Example 1 with P11IVParams
use of org.xipki.security.pkcs11.P11Params.P11IVParams in project xipki by xipki.
the class P11ProxyResponder method processRequest.
/**
* The request is constructed as follows:
* <pre>
* 0 - - - 1 - - - 2 - - - 3 - - - 4 - - - 5 - - - 6 - - - 7 - - - 8
* | Version | Transaction ID | Body ... |
* | ... Length | Action | Module ID | Content... |
* | .Content | <-- 10 + Length (offset).
*
* </pre>
*/
byte[] processRequest(LocalP11CryptServicePool pool, byte[] request) {
int reqLen = request.length;
// TransactionID
byte[] transactionId = new byte[4];
if (reqLen > 5) {
System.arraycopy(request, 2, transactionId, 0, 4);
}
// Action
short action = P11ProxyConstants.ACTION_NOPE;
if (reqLen > 11) {
action = IoUtil.parseShort(request, 10);
}
if (reqLen < 14) {
LOG.error("response too short");
return getResp(P11ProxyConstants.VERSION_V1_0, transactionId, action, P11ProxyConstants.RC_BAD_REQUEST);
}
// Version
short version = IoUtil.parseShort(request, 0);
if (!versions.contains(version)) {
LOG.error("unsupported version {}", version);
return getResp(P11ProxyConstants.VERSION_V1_0, transactionId, action, P11ProxyConstants.RC_UNSUPPORTED_VERSION);
}
// Length
int reqBodyLen = IoUtil.parseInt(request, 6);
if (reqBodyLen + 10 != reqLen) {
LOG.error("message length unmatch");
return getResp(version, transactionId, action, P11ProxyConstants.RC_BAD_REQUEST);
}
short moduleId = IoUtil.parseShort(request, 12);
int contentLen = reqLen - 14;
byte[] content;
if (contentLen == 0) {
if (actionsRequireNonNullRequest.contains(action)) {
LOG.error("content is not present but is required");
return getResp(version, transactionId, P11ProxyConstants.RC_BAD_REQUEST, action);
}
content = null;
} else {
if (actionsRequireNullRequest.contains(action)) {
LOG.error("content is present but is not permitted");
return getResp(version, transactionId, P11ProxyConstants.RC_BAD_REQUEST, action);
}
content = new byte[contentLen];
System.arraycopy(request, 14, content, 0, contentLen);
}
P11CryptService p11CryptService = pool.getP11CryptService(moduleId);
if (p11CryptService == null) {
LOG.error("no module {} available", moduleId);
return getResp(version, transactionId, P11ProxyConstants.RC_UNKNOWN_MODULE, action);
}
try {
switch(action) {
case P11ProxyConstants.ACTION_ADD_CERT:
{
Asn1EntityIdAndCert asn1 = Asn1EntityIdAndCert.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getEntityId());
X509Certificate cert = X509Util.toX509Cert(asn1.getCertificate());
slot.addCert(asn1.getEntityId().getObjectId().getObjectId(), cert);
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
case P11ProxyConstants.ACTION_DIGEST_SECRETKEY:
{
Asn1DigestSecretKeyTemplate template = Asn1DigestSecretKeyTemplate.getInstance(content);
long mechanism = template.getMechanism().getMechanism();
P11Identity identity = p11CryptService.getIdentity(template.getIdentityId().getEntityId());
byte[] hashValue = identity.digestSecretKey(mechanism);
ASN1Object obj = new DEROctetString(hashValue);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_DSA:
{
Asn1GenDSAKeypairParams asn1 = Asn1GenDSAKeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.generateDSAKeypair(asn1.getP(), asn1.getQ(), asn1.getG(), asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_EC:
{
Asn1GenECKeypairParams asn1 = Asn1GenECKeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.generateECKeypair(asn1.getCurveId().getId(), asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_RSA:
{
Asn1GenRSAKeypairParams asn1 = Asn1GenRSAKeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.generateRSAKeypair(asn1.getKeysize(), asn1.getPublicExponent(), asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_SM2:
{
Asn1GenSM2KeypairParams asn1 = Asn1GenSM2KeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.generateSM2Keypair(asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_SECRET_KEY:
