Example 6 with SignatureAlgorithms
use of org.openecard.crypto.common.SignatureAlgorithms in project open-ecard by ecsec.
the class MiddlewareSAL method getPKCS11Alg.
private long getPKCS11Alg(AlgorithmInfoType algInfo) throws UnsupportedAlgorithmException {
String algUri = algInfo.getAlgorithmIdentifier().getAlgorithm();
algUri = StringUtils.nullToEmpty(algUri);
SignatureAlgorithms a = SignatureAlgorithms.fromAlgId(algUri);
return a.getPkcs11Mechanism();
}
Also used :
SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms)
Example 7 with SignatureAlgorithms
use of org.openecard.crypto.common.SignatureAlgorithms in project open-ecard by ecsec.
the class CIFCreator method getSigAlgs.
private List<SignatureAlgorithms> getSigAlgs(MwPublicKey pubKey) throws CryptokiException {
ArrayList<SignatureAlgorithms> sigAlgs = new ArrayList<>();
long[] mechanisms = pubKey.getAllowedMechanisms();
if (mechanisms.length == 0) {
try {
MwPrivateKey privKey = null;
List<MwPrivateKey> privKeys = session.getPrivateKeys();
for (MwPrivateKey next : privKeys) {
if (next.getKeyLabel().equals(pubKey.getKeyLabel())) {
privKey = next;
break;
}
}
if (privKey != null) {
mechanisms = privKey.getAllowedMechanisms();
}
} catch (CryptokiException ex) {
LOG.info("Could not access private key objetcs.");
}
}
if (mechanisms.length == 0) {
// no mechanisms available, ask what the card has to offer and assume this is also what the key offers
try {
List<MwMechanism> allMechanisms = session.getSlot().getMechanismList();
for (MwMechanism mechanism : allMechanisms) {
if (!mechanism.isSignatureAlgorithm()) {
// skipping non signature mechanism
continue;
}
if (!mechanism.hasFlags(CryptokiLibrary.CKF_SIGN)) {
// sign function does not work with that
continue;
}
addMechanism(pubKey, mechanism, sigAlgs);
}
// this is usually supported despite the middleware doesn't claim it
if (sigAlgs.isEmpty()) {
LOG.info("Trying to add raw RSA algorithm.");
for (MwMechanism mechanism : allMechanisms) {
if (mechanism.getType() == CryptokiLibrary.CKM_RSA_PKCS) {
addMechanism(pubKey, mechanism, sigAlgs);
// no need to search longer if we have found it
break;
}
}
}
} catch (CryptokiException ex) {
LOG.error("Failed to read mechanisms from card.", ex);
}
// too bad we have nothing
if (sigAlgs.isEmpty()) {
LOG.error("Could not find any suitable algorithms for DID.");
}
} else {
// convert each of the mechanisms
for (long m : mechanisms) {
try {
SignatureAlgorithms sigAlg = SignatureAlgorithms.fromMechanismId(m);
LOG.debug("Key signature algorithm: {}", sigAlg);
sigAlgs.add(sigAlg);
} catch (UnsupportedAlgorithmException ex) {
String mStr = String.format("%#010x", m);
LOG.error("Skipping unknown signature algorithm ({}).", mStr);
}
}
}
return sigAlgs;
}
Also used :
CryptokiException(org.openecard.mdlw.sal.exceptions.CryptokiException)
SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms)
UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException)
ArrayList(java.util.ArrayList)
Example 8 with SignatureAlgorithms
use of org.openecard.crypto.common.SignatureAlgorithms in project open-ecard by ecsec.
the class CIFCreator method getSignatureCryptoDIDs.
