codec.pkcs7
Class Signer

java.lang.Object
  |
  +--codec.pkcs7.Signer

public class Signer

extends Object

ATTENTION : if the strict DER Encoding shall be used, the function setStrict(true) must be called right after instantiating the Object. Signs a given Signable object, e.g. a SignedData or a SignedAndEnvelopedData.

Version:

"$Id: Signer.java,v 1.5 2004/08/12 12:27:56 pebinger Exp $"

Author:

Volker Roth

Field Summary

static int	BUFFER_SIZE The size of the buffer allocated for reading and signing data in case this is a detached signature file.
protected ASN1ObjectIdentifier	contentType_ The content type to be signed.
protected MessageDigest	digest_ The message digest engine that is used while signing is in progress.
protected SignerInfo	info_ The SignerInfo of the signer whose signature generation is in progress.
protected Signable	target_ The Signable that is signed.
protected boolean	twostep_ true if signing is done with authenticated attributes.

Constructor Summary

Signer(Signable sigdat, SignerInfo info, PrivateKey key)
Creates an instance ready for signing.

Method Summary

void	setStrict(boolean strictness)
void	sign() Completes the signing.
void	update() Update operation.
void	update(byte[] b) Update operation.
void	update(byte[] b, int offset, int len) Update operation.
void	update(InputStream in) Update operation for signing or verification.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

BUFFER_SIZE

public static final int BUFFER_SIZE

The size of the buffer allocated for reading and signing data in case this is a detached signature file.

target_

protected Signable target_

The Signable that is signed.

info_

protected SignerInfo info_

The SignerInfo of the signer whose signature generation is in progress.

digest_

protected MessageDigest digest_

The message digest engine that is used while signing is in progress. The digest engine is used only in the presence of authenticated attributes.

contentType_

protected ASN1ObjectIdentifier contentType_

The content type to be signed.

twostep_

protected boolean twostep_

true if signing is done with authenticated attributes.

Constructor Detail

Signer

public Signer(Signable sigdat,
              SignerInfo info,
              PrivateKey key)
       throws GeneralSecurityException

Creates an instance ready for signing.

Parameters:

sigdat - The Signable to which SignerInfo instances are added.

info - The SignerInfo with the attributes that are signed along with the data. This instance is later added to the Signable .

key - The private key to use for signing.

Throws:

NoSuchAlgorithmException - if some required algorithm implementation cannot be found.

InvalidAlgorithmParameterException - if some parameters do not match the required algorithms.

InvalidKeyException - if the public key does not match the signature algorithm.

InvalidAttributeException - if the PKCS#9 ContentType attribute in the given SignerInfo does not match the content type of the corresponding SignedData.

Method Detail

setStrict

public void setStrict(boolean strictness)

update

public void update(InputStream in)
            throws SignatureException,
                   IOException

Update operation for signing or verification. The given input stream is not closed after completition of this method.

Parameters:

in - The input data to be signed or verified.

Throws:

IOException - if an I/O error occurs while reading from the given stream.

SignatureException - if this instance is not properly initialized.

IOException - if an I/O exception occurs while reading from the input stream.

update

public void update()
            throws GeneralSecurityException

Update operation. Updates the signature computation with the content of the SignedData specified at creation time. If the SignedData has no content then no updating takes place.

Note: updating must be done on the contents octets of the content only, no identifier and length octets are hashed or signed (Verison 1.5). Because the contents are already decoded by the ContentInfo we have to re-encode them according to DER. Unfortunately we cannot tell how many identifier and length octets we have to skip without decoding them first. There is a trick, though. We can briefly modify the tagging of the contents to IMPLICIT tagging while encoding them. That way, the identifier and length octets won't be encoded.

Note: Remember, the tagging will be changed for re-encoding purposes. Custom content type instances must support this (it's supported by default in all codec.asn1.* types).

If the content type is Data then there is no problem because we can simply grab the contents octets from it.

update

public void update(byte[] b)
            throws SignatureException

Update operation.

Parameters:

b - The input bytes.

update

public void update(byte[] b,
                   int offset,
                   int len)
            throws SignatureException

Update operation.

Parameters:

b - The input bytes.

offset - The offset into b at which the data to be signed starts.

len - The number of bytes starting with offset to be signed.

sign

public void sign()
          throws GeneralSecurityException

Completes the signing. The SignerInfo is added to the target SignedData automatically.

Note: The signer's certificate is not added to the target SignedData. This has to be done separately. Application shall have full control over the embedding of certificates, because certificates are likely to be distributed by other means as well (e.g. LDAP). So there might not be a need to distibute them with SignedData objects.