{
Asn1GenSecretKeyParams asn1 = Asn1GenSecretKeyParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.generateSecretKey(asn1.getKeyType(), asn1.getKeysize(), asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_CERT:
{
P11EntityIdentifier entityId = Asn1P11EntityIdentifier.getInstance(content).getEntityId();
X509Certificate cert = p11CryptService.getIdentity(entityId).getCertificate();
return getSuccessResp(version, transactionId, action, cert.getEncoded());
}
case P11ProxyConstants.ACTION_GET_CERT_IDS:
case P11ProxyConstants.ACTION_GET_IDENTITY_IDS:
{
Asn1P11SlotIdentifier slotId = Asn1P11SlotIdentifier.getInstance(content);
P11Slot slot = p11CryptService.getModule().getSlot(slotId.getSlotId());
Set<P11ObjectIdentifier> objectIds;
if (P11ProxyConstants.ACTION_GET_CERT_IDS == action) {
objectIds = slot.getCertIdentifiers();
} else {
objectIds = slot.getIdentityIdentifiers();
}
ASN1EncodableVector vec = new ASN1EncodableVector();
for (P11ObjectIdentifier objectId : objectIds) {
vec.add(new Asn1P11ObjectIdentifier(objectId));
}
ASN1Object obj = new DERSequence(vec);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_MECHANISMS:
{
P11SlotIdentifier slotId = Asn1P11SlotIdentifier.getInstance(content).getSlotId();
Set<Long> mechs = p11CryptService.getSlot(slotId).getMechanisms();
ASN1EncodableVector vec = new ASN1EncodableVector();
for (Long mech : mechs) {
vec.add(new ASN1Integer(mech));
}
ASN1Object obj = new DERSequence(vec);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_PUBLICKEY:
{
P11EntityIdentifier identityId = Asn1P11EntityIdentifier.getInstance(content).getEntityId();
PublicKey pubKey = p11CryptService.getIdentity(identityId).getPublicKey();
if (pubKey == null) {
throw new P11UnknownEntityException(identityId);
}
ASN1Object obj = KeyUtil.createSubjectPublicKeyInfo(pubKey);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_SERVER_CAPS:
{
boolean readOnly = p11CryptService.getModule().isReadOnly();
ASN1Object obj = new Asn1ServerCaps(readOnly, versions);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_SLOT_IDS:
{
List<P11SlotIdentifier> slotIds = p11CryptService.getModule().getSlotIds();
ASN1EncodableVector vector = new ASN1EncodableVector();
for (P11SlotIdentifier slotId : slotIds) {
vector.add(new Asn1P11SlotIdentifier(slotId));
}
ASN1Object obj = new DERSequence(vector);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_IMPORT_SECRET_KEY:
{
Asn1ImportSecretKeyParams asn1 = Asn1ImportSecretKeyParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.importSecretKey(asn1.getKeyType(), asn1.getKeyValue(), asn1.getLabel(), asn1.getControl());
ASN1Object obj = new Asn1P11EntityIdentifier(asn1.getSlotId(), keyId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_REMOVE_CERTS:
{
Asn1P11EntityIdentifier asn1 = Asn1P11EntityIdentifier.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1);
slot.removeCerts(asn1.getObjectId().getObjectId());
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
case P11ProxyConstants.ACTION_REMOVE_IDENTITY:
{
Asn1P11EntityIdentifier asn1 = Asn1P11EntityIdentifier.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1);
slot.removeIdentity(asn1.getObjectId().getObjectId());
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
case P11ProxyConstants.ACTION_REMOVE_OBJECTS:
{
Asn1RemoveObjectsParams asn1 = Asn1RemoveObjectsParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
int num = slot.removeObjects(asn1.getOjectId(), asn1.getObjectLabel());
ASN1Object obj = new ASN1Integer(num);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_SIGN:
{
Asn1SignTemplate signTemplate = Asn1SignTemplate.getInstance(content);
long mechanism = signTemplate.getMechanism().getMechanism();
Asn1P11Params asn1Params = signTemplate.getMechanism().getParams();
