use of org.xipki.security.XiContentSigner in project xipki by xipki.
the class P11ContentSignerBuilder method createSigner.
// constructor
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism) throws XiSecurityException, P11TokenException {
ParamUtil.requireMin("parallelism", parallelism, 1);
List<XiContentSigner> signers = new ArrayList<>(parallelism);
Boolean isSm2p256v1 = null;
for (int i = 0; i < parallelism; i++) {
XiContentSigner signer;
if (publicKey instanceof RSAPublicKey) {
if (i == 0 && !AlgorithmUtil.isRSASigAlgId(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid RSA signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
signer = createRSAContentSigner(signatureAlgId);
} else if (publicKey instanceof ECPublicKey) {
ECPublicKey ecKey = (ECPublicKey) publicKey;
if (i == 0) {
isSm2p256v1 = GMUtil.isSm2primev2Curve(ecKey.getParams().getCurve());
if (isSm2p256v1) {
if (!AlgorithmUtil.isSM2SigAlg(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid SM2 signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
} else {
if (!AlgorithmUtil.isECSigAlg(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid EC signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
}
}
if (isSm2p256v1) {
java.security.spec.ECPoint w = ecKey.getW();
signer = createSM2ContentSigner(signatureAlgId, GMObjectIdentifiers.sm2p256v1, w.getAffineX(), w.getAffineY());
} else {
signer = createECContentSigner(signatureAlgId);
}
} else if (publicKey instanceof DSAPublicKey) {
if (i == 0 && !AlgorithmUtil.isDSASigAlg(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid DSA signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
signer = createDSAContentSigner(signatureAlgId);
} else {
throw new XiSecurityException("unsupported key " + publicKey.getClass().getName());
}
signers.add(signer);
}
// end for
final boolean mac = false;
PrivateKey privateKey = new P11PrivateKey(cryptService, identityId);
DfltConcurrentContentSigner concurrentSigner;
try {
concurrentSigner = new DfltConcurrentContentSigner(mac, signers, privateKey);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
if (certificateChain != null) {
concurrentSigner.setCertificateChain(certificateChain);
} else {
concurrentSigner.setPublicKey(publicKey);
}
return concurrentSigner;
}
use of org.xipki.security.XiContentSigner in project xipki by xipki.
the class OCSPRespBuilder method buildOCSPResponse.
// CHECKSTYLE:SKIP
public byte[] buildOCSPResponse(ConcurrentContentSigner signer, TaggedCertSequence taggedCertSequence, Date producedAt) throws OCSPException, NoIdleSignerException {
ResponseData responseData = new ResponseData(0, responderId, producedAt, list, responseExtensions);
byte[] tbs = new byte[responseData.getEncodedLength()];
responseData.write(tbs, 0);
ConcurrentBagEntrySigner signer0 = signer.borrowSigner();
byte[] signature;
byte[] sigAlgId;
try {
XiContentSigner csigner0 = signer0.value();
OutputStream sigOut = csigner0.getOutputStream();
try {
sigOut.write(tbs);
sigOut.close();
} catch (IOException ex) {
throw new OCSPException("exception signing TBSRequest: " + ex.getMessage(), ex);
}
signature = csigner0.getSignature();
sigAlgId = csigner0.getEncodedAlgorithmIdentifier();
} finally {
signer.requiteSigner(signer0);
}
// ----- Get the length -----
// BasicOCSPResponse.signature
int signatureBodyLen = signature.length + 1;
int signatureLen = getLen(signatureBodyLen);
// BasicOCSPResponse
int basicResponseBodyLen = tbs.length + sigAlgId.length + signatureLen;
if (taggedCertSequence != null) {
basicResponseBodyLen += taggedCertSequence.getEncodedLength();
}
int basicResponseLen = getLen(basicResponseBodyLen);
// OCSPResponse.[0].responseBytes
int responseBytesBodyLen = responseTypeBasic.length + // Header of OCTET STRING
getLen(basicResponseLen);
int responseBytesLen = getLen(responseBytesBodyLen);
// OCSPResponse.[0]
int taggedResponseBytesLen = getLen(responseBytesLen);
// OCSPResponse
int ocspResponseBodyLen = successfulStatus.length + taggedResponseBytesLen;
int ocspResponseLen = getLen(ocspResponseBodyLen);
// encode
byte[] out = new byte[ocspResponseLen];
int offset = 0;
offset += ASN1Type.writeHeader((byte) 0x30, ocspResponseBodyLen, out, offset);
// OCSPResponse.responseStatus
offset += arraycopy(successfulStatus, out, offset);
// OCSPResponse.[0]
offset += ASN1Type.writeHeader((byte) 0xA0, responseBytesLen, out, offset);
// OCSPResponse.[0]responseBytes
offset += ASN1Type.writeHeader((byte) 0x30, responseBytesBodyLen, out, offset);
// OCSPResponse.[0]responseBytes.responseType
offset += arraycopy(responseTypeBasic, out, offset);
// OCSPResponse.[0]responseBytes.responseType
// OCET STRING
offset += ASN1Type.writeHeader((byte) 0x04, basicResponseLen, out, offset);
// BasicOCSPResponse
offset += ASN1Type.writeHeader((byte) 0x30, basicResponseBodyLen, out, offset);
// BasicOCSPResponse.tbsResponseData
offset += arraycopy(tbs, out, offset);
// BasicOCSPResponse.signatureAlgorithm
offset += arraycopy(sigAlgId, out, offset);
// BasicOCSPResponse.signature
offset += ASN1Type.writeHeader((byte) 0x03, signatureBodyLen, out, offset);
// skipping bits
out[offset++] = 0x00;
offset += arraycopy(signature, out, offset);
if (taggedCertSequence != null) {
offset += taggedCertSequence.write(out, offset);
}
return out;
}
use of org.xipki.security.XiContentSigner in project xipki by xipki.
the class SoftTokenMacContentSignerBuilder method createSigner.
