In order to encrypt a document CmsEnvelopeGenerator or CmsEnvelopeStreamGenerator is used. The latter is used for handling very large documents. Since CmsEnvelopeGenerator performs encryption in memory, the maximum file size is limited with the JRE's memory limit.
A document may be encrypted for one or more persons. If the private key of one of the recipients are accessible then new recipients added to an EnvelopedData. To create an EnvelopedData, the encryption certificates of the recipients are required.
CmsEnvelopeStreamGenerator cmsGenerator = new CmsEnvelopeStreamGenerator(plainInputStream );
cmsGenerator.addRecipientInfos(new ECertificate [] {cert});
cmsGenerator.generate(encryptedOutputStream);
CmsEnvelopeStreamGenerator cmsGenerator = new CmsEnvelopeStreamGenerator(plainInputStream );
cmsGenerator.addRecipientInfos(new ECertificate [] {cert});
cmsGenerator.generate(encryptedOutputStream);
In order to decrypt an encrypted document CmsEnvelopeParser or CmsEnvelopeStreamParser is used. The latter is used for handling very large documents.
To decrypt an EnvelopedData the private key of one of the recipients of the document must be accessible. To access a private key either smartcard or memory is used. Below, you can see an example of decryption with a private key stored in a smartcard.
ByteArrayOutputStream decryptedOutputStream = new ByteArrayOutputStream(); SmartCard sc = new SmartCard(CardType.AKIS); long slot = sc.getSlotList()[0]; long session = sc.openSession(slot); sc.login(session, "12345"); CmsEnvelopeStreamParser cmsParser = new CmsEnvelopeStreamParser(encryptedInputStream); IDecryptorStore decryptor = new SCDecryptor(sc, session); cmsParser.open(decryptedOutputStream, decryptor);
MemoryStream decryptedOutputStream = new MemoryStream(); SmartCard sc = new SmartCard(CardType.AKIS); long slot = sc.getSlotList()[0]; long session = sc.openSession(slot); sc.login(session, "12345"); CmsEnvelopeStreamParser cmsParser = new CmsEnvelopeStreamParser(encryptedInputStream); IDecryptorStore decryptor = new SCDecryptor(sc, session); cmsParser.open(decryptedOutputStream, decryptor);
While creating an EnvelopedData, you must have the encryption certificates of the recipients. One way to collect recipient certificates is to query an existing LDAP system by using the e-mail address information of the recipients.
LDAP operations are placed in the ESYA API Infra project in ESYA API. You have to get “ma3api-infra-….jar” for this project.
The sample code below, finds a certificate by searching our test system with an e-mail address. You should adapt this code for your own environment before using it.
public void testGettingCertificateFromLDAP() throws Exception
{
ECertificate originalCert=new ECertificate(ugCert.getBytes("ASCII"));
ECertificate adcert=readEncCertificatesFromDirectory("yasemin.akturk@ug.net")[0];
}
public static ECertificate [] readEncCertificatesFromDirectory(String aEmail) throws ESYAException{
String ip = "10.1.0.15";
int port = 389;
String directoryType = DirectoryBase.ACTIVE_DIRECTORY;
String user = "esyakm@ug.net";
String pass = "Ugnet.2010";
String searchPoint = "dc=ug, dc=net";
DirectoryInfo di = new StaticDirectoryInfo(ip,port,directoryType,user,pass);
SearchDirectory search = new SearchDirectory(di, searchPoint);
if(search.isConnected() == false)
{
System.out.println("Dizine baglanamadi!");
return null;
}
String tka = search.getTKAbyEmail(aEmail);
Object[][] objs = search.getAttributes(tka, DirectoryBase.ATTR_KULLANICISERTIFIKASI);
if(objs == null)
{
System.out.println("kullanici sertifikasi yok 1.");
return null;
}
Object[] certs = objs[0];
if(certs == null)
{
System.out.println("kullanici sertifikasi yok 2.");
return null;
}
List<ECertificate> encCerts = new ArrayList<ECertificate>();
for (int i = 0; i < certs.length; i++)
{
byte [] certBytes = (byte[]) certs[i];
ECertificate cert = new ECertificate(certBytes);
EKeyUsage keyUsage = cert.getExtensions().getKeyUsage();
if(keyUsage.isDataEncipherment() || keyUsage.isKeyEncipherment())
{
encCerts.add(cert);
}
}