P11Params params = null;
if (asn1Params != null) {
switch(asn1Params.getTagNo()) {
case Asn1P11Params.TAG_RSA_PKCS_PSS:
params = Asn1RSAPkcsPssParams.getInstance(asn1Params).getPkcsPssParams();
break;
case Asn1P11Params.TAG_OPAQUE:
params = new P11ByteArrayParams(ASN1OctetString.getInstance(asn1Params).getOctets());
break;
case Asn1P11Params.TAG_IV:
params = new P11IVParams(ASN1OctetString.getInstance(asn1Params).getOctets());
break;
default:
throw new BadAsn1ObjectException("unknown SignTemplate.params: unknown tag " + asn1Params.getTagNo());
}
}
byte[] message = signTemplate.getMessage();
P11Identity identity = p11CryptService.getIdentity(signTemplate.getIdentityId().getEntityId());
byte[] signature = identity.sign(mechanism, params, message);
ASN1Object obj = new DEROctetString(signature);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_UPDATE_CERT:
{
Asn1EntityIdAndCert asn1 = Asn1EntityIdAndCert.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getEntityId());
slot.updateCertificate(asn1.getEntityId().getObjectId().getObjectId(), X509Util.toX509Cert(asn1.getCertificate()));
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
default:
{
LOG.error("unsupported XiPKI action code '{}'", action);
return getResp(version, transactionId, action, P11ProxyConstants.RC_UNSUPPORTED_ACTION);
}
}
} catch (BadAsn1ObjectException ex) {
LogUtil.error(LOG, ex, "could not process decode requested content (tid=" + Hex.encode(transactionId) + ")");
return getResp(version, transactionId, action, P11ProxyConstants.RC_BAD_REQUEST);
} catch (P11TokenException ex) {
LogUtil.error(LOG, ex, buildErrorMsg(action, transactionId));
short rc;
if (ex instanceof P11UnknownEntityException) {
rc = P11ProxyConstants.RC_DUPLICATE_ENTITY;
} else if (ex instanceof P11DuplicateEntityException) {
rc = P11ProxyConstants.RC_DUPLICATE_ENTITY;
} else if (ex instanceof P11UnsupportedMechanismException) {
rc = P11ProxyConstants.RC_UNSUPPORTED_MECHANISM;
} else {
rc = P11ProxyConstants.RC_P11_TOKENERROR;
}
return getResp(version, transactionId, action, rc);
} catch (XiSecurityException | CertificateException | InvalidKeyException ex) {
LogUtil.error(LOG, ex, buildErrorMsg(action, transactionId));
return getResp(version, transactionId, action, P11ProxyConstants.RC_INTERNAL_ERROR);
} catch (Throwable th) {
LogUtil.error(LOG, th, buildErrorMsg(action, transactionId));
return getResp(version, transactionId, action, P11ProxyConstants.RC_INTERNAL_ERROR);
}
}
Also used :
Set(java.util.Set)
HashSet(java.util.HashSet)
Asn1ServerCaps(org.xipki.p11proxy.msg.Asn1ServerCaps)
P11TokenException(org.xipki.security.exception.P11TokenException)
Asn1P11EntityIdentifier(org.xipki.p11proxy.msg.Asn1P11EntityIdentifier)
P11EntityIdentifier(org.xipki.security.pkcs11.P11EntityIdentifier)
CertificateException(java.security.cert.CertificateException)
Asn1P11Params(org.xipki.p11proxy.msg.Asn1P11Params)
P11Params(org.xipki.security.pkcs11.P11Params)
Asn1RemoveObjectsParams(org.xipki.p11proxy.msg.Asn1RemoveObjectsParams)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
P11DuplicateEntityException(org.xipki.security.exception.P11DuplicateEntityException)
Asn1GenSecretKeyParams(org.xipki.p11proxy.msg.Asn1GenSecretKeyParams)
Asn1P11EntityIdentifier(org.xipki.p11proxy.msg.Asn1P11EntityIdentifier)
DERSequence(org.bouncycastle.asn1.DERSequence)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
P11ByteArrayParams(org.xipki.security.pkcs11.P11ByteArrayParams)
P11UnknownEntityException(org.xipki.security.exception.P11UnknownEntityException)
Asn1DigestSecretKeyTemplate(org.xipki.p11proxy.msg.Asn1DigestSecretKeyTemplate)
Asn1GenDSAKeypairParams(org.xipki.p11proxy.msg.Asn1GenDSAKeypairParams)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
List(java.util.List)
Asn1ImportSecretKeyParams(org.xipki.p11proxy.msg.Asn1ImportSecretKeyParams)
