refactoring around encrypted certificate transport.

Author: dghgit

.gitignore

@@ -10,6 +10,7 @@
 */*.iml
 
 bin/
+build/
 */build/
 out/
 */out/

pkix/src/main/java/org/bouncycastle/cert/cmp/CMSProcessableCMPCertificate.java

@@ -0,0 +1,49 @@
+package org.bouncycastle.cert.cmp;
+
+import java.io.IOException;
+import java.io.OutputStream;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.cmp.CMPCertificate;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.CMSTypedData;
+
+/**
+ * Carrier class for a CMPCertificate over CMS.
+ */
+public class CMSProcessableCMPCertificate
+    implements CMSTypedData
+{
+    private final CMPCertificate cmpCert;
+
+    public CMSProcessableCMPCertificate(X509CertificateHolder certificateHolder)
+    {
+        this(new CMPCertificate(certificateHolder.toASN1Structure()));
+    }
+
+    public CMSProcessableCMPCertificate(CMPCertificate cmpCertificate)
+    {
+        this.cmpCert = cmpCertificate;
+    }
+
+    @Override
+    public void write(OutputStream out)
+        throws IOException, CMSException
+    {
+        out.write(cmpCert.getEncoded());
+    }
+
+    @Override
+    public Object getContent()
+    {
+        return cmpCert;
+    }
+
+    @Override
+    public ASN1ObjectIdentifier getContentType()
+    {
+        return PKCSObjectIdentifiers.data;
+    }
+}

pkix/src/main/java/org/bouncycastle/cert/cmp/CertificateConfirmationContent.java

@@ -6,6 +6,9 @@
 import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.DigestAlgorithmIdentifierFinder;
 
+/**
+ * Carrier class for a {@link CertConfirmContent} message.
+ */
 public class CertificateConfirmationContent
 {
     private DigestAlgorithmIdentifierFinder digestAlgFinder;

pkix/src/main/java/org/bouncycastle/cert/cmp/CertificateConfirmationContentBuilder.java

@@ -5,7 +5,9 @@
 import java.util.List;
 
 import org.bouncycastle.asn1.ASN1EncodableVector;
+import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.cmp.CMPCertificate;
 import org.bouncycastle.asn1.cmp.CertConfirmContent;
 import org.bouncycastle.asn1.cmp.CertStatus;
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
@@ -16,11 +18,15 @@
 import org.bouncycastle.operator.DigestCalculatorProvider;
 import org.bouncycastle.operator.OperatorCreationException;
 
+/**
+ * Builder class for a {@link CertConfirmContent} message.
+ */
 public class CertificateConfirmationContentBuilder
 {
     private DigestAlgorithmIdentifierFinder digestAlgFinder;
-    private List acceptedCerts = new ArrayList();
-    private List acceptedReqIds = new ArrayList();
+    private List<CMPCertificate> acceptedCerts = new ArrayList<CMPCertificate>();
+    private List<AlgorithmIdentifier> acceptedSignatureAlgorithms = new ArrayList<AlgorithmIdentifier>();
+    private List<ASN1Integer> acceptedReqIds = new ArrayList<ASN1Integer>();
 
     public CertificateConfirmationContentBuilder()
     {
@@ -34,7 +40,18 @@ public CertificateConfirmationContentBuilder(DigestAlgorithmIdentifierFinder dig
 
     public CertificateConfirmationContentBuilder addAcceptedCertificate(X509CertificateHolder certHolder, BigInteger certReqID)
     {
-        acceptedCerts.add(certHolder);
+        return addAcceptedCertificate(certHolder, new ASN1Integer(certReqID));
+    }
+
+    public CertificateConfirmationContentBuilder addAcceptedCertificate(X509CertificateHolder certHolder, ASN1Integer certReqID)
+    {
+        return addAcceptedCertificate(new CMPCertificate(certHolder.toASN1Structure()), certHolder.getSignatureAlgorithm(), certReqID);
+    }
+
+    public CertificateConfirmationContentBuilder addAcceptedCertificate(CMPCertificate cmpCertificate, AlgorithmIdentifier sigAlg, ASN1Integer certReqID)
+    {
+        acceptedCerts.add(cmpCertificate);
+        acceptedSignatureAlgorithms.add(sigAlg);
         acceptedReqIds.add(certReqID);
 
