bcgit
diff --git a/‎CLAUDE.md‎
Lines changed: 19 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎docs/releasenotes.html‎
Lines changed: 1 addition & 0 deletions b/‎docs/releasenotes.html‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkix/src/main/java/org/bouncycastle/cades/CAdESArchiveTimestampUtil.java‎
Lines changed: 293 additions & 0 deletions b/‎pkix/src/main/java/org/bouncycastle/cades/CAdESArchiveTimestampUtil.java‎
Lines changed: 293 additions & 0 deletions
diff --git a/‎pkix/src/main/java/org/bouncycastle/cades/CAdESException.java‎
Lines changed: 23 additions & 0 deletions b/‎pkix/src/main/java/org/bouncycastle/cades/CAdESException.java‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎pkix/src/main/java/org/bouncycastle/cades/CAdESLevel.java‎
Lines changed: 39 additions & 0 deletions b/‎pkix/src/main/java/org/bouncycastle/cades/CAdESLevel.java‎
Lines changed: 39 additions & 0 deletions
@@ -105,6 +105,25 @@ When moving existing example code into `misc/`, remember to drop any matching `e
 
 `BouncyCastleProvider` (in `prov`) registers algorithms by string name through `ConfigurableProvider.addAlgorithm("Cipher.SM2", "...GMCipherSpi$SM2")` etc. Per-algorithm registration code lives in `prov/src/main/java/org/bouncycastle/jcajce/provider/{asymmetric,symmetric,digest,keystore,...}/<Family>.java`. The corresponding `*Spi` classes (CipherSpi, KeyFactorySpi, KeyPairGeneratorSpi, etc.) are siblings under the same package. When adding or fixing a JCE-visible behaviour, the registration `Family.java` is the entry point; the underlying lightweight engine usually lives in `core/src/main/java/org/bouncycastle/crypto/engines/`.
 
+### Package layering: `.bc` (lightweight) vs `.jcajce` (JCA/JCE)
+
+The high-level modules (`pkix`, `pg`, `mail`/`jmail`, `tls`, `mls`) split their public surface by which low-level crypto stack a class touches:
+
+- **`.bc` subpackages** — lightweight implementations using `org.bouncycastle.crypto.*` engines / signers / digests directly. Examples: `org.bouncycastle.cms.bc`, `org.bouncycastle.openpgp.bc`, `org.bouncycastle.operator.bc`.
+- **`.jcajce` subpackages** — JCA/JCE implementations that call `java.security.*` / `javax.crypto.*` classes (typically through a `JcaJceHelper` so the provider is overridable). Examples: `org.bouncycastle.cms.jcajce`, `org.bouncycastle.openpgp.operator.jcajce`, `org.bouncycastle.operator.jcajce`.
+- **Top-level packages** (e.g. `org.bouncycastle.cms`, `org.bouncycastle.openpgp`, `org.bouncycastle.cades`, `org.bouncycastle.cert`) — JCA-free abstractions. They may take `DigestCalculatorProvider` / `ContentSigner` / `X509CertificateHolder` etc., but must not import `java.security.MessageDigest`, `java.security.Signature`, `javax.crypto.Cipher`, or `java.security.cert.X509Certificate`.
+
+The only JCA class allowed to be referenced from a non-`.jcajce` package is `java.security.SecureRandom`. Everything else must be in a `.jcajce` package.
+
+Practical implications when adding code:
+
+- Need an algorithm digest in a top-level utility? Take a `DigestCalculatorProvider` parameter and call `provider.get(algId).getOutputStream().write(...)` — never `MessageDigest.getInstance(...)`.
+- Need to verify a signature in a top-level utility? Take a `SignerInfoVerifier` (or similar operator) — never `Signature.getInstance(...)`.
+- Need to wrap an existing `Jca*` builder? Either (a) wrap the JCA-free parent (e.g. wrap `SignerInfoGeneratorBuilder` instead of `JcaSignerInfoGeneratorBuilder`) so the class can stay at the top, or (b) move the class into the `.jcajce` subpackage.
+- A top-level class that does need to expose a JCA-friendly factory method should ship the factory in its `.jcajce` peer instead of pulling JCA into the top package.
+
+The rule applies uniformly to `pkix` (`cms`, `cades`, `tsp`, `cert`, `operator`, ...), `pg`, `mail`/`jmail`, `tls`, and `mls`. When adding a new package under any of these modules, decide on the split up-front: if any class needs `java.security` / `javax.crypto` beyond `SecureRandom`, the package should be a `.jcajce` subpackage, with a JCA-free top-level parent if appropriate.