ASN1Object(org.bouncycastle.asn1.ASN1Object)
Asn1P11Params(org.xipki.p11proxy.msg.Asn1P11Params)
Asn1P11SlotIdentifier(org.xipki.p11proxy.msg.Asn1P11SlotIdentifier)
P11SlotIdentifier(org.xipki.security.pkcs11.P11SlotIdentifier)
PublicKey(java.security.PublicKey)
Asn1SignTemplate(org.xipki.p11proxy.msg.Asn1SignTemplate)
P11Slot(org.xipki.security.pkcs11.P11Slot)
Asn1P11ObjectIdentifier(org.xipki.p11proxy.msg.Asn1P11ObjectIdentifier)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
P11Identity(org.xipki.security.pkcs11.P11Identity)
InvalidKeyException(java.security.InvalidKeyException)
P11CryptService(org.xipki.security.pkcs11.P11CryptService)
X509Certificate(java.security.cert.X509Certificate)
Asn1GenRSAKeypairParams(org.xipki.p11proxy.msg.Asn1GenRSAKeypairParams)
Asn1EntityIdAndCert(org.xipki.p11proxy.msg.Asn1EntityIdAndCert)
P11UnsupportedMechanismException(org.xipki.security.exception.P11UnsupportedMechanismException)
Asn1GenSM2KeypairParams(org.xipki.p11proxy.msg.Asn1GenSM2KeypairParams)
Asn1P11ObjectIdentifier(org.xipki.p11proxy.msg.Asn1P11ObjectIdentifier)
P11ObjectIdentifier(org.xipki.security.pkcs11.P11ObjectIdentifier)
Asn1GenECKeypairParams(org.xipki.p11proxy.msg.Asn1GenECKeypairParams)
P11IVParams(org.xipki.security.pkcs11.P11IVParams)
Asn1P11SlotIdentifier(org.xipki.p11proxy.msg.Asn1P11SlotIdentifier)
BadAsn1ObjectException(org.xipki.security.exception.BadAsn1ObjectException)
Example 2 with P11IVParams
use of org.xipki.security.pkcs11.P11Params.P11IVParams in project xipki by xipki.
the class ProxyP11Identity method sign0.
@Override
protected byte[] sign0(long mechanism, P11Params parameters, byte[] content) throws P11TokenException {
org.xipki.security.pkcs11.proxy.asn1.P11Params p11Param = null;
if (parameters != null) {
if (parameters instanceof P11RSAPkcsPssParams) {
p11Param = new org.xipki.security.pkcs11.proxy.asn1.P11Params(org.xipki.security.pkcs11.proxy.asn1.P11Params.TAG_RSA_PKCS_PSS, new RSAPkcsPssParams((P11RSAPkcsPssParams) parameters));
} else if (parameters instanceof P11ByteArrayParams) {
byte[] bytes = ((P11ByteArrayParams) parameters).getBytes();
p11Param = new org.xipki.security.pkcs11.proxy.asn1.P11Params(org.xipki.security.pkcs11.proxy.asn1.P11Params.TAG_OPAQUE, new DEROctetString(bytes));
} else if (parameters instanceof P11IVParams) {
p11Param = new org.xipki.security.pkcs11.proxy.asn1.P11Params(org.xipki.security.pkcs11.proxy.asn1.P11Params.TAG_IV, new DEROctetString(((P11IVParams) parameters).getIV()));
} else {
throw new IllegalArgumentException("unkown parameter 'parameters'");
}
}
SignTemplate signTemplate = new SignTemplate(((ProxyP11Slot) slot).getAsn1SlotId(), asn1KeyId, mechanism, p11Param, content);
byte[] result = ((ProxyP11Slot) slot).getModule().send(P11ProxyConstants.ACTION_SIGN, signTemplate);
ASN1OctetString octetString;
try {
octetString = DEROctetString.getInstance(result);
} catch (IllegalArgumentException ex) {
throw new P11TokenException("the returned result is not OCTET STRING");
}
return (octetString == null) ? null : octetString.getOctets();
}
Also used :
ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString)
P11TokenException(org.xipki.security.pkcs11.P11TokenException)
P11Params(org.xipki.security.pkcs11.P11Params)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
P11ByteArrayParams(org.xipki.security.pkcs11.P11Params.P11ByteArrayParams)
SignTemplate(org.xipki.security.pkcs11.proxy.asn1.SignTemplate)
P11RSAPkcsPssParams(org.xipki.security.pkcs11.P11Params.P11RSAPkcsPssParams)
P11IVParams(org.xipki.security.pkcs11.P11Params.P11IVParams)
P11RSAPkcsPssParams(org.xipki.security.pkcs11.P11Params.P11RSAPkcsPssParams)
RSAPkcsPssParams(org.xipki.security.pkcs11.proxy.asn1.RSAPkcsPssParams)
Example 3 with P11IVParams
use of org.xipki.security.pkcs11.P11Params.P11IVParams in project xipki by xipki.
