digest encryption) algorithm used in this SignerInfo.

getDigestEncryptionAlgorithmIdentifier

public AlgorithmIdentifier getDigestEncryptionAlgorithmIdentifier()
Returns the DigestEncryptionAlgorithmIdentifier used in this SignerInfo.

getEncryptedDigest

public byte[] getEncryptedDigest()
Retrieves the encrypted digest.

getSignedAttributes

public SET getSignedAttributes()
Retrieves the signed attributes, if they exist.

getSignerIdentifier

public SignerIdentifier getSignerIdentifier()
Retrieves the SignerIdentifier.

getTag

public Tag getTag()
Specified by:
getTag in interface ASN1Value

getTemplate

public static SignerInfo.Template getTemplate()

getUnsignedAttributes

public SET getUnsignedAttributes()
Retrieves the unsigned attributes, if they exist.

getVersion

public INTEGER getVersion()
Retrieves the version number of this SignerInfo.

hasSignedAttributes

public boolean hasSignedAttributes()
Returns true if the signedAttributes field is present.

hasUnsignedAttributes

public boolean hasUnsignedAttributes()
Returns true if the unsignedAttributes field is present.

verify

public void verify(byte[] messageDigest,
                   OBJECT_IDENTIFIER contentType)
            throws CryptoManager.NotInitializedException,
                   NoSuchAlgorithmException,
                   InvalidKeyException,
                   TokenException,
                   SignatureException,
                   ObjectNotFoundException
Verifies that this SignerInfo contains a valid signature of the given message digest. If any signed attributes are present, they are also validated. The verification algorithm is as follows:

  • If no signed attributes are present, the content type is verified to be data. Then it is verified that the message digest passed in, when encrypted with the given public key, matches the encrypted digest in the SignerInfo.
  • If signed attributes are present, two particular attributes must be present:
    • PKCS #9 Content-Type, the type of content that is being signed. This must match the contentType parameter.
    • PKCS #9 Message-Digest, the digest of the content that is being signed. This must match the messageDigest parameter.
    After these two attributes are verified to be both present and correct, the encryptedDigest field of the SignerInfo is verified to be the signature of the contents octets of the DER encoding of the signedAttributes field.
Parameters:
messageDigest - The hash of the content that is signed by this SignerInfo.
contentType - The type of the content that is signed by this SignerInfo.

verify

public void verify(byte[] messageDigest,
                   OBJECT_IDENTIFIER contentType,
                   PublicKey pubkey)
            throws CryptoManager.NotInitializedException,
                   NoSuchAlgorithmException,
                   InvalidKeyException,
                   TokenException,
                   SignatureException
Verifies that this SignerInfo contains a valid signature of the given message digest. If any signed attributes are present, they are also validated. The verification algorithm is as follows:

  • If no signed attributes are present, the content type is verified to be data. Then it is verified that the message digest passed in, when encrypted with the given public key, matches the encrypted digest in the SignerInfo.
  • If signed attributes are present, two particular attributes must be present:
    • PKCS #9 Content-Type, the type of content that is being signed. This must match the contentType parameter.
    • PKCS #9 Message-Digest, the digest of the content that is being signed. This must match the messageDigest parameter.
    After these two attributes are verified to be both present and correct, the encryptedDigest field of the SignerInfo is verified to be the signature of the contents octets of the DER encoding of the signedAttributes field.
Parameters:
messageDigest - The hash of the content that is signed by this SignerInfo.
contentType - The type of the content that is signed by this SignerInfo.
pubkey - The public key to use to verify the signature.
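
A caller-side wrapper around the three-argument verify() described above, as an added example that is not part of the JSS documentation or source: it hashes the content with the digest algorithm the SignerInfo names, refuses digests outside an allow-list, and only then calls verify(). The class name SignerInfoVerifier, the allow-list, the package locations in the imports and java.security.PublicKey as the pubkey type are assumptions; CryptoManager must already be initialized by the caller.

```java
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.SignatureException;
import java.util.Map;

import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
import org.mozilla.jss.crypto.DigestAlgorithm;
import org.mozilla.jss.pkix.cms.SignerInfo;

/** Added example (hypothetical class): policy checks before SignerInfo.verify(). */
public final class SignerInfoVerifier {

    // Digests this caller accepts, mapped to their JCA names. MD5 and SHA-1
    // are left out on purpose, so SignerInfos that name them are rejected.
    // Assumption: JSS hands back its shared DigestAlgorithm constants, so a
    // map lookup on the returned object finds them.
    private static final Map<DigestAlgorithm, String> ALLOWED = Map.of(
            DigestAlgorithm.SHA256, "SHA-256",
            DigestAlgorithm.SHA384, "SHA-384",
            DigestAlgorithm.SHA512, "SHA-512");

    /**
     * Verifies si over content using a key the caller already trusts.
     * Returns normally on success; any failure surfaces as an exception.
     */
    public static void verifyContent(SignerInfo si,
                                     byte[] content,
                                     OBJECT_IDENTIFIER contentType,
                                     PublicKey trustedKey) throws Exception {
        // The digest algorithm comes from the (untrusted) SignerInfo, so it
        // is checked against local policy before it is used.
        DigestAlgorithm alg = si.getDigestAlgorithm();
        String jcaName = ALLOWED.get(alg);
        if (jcaName == null) {
            throw new SignatureException("digest algorithm not allowed: " + alg);
        }

        // The messageDigest argument must be the hash of the content itself.
        byte[] digest = MessageDigest.getInstance(jcaName).digest(content);

        // Without signed attributes, verify() only accepts contentType data.
        // With them, it checks the PKCS #9 Content-Type and Message-Digest
        // attributes against these arguments before checking the signature.
        si.verify(digest, contentType, trustedKey);
    }
}
```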