+
 ### Test conventions
 
 - Most tests extend `org.bouncycastle.util.test.SimpleTest` (not JUnit). They override `performTest()` and call `fail(msg)` / `isTrue(msg, cond)` / `areEqual(a, b)`. They are *not* discovered by Gradle directly — they're invoked from JUnit `AllTests` / `RegressionTest` wrappers.
 
@@ -52,6 +52,7 @@ <h3>2.1.2 Defects Fixed</h3>
 </ul>
 <h3>2.2.3 Additional Features and Functionality</h3>
 <ul>
+<li>Initial CAdES (CMS Advanced Electronic Signatures) high-level builders, in the new org.bouncycastle.cades package, covering all four CAdES baseline levels (ETSI EN 319 122-1 / RFC 5126): B-B (CAdESSignerInfoGeneratorBuilder + CAdESSignedDataGenerator: mandatory ESS signing-certificate-v2 reference plus optional commitment-type / signature-policy / signer-location / content-hints), B-T (CAdESSignatureTimestampUtil: id-aa-signatureTimeStampToken over the SignerInfo signature value, with caller-fetched RFC 3161 token), B-LT (CAdESLongTermValuesUtil: id-aa-ets-certificateRefs / certValues / revocationRefs / revocationValues, supporting both CRLs and OCSP responses) and B-LTA (CAdESArchiveTimestampUtil: id-aa-ets-archiveTimestampV2 over the ETSI TS 101 733 v1.7.4 Annex A.2 canonicalisation, with archive-timestamps stripped so chains are renewable). CAdESLevelDetector inspects a SignerInformation and reports the attained level. The newer ETSI EN 319 122-1 v3 archive-timestamp form (id-aa-ets-archiveTimestampV3) is not yet supported. The low-level ASN.1 types under org.bouncycastle.asn1.esf and org.bouncycastle.asn1.ess remain available for callers needing finer-grained control (issue #275).</li>
 <li>The system/security property "org.bouncycastle.pkcs1.strict_digestinfo" (also exposed as Properties.PKCS1_STRICT_DIGESTINFO) lets callers opt in to strict RFC 8017 Appendix A.2.4 enforcement when verifying RSA PKCS#1 v1.5 signatures: when set to "true", DigestInfo encodings whose AlgorithmIdentifier omits the required NULL parameters octets are rejected. Default (unset / "false") preserves the legacy lenient fallback that accepts the two-byte-shorter encoding for compatibility with implementations that have historically produced it. Affects both the BC JCE provider's DigestSignatureSpi (e.g. Signature.getInstance("SHA256withRSA", "BC")) and the lightweight crypto RSADigestSigner (issue #2273).</li>
 <li>KeyPurposeId constants for the four Extended Key Usage KeyPurposeIds defined in RFC 9809 sec. 3: id_kp_configSigning (id-kp 41, signing general-purpose configuration files), id_kp_trustAnchorConfigSigning (id-kp 42, signing trust anchor configuration files), id_kp_updatePackageSigning (id-kp 43, signing software / firmware update packages) and id_kp_safetyCommunication (id-kp 44, authenticating peers for safety-critical communication). The matching human-readable names are also registered in X509CertificateFormatter so the new EKUs print symbolically.</li>
 <li>FalconPrivateKeyParameters.getPublicKeyParameters() returns the matching FalconPublicKeyParameters for a private key, mirroring MLDSAPrivateKeyParameters.getPublicKeyParameters(). Lets wallet / HSM code recover the public key from a stored private key without re-running keygen (issue #2297).</li>
 
@@ -0,0 +1,293 @@
+package org.bouncycastle.cades;
+
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.List;
+
+import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1EncodableVector;
+import org.bouncycastle.asn1.ASN1Encoding;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.ASN1OctetString;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.ASN1Set;
+import org.bouncycastle.asn1.DERSet;
+import org.bouncycastle.asn1.cms.Attribute;
+import org.bouncycastle.asn1.cms.AttributeTable;
+import org.bouncycastle.asn1.cms.ContentInfo;
+import org.bouncycastle.asn1.cms.SignedData;
+import org.bouncycastle.asn1.esf.ESFAttributes;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.cms.CMSSignedData;
+import org.bouncycastle.cms.SignerId;
+import org.bouncycastle.cms.SignerInformation;
+import org.bouncycastle.cms.SignerInformationStore;
+import org.bouncycastle.operator.DigestCalculator;
+import org.bouncycastle.operator.DigestCalculatorProvider;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.tsp.TimeStampToken;
+
+/**
+ * Helpers for upgrading a CAdES B-LT signature to B-LTA by attaching an
+ * archive-time-stamp covering the entire SignedData.