the class P11ProxyResponder method processRequest.
/**
* The request is constructed as follows.
* <pre>
* 0 - - - 1 - - - 2 - - - 3 - - - 4 - - - 5 - - - 6 - - - 7 - - - 8
* | Version | Transaction ID | Body ... |
* | ... Length | Action | Module ID | Content... |
* | .Content | <-- 10 + Length (offset).
*
* </pre>
*
* @param pool
* The pool that holds the P11CryptService.
* @param request
* The request.
* @return response.
*/
public byte[] processRequest(LocalP11CryptServicePool pool, byte[] request) {
int reqLen = request.length;
// TransactionID
byte[] transactionId = new byte[4];
if (reqLen > 5) {
System.arraycopy(request, 2, transactionId, 0, 4);
}
// Action
short action = P11ProxyConstants.ACTION_NOPE;
if (reqLen > 11) {
action = IoUtil.parseShort(request, 10);
}
if (reqLen < 14) {
LOG.error("response too short");
return getResp(P11ProxyConstants.VERSION_V1_0, transactionId, P11ProxyConstants.RC_BAD_REQUEST, action);
}
// Version
short version = IoUtil.parseShort(request, 0);
if (!versions.contains(version)) {
LOG.error("unsupported version {}", version);
return getResp(P11ProxyConstants.VERSION_V1_0, transactionId, P11ProxyConstants.RC_UNSUPPORTED_VERSION, action);
}
// Length
int reqBodyLen = IoUtil.parseInt(request, 6);
if (reqBodyLen + 10 != reqLen) {
LOG.error("message length unmatch");
return getResp(version, transactionId, P11ProxyConstants.RC_BAD_REQUEST, action);
}
short moduleId = IoUtil.parseShort(request, 12);
int contentLen = reqLen - 14;
byte[] content;
if (contentLen == 0) {
if (actionsRequireNonNullRequest.contains(action)) {
LOG.error("content is not present but is required");
return getResp(version, transactionId, P11ProxyConstants.RC_BAD_REQUEST, action);
}
content = null;
} else {
if (actionsRequireNullRequest.contains(action)) {
LOG.error("content is present but is not permitted");
return getResp(version, transactionId, P11ProxyConstants.RC_BAD_REQUEST, action);
}
content = new byte[contentLen];
System.arraycopy(request, 14, content, 0, contentLen);
}
P11CryptService p11CryptService = pool.getP11CryptService(moduleId);
if (p11CryptService == null) {
LOG.error("no module {} available", moduleId);
return getResp(version, transactionId, P11ProxyConstants.RC_UNKNOWN_MODULE, action);
}
try {
switch(action) {
case P11ProxyConstants.ACTION_ADD_CERT:
{
AddCertParams asn1 = AddCertParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
X509Cert cert = new X509Cert(asn1.getCertificate());
slot.addCert(cert, asn1.getControl());
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
case P11ProxyConstants.ACTION_DIGEST_SECRETKEY:
{
DigestSecretKeyTemplate template = DigestSecretKeyTemplate.getInstance(content);
long mechanism = template.getMechanism().getMechanism();
P11Identity identity = p11CryptService.getIdentity(template.getSlotId().getValue(), template.getObjectId().getValue());
byte[] hashValue = identity.digestSecretKey(mechanism);
ASN1Object obj = new DEROctetString(hashValue);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_DSA:
{
GenDSAKeypairParams asn1 = GenDSAKeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11IdentityId identityId = slot.generateDSAKeypair(asn1.getP(), asn1.getQ(), asn1.getG(), asn1.getControl());
ASN1Object obj = new IdentityId(identityId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_EC:
{
GenECKeypairParams asn1 = GenECKeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11IdentityId identityId = slot.generateECKeypair(asn1.getCurveId(), asn1.getControl());
ASN1Object obj = new IdentityId(identityId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_EC_EDWARDS:
{
GenECEdwardsOrMontgomeryKeypairParams asn1 = GenECEdwardsOrMontgomeryKeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11IdentityId identityId = slot.generateECEdwardsKeypair(asn1.getCurveOid(), asn1.getControl());
