Example 1 with XiContentSigner
use of org.xipki.security.XiContentSigner in project xipki by xipki.
the class P11ContentSignerBuilder method createSigner.
// constructor
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism) throws XiSecurityException, P11TokenException {
ParamUtil.requireMin("parallelism", parallelism, 1);
List<XiContentSigner> signers = new ArrayList<>(parallelism);
Boolean isSm2p256v1 = null;
for (int i = 0; i < parallelism; i++) {
XiContentSigner signer;
if (publicKey instanceof RSAPublicKey) {
if (i == 0 && !AlgorithmUtil.isRSASigAlgId(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid RSA signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
signer = createRSAContentSigner(signatureAlgId);
} else if (publicKey instanceof ECPublicKey) {
ECPublicKey ecKey = (ECPublicKey) publicKey;
if (i == 0) {
isSm2p256v1 = GMUtil.isSm2primev2Curve(ecKey.getParams().getCurve());
if (isSm2p256v1) {
if (!AlgorithmUtil.isSM2SigAlg(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid SM2 signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
} else {
if (!AlgorithmUtil.isECSigAlg(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid EC signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
}
}
if (isSm2p256v1) {
java.security.spec.ECPoint w = ecKey.getW();
signer = createSM2ContentSigner(signatureAlgId, GMObjectIdentifiers.sm2p256v1, w.getAffineX(), w.getAffineY());
} else {
signer = createECContentSigner(signatureAlgId);
}
} else if (publicKey instanceof DSAPublicKey) {
if (i == 0 && !AlgorithmUtil.isDSASigAlg(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid DSA signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
signer = createDSAContentSigner(signatureAlgId);
} else {
throw new XiSecurityException("unsupported key " + publicKey.getClass().getName());
}
signers.add(signer);
}
// end for
final boolean mac = false;
PrivateKey privateKey = new P11PrivateKey(cryptService, identityId);
DfltConcurrentContentSigner concurrentSigner;
try {
concurrentSigner = new DfltConcurrentContentSigner(mac, signers, privateKey);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
if (certificateChain != null) {
concurrentSigner.setCertificateChain(certificateChain);
} else {
concurrentSigner.setPublicKey(publicKey);
}
return concurrentSigner;
}
Also used :
P11PrivateKey(org.xipki.security.pkcs11.provider.P11PrivateKey)
PrivateKey(java.security.PrivateKey)
ArrayList(java.util.ArrayList)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
DSAPublicKey(java.security.interfaces.DSAPublicKey)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
RSAPublicKey(java.security.interfaces.RSAPublicKey)
ECPublicKey(java.security.interfaces.ECPublicKey)
P11PrivateKey(org.xipki.security.pkcs11.provider.P11PrivateKey)
DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner)
XiContentSigner(org.xipki.security.XiContentSigner)
Example 2 with XiContentSigner
use of org.xipki.security.XiContentSigner in project xipki by xipki.
the class OCSPRespBuilder method buildOCSPResponse.
// CHECKSTYLE:SKIP
public byte[] buildOCSPResponse(ConcurrentContentSigner signer, TaggedCertSequence taggedCertSequence, Date producedAt) throws OCSPException, NoIdleSignerException {
ResponseData responseData = new ResponseData(0, responderId, producedAt, list, responseExtensions);
byte[] tbs = new byte[responseData.getEncodedLength()];
responseData.write(tbs, 0);
ConcurrentBagEntrySigner signer0 = signer.borrowSigner();
byte[] signature;
byte[] sigAlgId;
try {
XiContentSigner csigner0 = signer0.value();
OutputStream sigOut = csigner0.getOutputStream();
try {
sigOut.write(tbs);
sigOut.close();
} catch (IOException ex) {
throw new OCSPException("exception signing TBSRequest: " + ex.getMessage(), ex);
}
signature = csigner0.getSignature();
sigAlgId = csigner0.getEncodedAlgorithmIdentifier();
} finally {
signer.requiteSigner(signer0);
}
// ----- Get the length -----
// BasicOCSPResponse.signature
int signatureBodyLen = signature.length + 1;
int signatureLen = getLen(signatureBodyLen);
// BasicOCSPResponse
int basicResponseBodyLen = tbs.length + sigAlgId.length + signatureLen;
if (taggedCertSequence != null) {
basicResponseBodyLen += taggedCertSequence.getEncodedLength();
}
int basicResponseLen = getLen(basicResponseBodyLen);
// OCSPResponse.[0].responseBytes
int responseBytesBodyLen = responseTypeBasic.length + // Header of OCTET STRING
getLen(basicResponseLen);
int responseBytesLen = getLen(responseBytesBodyLen);
// OCSPResponse.[0]
int taggedResponseBytesLen = getLen(responseBytesLen);
// OCSPResponse
int ocspResponseBodyLen = successfulStatus.length + taggedResponseBytesLen;
int ocspResponseLen = getLen(ocspResponseBodyLen);
// encode
byte[] out = new byte[ocspResponseLen];
int offset = 0;
offset += ASN1Type.writeHeader((byte) 0x30, ocspResponseBodyLen, out, offset);
// OCSPResponse.responseStatus