+ * <p>
+ * The helper emits the ETSI TS&nbsp;101&nbsp;733&nbsp;v1.7.4 "v2" form
+ * ({@code id-aa-ets-archiveTimestampV2}, OID {@code 1.2.840.113549.1.9.16.2.48}).
+ * The newer ETSI EN&nbsp;319&nbsp;122-1 "v3" form, which embeds an
+ * {@code ats-hash-index-v3} signed attribute inside the TSA token, is not
+ * yet supported &mdash; v3 generation requires custom signed-attribute
+ * injection on the TSA token that is not yet exposed by the {@code tsp}
+ * module.
+ * <p>
+ * The v2 imprint is the digest, under the caller-supplied algorithm, of
+ * the canonical concatenation defined by ETSI TS&nbsp;101&nbsp;733 Annex A:
+ * <ol>
+ *   <li>the content octets of the encapsulated content (omitted if the
+ *       signed-data is detached or has no eContent),</li>
+ *   <li>each {@code Certificate} from the {@code certificates} field, in
+ *       wire-encoding order, as its own DER encoding,</li>
+ *   <li>each {@code CertificateList} from the {@code crls} field, in
+ *       wire-encoding order, as its own DER encoding,</li>
+ *   <li>for each {@code SignerInfo} (in wire-encoding order), its DER
+ *       encoding with any archive-time-stamp attributes removed from
+ *       the {@code unsignedAttrs} field.</li>
+ * </ol>
+ * Typical caller flow:
+ * <ol>
+ *   <li>{@link #computeArchiveTimestampImprint(CMSSignedData, AlgorithmIdentifier,
+ *       DigestCalculatorProvider)} returns the digest bytes.</li>
+ *   <li>The caller obtains a {@link TimeStampToken} from a TSA over those
+ *       bytes (transport is out of scope for BC).</li>
+ *   <li>{@link #applyArchiveTimestamp(CMSSignedData, SignerId, TimeStampToken)}
+ *       returns a new CMSSignedData with the token attached as an
+ *       {@code id-aa-ets-archiveTimestampV2} unsigned attribute on the
+ *       chosen signer.</li>
+ * </ol>
+ */
+public final class CAdESArchiveTimestampUtil
+{
+    /** ETSI TS 101 733 v1.7.4 id-aa-ets-archiveTimestampV2 OID. */
+    public static final ASN1ObjectIdentifier id_aa_ets_archiveTimestampV2 =
+        ESFAttributes.archiveTimestampV2;
+
+    private CAdESArchiveTimestampUtil()
+    {
+    }
+
+    /**
+     * Digest the canonical archive-time-stamp v2 input for {@code signed}
+     * under {@code digestAlg}.
+     */
+    public static byte[] computeArchiveTimestampImprint(CMSSignedData signed,
+                                                        AlgorithmIdentifier digestAlg,
+                                                        DigestCalculatorProvider digCalcProv)
+        throws CAdESException, OperatorCreationException, IOException
+    {
+        if (signed == null)
+        {
+            throw new NullPointerException("signed");
+        }
+        if (digestAlg == null)
+        {
+            throw new NullPointerException("digestAlg");
+        }
+
+        DigestCalculator dc = digCalcProv.get(digestAlg);
+        OutputStream out = dc.getOutputStream();
+        feedCanonicalInput(signed, out);
+        out.close();
+        return dc.getDigest();
+    }
+
+    /**
+     * Attach an archive-time-stamp v2 to the signer matched by
+     * {@code signerId}. If the signer already has one or more
+     * archive-timestamp attributes the new token is appended into the
+     * existing attribute's value-set; archive-timestamps form an ordered
+     * chain so this preserves earlier timestamps.
