Using the CMSOutputStream and CMSInputStream Classes

Oracle CMS 5-23

5.3.3.2 Difference between CMSStream and CMSConnector Classes

The CMSOutputStream class is an output stream filter which wraps the data written to it within a CMS RFC-2630 ContentInfo structure, whose BER encoding is then written to the underlying output stream. The CMSOutputConnector class is an output stream filter which likewise wraps the data written to it within a CMS RFC-2630 ContentInfo structure, except that only the value octets of the Content field of the ContentInfo structure, minus the explicit [0] tag, are written to the underlying output stream. The CMSInputStream class is an input stream filter which reads the BER encoding of a CMS RFC-2630 ContentInfo structure from the underlying input stream. The CMSInputConnector class is an input stream filter that expects the underlying input stream to be positioned at the start of the value octets of the Content field of the ContentInfo structure, after the explicit [0] tag. CMSConnectors are useful in creating and reading nested objects.
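The two on-the-wire shapes described above, as an added Python illustration that is not Oracle's code and does not use the Oracle CMS API: stream_output builds the full ContentInfo BER that a CMSOutputStream writes, parse_content_info reads it back the way a CMSInputStream would, and the inner content octets it returns are exactly what a CMSOutputConnector would have written and a CMSInputConnector expects to start at. The function names are mine; the encoding and the id-data OID follow RFC 2630.

```python
# Added illustration, not Oracle's code: a minimal BER/DER encoder and decoder for the
# RFC 2630 ContentInfo structure the stream and connector classes wrap data in.
ID_DATA = "1.2.840.113549.1.7.1"  # RFC 2630 id-data content type

def _length(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value

def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def stream_output(content_type: str, content: bytes) -> bytes:
    """What a CMSOutputStream writes: SEQUENCE { contentType OID, content [0] EXPLICIT ANY }.
    A CMSOutputConnector would write only `content`, the value octets of the [0] element."""
    return _tlv(0x30, _oid(content_type) + _tlv(0xA0, content))

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first & 0x7F
    if first & 0x80:  # long form: low bits give the number of length octets that follow
        length, pos = int.from_bytes(buf[pos:pos + length], "big"), pos + length
    return tag, buf[pos:pos + length], pos + length

def parse_content_info(encoded: bytes) -> tuple[bytes, bytes]:
    """What a CMSInputStream reads: returns (contentType OID value, inner content octets).
    A CMSInputConnector would be handed the inner octets directly, past the [0] tag."""
    tag, seq, _ = _read_tlv(encoded, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    oid_tag, oid, pos = _read_tlv(seq, 0)
    ctag, inner, _ = _read_tlv(seq, pos)
    if oid_tag != 0x06 or ctag != 0xA0:
        raise ValueError("expected contentType OID followed by [0] EXPLICIT content")
    return oid, inner
```

Feeding the inner octets (an OCTET STRING for id-data) to parse_content_info raises, which is the same mismatch you get by pairing a CMSInputStream with output produced by a CMSOutputConnector.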

5.3.3.3 Using the CMSOutputStream and CMSInputStream Classes

To construct an object:

1. Create a CMSOutputStream of the appropriate content type. All the relevant parameters are passed through the constructor.
2. Write the data being protected to the CMSOutputStream created in step 1.
3. After all the data is written, close the CMSOutputStream created in step 1.

To read an object:

1. Create a CMSInputStream of the appropriate content type by passing the underlying input stream through the constructor.
2. Read the protected data from the CMSInputStream created in step 1 using the read() and read(byte[], ...) methods.
3. Invoke terminate() after you have finished reading data from the CMSInputStream created in step 1. This completes the reading of the object.
4. Invoke the appropriate methods to verify that the protected content is secure.

5.3.3.3.1 CMS id-data Object

The getData method returns the data, which can then be written to a CMSOutputStream or CMSOutputConnector.

5.3.3.3.2 CMS id-ct-receipt Object

The getReceiptData method returns the encoded receipt, which can then be written to a CMSOutputStream or CMSOutputConnector. To read ESSReceipt data from the input stream:

    byte[] rcptData = in.read(...);
    ESSReceipt er = new ESSReceipt();
    er.inputContent(rcptData);

5.3.3.3.3 CMS id-digestedData Object

Setting the boolean parameter writeEContentInfo in the CMSDigestedDataOutputStream constructor to false enables you to create a detached digested-data object. Note that you will not be able to verify the digest of a detached digested-data object.

5-24 Oracle Fusion Middleware Reference for Oracle Security Developer Tools

5.3.3.3.4 CMS id-signedData Object

The CMSSignerInfoSpec class stores signer-specific information. For every signature you want to add, you need to create a corresponding CMSSignerInfoSpec object, which is then passed to the constructor. Setting the boolean parameter createExternalSignatures in the CMSSignedDataOutputStream constructor to true enables you to create a detached signed-data object (external signatures). Note that you will not be able to verify the signature of a detached signed-data object. To create a certificate/CRL-only object, do not pass any signer information to the CMSSignedDataOutputStream constructor.

5.3.3.3.5 CMS id-encryptedData Objects

Setting the boolean parameter writeEncryptedOutput in the CMSEncryptedDataOutputStream constructor to false enables you to create a detached encrypted-data object.

5.3.3.3.6 CMS id-envelopedData Objects

The CMSRecipientInfoSpec class stores recipient-specific information. For every recipient you want to add, you need to create a corresponding CMSRecipientInfoSpec object, which is then passed to the constructor. Setting the boolean parameter writeContent in the CMSEnvelopedDataOutputStream constructor to false enables you to create a detached enveloped-data object.

Key Transport Key Exchange Mechanism

Use the CMSKeyTransRecipientInfoSpec class to store recipient information that uses the key transport key management mechanism.

Key Agreement Key Exchange Mechanism

This mechanism is not supported at this time.

Key Encryption Wrap Key Exchange Mechanism

Use the CMSKEKRecipientInfoSpec class to store recipient information that uses the key wrap key management mechanism.

5.3.3.3.7 CMS id-ct-authData Objects

Setting the boolean parameter detachEncapContent in the CMSAuthenticatedDataOutputStream constructor to true enables you to create a detached authenticated-data object. Note that you will not be able to verify the MAC of a detached authenticated-data object.

5.3.3.4 Wrapping Triple or more CMSConnector Objects