         return this;
@@ -47,10 +64,10 @@ public CertificateConfirmationContent build(DigestCalculatorProvider digesterPro
 
         for (int i = 0; i != acceptedCerts.size(); i++)
         {
-            X509CertificateHolder certHolder = (X509CertificateHolder)acceptedCerts.get(i);
-            BigInteger reqID = (BigInteger)acceptedReqIds.get(i);
+            CMPCertificate certHolder = (CMPCertificate)acceptedCerts.get(i);
+            ASN1Integer reqID = (ASN1Integer)acceptedReqIds.get(i);
 
-            AlgorithmIdentifier digAlg = digestAlgFinder.find(certHolder.toASN1Structure().getSignatureAlgorithm());
+            AlgorithmIdentifier digAlg = digestAlgFinder.find((AlgorithmIdentifier)acceptedSignatureAlgorithms.get(i));
             if (digAlg == null)
             {
                 throw new CMPException("cannot find algorithm for digest from signature");
@@ -67,7 +84,7 @@ public CertificateConfirmationContent build(DigestCalculatorProvider digesterPro
                 throw new CMPException("unable to create digest: " + e.getMessage(), e);
             }
 
-            CMPUtil.derEncodeToStream(certHolder.toASN1Structure(), digester.getOutputStream());
+            CMPUtil.derEncodeToStream(certHolder, digester.getOutputStream());
 
             v.add(new CertStatus(digester.getDigest(), reqID));
         }

pkix/src/main/java/org/bouncycastle/cert/cmp/CertificateStatus.java

@@ -2,10 +2,12 @@
 
 import java.math.BigInteger;
 
+import org.bouncycastle.asn1.cmp.CMPCertificate;
 import org.bouncycastle.asn1.cmp.CertStatus;
 import org.bouncycastle.asn1.cmp.PKIStatusInfo;
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.jcajce.BCFKSLoadStoreParameter;
 import org.bouncycastle.operator.DigestAlgorithmIdentifierFinder;
 import org.bouncycastle.operator.DigestCalculator;
 import org.bouncycastle.operator.DigestCalculatorProvider;
@@ -36,7 +38,13 @@ public BigInteger getCertRequestID()
     public boolean isVerified(X509CertificateHolder certHolder, DigestCalculatorProvider digesterProvider)
         throws CMPException
     {
-        AlgorithmIdentifier digAlg = digestAlgFinder.find(certHolder.toASN1Structure().getSignatureAlgorithm());
+        return isVerified(new CMPCertificate(certHolder.toASN1Structure()), certHolder.getSignatureAlgorithm(), digesterProvider);
+    }
+
+    public boolean isVerified(CMPCertificate cmpCert, AlgorithmIdentifier signatureAlgorithm, DigestCalculatorProvider digesterProvider)
+        throws CMPException
+    {
+        AlgorithmIdentifier digAlg = digestAlgFinder.find(signatureAlgorithm);
         if (digAlg == null)
         {
             throw new CMPException("cannot find algorithm for digest from signature");
@@ -53,7 +61,7 @@ public boolean isVerified(X509CertificateHolder certHolder, DigestCalculatorProv
             throw new CMPException("unable to create digester: " + e.getMessage(), e);
         }
 
-        CMPUtil.derEncodeToStream(certHolder.toASN1Structure(), digester.getOutputStream());
+        CMPUtil.derEncodeToStream(cmpCert, digester.getOutputStream());
 
         return Arrays.areEqual(certStatus.getCertHash().getOctets(), digester.getDigest());
     }

pkix/src/main/java/org/bouncycastle/cert/crmf/CertificateRequestMessageBuilder.java

@@ -32,6 +32,9 @@
 import org.bouncycastle.cert.CertIOException;
 import org.bouncycastle.operator.ContentSigner;
 