+     */
+    public static CMSSignedData applyArchiveTimestamp(CMSSignedData signed,
+                                                      SignerId signerId,
+                                                      TimeStampToken token)
+        throws CAdESException
+    {
+        if (signed == null)
+        {
+            throw new NullPointerException("signed");
+        }
+        if (signerId == null)
+        {
+            throw new NullPointerException("signerId");
+        }
+        if (token == null)
+        {
+            throw new NullPointerException("token");
+        }
+
+        SignerInformationStore signers = signed.getSignerInfos();
+        Collection<SignerInformation> matched = signers.getSigners(signerId);
+        if (matched.isEmpty())
+        {
+            throw new CAdESException("no signer matched in CMSSignedData");
+        }
+
+        ContentInfo tokenCi;
+        try
+        {
+            tokenCi = ContentInfo.getInstance(
+                ASN1Primitive.fromByteArray(token.getEncoded()));
+        }
+        catch (IOException e)
+        {
+            throw new CAdESException("unable to encode TimeStampToken: " + e.getMessage(), e);
+        }
+
+        List<SignerInformation> rebuilt = new ArrayList<SignerInformation>(signers.size());
+        for (Iterator<SignerInformation> it = signers.getSigners().iterator(); it.hasNext(); )
+        {
+            SignerInformation cur = it.next();
+            if (matched.contains(cur))
+            {
+                rebuilt.add(appendArchiveTimestamp(cur, tokenCi));
+            }
+            else
+            {
+                rebuilt.add(cur);
+            }
+        }
+        return CMSSignedData.replaceSigners(signed, new SignerInformationStore(rebuilt));
+    }
+
+    private static SignerInformation appendArchiveTimestamp(SignerInformation signer,
+                                                             ContentInfo tokenCi)
+    {
+        AttributeTable unsigned = signer.getUnsignedAttributes();
+
+        Attribute existing = unsigned == null
+            ? null
+            : unsigned.get(id_aa_ets_archiveTimestampV2);
+
+        ASN1EncodableVector vals = new ASN1EncodableVector();
+        if (existing != null)
+        {
+            ASN1Set prev = existing.getAttrValues();
+            for (int i = 0; i != prev.size(); i++)
+            {
+                vals.add(prev.getObjectAt(i));
+            }
+        }
+        vals.add(tokenCi);
+        Attribute merged = new Attribute(id_aa_ets_archiveTimestampV2, new DERSet(vals));
+
+        ASN1EncodableVector all = unsigned == null
+            ? new ASN1EncodableVector()
+            : unsigned.toASN1EncodableVector();
+
+        ASN1EncodableVector outVec = new ASN1EncodableVector();
+        for (int i = 0; i != all.size(); ++i)
+        {
+            Attribute a = Attribute.getInstance(all.get(i));
+            if (!id_aa_ets_archiveTimestampV2.equals(a.getAttrType()))
+            {
+                outVec.add(a);
+            }
+        }
+        outVec.add(merged);
+
+        return SignerInformation.replaceUnsignedAttributes(signer, new AttributeTable(outVec));
+    }
+
+    /**
+     * Walk the SignedData and feed the canonical archive-time-stamp v2
+     * input bytes to {@code out}.
+     */
+    private static void feedCanonicalInput(CMSSignedData signed, OutputStream out)
+        throws CAdESException, IOException
+    {
+        SignedData sd;
+        try
+        {
+            sd = SignedData.getInstance(signed.toASN1Structure().getContent());
+        }
+        catch (Exception e)
+        {
+            throw new CAdESException("unable to read SignedData: " + e.getMessage(),
+                e instanceof Exception ? (Exception)e : new RuntimeException(e));
+        }
+
+        // (1) eContent octets, if present.
+        ASN1Encodable encap = sd.getEncapContentInfo().getContent();
+        if (encap instanceof ASN1OctetString)
+        {
+            out.write(((ASN1OctetString)encap).getOctets());
+        }
+
+        // (2) certificates, in wire-encoding order.
+        ASN1Set certs = sd.getCertificates();
+        if (certs != null)
+        {
+            Enumeration e = certs.getObjects();
+            while (e.hasMoreElements())
+            {
+                ASN1Encodable c = (ASN1Encodable)e.nextElement();
+                out.write(c.toASN1Primitive().getEncoded(ASN1Encoding.DER));
+            }
+        }
+
+        // (3) CRLs, in wire-encoding order.
+        ASN1Set crls = sd.getCRLs();
+        if (crls != null)
+        {
+            Enumeration e = crls.getObjects();
+            while (e.hasMoreElements())
+            {
+                ASN1Encodable c = (ASN1Encodable)e.nextElement();
+                out.write(c.toASN1Primitive().getEncoded(ASN1Encoding.DER));
+            }
+        }
+
+        // (4) Each SignerInfo, with archive-time-stamps stripped from
+        //     unsignedAttrs and re-DER-encoded.
