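/**
 * Verifies the signature-based protection of a received CMP message against the
 * configured responder.
 *
 * <p>The checks run in this order, and each one fails closed by returning
 * {@code false}:
 * <ol>
 *   <li>password-based MAC protection is rejected, since only signatures are accepted here;</li>
 *   <li>the header's sender must equal {@code responderSubject};</li>
 *   <li>the protection algorithm OID must be in {@code trustedProtectionAlgOids};</li>
 *   <li>a verifier must be obtainable for the public key of {@code responderCert}.</li>
 * </ol>
 * The verification key is taken from the {@code responderCert} field, not from
 * anything carried in the message.
 *
 * @param pkiMessage the received message whose protection is to be checked
 * @return {@code true} only if every check passes and the signature verifies
 * @throws CMPException if one of the calls made here reports it; this method
 *     does not throw it directly
 * @throws InvalidKeyException if one of the calls made here reports it; this
 *     method does not throw it directly
 */
@Override
protected boolean verifyProtection(GeneralPKIMessage pkiMessage)
    throws CMPException, InvalidKeyException {
  ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);

  if (protectedMsg.hasPasswordBasedMacProtection()) {
    // Parameterized logging, consistent with the other warnings in this method.
    LOG.warn("protection is not signature based: {}",
        pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
    return false;
  }

  PKIHeader header = protectedMsg.getHeader();
  // The sender is read from a message that has not been verified yet; it is
  // only compared and logged here, never used to select the verification key.
  // NOTE(review): the value is written to the log as-is; confirm the log layout
  // neutralises control characters.
  if (!header.getSender().equals(responderSubject)) {
    LOG.warn("not authorized responder '{}'", header.getSender());
    return false;
  }

  // Allow-list check on the algorithm before any cryptographic work is done.
  String algOid = header.getProtectionAlg().getAlgorithm().getId();
  if (!trustedProtectionAlgOids.contains(algOid)) {
    LOG.warn("PKI protection algorithm is untrusted '{}'", algOid);
    return false;
  }

  ContentVerifierProvider verifierProvider =
      getContentVerifierProvider(responderCert.getPublicKey());
  if (verifierProvider == null) {
    // NOTE(review): this logs the same text as the sender mismatch above, so the
    // two failure causes cannot be told apart in the log.
    LOG.warn("not authorized responder '{}'", header.getSender());
    return false;
  }

  return protectedMsg.verify(verifierProvider);
} // method verifyProtection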
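/**
 * Verifies the password-based MAC protection of a received CMP message.
 *
 * <p>The checks run in this order, and each one fails closed by returning
 * {@code false}:
 * <ol>
 *   <li>the message must carry password-based MAC protection;</li>
 *   <li>the PBM parameters must be present;</li>
 *   <li>the one-way function OID must be in {@code trustedOwfOids};</li>
 *   <li>the MAC algorithm OID must be in {@code trustedMacOids}.</li>
 * </ol>
 * Only then is the MAC computed with the {@code password} field and compared.
 *
 * @param pkiMessage the received message whose protection is to be checked
 * @return {@code true} only if every check passes and the MAC verifies
 * @throws CMPException if one of the calls made here reports it; this method
 *     does not throw it directly
 * @throws InvalidKeyException if one of the calls made here reports it; this
 *     method does not throw it directly
 */
@Override
protected boolean verifyProtection(GeneralPKIMessage pkiMessage)
    throws CMPException, InvalidKeyException {
  ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage);

  if (!protectedMsg.hasPasswordBasedMacProtection()) {
    LOG.warn("NOT_MAC_BASED: {}",
        pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId());
    return false;
  }

  PBMParameter parameter =
      PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters());
  // The parameters field of an AlgorithmIdentifier is optional, and
  // PBMParameter.getInstance returns null for a null argument. The message is
  // still unauthenticated at this point, so reject it instead of dereferencing null.
  if (parameter == null) {
    LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter absent)");
    return false;
  }

  // Both algorithm choices come from the sender; they are checked against the
  // allow-lists before any MAC computation.
  ASN1ObjectIdentifier owfOid = parameter.getOwf().getAlgorithm();
  if (!trustedOwfOids.contains(owfOid)) {
    LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.owf: {})", owfOid);
    return false;
  }

  ASN1ObjectIdentifier macOid = parameter.getMac().getAlgorithm();
  if (!trustedMacOids.contains(macOid)) {
    LOG.warn("MAC_ALGO_FORBIDDEN (PBMParameter.mac: {})", macOid);
    return false;
  }

  // NOTE(review): the iteration count in PBMParameter is also chosen by the
  // sender and is not bounded here. PKMACBuilder has a constructor that takes a
  // maximum iteration count; confirm it is available in the BouncyCastle
  // version in use and consider setting a ceiling.
  PKMACBuilder pkMacBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
  return protectedMsg.verify(pkMacBuilder, password);
}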
AlgorithmIdentifier protectionAlg = header.getProtectionAlg(); PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters()); AlgorithmIdentifier algId = parameter.getOwf(); if (!cmpControl.isRequestPbmOwfPermitted(algId)) { if (!cmpControl.getSigAlgoValidator().isAlgorithmPermitted(protectionAlg)) { LOG.warn("SIG_ALGO_FORBIDDEN: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.SIGNATURE_ALGO_FORBIDDEN);
if (!protectedMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_MAC_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); PBMParameter.getInstance(pkiMessage.getHeader().getProtectionAlg().getParameters()); AlgorithmIdentifier algId = parameter.getOwf(); if (!macResponder.isPbmOwfPermitted(algId)) { if (protectedMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_SIGNATURE_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); AlgorithmIdentifier protectionAlgo = protectedMsg.getHeader().getProtectionAlg(); if (!sigResponder.getSigAlgoValidator().isAlgorithmPermitted(protectionAlgo)) { String algoName;