+/**
+ * Builder for high-level objects built on {@link org.bouncycastle.asn1.crmf.CertReqMsg}.
+ */
 public class CertificateRequestMessageBuilder
 {
     private final BigInteger certReqId;

pkix/src/main/java/org/bouncycastle/cert/crmf/CertificateResponse.java

@@ -1,13 +1,24 @@
 package org.bouncycastle.cert.crmf;
 
+import java.util.Collection;
+import java.util.Iterator;
+
+import org.bouncycastle.asn1.bc.BCObjectIdentifiers;
 import org.bouncycastle.asn1.cmp.CMPCertificate;
 import org.bouncycastle.asn1.cmp.CertResponse;
 import org.bouncycastle.asn1.cmp.CertifiedKeyPair;
 import org.bouncycastle.asn1.cms.ContentInfo;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.cms.CMSEnvelopedData;
 import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.Recipient;
+import org.bouncycastle.cms.RecipientInformation;
+import org.bouncycastle.cms.RecipientInformationStore;
+import org.bouncycastle.cms.jcajce.JceKeyTransEnvelopedRecipient;
 
+/**
+ * High level wrapper for the CertResponse CRMF structure.
+ */
 public class CertificateResponse
 {
     private final CertResponse certResponse;
@@ -18,26 +29,85 @@ public CertificateResponse(CertResponse certResponse)
         this.certResponse = certResponse;
     }
 
+    /**
+     * Return true if the response contains an encrypted certificate.
+     *
+     * @return true if certificate in response encrypted, false otherwise.
+     */
     public boolean hasEncryptecCertificate()
     {
         return certResponse.getCertifiedKeyPair().getCertOrEncCert().hasEncryptedCertificate();
     }
 
+    /**
+     * Return a CMSEnvelopedData representing the encrypted certificate contained in the response.
+     *
+     * @return a CMEEnvelopedData if an encrypted certificate is present.
+     * @throws IllegalStateException if no encrypted certificate is present, or there is an issue with the enveloped data.
+     */
     public CMSEnvelopedData getEncryptedCertificate()
         throws CMSException
     {
+        if (!hasEncryptecCertificate())
+        {
+            throw new IllegalStateException("encrypted certificate asked for, none found");
+        }
+
         CertifiedKeyPair receivedKeyPair = certResponse.getCertifiedKeyPair();
 
-        return new CMSEnvelopedData(
+        CMSEnvelopedData envelopedData = new CMSEnvelopedData(
             new ContentInfo(PKCSObjectIdentifiers.envelopedData, receivedKeyPair.getCertOrEncCert().getEncryptedCert().getValue()));
+
+        if (envelopedData.getRecipientInfos().size() != 1)
+        {
+            throw new IllegalStateException("data encrypted for more than one recipient");
+        }
+
+        return envelopedData;
     }
 
+    /**
+     * Return the CMPCertificate representing the plaintext certificate in the response.
+     *
+     * @return a CMPCertificate if a plaintext certificate is present.
+     * @throws IllegalStateException if no plaintext certificate is present.
+     */
+    public CMPCertificate getCertificate(Recipient recipient)
+        throws CMSException
+    {
+       CMSEnvelopedData encryptedCert = getEncryptedCertificate();
+
+        RecipientInformationStore recipients = encryptedCert.getRecipientInfos();
+
+        Collection c = recipients.getRecipients();
+
+        RecipientInformation recInfo = (RecipientInformation)c.iterator().next();
+
+        return CMPCertificate.getInstance(recInfo.getContent(recipient));
+    }
+
+    /**
+     * Return the CMPCertificate representing the plaintext certificate in the response.
+     *
+     * @return a CMPCertificate if a plaintext certificate is present.
+     * @throws IllegalStateException if no plaintext certificate is present.
+     */
     public CMPCertificate getCertificate()
         throws CMSException
     {
+        if (hasEncryptecCertificate())
+        {
+            throw new IllegalStateException("plaintext certificate asked for, none found");
+        }
+
         return certResponse.getCertifiedKeyPair().getCertOrEncCert().getCertificate();
     }
 
+    /**
+     * Return this object's underlying ASN.1 structure.
+     *
+     * @return a CertResponse
+     */
     public CertResponse toASN1Structure()
     {
         return certResponse;