+        for (SignerInformation s : signed.getSignerInfos().getSigners())
+        {
+            SignerInformation stripped = stripArchiveTimestamps(s);
+            out.write(stripped.toASN1Structure().getEncoded(ASN1Encoding.DER));
+        }
+    }
+
+    private static SignerInformation stripArchiveTimestamps(SignerInformation signer)
+    {
+        AttributeTable unsigned = signer.getUnsignedAttributes();
+        if (unsigned == null)
+        {
+            return signer;
+        }
+
+        boolean hasAny = unsigned.get(id_aa_ets_archiveTimestampV2) != null
+            || unsigned.get(PKCSObjectIdentifiers.id_aa_ets_archiveTimestamp) != null;
+        if (!hasAny)
+        {
+            return signer;
+        }
+
+        ASN1EncodableVector kept = new ASN1EncodableVector();
+        ASN1EncodableVector all = unsigned.toASN1EncodableVector();
+        for (int i = 0; i != all.size(); ++i)
+        {
+            Attribute a = Attribute.getInstance(all.get(i));
+            ASN1ObjectIdentifier type = a.getAttrType();
+            if (!id_aa_ets_archiveTimestampV2.equals(type)
+                && !PKCSObjectIdentifiers.id_aa_ets_archiveTimestamp.equals(type))
+            {
+                kept.add(a);
+            }
+        }
+        AttributeTable filtered = kept.size() == 0 ? null : new AttributeTable(kept);
+        return SignerInformation.replaceUnsignedAttributes(signer, filtered);
+    }
+}
@@ -0,0 +1,23 @@
+package org.bouncycastle.cades;
+
+import org.bouncycastle.cms.CMSException;
+
+/**
+ * Exception thrown when a CAdES builder cannot assemble a profile (e.g. the
+ * signing certificate cannot be digested, the configured signature policy is
+ * malformed, etc.). Sub-classes {@link CMSException} so callers that already
+ * catch CMS exceptions can keep doing so.
+ */
+public class CAdESException
+    extends CMSException
+{
+    public CAdESException(String msg)
+    {
+        super(msg);
+    }
+
+    public CAdESException(String msg, Exception cause)
+    {
+        super(msg, cause);
+    }
+}
@@ -0,0 +1,39 @@
+package org.bouncycastle.cades;
+
+/**
+ * CAdES baseline profile levels per ETSI EN&nbsp;319&nbsp;122-1, with the
+ * older RFC&nbsp;5126 names alongside for callers that still target the
+ * legacy specification. Each level is a strict superset of the one before it.
+ * <ul>
+ *   <li>{@link #B_B} ({@code BES}) &mdash; basic electronic signature: CMS
+ *       SignedData with the mandatory ESS signing-certificate(-v2) reference
+ *       and optional commitment-type, signature-policy, signer-location and
+ *       content-hints signed attributes.</li>
+ *   <li>{@link #B_T} ({@code T}) &mdash; B-B plus an
+ *       {@code id-aa-signatureTimeStampToken} unsigned attribute carrying an
+ *       RFC&nbsp;3161 token over the SignerInfo signature value.</li>
+ *   <li>{@link #B_LT} ({@code C} / {@code X-L}) &mdash; B-T plus complete
+ *       certificate / revocation references and the corresponding certificate
+ *       / revocation value sets needed for offline long-term validation.</li>
+ *   <li>{@link #B_LTA} ({@code A}) &mdash; B-LT plus one or more
+ *       {@code id-aa-ets-archiveTimestampV3} unsigned attributes that protect
+ *       the entire signature against weakening of the original signature
+ *       algorithm.</li>
+ * </ul>
+ */
+public enum CAdESLevel
+{
+    /** ETSI EN&nbsp;319&nbsp;122-1 B-B / RFC&nbsp;5126 BES. */
+    B_B,
+    /** ETSI EN&nbsp;319&nbsp;122-1 B-T / RFC&nbsp;5126 T. */
+    B_T,
+    /** ETSI EN&nbsp;319&nbsp;122-1 B-LT / RFC&nbsp;5126 C-X-L. */
+    B_LT,
+    /** ETSI EN&nbsp;319&nbsp;122-1 B-LTA / RFC&nbsp;5126 A. */
+    B_LTA;
+
+    /** Legacy RFC&nbsp;5126 alias for {@link #B_B}. */
+    public static final CAdESLevel BES = B_B;
+    /** Legacy RFC&nbsp;5126 alias for {@link #B_T}. */
+    public static final CAdESLevel T = B_T;
+}