offset += arraycopy(successfulStatus, out, offset);
// OCSPResponse.[0]
offset += ASN1Type.writeHeader((byte) 0xA0, responseBytesLen, out, offset);
// OCSPResponse.[0]responseBytes
offset += ASN1Type.writeHeader((byte) 0x30, responseBytesBodyLen, out, offset);
// OCSPResponse.[0]responseBytes.responseType
offset += arraycopy(responseTypeBasic, out, offset);
// OCSPResponse.[0]responseBytes.responseType
// OCET STRING
offset += ASN1Type.writeHeader((byte) 0x04, basicResponseLen, out, offset);
// BasicOCSPResponse
offset += ASN1Type.writeHeader((byte) 0x30, basicResponseBodyLen, out, offset);
// BasicOCSPResponse.tbsResponseData
offset += arraycopy(tbs, out, offset);
// BasicOCSPResponse.signatureAlgorithm
offset += arraycopy(sigAlgId, out, offset);
// BasicOCSPResponse.signature
offset += ASN1Type.writeHeader((byte) 0x03, signatureBodyLen, out, offset);
// skipping bits
out[offset++] = 0x00;
offset += arraycopy(signature, out, offset);
if (taggedCertSequence != null) {
offset += taggedCertSequence.write(out, offset);
}
return out;
}
Also used :
OCSPException(org.bouncycastle.cert.ocsp.OCSPException)
ResponseData(org.xipki.ocsp.server.impl.type.ResponseData)
OutputStream(java.io.OutputStream)
IOException(java.io.IOException)
ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner)
XiContentSigner(org.xipki.security.XiContentSigner)
Example 3 with XiContentSigner
use of org.xipki.security.XiContentSigner in project xipki by xipki.
the class SoftTokenMacContentSignerBuilder method createSigner.
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism, SecureRandom random) throws XiSecurityException {
ParamUtil.requireNonNull("signatureAlgId", signatureAlgId);
ParamUtil.requireMin("parallelism", parallelism, 1);
List<XiContentSigner> signers = new ArrayList<>(parallelism);
boolean gmac = false;
ASN1ObjectIdentifier oid = signatureAlgId.getAlgorithm();
if (oid.equals(NISTObjectIdentifiers.id_aes128_GCM) || oid.equals(NISTObjectIdentifiers.id_aes192_GCM) || oid.equals(NISTObjectIdentifiers.id_aes256_GCM)) {
gmac = true;
}
for (int i = 0; i < parallelism; i++) {
XiContentSigner signer;
if (gmac) {
signer = new AESGmacContentSigner(oid, key);
} else {
signer = new HmacContentSigner(signatureAlgId, key);
}
signers.add(signer);
}
final boolean mac = true;
DfltConcurrentContentSigner concurrentSigner;
try {
concurrentSigner = new DfltConcurrentContentSigner(mac, signers, key);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
concurrentSigner.setSha1DigestOfMacKey(HashAlgo.SHA1.hash(key.getEncoded()));
return concurrentSigner;
}
Also used :
XiSecurityException(org.xipki.security.exception.XiSecurityException)
DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner)
ArrayList(java.util.ArrayList)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
XiContentSigner(org.xipki.security.XiContentSigner)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 4 with XiContentSigner
use of org.xipki.security.XiContentSigner in project xipki by xipki.
the class SoftTokenContentSignerBuilder method createSigner.
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism, SecureRandom random) throws XiSecurityException, NoSuchPaddingException {
ParamUtil.requireNonNull("signatureAlgId", signatureAlgId);
ParamUtil.requireMin("parallelism", parallelism, 1);
List<XiContentSigner> signers = new ArrayList<>(parallelism);
final String provName = "SunJCE";
if (Security.getProvider(provName) != null) {
String algoName;
try {
algoName = AlgorithmUtil.getSignatureAlgoName(signatureAlgId);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage());
}
try {
for (int i = 0; i < parallelism; i++) {
Signature signature = Signature.getInstance(algoName, provName);
signature.initSign(key);
if (i == 0) {
signature.update(new byte[] { 1, 2, 3, 4 });
signature.sign();
}
XiContentSigner signer = new SignatureSigner(signatureAlgId, signature, key);
signers.add(signer);
}
} catch (Exception ex) {
signers.clear();
}
}
if (CollectionUtil.isEmpty(signers)) {
BcContentSignerBuilder signerBuilder;
AsymmetricKeyParameter keyparam;
try {
if (key instanceof RSAPrivateKey) {
keyparam = SignerUtil.generateRSAPrivateKeyParameter((RSAPrivateKey) key);
signerBuilder = new RSAContentSignerBuilder(signatureAlgId);
} else if (key instanceof DSAPrivateKey) {
keyparam = DSAUtil.generatePrivateKeyParameter(key);
signerBuilder = new DSAContentSignerBuilder(signatureAlgId, AlgorithmUtil.isDSAPlainSigAlg(signatureAlgId));
} else if (key instanceof ECPrivateKey) {
keyparam = ECUtil.generatePrivateKeyParameter(key);
EllipticCurve curve = ((ECPrivateKey) key).getParams().getCurve();
if (GMUtil.isSm2primev2Curve(curve)) {
signerBuilder = new SM2ContentSignerBuilder();
} else {
signerBuilder = new ECDSAContentSignerBuilder(signatureAlgId, AlgorithmUtil.isDSAPlainSigAlg(signatureAlgId));
}
} else {
throw new XiSecurityException("unsupported key " + key.getClass().getName());
}
