use of iso.std.iso_iec._24727.tech.schema.Sign in project open-ecard by ecsec.
the class SignStep method performLegacySignature.
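/**
 * Performs the signature creation if no standard commands are possible.
 * This method creates a signature with APDUs which are not covered by the methods defined in TR-03112 part 7.
 * <p>
 * The entries of the marker's legacy signature generation info are processed in order: card call templates are
 * evaluated against {@code templateCTX} and transmitted to the card, API commands are handed to
 * {@code sendAPICommand}. The data of the last card response (plus any data fetched with GET RESPONSE) is used
 * as the signature.
 *
 * @param cryptoMarker A {@link CryptoMarkerType} object containing the information about the creation of a signature
 * in a legacy way.
 * @param connectionHandle The connection handle of the current card. Its slot handle addresses the card for the
 * transmitted APDUs and the handle itself is passed on to API commands.
 * @param templateCTX A Map containing the context data for the evaluation of the template variables. This object
 * contains per default the message to sign and the {@link TLVFunction}.
 * @return A {@link SignResponse} object containing the signature of the <b>message</b>, or an error result built
 * from the status word if the final card response is not {@code 0x9000}.
 * @throws APDUTemplateException Thrown if the evaluation of the {@link CardCommandTemplate} failed.
 * @throws APDUException Thrown if one of the commands to execute failed.
 * @throws WSHelper.WSException Thrown if the checkResult method of WSHelper failed.
 * @throws IllegalStateException Thrown if the legacy command list contains no card call template, so that no card
 * response exists from which a signature could be taken.
 */
private SignResponse performLegacySignature(CryptoMarkerType cryptoMarker, ConnectionHandleType connectionHandle,
        BaseTemplateContext templateCTX) throws APDUTemplateException, APDUException, WSHelper.WSException {
    SignResponse response = WSHelper.makeResponse(SignResponse.class, WSHelper.makeResultOK());
    List<Object> legacyCommands = cryptoMarker.getLegacySignatureGenerationInfo();
    CardCommandAPDU cmdAPDU;
    CardResponseAPDU responseAPDU = null;
    byte[] slotHandle = connectionHandle.getSlotHandle();
    byte[] signedMessage;

    for (Object next : legacyCommands) {
        if (next instanceof CardCallTemplateType) {
            CardCallTemplateType cctt = (CardCallTemplateType) next;
            CardCommandTemplate template = new CardCommandTemplate(cctt);
            cmdAPDU = template.evaluate(templateCTX);
            // NOTE(review): only the response of the last template is inspected after the loop; the status
            // words of earlier templates are overwritten here without a check unless transmit() rejects
            // them itself when given an empty list of accepted responses - confirm.
            responseAPDU = cmdAPDU.transmit(dispatcher, slotHandle, Collections.<byte[]>emptyList());
        } else if (next instanceof APICommand) {
            sendAPICommand(connectionHandle, (APICommand) next);
        }
    }

    // Without at least one card call template there is no response to read a signature from. Fail with a
    // clear message instead of a NullPointerException on the dereference below.
    if (responseAPDU == null) {
        throw new IllegalStateException(
                "LegacySignatureGenerationInfo contains no card call template, no signature was created.");
    }

    signedMessage = responseAPDU.getData();

    // check if further response data is available: SW1 = 0x61 announces SW2 more bytes, which are fetched with
    // GET RESPONSE (INS 0xC0) and appended to the data received so far
    // NOTE(review): the loop is bounded only by the status words the card returns.
    while (responseAPDU.getTrailer()[0] == (byte) 0x61) {
        CardCommandAPDU getResponseData = new CardCommandAPDU((byte) 0x00, (byte) 0xC0, (byte) 0x00, (byte) 0x00,
                responseAPDU.getTrailer()[1]);
        responseAPDU = getResponseData.transmit(dispatcher, slotHandle, Collections.<byte[]>emptyList());
        signedMessage = Arrays.concatenate(signedMessage, responseAPDU.getData());
    }

    // anything but 0x9000 on the final response is reported as an error and no signature is returned
    if (!Arrays.areEqual(responseAPDU.getTrailer(), new byte[] { (byte) 0x90, (byte) 0x00 })) {
        String minor = SALErrorUtils.getMinor(responseAPDU.getTrailer());
        response.setResult(WSHelper.makeResultError(minor, responseAPDU.getStatusMessage()));
        return response;
    }

    // fix output format
    String outForm = cryptoMarker.getLegacyOutputFormat();
    if (outForm != null) {
        switch (outForm) {
            case "rawRS":
                signedMessage = encodeRawRS(signedMessage);
                break;
            default:
                // an unknown format is only logged, the card's bytes are returned unchanged
                LOG.warn("Unsupport outputFormat={} specified in LegacySignatureGenerationInfo.", outForm);
        }
    }

    response.setSignature(signedMessage);
    return response;
}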
use of iso.std.iso_iec._24727.tech.schema.Sign in project open-ecard by ecsec.
the class TinySALTest method testSign.
/**
 * Checks that {@code TinySAL.sign} answers a default-constructed {@link Sign} request, in which no field has
 * been set, with a result whose major code is {@code ECardConstants.Major.ERROR}.
 */
@Test(enabled = TESTS_ENABLED)
public void testSign() {
    System.out.println("sign");

    // the request is deliberately left empty
    final Sign emptyRequest = new Sign();
    final SignResponse signResponse = instance.sign(emptyRequest);

    assertEquals(ECardConstants.Major.ERROR, signResponse.getResult().getResultMajor());
}
use of iso.std.iso_iec._24727.tech.schema.Sign in project open-ecard by ecsec.
the class MiddlewareSAL method sign.
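/**
 * Signs the message of the request with the middleware key referenced by the request's DID.
 * <p>
 * The DID named in the request is looked up in the card state, its crypto marker yields the legacy key name, and
 * the private keys of the session belonging to the slot handle are searched for a key with exactly that label.
 * After a successful signature the PIN state of the card entry is reset via {@code setPinNotAuth}.
 *
 * @param request The sign request carrying connection handle, DID name and message.
 * @return A {@link SignResponse} holding the signature, or an error result if the request could not be served.
 */
@Override
public SignResponse sign(Sign request) {
    SignResponse response = WSHelper.makeResponse(SignResponse.class, WSHelper.makeResultOK());

    try {
        ConnectionHandleType connectionHandle = SALUtils.getConnectionHandle(request);
        CardStateEntry cardStateEntry = SALUtils.getCardStateEntry(states, connectionHandle, false);
        byte[] application = cardStateEntry.getImplicitlySelectedApplicationIdentifier();
        byte[] slotHandle = connectionHandle.getSlotHandle();
        String didName = SALUtils.getDIDName(request);
        byte[] message = request.getMessage();
        Assert.assertIncorrectParameter(message, "The parameter Message is empty.");

        DIDStructureType didStructure = cardStateEntry.getDIDStructure(didName, application);
        Assert.assertNamedEntityNotFound(didStructure, "The given DIDName cannot be found.");

        CryptoMarkerType marker = new CryptoMarkerType(didStructure.getDIDMarker());
        String keyLabel = marker.getLegacyKeyName();

        MwSession session = managedSessions.get(slotHandle);
        for (MwPrivateKey key : session.getPrivateKeys()) {
            String nextLabel;
            try {
                nextLabel = key.getKeyLabel();
            } catch (CryptokiException ex) {
                // A key whose label cannot be read is skipped. Falling back to an empty label would let an
                // unidentified key be selected whenever the marker's key name is empty as well.
                LOG.warn("Error reading key label.", ex);
                continue;
            }

            LOG.debug("Try to match keys '{}' == '{}'", keyLabel, nextLabel);
            // a marker without a key name matches no key and ends in the "unknown key" error below
            if (keyLabel != null && keyLabel.equals(nextLabel)) {
                long sigAlg = getPKCS11Alg(marker.getAlgorithmInfo());
                byte[] sig = key.sign(sigAlg, message);
                response.setSignature(sig);

                // set PIN to unauthenticated
                // NOTE(review): this is skipped when key.sign() throws; confirm that the PIN state of the
                // card entry is still correct on that path.
                setPinNotAuth(cardStateEntry);

                return response;
            }
        }

        // TODO: use other exception
        String msg = String.format("The given DIDName %s references an unknown key.", didName);
        throw new IncorrectParameterException(msg);
    } catch (ECardException e) {
        // expected failures carry their own result, which is handed back to the caller
        LOG.debug(e.getMessage(), e);
        response.setResult(e.getResult());
    } catch (Exception e) {
        LOG.error(e.getMessage(), e);
        // NOTE(review): presumably rethrows for exceptions that must terminate the thread - confirm
        throwThreadKillException(e);
        response.setResult(WSHelper.makeResult(e));
    }

    return response;
}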
use of iso.std.iso_iec._24727.tech.schema.Sign in project open-ecard by ecsec.
the class CIFCreator method createCryptoDID.
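/**
 * Builds the DID info describing a signature key of the middleware together with its certificates.
 * <p>
 * The label of the first certificate is used as key label and as part of the DID name. The resulting DID carries
 * a crypto marker with the algorithm information, the legacy key name and one certificate reference per entry
 * of {@code mwCerts}. Its ACL contains rules for ACL_LIST, DID_GET and SIGN, where the SIGN rule is bound to a
 * security condition referring to {@code PIN_NAME}.
 *
 * @param mwCerts Certificates belonging to the key. The list must contain at least one element, as the first
 * one determines the key label.
 * @param sigalg Signature algorithm for which the DID is created.
 * @return The DID info object for the key and algorithm.
 * @throws WSMarshallerException Declared by this method; NOTE(review): presumably raised while building the
 * crypto marker - confirm.
 * @throws CryptokiException Thrown if the label of the first certificate cannot be read.
 */
private DIDInfoType createCryptoDID(List<MwCertificate> mwCerts, SignatureAlgorithms sigalg)
        throws WSMarshallerException, CryptokiException {
    LOG.debug("Creating Crypto DID object.");
    DIDInfoType di = new DIDInfoType();

    String keyLabel = mwCerts.get(0).getLabel();

    // create differential identity
    DifferentialIdentityType did = new DifferentialIdentityType();
    di.setDifferentialIdentity(did);
    // NOTE(review): keyLabel is itself the first certificate's label, so the label appears twice in the
    // name. The name is left as is because other code may look the DID up by it.
    String didName = keyLabel + "_" + mwCerts.get(0).getLabel() + "_" + sigalg.getJcaAlg();
    LOG.debug("DIDName: {}", didName);
    did.setDIDName(didName);
    did.setDIDProtocol("urn:oid:1.3.162.15480.3.0.25");
    did.setDIDScope(DIDScopeType.LOCAL);

    // create crypto marker
    CryptoMarkerBuilder markerBuilder = new CryptoMarkerBuilder();

    // add AlgorithmInfo
    AlgorithmInfoType algInfo = new AlgorithmInfoType();
    algInfo.setAlgorithm(sigalg.getJcaAlg());
    AlgorithmIdentifierType algIdentifier = new AlgorithmIdentifierType();
    algIdentifier.setAlgorithm(sigalg.getAlgId());
    algInfo.setAlgorithmIdentifier(algIdentifier);
    algInfo.getSupportedOperations().add("Compute-signature");
    markerBuilder.setAlgInfo(algInfo);

    markerBuilder.setLegacyKeyname(keyLabel);

    // add certificates
    for (MwCertificate nextCert : mwCerts) {
        try {
            CertificateRefType certRef = new CertificateRefType();
            certRef.setDataSetName(nextCert.getLabel());
            markerBuilder.getCertRefs().add(certRef);
        } catch (CryptokiException ex) {
            // the references collected so far are kept; pass the cause to the log so that a truncated
            // chain can be traced back to the failing middleware call
            LOG.warn("Certificate chain is not complete.", ex);
            break;
        }
    }

    // wrap crypto marker and add to parent
    CryptoMarkerType marker = markerBuilder.build();
    DIDMarkerType markerWrapper = new DIDMarkerType();
    markerWrapper.setCryptoMarker(marker);
    did.setDIDMarker(markerWrapper);

    // create acl
    AccessControlListType acl = new AccessControlListType();
    di.setDIDACL(acl);
    List<AccessRuleType> rules = acl.getAccessRule();

    rules.add(createRuleTrue(AuthorizationServiceActionName.ACL_LIST));
    rules.add(createRuleTrue(DifferentialIdentityServiceActionName.DID_GET));

    // create sign rule with PIN reference: the condition set by createRuleTrue is replaced by one that
    // refers to the PIN DID
    AccessRuleType signRule = createRuleTrue(CryptographicServiceActionName.SIGN);
    signRule.setSecurityCondition(createDidCond(PIN_NAME));
    rules.add(signRule);

    return di;
}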
use of iso.std.iso_iec._24727.tech.schema.Sign in project open-ecard by ecsec.
the class ACLResolver method getMissingDids.
/**
 * Determines the DIDs that are reported as missing for accessing the given target.
 * <p>
 * For a DID target the first access rule for the SIGN action is used. For a data set target all rules for the
 * DATA_SET_SELECT and DSI_READ actions are used. The security condition of every selected rule is normalized,
 * reduced to the best condition and flattened. The DIDs left over by {@code filterSatisfiedDIDs} are collected,
 * and of several entries with the same DID name only the first one is kept.
 *
 * @param acls Access rules of the target.
 * @param target Name of the target, either a DID name or a data set name.
 * @return The missing DIDs without duplicate names, in the order in which they were found.
 * @throws WSException Declared by this method and passed on from the helper methods it calls.
 * @throws SecurityConditionUnsatisfiable Declared by this method and passed on from the helper methods it calls.
 */
private List<DIDStructureType> getMissingDids(List<AccessRuleType> acls, TargetNameType target)
        throws WSException, SecurityConditionUnsatisfiable {
    // pick the access rules which matter for the target
    ArrayList<AccessRuleType> relevantRules = new ArrayList<>();
    for (AccessRuleType rule : acls) {
        if (target.getDIDName() != null) {
            CryptographicServiceActionName cryptoAction = rule.getAction().getCryptographicServiceAction();
            if (CryptographicServiceActionName.SIGN.equals(cryptoAction)) {
                relevantRules.add(rule);
                // there can be only one sign rule, so the search over all rules ends here
                break;
            }
        }

        if (target.getDataSetName() != null) {
            NamedDataServiceActionName dataAction = rule.getAction().getNamedDataServiceAction();
            if (NamedDataServiceActionName.DATA_SET_SELECT.equals(dataAction)
                    || NamedDataServiceActionName.DSI_READ.equals(dataAction)) {
                relevantRules.add(rule);
            }
        }
    }

    ArrayList<DIDStructureType> result = new ArrayList<>();
    for (AccessRuleType rule : relevantRules) {
        // get the most suitable DID in the tree
        SecurityConditionType bestCond = getBestSecurityCondition(normalize(rule.getSecurityCondition()));
        // flatten condition to list of unsatisfied dids
        List<DIDAuthenticationStateType> flattened = flattenCondition(bestCond);
        result.addAll(filterSatisfiedDIDs(flattened));
    }

    // remove duplicates, keeping the first occurrence of each name
    // this code bluntly assumes, that did names are unique per cardinfo file
    TreeSet<String> seenNames = new TreeSet<>();
    for (Iterator<DIDStructureType> it = result.iterator(); it.hasNext();) {
        String name = it.next().getDIDName();
        // add() reports false for a name which has been recorded before
        if (!seenNames.add(name)) {
            it.remove();
        }
    }

    return result;
}