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism, SecureRandom random) throws XiSecurityException {
ParamUtil.requireNonNull("signatureAlgId", signatureAlgId);
ParamUtil.requireMin("parallelism", parallelism, 1);
List<XiContentSigner> signers = new ArrayList<>(parallelism);
boolean gmac = false;
ASN1ObjectIdentifier oid = signatureAlgId.getAlgorithm();
if (oid.equals(NISTObjectIdentifiers.id_aes128_GCM) || oid.equals(NISTObjectIdentifiers.id_aes192_GCM) || oid.equals(NISTObjectIdentifiers.id_aes256_GCM)) {
gmac = true;
}
for (int i = 0; i < parallelism; i++) {
XiContentSigner signer;
if (gmac) {
signer = new AESGmacContentSigner(oid, key);
} else {
signer = new HmacContentSigner(signatureAlgId, key);
}
signers.add(signer);
}
final boolean mac = true;
DfltConcurrentContentSigner concurrentSigner;
try {
concurrentSigner = new DfltConcurrentContentSigner(mac, signers, key);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
concurrentSigner.setSha1DigestOfMacKey(HashAlgo.SHA1.hash(key.getEncoded()));
return concurrentSigner;
}
use of org.xipki.security.XiContentSigner in project xipki by xipki.
the class SoftTokenContentSignerBuilder method createSigner.
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism, SecureRandom random) throws XiSecurityException, NoSuchPaddingException {
ParamUtil.requireNonNull("signatureAlgId", signatureAlgId);
ParamUtil.requireMin("parallelism", parallelism, 1);
List<XiContentSigner> signers = new ArrayList<>(parallelism);
final String provName = "SunJCE";
if (Security.getProvider(provName) != null) {
String algoName;
try {
algoName = AlgorithmUtil.getSignatureAlgoName(signatureAlgId);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage());
}
try {
for (int i = 0; i < parallelism; i++) {
Signature signature = Signature.getInstance(algoName, provName);
signature.initSign(key);
if (i == 0) {
signature.update(new byte[] { 1, 2, 3, 4 });
signature.sign();
}
XiContentSigner signer = new SignatureSigner(signatureAlgId, signature, key);
signers.add(signer);
}
} catch (Exception ex) {
signers.clear();
}
}
if (CollectionUtil.isEmpty(signers)) {
BcContentSignerBuilder signerBuilder;
AsymmetricKeyParameter keyparam;
try {
if (key instanceof RSAPrivateKey) {
keyparam = SignerUtil.generateRSAPrivateKeyParameter((RSAPrivateKey) key);
signerBuilder = new RSAContentSignerBuilder(signatureAlgId);
} else if (key instanceof DSAPrivateKey) {
keyparam = DSAUtil.generatePrivateKeyParameter(key);
signerBuilder = new DSAContentSignerBuilder(signatureAlgId, AlgorithmUtil.isDSAPlainSigAlg(signatureAlgId));
} else if (key instanceof ECPrivateKey) {
keyparam = ECUtil.generatePrivateKeyParameter(key);
EllipticCurve curve = ((ECPrivateKey) key).getParams().getCurve();
if (GMUtil.isSm2primev2Curve(curve)) {
signerBuilder = new SM2ContentSignerBuilder();
} else {
signerBuilder = new ECDSAContentSignerBuilder(signatureAlgId, AlgorithmUtil.isDSAPlainSigAlg(signatureAlgId));
}
} else {
throw new XiSecurityException("unsupported key " + key.getClass().getName());
}
} catch (InvalidKeyException ex) {
throw new XiSecurityException("invalid key", ex);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException("no such algorithm", ex);
}
for (int i = 0; i < parallelism; i++) {
if (random != null) {
signerBuilder.setSecureRandom(random);
}
ContentSigner signer;
try {
signer = signerBuilder.build(keyparam);
} catch (OperatorCreationException ex) {
throw new XiSecurityException("operator creation error", ex);
}
signers.add(new XiWrappedContentSigner(signer, true));
}
}
final boolean mac = false;
ConcurrentContentSigner concurrentSigner;
try {
concurrentSigner = new DfltConcurrentContentSigner(mac, signers, key);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
if (certificateChain != null) {
concurrentSigner.setCertificateChain(certificateChain);
} else {
concurrentSigner.setPublicKey(publicKey);
}
return concurrentSigner;
}
use of org.xipki.security.XiContentSigner in project xipki by xipki.
the class P11MacContentSignerBuilder method createSigner.
// constructor
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism) throws XiSecurityException, P11TokenException {
ParamUtil.requireMin("parallelism", parallelism, 1);
List<XiContentSigner> signers = new ArrayList<>(parallelism);
for (int i = 0; i < parallelism; i++) {
XiContentSigner signer = new P11MacContentSigner(cryptService, identityId, signatureAlgId);
signers.add(signer);
}
// end for
final boolean mac = true;
DfltConcurrentContentSigner concurrentSigner;
try {
concurrentSigner = new DfltConcurrentContentSigner(mac, signers, null);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
try {
byte[] sha1HashOfKey = cryptService.getIdentity(identityId).digestSecretKey(PKCS11Constants.CKM_SHA_1);
concurrentSigner.setSha1DigestOfMacKey(sha1HashOfKey);
} catch (P11TokenException | XiSecurityException ex) {
LogUtil.warn(LOG, ex, "could not compute the digest of secret key " + identityId);
}
return concurrentSigner;
}
Aggregations