private List<DIDInfoType> getSignatureCryptoDIDs() throws WSMarshallerException, CryptokiException {
LOG.debug("Reading infos for CryptoDID generation.");
ArrayList<DIDInfoType> didInfos = new ArrayList<>();
List<MwPublicKey> pubKeys = session.getPublicKeys();
for (MwPublicKey pubKey : pubKeys) {
LOG.debug("Found key object {}.", pubKey);
if (!Boolean.TRUE.equals(pubKey.getVerify())) {
LOG.info("Skipping non-signing key {}.", pubKey.getKeyLabel());
continue;
}
// look up certificates
try {
List<MwCertificate> mwCerts = createChain(session.getCertificates(), pubKey.getKeyID());
if (mwCerts.isEmpty()) {
LOG.info("No certificates available for the key object.");
continue;
}
MwCertificate eeCert = mwCerts.get(0);
// check certType
switch(eeCert.getCertificateCategory()) {
case CK_CERTIFICATE_CATEGORY_TOKEN_USER:
case CK_CERTIFICATE_CATEGORY_UNSPECIFIED:
break;
default:
LOG.info("Skipping key '{}' as certificate has wrong category.", pubKey.getKeyLabel());
}
// check certificate usage flags
if (!canSign(eeCert)) {
LOG.info("Certificate '{}' can not be used to perform a signature.", eeCert.getLabel());
continue;
}
// determine available algorithms
List<SignatureAlgorithms> sigalgs = getSigAlgs(pubKey);
for (SignatureAlgorithms sigalg : sigalgs) {
DIDInfoType did = createCryptoDID(mwCerts, sigalg);
didInfos.add(did);
}
} catch (NoCertificateChainException ex) {
LOG.warn("Could not create a certificate chain for requested key.", ex);
} catch (CryptokiException ex) {
LOG.warn("Failed to read DID data from middleware, skipping this key entry.", ex);
}
}
return didInfos;
}
Also used :
DIDInfoType(iso.std.iso_iec._24727.tech.schema.DIDInfoType)
CryptokiException(org.openecard.mdlw.sal.exceptions.CryptokiException)
SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms)
ArrayList(java.util.ArrayList)
NoCertificateChainException(org.openecard.mdlw.sal.exceptions.NoCertificateChainException)
Example 9 with SignatureAlgorithms
use of org.openecard.crypto.common.SignatureAlgorithms in project open-ecard by ecsec.
the class SmartCardCredentialFactory method getClientCredentials.
@Override
public List<TlsCredentialedSigner> getClientCredentials(CertificateRequest cr) {
ArrayList<TlsCredentialedSigner> credentials = new ArrayList<>();
TlsCryptoParameters tlsCrypto = new TlsCryptoParameters(context);
LOG.debug("Selecting a suitable DID for the following requested algorithms:");
ArrayList<SignatureAndHashAlgorithm> crSigAlgs = getCrSigAlgs(cr);
removeUnsupportedAlgs(crSigAlgs);
for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
String reqAlgStr = String.format("%s-%s", SignatureAlgorithm.getText(reqAlg.getSignature()), HashAlgorithm.getText(reqAlg.getHash()));
LOG.debug(" {}", reqAlgStr);
}
try {
DidInfos didInfos = tokenCache.getInfo(null, handle);
List<DidInfo> infos = didInfos.getCryptoDidInfos();
printCerts(infos);
// remove unsuitable DIDs
LOG.info("Sorting out DIDs not able to handle the TLS request.");
infos = removeSecretCertDids(infos);
infos = removeNonAuthDids(infos);
infos = removeUnsupportedAlgs(infos);
infos = removeUnsupportedCerts(cr, infos);
// infos = nonRawFirst(infos);
LOG.info("Creating signer instances for the TLS Client Certificate signature.");
// TLS < 1.2
if (crSigAlgs.isEmpty()) {
LOG.info("Looking for a raw RSA DID.");
for (DidInfo info : infos) {
try {
LOG.debug("Checking DID= {}.", info.getDidName());
TlsCredentialedSigner cred;
List<X509Certificate> chain = info.getRelatedCertificateChain();
Certificate clientCert = convertCert(context.getCrypto(), chain);
if (isRawRSA(info)) {
LOG.debug("Adding raw RSA signer.");
TlsSigner signer = new SmartCardSignerCredential(info);
cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, null);
credentials.add(cred);
}
} catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
} catch (UnsupportedAlgorithmException ex) {
LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
} catch (WSHelper.WSException ex) {
LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
}
}
} else {
// TLS >= 1.2
LOG.info("Looking for most specific DIDs.");
// looping over the servers alg list preserves its ordering
for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
for (DidInfo info : infos) {
LOG.debug("Checking DID={}.", info.getDidName());
try {
AlgorithmInfoType algInfo = info.getGenericCryptoMarker().getAlgorithmInfo();
SignatureAlgorithms alg = SignatureAlgorithms.fromAlgId(algInfo.getAlgorithmIdentifier().getAlgorithm());
TlsCredentialedSigner cred;
List<X509Certificate> chain = info.getRelatedCertificateChain();
Certificate clientCert = convertCert(context.getCrypto(), chain);
// find one DID for this problem, then continue with the next algorithm
if (matchesAlg(reqAlg, alg) && (alg.getHashAlg() != null || isSafeForNoneDid(reqAlg))) {
LOG.debug("Adding {} signer.", alg.getJcaAlg());
TlsSigner signer = new SmartCardSignerCredential(info);
cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, reqAlg);
credentials.add(cred);
// break;
return credentials;
}
} catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
} catch (UnsupportedAlgorithmException ex) {
LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
} catch (WSHelper.WSException ex) {
LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
}
}
}
}
} catch (NoSuchDid | WSHelper.WSException ex) {
LOG.error("Failed to access DIDs of smartcard. Proceeding without client authentication.", ex);
}
return credentials;
}
Also used :
ArrayList(java.util.ArrayList)
SecurityConditionUnsatisfiable(org.openecard.common.SecurityConditionUnsatisfiable)
CertificateException(java.security.cert.CertificateException)
SignatureAndHashAlgorithm(org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm)
DidInfo(org.openecard.crypto.common.sal.did.DidInfo)
AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType)
DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner)
TlsCryptoParameters(org.openecard.bouncycastle.tls.crypto.TlsCryptoParameters)
TlsSigner(org.openecard.bouncycastle.tls.crypto.TlsSigner)
WSHelper(org.openecard.common.WSHelper)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException)
SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms)
DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner)
TlsCredentialedSigner(org.openecard.bouncycastle.tls.TlsCredentialedSigner)
NoSuchDid(org.openecard.crypto.common.sal.did.NoSuchDid)
DidInfos(org.openecard.crypto.common.sal.did.DidInfos)
X509Certificate(java.security.cert.X509Certificate)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
Certificate(org.openecard.bouncycastle.tls.Certificate)
Example 10 with SignatureAlgorithms
use of org.openecard.crypto.common.SignatureAlgorithms in project open-ecard by ecsec.
