6-12 Oracle Fusion Middleware Reference for Oracle Security Developer Tools
6.3.3.3 Creating MultipartSigned Entities
The SmimeMultipartSigned class provides an alternative way to create signed messages. These messages use the multipart/signed MIME type instead of application/pkcs7-mime. The advantage is that the content of the resulting message is readable with non-MIME-enabled mail clients, although such clients will not, of course, be able to verify the signature.
Creating a multipart/signed message is slightly different from creating a signed message. For example, to send a multipart/signed text message:

    // create the content text as a MIME body part
    MimeBodyPart bp = new MimeBodyPart();
    bp.setText("Example multipart/signed message.");
    // the constructor takes the signature algorithm
    SmimeMultipartSigned sig = new SmimeMultipartSigned(bp, AlgID.sha1);
    // sign the content
    sig.addSignature(signerKey, signerCert);
    // place the content in a MIME message
    MimeMessage msg = new MimeMessage(session); // session is a javax.mail.Session (not shown here)
    msg.setContent(sig, sig.generateContentType());
The reason for identifying the message digest in the SmimeMultipartSigned constructor is that, unlike the case of application/pkcs7-mime signed-data objects, multipart/signed messages require that all signatures use the same message digest algorithm.
The generateContentType method returns the following string:

    multipart/signed; protocol=application/pkcs7-signature
6.3.3.4 Creating Digital Envelopes
An S/MIME digital envelope (encrypted message) is represented by the SmimeEnveloped class. This is a MIME entity which is formed by encrypting a MIME body part with some symmetric encryption algorithm (e.g., Triple-DES or RC2) and a randomly generated session key, then encrypting the session key with the RSA public key of each intended message recipient.
In the following example, doc is an instance of MimeBodyPart, which is to be wrapped in an instance of SmimeEnveloped, and recipientCert is the recipient's certificate.

    SmimeEnveloped env = new SmimeEnveloped(doc, Smime.dES_EDE3_CBC);
    env.addRecipient(recipientCert);
Any number of envelope recipients may be added by making repeated calls to addRecipient.
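Chaining the two entities described above into one sign-then-encrypt message, as an added example that is not from the Oracle reference. It assumes the oracle.security.crypto.smime, oracle.security.crypto.core and oracle.security.crypto.cert packages (the latter is named on this page for CertificateRequest), a JavaMail Session, and that the signer's private key and certificate and the recipients' certificates are already loaded.

```java
import java.util.List;
import javax.mail.Session;
import javax.mail.internet.MimeBodyPart;
import javax.mail.internet.MimeMessage;
import oracle.security.crypto.cert.*;  // X509Certificate (package assumed)
import oracle.security.crypto.core.*;  // AlgID, PrivateKey (package assumed)
import oracle.security.crypto.smime.*; // Smime, SmimeMultipartSigned, SmimeEnveloped (package assumed)

public final class SignThenEncrypt {

    /**
     * Builds a message that is first signed (multipart/signed) and then
     * enveloped for every recipient: the clear text and the signature both
     * sit inside the envelope, so only a recipient holding one of the RSA
     * private keys can read the document and then verify who signed it.
     */
    public static MimeMessage build(Session session, String text,
                                    PrivateKey signerKey, X509Certificate signerCert,
                                    List<X509Certificate> recipientCerts) throws Exception {
        if (recipientCerts.isEmpty()) {
            throw new IllegalArgumentException("at least one recipient is required");
        }
        // 1. The clear-text document as a MIME body part.
        MimeBodyPart doc = new MimeBodyPart();
        doc.setText(text);

        // 2. multipart/signed: every signature must use the digest fixed in
        //    the constructor, so it is chosen once here.
        SmimeMultipartSigned signed = new SmimeMultipartSigned(doc, AlgID.sha1);
        signed.addSignature(signerKey, signerCert);

        // 3. Wrap the signed entity as a body part so it can be enveloped.
        MimeBodyPart signedPart = new MimeBodyPart();
        signedPart.setContent(signed, signed.generateContentType());

        // 4. application/pkcs7-mime envelope; one session key, wrapped with
        //    each recipient's RSA public key in turn.
        SmimeEnveloped env = new SmimeEnveloped(signedPart, Smime.dES_EDE3_CBC);
        for (X509Certificate rc : recipientCerts) {
            env.addRecipient(rc);
        }

        // 5. Only the outer envelope becomes the message content.
        //    (generateContentType() on SmimeEnveloped is assumed to exist as it does for the signed classes.)
        MimeMessage msg = new MimeMessage(session);
        msg.setContent(env, env.generateContentType());
        msg.saveChanges(); // writes the Content-Type header into the message
        return msg;
    }
}
```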
6.3.3.5 Creating Certificates-Only Messages
It is possible to create an S/MIME signed-data object that contains neither content nor signatures; rather, it contains just certificates, or CRLs, or both. Such entities can be used as a certificate transport mechanism. They have the special content type:

    application/pkcs7-mime; smime-type=certs-only

Here is an example:

    X509Certificate cert1, cert2;
    SmimeSigned certBag = new SmimeSigned();
    certBag.addCertificate(cert1);
    certBag.addCertificate(cert2);

Now you can pass certBag to an appropriate setContent method. When generateContentType is invoked on certBag, it will automatically return a content type with the correct certs-only value for the smime-type parameter.
6.3.3.6 Reading Messages
The basic JavaMail API technique for extracting Java objects from MIME entities is to invoke the getContent method on an instance of MimePart, an interface which models MIME entities and is implemented by the MimeMessage and MimeBodyPart classes.
The getContent method consults the currently installed default command map - which is part of the JavaBeans Activation Framework - to find a data content handler for the given MIME type, which is responsible for converting the content of the MIME entity into a Java object of the appropriate class.
The mailcap file provided with your distribution can be used to install the SmimeDataContentHandler class, which serves as a data content handler for the following types:

    Content Type                  Returns Instance Of
    application/pkcs7-mime        SmimeSigned or SmimeEnveloped
    application/pkcs7-signature   SmimeSigned
    application/pkcs10            oracle.security.crypto.cert.CertificateRequest
    multipart/signed              SmimeMultipartSigned

6.3.3.7 Authenticating Signed Messages
Once you obtain an instance of SmimeSigned or SmimeMultipartSigned from getContent, you will naturally want to verify the attached signatures. To explain the available options for signature verification, it is necessary to discuss the structure of an S/MIME signed message.
The content of a signed S/MIME message is a CMS object of type SignedData. Such an object itself has a content - the document to which the signatures are applied - which is the text encoding of a MIME entity. It also contains from zero to any number of signatures, and, optionally, a set of certificates, CRLs, or both, which the receiving party may use to validate the signatures.
The SmimeSigned and SmimeMultipartSigned classes encapsulate all of this information. They provide two authentication methods: verifySignature and verify.
To verify a particular signature with a certificate already in possession, ignoring any certificates and CRLs attached by the signer, use verifySignature. For example:

    SmimeSignedObject sig = (SmimeSignedObject) msg.getContent(); // msg is a Message
    sig.verifySignature(cert, msg.getFrom());                     // cert is an X509Certificate object

If verification fails, the verifySignature method throws either a SignatureException or an AuthenticationException; otherwise, it returns normally.
Use verify to verify that the content contains at least one valid signature; that is, there exists a valid certificate chain, starting from a trusted root CA, and terminating in a certificate for the private key which generated the signature. This method makes use of the attached certificates and CRLs in order to follow certificate chains.
For example, given a trusted certificate authority (CA) certificate already in hand:

    TrustedCAPolicy trusts = new TrustedCAPolicy();
    // if true, need CRL for each cert in chain
    trusts.setRequireCRLs(false);
    // caCert is an X509Certificate object with CA cert
    trusts.addTrustedCA(caCert);
    SmimeSignedObject sig = (SmimeSignedObject) msg.getContent();
    sig.verify(trusts, msg.getFrom());

Like verifySignature, verify throws an AuthenticationException if the signature cannot be verified; otherwise it returns normally. In either case you can recover the document that was signed, which is itself a MIME entity, by invoking getEnclosedBodyPart:

    MimeBodyPart doc = sig.getEnclosedBodyPart();
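A receiving-side gate that combines the two verification paths of this section and only releases the enclosed document once a check has passed, as an added example that is not from the Oracle reference. It assumes the same oracle.security.crypto packages as above, that AuthenticationException lives in one of them, and that the SignatureException named on this page is java.security.SignatureException.

```java
import javax.mail.Message;
import javax.mail.internet.MimeBodyPart;
import oracle.security.crypto.cert.*;  // X509Certificate, TrustedCAPolicy (package assumed)
import oracle.security.crypto.core.*;  // AuthenticationException (package assumed)
import oracle.security.crypto.smime.*; // SmimeSignedObject (package assumed)

public final class SignedMessageGate {

    /**
     * Returns the signed document only if the signature checks out; unsigned
     * content, a pinned-certificate mismatch, a broken chain or a missing CRL
     * all end in an exception rather than in the document being passed on.
     *
     * @param pinnedSigner when non-null, the signature must have been made with
     *        exactly this certificate and any attached certs/CRLs are ignored
     *        (verifySignature); when null, a chain to one of trustedCAs is
     *        required (verify).
     */
    public static MimeBodyPart accept(Message msg, X509Certificate[] trustedCAs,
                                      X509Certificate pinnedSigner) throws Exception {
        Object content = msg.getContent();
        // application/pkcs7-mime maps to SmimeSigned OR SmimeEnveloped, so the
        // object must be type-checked before it is cast.
        if (!(content instanceof SmimeSignedObject)) {
            throw new SecurityException("not an S/MIME signed entity: " + msg.getContentType());
        }
        SmimeSignedObject sig = (SmimeSignedObject) content;
        try {
            if (pinnedSigner != null) {
                sig.verifySignature(pinnedSigner, msg.getFrom());
            } else {
                TrustedCAPolicy trusts = new TrustedCAPolicy();
                trusts.setRequireCRLs(true); // demand a CRL for every certificate in the chain
                for (X509Certificate ca : trustedCAs) {
                    trusts.addTrustedCA(ca);
                }
                sig.verify(trusts, msg.getFrom());
            }
        } catch (AuthenticationException | java.security.SignatureException e) {
            // Fail closed: the document is never returned after a failed check.
            throw new SecurityException("S/MIME signature rejected: " + e.getMessage(), e);
        }
        // Reached only when verification returned normally.
        return sig.getEnclosedBodyPart();
    }
}
```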
6.3.3.8 Opening Digital Envelopes (Encrypted Messages)