ASN1Object obj = new IdentityId(identityId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_EC_MONTGOMERY:
{
GenECEdwardsOrMontgomeryKeypairParams asn1 = GenECEdwardsOrMontgomeryKeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11IdentityId identityId = slot.generateECMontgomeryKeypair(asn1.getCurveOid(), asn1.getControl());
ASN1Object obj = new IdentityId(identityId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_RSA:
{
GenRSAKeypairParams asn1 = GenRSAKeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11IdentityId identityId = slot.generateRSAKeypair(asn1.getKeysize(), asn1.getPublicExponent(), asn1.getControl());
ASN1Object obj = new IdentityId(identityId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_KEYPAIR_SM2:
{
GenSM2KeypairParams asn1 = GenSM2KeypairParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11IdentityId identityId = slot.generateSM2Keypair(asn1.getControl());
ASN1Object obj = new IdentityId(identityId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GEN_SECRET_KEY:
{
GenSecretKeyParams asn1 = GenSecretKeyParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11IdentityId identityId = slot.generateSecretKey(asn1.getKeyType(), asn1.getKeysize(), asn1.getControl());
ASN1Object obj = new IdentityId(identityId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_CERT:
{
SlotIdAndObjectId identityId = SlotIdAndObjectId.getInstance(content);
P11SlotIdentifier slotId = identityId.getSlotId().getValue();
P11ObjectIdentifier certId = identityId.getObjectId().getValue();
X509Cert cert = p11CryptService.getCert(slotId, certId);
if (cert == null) {
throw new P11UnknownEntityException(slotId, certId);
}
return getSuccessResp(version, transactionId, action, cert.getEncoded());
}
case P11ProxyConstants.ACTION_GET_CERT_IDS:
case P11ProxyConstants.ACTION_GET_PUBLICKEY_IDS:
case P11ProxyConstants.ACTION_GET_IDENTITY_IDS:
{
SlotIdentifier slotId = SlotIdentifier.getInstance(content);
P11Slot slot = p11CryptService.getModule().getSlot(slotId.getValue());
Set<P11ObjectIdentifier> objectIds;
if (P11ProxyConstants.ACTION_GET_CERT_IDS == action) {
objectIds = slot.getCertIds();
} else if (P11ProxyConstants.ACTION_GET_IDENTITY_IDS == action) {
objectIds = slot.getIdentityKeyIds();
} else {
Set<P11ObjectIdentifier> identityKeyIds = slot.getIdentityKeyIds();
objectIds = new HashSet<>();
for (P11ObjectIdentifier identityKeyId : identityKeyIds) {
objectIds.add(slot.getIdentity(identityKeyId).getId().getPublicKeyId());
}
}
ASN1EncodableVector vec = new ASN1EncodableVector();
for (P11ObjectIdentifier objectId : objectIds) {
vec.add(new ObjectIdentifier(objectId));
}
ASN1Object obj = new DERSequence(vec);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_MECHANISMS:
{
P11SlotIdentifier slotId = SlotIdentifier.getInstance(content).getValue();
Set<Long> mechs = p11CryptService.getSlot(slotId).getMechanisms();
ASN1EncodableVector vec = new ASN1EncodableVector();
for (Long mech : mechs) {
vec.add(new ASN1Integer(mech));
}
ASN1Object obj = new DERSequence(vec);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_PUBLICKEY:
{
SlotIdAndObjectId identityId = SlotIdAndObjectId.getInstance(content);
P11SlotIdentifier slotId = identityId.getSlotId().getValue();
P11ObjectIdentifier pubKeyId = identityId.getObjectId().getValue();
// find out the keyId
PublicKey pubKey = null;
P11Slot slot = getSlot(p11CryptService, slotId);
Set<P11ObjectIdentifier> identityKeyIds = slot.getIdentityKeyIds();
for (P11ObjectIdentifier identityKeyId : identityKeyIds) {
P11Identity identity = slot.getIdentity(identityKeyId);
if (pubKeyId.equals(identity.getId().getPublicKeyId())) {
