added support for id-alg-noSignature

dghgit · dghgit · commit 5af657e5ce9b · 2025-02-25T17:51:47.000+11:00
diff --git a/core/src/main/java/org/bouncycastle/asn1/x509/X509ObjectIdentifiers.java b/core/src/main/java/org/bouncycastle/asn1/x509/X509ObjectIdentifiers.java
@@ -95,6 +95,11 @@ public interface X509ObjectIdentifiers
      */
     static final ASN1ObjectIdentifier id_ecdsa_with_shake256 = pkix_algorithms.branch("33");
 
+    /**
+     * id-alg-noSignature OBJECT IDENTIFIER ::= {id-pkix id-alg(6) 2}
+     */
+    ASN1ObjectIdentifier id_alg_noSignature = pkix_algorithms.branch("2");
+
     /** 1.3.6.1.5.5.7.9 */
     static final ASN1ObjectIdentifier id_pda = id_pkix.branch("9");
 
diff --git a/pkix/src/main/java/org/bouncycastle/operator/NoSignatureContentSigner.java b/pkix/src/main/java/org/bouncycastle/operator/NoSignatureContentSigner.java
@@ -0,0 +1,48 @@
+package org.bouncycastle.operator;
+
+import java.io.IOException;
+import java.io.OutputStream;
+
+import org.bouncycastle.asn1.DERNull;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
+
+/**
+ * ContentSigner for "Unsigned X.509 Certificates"
+ */
+public class NoSignatureContentSigner
+    implements ContentSigner
+{
+    @Override
+    public AlgorithmIdentifier getAlgorithmIdentifier()
+    {
+        return new AlgorithmIdentifier(X509ObjectIdentifiers.id_alg_noSignature, DERNull.INSTANCE);
+    }
+
+    @Override
+    public OutputStream getOutputStream()
+    {
+        return new OutputStream()
+        {
+            @Override
+            public void write(byte[] buf, int off, int len)
+                throws IOException
+            {
+                // do nothing
+            }
+
+            @Override
+            public void write(int i)
+                throws IOException
+            {
+                // do nothing
+            }
+        };
+    }
+
+    @Override
+    public byte[] getSignature()
+    {
+        return new byte[0];
+    }
+}
diff --git a/pkix/src/test/java/org/bouncycastle/cert/test/CertTest.java b/pkix/src/test/java/org/bouncycastle/cert/test/CertTest.java
@@ -77,6 +77,7 @@
 import org.bouncycastle.asn1.x509.KeyPurposeId;
 import org.bouncycastle.asn1.x509.SubjectAltPublicKeyInfo;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
 import org.bouncycastle.asn1.x9.ECNamedCurveTable;
 import org.bouncycastle.asn1.x9.X9ECParameters;
 import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
@@ -118,6 +119,7 @@
 import org.bouncycastle.operator.ContentVerifierProvider;
 import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
+import org.bouncycastle.operator.NoSignatureContentSigner;
 import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
 import org.bouncycastle.operator.bc.BcRSAContentVerifierProviderBuilder;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
@@ -3973,6 +3975,60 @@ public void checkCreationRSAPSS()
         isTrue(null == crt.getSubjectPublicKeyInfo().getAlgorithm().getParameters());
     }
 
+    public void checkCreationNoSignature()
+        throws Exception
+    {
+        //
+        // set up the keys
+        //
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSASSA-PSS", BC);
+
+        KeyPair kp = kpg.generateKeyPair();
+
+        PrivateKey privKey = kp.getPrivate();
+        PublicKey pubKey = kp.getPublic();
+
+        //
+        // distinguished name table.
+        //
+        X500NameBuilder builder = createStdBuilder();
+
+        //
+        // create the certificate - version 3
+        //
+        ContentSigner sigGen = new NoSignatureContentSigner();
+        X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(builder.build(), BigInteger.valueOf(1), new Date(System.currentTimeMillis() - 50000), new Date(System.currentTimeMillis() + 50000), builder.build(), pubKey);
+
+        X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC).getCertificate(certGen.build(sigGen));
+
+        cert.checkValidity(new Date());
+
+        //
+        // check fails on verify
+        //
+        try
+        {
+            cert.verify(pubKey);
+            fail("no exception");
+        }
+        catch (InvalidKeyException e)
+        {
+            isEquals(e.getMessage(), "attempt to pass public key to NoSig");
+        }
+
+        // convert and check components.
+        ByteArrayInputStream bIn = new ByteArrayInputStream(cert.getEncoded());
+        CertificateFactory fact = CertificateFactory.getInstance("X.509", BC);
+
+        cert = (X509Certificate)fact.generateCertificate(bIn);
+
+        org.bouncycastle.asn1.x509.Certificate crt = org.bouncycastle.asn1.x509.Certificate.getInstance(cert.getEncoded());
+
+        isTrue(new AlgorithmIdentifier(X509ObjectIdentifiers.id_alg_noSignature, DERNull.INSTANCE).equals(crt.getTBSCertificate().getSignature()));
+        isTrue(new AlgorithmIdentifier(X509ObjectIdentifiers.id_alg_noSignature, DERNull.INSTANCE).equals(crt.getSignatureAlgorithm()));
+        isTrue(0 == cert.getSignature().length);
+    }
+
     /*
      * we generate a self signed certificate across the range of ECDSA algorithms
      */
@@ -5644,6 +5700,7 @@ public void performTest()
         checkCreationECDSA();
         checkCreationRSA();
         checkCreationRSAPSS();
+        checkCreationNoSignature();
 