the class SmartCardCredentialFactory method removeUnsupportedAlgs.
private List<DidInfo> removeUnsupportedAlgs(List<DidInfo> infos) {
ArrayList<DidInfo> result = new ArrayList<>();
for (DidInfo next : infos) {
try {
AlgorithmInfoType algInfo = next.getGenericCryptoMarker().getAlgorithmInfo();
String algStr = algInfo.getAlgorithmIdentifier().getAlgorithm();
SignatureAlgorithms alg = SignatureAlgorithms.fromAlgId(algStr);
switch(alg) {
case CKM_ECDSA:
// case CKM_ECDSA_SHA1: // too weak
case CKM_ECDSA_SHA256:
case CKM_ECDSA_SHA384:
case CKM_ECDSA_SHA512:
case CKM_RSA_PKCS:
// case CKM_SHA1_RSA_PKCS: // too weak
case CKM_SHA256_RSA_PKCS:
case CKM_SHA384_RSA_PKCS:
case CKM_SHA512_RSA_PKCS:
result.add(next);
}
} catch (UnsupportedAlgorithmException ex) {
LOG.error("Unsupported algorithm used in CIF. Skipping DID " + next.getDidName() + ".", ex);
} catch (WSHelper.WSException ex) {
LOG.error("Unknown error accessing DID " + next.getDidName() + ".", ex);
}
}
return result;
}
Also used :
WSHelper(org.openecard.common.WSHelper)
DidInfo(org.openecard.crypto.common.sal.did.DidInfo)
AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType)
SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms)
UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException)
ArrayList(java.util.ArrayList)
Aggregations
SignatureAlgorithms (org.openecard.crypto.common.SignatureAlgorithms)12
UnsupportedAlgorithmException (org.openecard.crypto.common.UnsupportedAlgorithmException)8
AlgorithmInfoType (iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType)4
ArrayList (java.util.ArrayList)4
WSHelper (org.openecard.common.WSHelper)4
IOException (java.io.IOException)3
SecurityConditionUnsatisfiable (org.openecard.common.SecurityConditionUnsatisfiable)3
CryptoMarkerType (org.openecard.crypto.common.sal.did.CryptoMarkerType)3
DidInfo (org.openecard.crypto.common.sal.did.DidInfo)3
ASN1ObjectIdentifier (org.openecard.bouncycastle.asn1.ASN1ObjectIdentifier)2
AlgorithmIdentifier (org.openecard.bouncycastle.asn1.x509.AlgorithmIdentifier)2
DigestInfo (org.openecard.bouncycastle.asn1.x509.DigestInfo)2
DidInfos (org.openecard.crypto.common.sal.did.DidInfos)2
NoSuchDid (org.openecard.crypto.common.sal.did.NoSuchDid)2
CryptokiException (org.openecard.mdlw.sal.exceptions.CryptokiException)2
ConnectionHandleType (iso.std.iso_iec._24727.tech.schema.ConnectionHandleType)1
DIDInfoType (iso.std.iso_iec._24727.tech.schema.DIDInfoType)1
DIDStructureType (iso.std.iso_iec._24727.tech.schema.DIDStructureType)1
HashGenerationInfoType (iso.std.iso_iec._24727.tech.schema.HashGenerationInfoType)1
HashResponse (iso.std.iso_iec._24727.tech.schema.HashResponse)1
