
Example 1 with XiContentSigner

use of org.xipki.security.XiContentSigner in project xipki by xipki.

the class P11ContentSignerBuilder method createSigner.

// constructor
/**
 * Creates a pool of {@code parallelism} PKCS#11-backed content signers for this builder's
 * {@code publicKey} and wraps them in a {@link ConcurrentContentSigner}.
 *
 * <p>The signature algorithm is checked against the key family (RSA, EC, SM2 or DSA) before any
 * signer is created, so a mismatched algorithm identifier is rejected instead of producing a
 * signer whose declared algorithm does not fit the key.
 *
 * @param signatureAlgId signature algorithm the signers will use
 * @param parallelism number of signers to create; must be at least 1
 * @return the concurrent signer, carrying the certificate chain when one is configured and the
 *     bare public key otherwise
 * @throws XiSecurityException if the algorithm does not match the key family, the key type is
 *     not RSA/EC/DSA, or the concurrent signer cannot be constructed
 * @throws P11TokenException declared by this method; presumably raised by the per-signer factory
 *     methods - confirm against their signatures
 */
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism) throws XiSecurityException, P11TokenException {
    ParamUtil.requireMin("parallelism", parallelism, 1);

    // Classify the key once; precedence is RSA, then EC, then DSA.
    final boolean rsaKey = publicKey instanceof RSAPublicKey;
    final boolean ecKey = !rsaKey && publicKey instanceof ECPublicKey;
    final boolean dsaKey = !rsaKey && !ecKey && publicKey instanceof DSAPublicKey;

    // Validate the algorithm against the key family before touching the token.
    boolean sm2Curve = false;
    if (rsaKey) {
        if (!AlgorithmUtil.isRSASigAlgId(signatureAlgId)) {
            throw new XiSecurityException("the given algorithm is not a valid RSA signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
        }
    } else if (ecKey) {
        // An EC key on the SM2 curve must be paired with an SM2 algorithm, any other curve with
        // an EC signature algorithm.
        sm2Curve = GMUtil.isSm2primev2Curve(((ECPublicKey) publicKey).getParams().getCurve());
        if (sm2Curve) {
            if (!AlgorithmUtil.isSM2SigAlg(signatureAlgId)) {
                throw new XiSecurityException("the given algorithm is not a valid SM2 signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
            }
        } else if (!AlgorithmUtil.isECSigAlg(signatureAlgId)) {
            throw new XiSecurityException("the given algorithm is not a valid EC signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
        }
    } else if (dsaKey) {
        if (!AlgorithmUtil.isDSASigAlg(signatureAlgId)) {
            throw new XiSecurityException("the given algorithm is not a valid DSA signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
        }
    } else {
        throw new XiSecurityException("unsupported key " + publicKey.getClass().getName());
    }

    // One independent signer per slot of the pool.
    List<XiContentSigner> pool = new ArrayList<>(parallelism);
    for (int slot = 0; slot < parallelism; slot++) {
        XiContentSigner created;
        if (rsaKey) {
            created = createRSAContentSigner(signatureAlgId);
        } else if (dsaKey) {
            created = createDSAContentSigner(signatureAlgId);
        } else if (sm2Curve) {
            // The SM2 signer is given the curve OID and the affine coordinates of the public point.
            java.security.spec.ECPoint point = ((ECPublicKey) publicKey).getW();
            created = createSM2ContentSigner(signatureAlgId, GMObjectIdentifiers.sm2p256v1, point.getAffineX(), point.getAffineY());
        } else {
            created = createECContentSigner(signatureAlgId);
        }
        pool.add(created);
    }

    // The private key object is built from the crypt service and the identity id; this is an
    // asymmetric signer, hence mac == false.
    PrivateKey tokenKey = new P11PrivateKey(cryptService, identityId);
    final boolean mac = false;
    DfltConcurrentContentSigner result;
    try {
        result = new DfltConcurrentContentSigner(mac, pool, tokenKey);
    } catch (NoSuchAlgorithmException ex) {
        throw new XiSecurityException(ex.getMessage(), ex);
    }

    if (certificateChain == null) {
        result.setPublicKey(publicKey);
    } else {
        result.setCertificateChain(certificateChain);
    }
    return result;
}
Also used : P11PrivateKey(org.xipki.security.pkcs11.provider.P11PrivateKey) PrivateKey(java.security.PrivateKey) ArrayList(java.util.ArrayList) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) DSAPublicKey(java.security.interfaces.DSAPublicKey) XiSecurityException(org.xipki.security.exception.XiSecurityException) RSAPublicKey(java.security.interfaces.RSAPublicKey) ECPublicKey(java.security.interfaces.ECPublicKey) P11PrivateKey(org.xipki.security.pkcs11.provider.P11PrivateKey) DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner) XiContentSigner(org.xipki.security.XiContentSigner)

Example 2 with XiContentSigner

use of org.xipki.security.XiContentSigner in project xipki by xipki.

the class OCSPRespBuilder method buildOCSPResponse.

// CHECKSTYLE:SKIP
/**
 * Builds and signs an OCSP response and returns its encoded bytes.
 *
 * <p>The response data is serialized into {@code tbs}, signed with a signer borrowed from
 * {@code signer} (always handed back in a {@code finally} block), and the outer structures are
 * then written by hand into a buffer whose size is computed up front from the nested lengths.
 *
 * <p>NOTE(review): the buffer writes are not bounds-checked against the precomputed lengths; the
 * output is only well-formed if {@code getLen}, {@code ASN1Type.writeHeader} and the
 * {@code getEncodedLength()} implementations agree on every header size. A mismatch would surface
 * as an {@code ArrayIndexOutOfBoundsException} or as trailing zero bytes after the structure.
 *
 * @param signer pool from which one signer is borrowed for the duration of the signing step
 * @param taggedCertSequence optional pre-encoded element appended after the signature; skipped
 *     when {@code null}
 * @param producedAt timestamp passed to the {@code ResponseData} constructor
 * @return the encoded response
 * @throws OCSPException if writing the to-be-signed bytes to the signer's stream fails
 * @throws NoIdleSignerException presumably raised by {@code borrowSigner()} when the pool has no
 *     free signer - confirm against ConcurrentContentSigner
 */
public byte[] buildOCSPResponse(ConcurrentContentSigner signer, TaggedCertSequence taggedCertSequence, Date producedAt) throws OCSPException, NoIdleSignerException {
    // Serialize the to-be-signed response data into an exactly sized buffer.
    ResponseData responseData = new ResponseData(0, responderId, producedAt, list, responseExtensions);
    byte[] tbs = new byte[responseData.getEncodedLength()];
    responseData.write(tbs, 0);
    ConcurrentBagEntrySigner signer0 = signer.borrowSigner();
    byte[] signature;
    byte[] sigAlgId;
    try {
        XiContentSigner csigner0 = signer0.value();
        OutputStream sigOut = csigner0.getOutputStream();
        try {
            sigOut.write(tbs);
            // NOTE(review): close() is skipped when write() throws; the signer is still returned to
            // the pool below. Confirm a signer left in that state is safe to reuse.
            sigOut.close();
        } catch (IOException ex) {
            // NOTE(review): the message says "TBSRequest" although the bytes being signed are the
            // response data.
            throw new OCSPException("exception signing TBSRequest: " + ex.getMessage(), ex);
        }
        signature = csigner0.getSignature();
        sigAlgId = csigner0.getEncodedAlgorithmIdentifier();
    } finally {
        // Always hand the borrowed signer back, including on failure.
        signer.requiteSigner(signer0);
    }
    // ----- Compute the lengths, innermost structure first -----
    // getLen(n) is presumably the total encoded length (header plus n body bytes) - confirm.
    // BasicOCSPResponse.signature: BIT STRING body = one unused-bits octet + signature bytes
    int signatureBodyLen = signature.length + 1;
    int signatureLen = getLen(signatureBodyLen);
    // BasicOCSPResponse
    int basicResponseBodyLen = tbs.length + sigAlgId.length + signatureLen;
    if (taggedCertSequence != null) {
        basicResponseBodyLen += taggedCertSequence.getEncodedLength();
    }
    int basicResponseLen = getLen(basicResponseBodyLen);
    // OCSPResponse.[0].responseBytes: responseType plus the OCTET STRING wrapping BasicOCSPResponse
    int responseBytesBodyLen = responseTypeBasic.length + // Header of OCTET STRING
    getLen(basicResponseLen);
    int responseBytesLen = getLen(responseBytesBodyLen);
    // OCSPResponse.[0]
    int taggedResponseBytesLen = getLen(responseBytesLen);
    // OCSPResponse
    int ocspResponseBodyLen = successfulStatus.length + taggedResponseBytesLen;
    int ocspResponseLen = getLen(ocspResponseBodyLen);
    // ----- Encode, outermost structure first -----
    // Each writeHeader/arraycopy result is added to offset, i.e. used as the number of bytes written.
    byte[] out = new byte[ocspResponseLen];
    int offset = 0;
    // OCSPResponse (tag 0x30, SEQUENCE)
    offset += ASN1Type.writeHeader((byte) 0x30, ocspResponseBodyLen, out, offset);
    // OCSPResponse.responseStatus
    offset += arraycopy(successfulStatus, out, offset);
    // OCSPResponse.[0] (tag 0xA0, context-specific constructed [0])
    offset += ASN1Type.writeHeader((byte) 0xA0, responseBytesLen, out, offset);
    // OCSPResponse.[0]responseBytes (SEQUENCE)
    offset += ASN1Type.writeHeader((byte) 0x30, responseBytesBodyLen, out, offset);
    // OCSPResponse.[0]responseBytes.responseType
    offset += arraycopy(responseTypeBasic, out, offset);
    // OCSPResponse.[0]responseBytes.response
    // OCTET STRING (tag 0x04) wrapping the BasicOCSPResponse
    offset += ASN1Type.writeHeader((byte) 0x04, basicResponseLen, out, offset);
    // BasicOCSPResponse (SEQUENCE)
    offset += ASN1Type.writeHeader((byte) 0x30, basicResponseBodyLen, out, offset);
    // BasicOCSPResponse.tbsResponseData
    offset += arraycopy(tbs, out, offset);
    // BasicOCSPResponse.signatureAlgorithm (already encoded by the signer)
    offset += arraycopy(sigAlgId, out, offset);
    // BasicOCSPResponse.signature (tag 0x03, BIT STRING)
    offset += ASN1Type.writeHeader((byte) 0x03, signatureBodyLen, out, offset);
    // BIT STRING unused-bits octet: zero, the signature fills whole bytes
    out[offset++] = 0x00;
    offset += arraycopy(signature, out, offset);
    // Optional trailing element, written in its own pre-tagged encoding.
    if (taggedCertSequence != null) {
        offset += taggedCertSequence.write(out, offset);
    }
    return out;
}
Also used : OCSPException(org.bouncycastle.cert.ocsp.OCSPException) ResponseData(org.xipki.ocsp.server.impl.type.ResponseData) OutputStream(java.io.OutputStream) IOException(java.io.IOException) ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner) XiContentSigner(org.xipki.security.XiContentSigner)

Example 3 with XiContentSigner

use of org.xipki.security.XiContentSigner in project xipki by xipki.

the class SoftTokenMacContentSignerBuilder method createSigner.

/**
 * Creates a pool of {@code parallelism} MAC signers over this builder's secret {@code key} and
 * wraps them in a {@link ConcurrentContentSigner}.
 *
 * <p>AES-GCM algorithm identifiers (128, 192 and 256 bit) select a GMAC signer; every other
 * identifier is handed to the HMAC signer.
 *
 * <p>NOTE(review): the SHA-1 digest of the encoded key is stored on the returned signer. It is
 * derived from key material, so check where it is exposed; what consumes it is not visible here.
 *
 * @param signatureAlgId MAC algorithm identifier; must not be {@code null}
 * @param parallelism number of signers to create; must be at least 1
 * @param random not used by this method
 * @return the concurrent MAC signer
 * @throws XiSecurityException if the concurrent signer cannot be constructed
 */
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism, SecureRandom random) throws XiSecurityException {
    ParamUtil.requireNonNull("signatureAlgId", signatureAlgId);
    ParamUtil.requireMin("parallelism", parallelism, 1);

    final ASN1ObjectIdentifier algOid = signatureAlgId.getAlgorithm();
    final boolean useGmac = algOid.equals(NISTObjectIdentifiers.id_aes128_GCM)
            || algOid.equals(NISTObjectIdentifiers.id_aes192_GCM)
            || algOid.equals(NISTObjectIdentifiers.id_aes256_GCM);

    List<XiContentSigner> pool = new ArrayList<>(parallelism);
    for (int remaining = parallelism; remaining > 0; remaining--) {
        XiContentSigner created = useGmac
                ? new AESGmacContentSigner(algOid, key)
                : new HmacContentSigner(signatureAlgId, key);
        pool.add(created);
    }

    // Symmetric signer, hence mac == true.
    final boolean mac = true;
    DfltConcurrentContentSigner result;
    try {
        result = new DfltConcurrentContentSigner(mac, pool, key);
    } catch (NoSuchAlgorithmException ex) {
        throw new XiSecurityException(ex.getMessage(), ex);
    }

    byte[] keyDigest = HashAlgo.SHA1.hash(key.getEncoded());
    result.setSha1DigestOfMacKey(keyDigest);
    return result;
}
Also used : XiSecurityException(org.xipki.security.exception.XiSecurityException) DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner) ArrayList(java.util.ArrayList) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) XiContentSigner(org.xipki.security.XiContentSigner) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 4 with XiContentSigner

use of org.xipki.security.XiContentSigner in project xipki by xipki.

the class SoftTokenContentSignerBuilder method createSigner.

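/**
 * Creates a pool of {@code parallelism} software-key content signers and wraps them in a
 * {@link ConcurrentContentSigner}.
 *
 * <p>Two paths are tried in order:
 * <ol>
 *   <li>JCA {@link Signature} instances from the {@code SunJCE} provider, when that provider is
 *       registered. The first instance signs a four-byte probe; any exception on this path
 *       discards the signers built so far.</li>
 *   <li>BouncyCastle content signers chosen by private key type (RSA, DSA, EC/SM2), used whenever
 *       the first path yielded no signer.</li>
 * </ol>
 *
 * <p>NOTE(review): the caller-supplied {@code random} is applied only on the BouncyCastle path;
 * the JCA path calls {@code initSign(key)} without it. Confirm this is intended for deployments
 * that pass a specific randomness source.
 *
 * <p>NOTE(review): confirm that {@code SunJCE} exposes {@code Signature} implementations for the
 * expected algorithms on the target JDK; if it does not, the first path always falls through.
 *
 * @param signatureAlgId signature algorithm identifier; must not be {@code null}
 * @param parallelism number of signers to create; must be at least 1
 * @param random randomness source for the BouncyCastle signers, or {@code null} to leave the
 *     builder's default in place
 * @return the concurrent signer, carrying the certificate chain when one is configured and the
 *     bare public key otherwise
 * @throws XiSecurityException if the algorithm name cannot be resolved, the key is unsupported or
 *     invalid, or a signer cannot be built
 * @throws NoSuchPaddingException declared by this method; no statement visible here throws it
 */
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism, SecureRandom random) throws XiSecurityException, NoSuchPaddingException {
    ParamUtil.requireNonNull("signatureAlgId", signatureAlgId);
    ParamUtil.requireMin("parallelism", parallelism, 1);
    List<XiContentSigner> signers = new ArrayList<>(parallelism);

    final String provName = "SunJCE";
    if (Security.getProvider(provName) != null) {
        String algoName;
        try {
            algoName = AlgorithmUtil.getSignatureAlgoName(signatureAlgId);
        } catch (NoSuchAlgorithmException ex) {
            // Keep the cause so the failing algorithm lookup stays visible in the stack trace,
            // as the other NoSuchAlgorithmException handler in this method already does.
            throw new XiSecurityException(ex.getMessage(), ex);
        }
        try {
            for (int i = 0; i < parallelism; i++) {
                Signature signature = Signature.getInstance(algoName, provName);
                signature.initSign(key);
                if (i == 0) {
                    // Probe: sign four fixed bytes and drop the result, so a provider that cannot
                    // sign with this key fails here and not on the first real request.
                    signature.update(new byte[] { 1, 2, 3, 4 });
                    signature.sign();
                }
                XiContentSigner signer = new SignatureSigner(signatureAlgId, signature, key);
                signers.add(signer);
            }
        } catch (Exception ex) {
            // Deliberate best effort: any failure on the JCA path is not an error. Drop the
            // partially built pool so the BouncyCastle path below builds all signers.
            signers.clear();
        }
    }

    if (signers.isEmpty()) {
        BcContentSignerBuilder signerBuilder;
        AsymmetricKeyParameter keyparam;
        try {
            if (key instanceof RSAPrivateKey) {
                keyparam = SignerUtil.generateRSAPrivateKeyParameter((RSAPrivateKey) key);
                signerBuilder = new RSAContentSignerBuilder(signatureAlgId);
            } else if (key instanceof DSAPrivateKey) {
                keyparam = DSAUtil.generatePrivateKeyParameter(key);
                signerBuilder = new DSAContentSignerBuilder(signatureAlgId, AlgorithmUtil.isDSAPlainSigAlg(signatureAlgId));
            } else if (key instanceof ECPrivateKey) {
                keyparam = ECUtil.generatePrivateKeyParameter(key);
                EllipticCurve curve = ((ECPrivateKey) key).getParams().getCurve();
                // Keys on the SM2 curve get the SM2 builder; all other curves use ECDSA.
                if (GMUtil.isSm2primev2Curve(curve)) {
                    signerBuilder = new SM2ContentSignerBuilder();
                } else {
                    signerBuilder = new ECDSAContentSignerBuilder(signatureAlgId, AlgorithmUtil.isDSAPlainSigAlg(signatureAlgId));
                }
            } else {
                throw new XiSecurityException("unsupported key " + key.getClass().getName());
            }
        } catch (InvalidKeyException ex) {
            throw new XiSecurityException("invalid key", ex);
        } catch (NoSuchAlgorithmException ex) {
            throw new XiSecurityException("no such algorithm", ex);
        }

        // The randomness source does not change between signers, so it is set once.
        if (random != null) {
            signerBuilder.setSecureRandom(random);
        }
        for (int i = 0; i < parallelism; i++) {
            ContentSigner signer;
            try {
                signer = signerBuilder.build(keyparam);
            } catch (OperatorCreationException ex) {
                throw new XiSecurityException("operator creation error", ex);
            }
            signers.add(new XiWrappedContentSigner(signer, true));
        }
    }

    // Asymmetric signer, hence mac == false.
    final boolean mac = false;
    ConcurrentContentSigner concurrentSigner;
    try {
        concurrentSigner = new DfltConcurrentContentSigner(mac, signers, key);
    } catch (NoSuchAlgorithmException ex) {
        throw new XiSecurityException(ex.getMessage(), ex);
    }
    if (certificateChain != null) {
        concurrentSigner.setCertificateChain(certificateChain);
    } else {
        concurrentSigner.setPublicKey(publicKey);
    }
    return concurrentSigner;
}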
Also used : ArrayList(java.util.ArrayList) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) XiSecurityException(org.xipki.security.exception.XiSecurityException) XiWrappedContentSigner(org.xipki.security.XiWrappedContentSigner) DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) XiContentSigner(org.xipki.security.XiContentSigner) BcContentSignerBuilder(org.bouncycastle.operator.bc.BcContentSignerBuilder) ECPrivateKey(java.security.interfaces.ECPrivateKey) DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner) ContentSigner(org.bouncycastle.operator.ContentSigner) XiContentSigner(org.xipki.security.XiContentSigner) XiWrappedContentSigner(org.xipki.security.XiWrappedContentSigner) ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner) InvalidKeyException(java.security.InvalidKeyException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) KeyStoreException(java.security.KeyStoreException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) XiSecurityException(org.xipki.security.exception.XiSecurityException) NoSuchPaddingException(javax.crypto.NoSuchPaddingException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) NoSuchProviderException(java.security.NoSuchProviderException) SignatureSigner(org.xipki.security.SignatureSigner) DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner) ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner) AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter) EllipticCurve(java.security.spec.EllipticCurve) Signature(java.security.Signature) DSAPrivateKey(java.security.interfaces.DSAPrivateKey) 
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)

Example 5 with XiContentSigner

use of org.xipki.security.XiContentSigner in project xipki by xipki.

the class P11MacContentSignerBuilder method createSigner.

// constructor
/**
 * Creates a pool of {@code parallelism} PKCS#11 MAC signers for this builder's identity and wraps
 * them in a {@link ConcurrentContentSigner}.
 *
 * <p>No key object is passed to the concurrent signer ({@code null}). The SHA-1 digest of the
 * secret key is requested from the token identity and attached to the signer; if that request
 * fails, a warning is logged and the signer is returned without the digest.
 *
 * @param signatureAlgId MAC algorithm identifier passed to every signer
 * @param parallelism number of signers to create; must be at least 1
 * @return the concurrent MAC signer
 * @throws XiSecurityException if the concurrent signer cannot be constructed
 * @throws P11TokenException declared by this method; presumably raised by the
 *     {@code P11MacContentSigner} constructor - confirm against its signature
 */
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism) throws XiSecurityException, P11TokenException {
    ParamUtil.requireMin("parallelism", parallelism, 1);

    List<XiContentSigner> pool = new ArrayList<>(parallelism);
    for (int remaining = parallelism; remaining > 0; remaining--) {
        pool.add(new P11MacContentSigner(cryptService, identityId, signatureAlgId));
    }

    // Symmetric signer, hence mac == true.
    final boolean mac = true;
    DfltConcurrentContentSigner result;
    try {
        result = new DfltConcurrentContentSigner(mac, pool, null);
    } catch (NoSuchAlgorithmException ex) {
        throw new XiSecurityException(ex.getMessage(), ex);
    }

    // Best effort: a failed digest computation is logged and does not abort signer creation.
    try {
        byte[] keyDigest = cryptService.getIdentity(identityId).digestSecretKey(PKCS11Constants.CKM_SHA_1);
        result.setSha1DigestOfMacKey(keyDigest);
    } catch (P11TokenException | XiSecurityException ex) {
        LogUtil.warn(LOG, ex, "could not compute the digest of secret key " + identityId);
    }
    return result;
}
Also used : XiSecurityException(org.xipki.security.exception.XiSecurityException) DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner) P11TokenException(org.xipki.security.exception.P11TokenException) ArrayList(java.util.ArrayList) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) XiContentSigner(org.xipki.security.XiContentSigner)

Aggregations

XiContentSigner (org.xipki.security.XiContentSigner)5 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)4 ArrayList (java.util.ArrayList)4 DfltConcurrentContentSigner (org.xipki.security.DfltConcurrentContentSigner)4 XiSecurityException (org.xipki.security.exception.XiSecurityException)4 IOException (java.io.IOException)2 OutputStream (java.io.OutputStream)1 InvalidKeyException (java.security.InvalidKeyException)1 KeyStoreException (java.security.KeyStoreException)1 NoSuchProviderException (java.security.NoSuchProviderException)1 PrivateKey (java.security.PrivateKey)1 Signature (java.security.Signature)1 UnrecoverableKeyException (java.security.UnrecoverableKeyException)1 CertificateException (java.security.cert.CertificateException)1 DSAPrivateKey (java.security.interfaces.DSAPrivateKey)1 DSAPublicKey (java.security.interfaces.DSAPublicKey)1 ECPrivateKey (java.security.interfaces.ECPrivateKey)1 ECPublicKey (java.security.interfaces.ECPublicKey)1 RSAPrivateKey (java.security.interfaces.RSAPrivateKey)1 RSAPublicKey (java.security.interfaces.RSAPublicKey)1