         checkCreationFalcon();
         checkCreationDilithium();
diff --git a/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/NoSig.java b/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/NoSig.java
@@ -0,0 +1,90 @@
+package org.bouncycastle.jcajce.provider.asymmetric;
+
+import java.security.InvalidKeyException;
+import java.security.InvalidParameterException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SignatureException;
+import java.security.SignatureSpi;
+
+import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
+import org.bouncycastle.jcajce.provider.config.ConfigurableProvider;
+import org.bouncycastle.jcajce.provider.util.AsymmetricAlgorithmProvider;
+
+public class NoSig
+{
+    private static final String PREFIX = "org.bouncycastle.jcajce.provider.asymmetric.NoSig$";
+
+    public static class SigSpi
+        extends SignatureSpi
+    {
+        @Override
+        protected void engineInitVerify(PublicKey publicKey)
+            throws InvalidKeyException
+        {
+            throw new InvalidKeyException("attempt to pass public key to NoSig");
+        }
+
+        @Override
+        protected void engineInitSign(PrivateKey privateKey)
+            throws InvalidKeyException
+        {
+            throw new InvalidKeyException("attempt to pass private key to NoSig");
+        }
+
+        @Override
+        protected void engineUpdate(byte b)
+            throws SignatureException
+        {
+
+        }
+
+        @Override
+        protected void engineUpdate(byte[] bytes, int i, int i1)
+            throws SignatureException
+        {
+
+        }
+
+        @Override
+        protected byte[] engineSign()
+            throws SignatureException
+        {
+            return new byte[0];
+        }
+
+        @Override
+        protected boolean engineVerify(byte[] bytes)
+            throws SignatureException
+        {
+            return false;
+        }
+
+        @Override
+        protected void engineSetParameter(String s, Object o)
+            throws InvalidParameterException
+        {
+
+        }
+
+        @Override
+        protected Object engineGetParameter(String s)
+            throws InvalidParameterException
+        {
+            return null;
+        }
+    }
+
+    public static class Mappings
+        extends AsymmetricAlgorithmProvider
+    {
+        public Mappings()
+        {
+        }
+
+        public void configure(ConfigurableProvider provider)
+        {
+            provider.addAlgorithm("Signature." + X509ObjectIdentifiers.id_alg_noSignature, PREFIX + "SigSpi");
+        }
+    }
+}
diff --git a/prov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java b/prov/src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java
@@ -123,7 +123,7 @@ public final class BouncyCastleProvider extends Provider
     // later ones configure it.
     private static final String[] ASYMMETRIC_GENERIC =
     {
-        "X509", "IES", "COMPOSITE", "EXTERNAL", "CompositeSignatures"
+        "X509", "IES", "COMPOSITE", "EXTERNAL", "CompositeSignatures", "NoSig"
     };
 
     private static final String[] ASYMMETRIC_CIPHERS =

Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ public final class BouncyCastleProvider extends Provider`
`123`	`123`	`// later ones configure it.`
`124`	`124`	`private static final String[] ASYMMETRIC_GENERIC =`
`125`	`125`	`{`
`126`		`- "X509", "IES", "COMPOSITE", "EXTERNAL", "CompositeSignatures"`
	`126`	`+ "X509", "IES", "COMPOSITE", "EXTERNAL", "CompositeSignatures", "NoSig"`
`127`	`127`	`};`
`128`	`128`
`129`	`129`	`private static final String[] ASYMMETRIC_CIPHERS =`