return encCerts.toArray(new ECertificate[0]);
}
public void testGettingCertificateFromLDAP()
{
ECertificate originalCert = new ECertificate(ugCert);
ECertificate adcert=readEncCertificatesFromDirectory("yasemin.akturk@ug.net")[0];
}
public static ECertificate[] readEncCertificatesFromDirectory(String aEmail)
{
String ip = "10.1.0.15";
int port = 389;
String directoryType = DirectoryBase.ACTIVE_DIRECTORY;
String user = "esyakm@ug.net";
String pass = "Ugnet.2010";
String searchPoint = "dc=ug, dc=net";
DirectoryInfo di = new StaticDirectoryInfo(ip, port, directoryType, user, pass);
SearchDirectory search = new SearchDirectory(di, searchPoint);
String tka = search.getTKAbyEmail(aEmail);
Object[][] objs = search.getAttributes(tka, DirectoryBase.ATTR_KULLANICISERTIFIKASI);
if (objs == null)
{
Console.WriteLine("kullanici sertifikasi yok 1.");
return null;
}
Object[] certs = objs[0];
if (certs == null)
{
Console.WriteLine("kullanici sertifikasi yok 2.");
return null;
}
List<ECertificate> encCerts = new List<ECertificate>();
for (int i = 0; i < certs.Length; i++)
{
byte[] certBytes = (byte[])certs[i];
ECertificate cert = new ECertificate(certBytes);
EKeyUsage keyUsage = cert.getExtensions().getKeyUsage();
if (keyUsage.isDataEncipherment() || keyUsage.isKeyEncipherment())
{
Console.WriteLine("sifreleme sertifikasidir");
encCerts.Add(cert);
}
}
return encCerts.ToArray();
}
New recipients can be added into an existing EnvelopedData, which do not requires a complete decryption of the document. The encrypted symmetric key is decrypted by the private key of one of the existing recipients and reencrypted by using the certificate of the new recipient. Therefore to add a new recipient to an existing EnvelopedData, one decryptor object must be provided to the API. The decryption of only symmetric encryption key does not take as long time as the decryption of the whole document.
//Add first recipient
InputStream plainInputStream = new ByteArrayInputStream("test".getBytes());
ByteArrayOutputStream envelopeWithOneRecipient = new ByteArrayOutputStream();
ECertificate cert = new ECertificate(ugCert.getBytes("ASCII"));
CmsEnvelopeStreamGenerator cmsGenerator = new CmsEnvelopeStreamGenerator(plainInputStream );
cmsGenerator.addRecipientInfos(new ECertificate [] {cert});
cmsGenerator.generate(envelopeWithOneRecipient);
//CMS Envelope with one recipient is generated.
//Add a new recipient to envelope
ByteArrayInputStream bais = new ByteArrayInputStream(envelopeWithOneRecipient.toByteArray());
ByteArrayOutputStream envelopeWithTwoRecipient = new ByteArrayOutputStream();
SmartCard sc = new SmartCard(CardType.AKIS);
long slot = sc.getSlotList()[0];
long session = sc.openSession(slot);
sc.login(session, "12345");
CmsEnvelopeStreamParser cmsParser = new CmsEnvelopeStreamParser(bais);
IDecryptorStore decryptor = new SCDecryptor(sc, session);
cmsParser.addRecipientInfo(envelopeWithTwoRecipient, decryptor, cert);
//Add first recipient
using (Stream plainInputStream = new MemoryStream(ASCIIEncoding.ASCII.GetBytes("test")), envelopeWithOneRecipient = new MemoryStream())
{
//MemoryStream envelopeWithOneRecipient = new MemoryStream();
ECertificate cert = new ECertificate(ugCert);
CmsEnvelopeStreamGenerator cmsGenerator = new CmsEnvelopeStreamGenerator(plainInputStream);
cmsGenerator.addRecipientInfos(new ECertificate[] { cert });
cmsGenerator.generate(envelopeWithOneRecipient);
//CMS Envelope with one recipient is generated.
//Add a new recipient to envelope
using (MemoryStream bais = new MemoryStream(((MemoryStream)envelopeWithOneRecipient).ToArray()), envelopeWithTwoRecipient = new MemoryStream())
{
//MemoryStream envelopeWithTwoRecipient = new MemoryStream();
SmartCard sc = new SmartCard(CardType.AKIS);
long slot = sc.getSlotList()[0];
long session = sc.openSession(slot);
sc.login(session, "12345");
CmsEnvelopeStreamParser cmsParser = new CmsEnvelopeStreamParser(bais);
IDecryptorStore decryptor = new SCDecryptor(sc, session);
cmsParser.addRecipientInfo(envelopeWithTwoRecipient, decryptor, cert);
sc.logout(session);
}
}