} catch (InvalidKeyException ex) {
throw new XiSecurityException("invalid key", ex);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException("no such algorithm", ex);
}
for (int i = 0; i < parallelism; i++) {
if (random != null) {
signerBuilder.setSecureRandom(random);
}
ContentSigner signer;
try {
signer = signerBuilder.build(keyparam);
} catch (OperatorCreationException ex) {
throw new XiSecurityException("operator creation error", ex);
}
signers.add(new XiWrappedContentSigner(signer, true));
}
}
final boolean mac = false;
ConcurrentContentSigner concurrentSigner;
try {
concurrentSigner = new DfltConcurrentContentSigner(mac, signers, key);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
if (certificateChain != null) {
concurrentSigner.setCertificateChain(certificateChain);
} else {
concurrentSigner.setPublicKey(publicKey);
}
return concurrentSigner;
}
Also used :
ArrayList(java.util.ArrayList)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
XiWrappedContentSigner(org.xipki.security.XiWrappedContentSigner)
DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
XiContentSigner(org.xipki.security.XiContentSigner)
BcContentSignerBuilder(org.bouncycastle.operator.bc.BcContentSignerBuilder)
ECPrivateKey(java.security.interfaces.ECPrivateKey)
DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner)
ContentSigner(org.bouncycastle.operator.ContentSigner)
XiContentSigner(org.xipki.security.XiContentSigner)
XiWrappedContentSigner(org.xipki.security.XiWrappedContentSigner)
ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner)
InvalidKeyException(java.security.InvalidKeyException)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
KeyStoreException(java.security.KeyStoreException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
NoSuchPaddingException(javax.crypto.NoSuchPaddingException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
NoSuchProviderException(java.security.NoSuchProviderException)
SignatureSigner(org.xipki.security.SignatureSigner)
DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner)
ConcurrentContentSigner(org.xipki.security.ConcurrentContentSigner)
AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter)
EllipticCurve(java.security.spec.EllipticCurve)
Signature(java.security.Signature)
DSAPrivateKey(java.security.interfaces.DSAPrivateKey)
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
Example 5 with XiContentSigner
use of org.xipki.security.XiContentSigner in project xipki by xipki.
the class P11MacContentSignerBuilder method createSigner.
// constructor
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism) throws XiSecurityException, P11TokenException {
ParamUtil.requireMin("parallelism", parallelism, 1);
List<XiContentSigner> signers = new ArrayList<>(parallelism);
for (int i = 0; i < parallelism; i++) {
XiContentSigner signer = new P11MacContentSigner(cryptService, identityId, signatureAlgId);
signers.add(signer);
}
// end for
final boolean mac = true;
DfltConcurrentContentSigner concurrentSigner;
try {
concurrentSigner = new DfltConcurrentContentSigner(mac, signers, null);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
try {
byte[] sha1HashOfKey = cryptService.getIdentity(identityId).digestSecretKey(PKCS11Constants.CKM_SHA_1);
concurrentSigner.setSha1DigestOfMacKey(sha1HashOfKey);
} catch (P11TokenException | XiSecurityException ex) {
LogUtil.warn(LOG, ex, "could not compute the digest of secret key " + identityId);
}
return concurrentSigner;
}
Also used :
XiSecurityException(org.xipki.security.exception.XiSecurityException)
DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner)
P11TokenException(org.xipki.security.exception.P11TokenException)
ArrayList(java.util.ArrayList)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
XiContentSigner(org.xipki.security.XiContentSigner)
Aggregations
XiContentSigner (org.xipki.security.XiContentSigner)5
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)4
ArrayList (java.util.ArrayList)4
DfltConcurrentContentSigner (org.xipki.security.DfltConcurrentContentSigner)4
XiSecurityException (org.xipki.security.exception.XiSecurityException)4
IOException (java.io.IOException)2
OutputStream (java.io.OutputStream)1
InvalidKeyException (java.security.InvalidKeyException)1
KeyStoreException (java.security.KeyStoreException)1
NoSuchProviderException (java.security.NoSuchProviderException)1
PrivateKey (java.security.PrivateKey)1
Signature (java.security.Signature)1
UnrecoverableKeyException (java.security.UnrecoverableKeyException)1
CertificateException (java.security.cert.CertificateException)1
DSAPrivateKey (java.security.interfaces.DSAPrivateKey)1
DSAPublicKey (java.security.interfaces.DSAPublicKey)1
ECPrivateKey (java.security.interfaces.ECPrivateKey)1
ECPublicKey (java.security.interfaces.ECPublicKey)1
RSAPrivateKey (java.security.interfaces.RSAPrivateKey)1
RSAPublicKey (java.security.interfaces.RSAPublicKey)1
