}
if ( allowRaVerifyPopo && (pop.getRaVerified() != null)) {
ret = true;
} else if (pop.getSignature() != null) {
try {
final POPOSigningKey sk = pop.getSignature();
final POPOSigningKeyInput pski = sk.getPoposkInput();
Object protObject = pski;
// Use of POPOSigningKeyInput or not, as described in RFC4211, section 4.1.
if (pski == null) {
if (log.isDebugEnabled()) {
log.debug("Using CertRequest as POPO input.");
}
protObject = getReq().getCertReq();
} else {
// Assume POPOSigningKeyInput with the public key and name, MUST be the same as in the request according to RFC4211
if (log.isDebugEnabled()) {
log.debug("Using POPOSigningKeyInput as POPO input.");
}
final CertRequest req = getReq().getCertReq();
// If subject is present in cert template it must be the same as in POPOSigningKeyInput
final X509Name subject = req.getCertTemplate().getSubject();
if (subject != null && !subject.toString().equals(pski.getSender().getName().toString())) {
log.info("Subject '"+subject.toString()+"̈́', is not equal to '"+pski.getSender().toString()+"'.");
protObject = null; // pski is not a valid protection object
}
// If public key is present in cert template it must be the same as in POPOSigningKeyInput
final SubjectPublicKeyInfo pk = req.getCertTemplate().getPublicKey();
if (pk != null && !Arrays.areEqual(pk.getEncoded(), pski.getPublicKey().getEncoded())) {
log.info("Subject key in cert template, is not equal to subject key in POPOSigningKeyInput.");
protObject = null; // pski is not a valid protection object
}
}
// If a protectObject is present we extract the bytes and verify it
if (protObject != null) {
final ByteArrayOutputStream bao = new ByteArrayOutputStream();
new DEROutputStream(bao).writeObject(protObject);
final byte[] protBytes = bao.toByteArray();
final AlgorithmIdentifier algId = sk.getAlgorithmIdentifier();
if (log.isDebugEnabled()) {
log.debug("POP protection bytes length: "+protBytes != null ? protBytes.length : "null");
log.debug("POP algorithm identifier is: "+algId.getObjectId().getId());
}
final Signature sig = Signature.getInstance(algId.getObjectId().getId(), "BC");
sig.initVerify(getRequestPublicKey());
sig.update(protBytes);
final DERBitString bs = sk.getSignature();
ret = sig.verify(bs.getBytes());
}
} catch (IOException e) {
log.error("Error encoding CertReqMsg: ", e);
} catch (SignatureException e) {