pubKey = identity.getPublicKey();
}
}
if (pubKey == null) {
throw new P11UnknownEntityException(slotId, pubKeyId);
}
ASN1Object obj = KeyUtil.createSubjectPublicKeyInfo(pubKey);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_SERVER_CAPS:
{
boolean readOnly = p11CryptService.getModule().isReadOnly();
ASN1Object obj = new ServerCaps(readOnly, versions);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_GET_SLOT_IDS:
{
List<P11SlotIdentifier> slotIds = p11CryptService.getModule().getSlotIds();
ASN1EncodableVector vector = new ASN1EncodableVector();
for (P11SlotIdentifier slotId : slotIds) {
vector.add(new SlotIdentifier(slotId));
}
ASN1Object obj = new DERSequence(vector);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_IMPORT_SECRET_KEY:
{
ImportSecretKeyParams asn1 = ImportSecretKeyParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
P11ObjectIdentifier keyId = slot.importSecretKey(asn1.getKeyType(), asn1.getKeyValue(), asn1.getControl());
P11IdentityId identityId = new P11IdentityId(asn1.getSlotId(), keyId, null, null);
ASN1Object obj = new IdentityId(identityId);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_REMOVE_CERTS:
{
SlotIdAndObjectId asn1 = SlotIdAndObjectId.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId().getValue());
slot.removeCerts(asn1.getObjectId().getValue());
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
case P11ProxyConstants.ACTION_REMOVE_IDENTITY:
{
SlotIdAndObjectId asn1 = SlotIdAndObjectId.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId().getValue());
slot.removeIdentityByKeyId(asn1.getObjectId().getValue());
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
case P11ProxyConstants.ACTION_REMOVE_OBJECTS:
{
RemoveObjectsParams asn1 = RemoveObjectsParams.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId());
int num = slot.removeObjects(asn1.getOjectId(), asn1.getObjectLabel());
ASN1Object obj = new ASN1Integer(num);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_SIGN:
{
SignTemplate signTemplate = SignTemplate.getInstance(content);
long mechanism = signTemplate.getMechanism().getMechanism();
org.xipki.security.pkcs11.proxy.asn1.P11Params asn1Params = signTemplate.getMechanism().getParams();
P11Params params = null;
if (asn1Params != null) {
switch(asn1Params.getTagNo()) {
case org.xipki.security.pkcs11.proxy.asn1.P11Params.TAG_RSA_PKCS_PSS:
params = RSAPkcsPssParams.getInstance(asn1Params).getPkcsPssParams();
break;
case org.xipki.security.pkcs11.proxy.asn1.P11Params.TAG_OPAQUE:
params = new P11ByteArrayParams(ASN1OctetString.getInstance(asn1Params).getOctets());
break;
case org.xipki.security.pkcs11.proxy.asn1.P11Params.TAG_IV:
params = new P11IVParams(ASN1OctetString.getInstance(asn1Params).getOctets());
break;
default:
throw new BadAsn1ObjectException("unknown SignTemplate.params: unknown tag " + asn1Params.getTagNo());
}
}
byte[] message = signTemplate.getMessage();
P11Identity identity = p11CryptService.getIdentity(signTemplate.getSlotId().getValue(), signTemplate.getObjectId().getValue());
if (identity == null) {
return getResp(version, transactionId, P11ProxyConstants.RC_UNKNOWN_ENTITY, action);
}
byte[] signature = identity.sign(mechanism, params, message);
ASN1Object obj = new DEROctetString(signature);
return getSuccessResp(version, transactionId, action, obj);
}
case P11ProxyConstants.ACTION_UPDATE_CERT:
{
ObjectIdAndCert asn1 = ObjectIdAndCert.getInstance(content);
P11Slot slot = getSlot(p11CryptService, asn1.getSlotId().getValue());
slot.updateCertificate(asn1.getObjectId().getValue(), new X509Cert(asn1.getCertificate()));
return getSuccessResp(version, transactionId, action, (byte[]) null);
}
default:
{
LOG.error("unsupported XiPKI action code '{}'", action);
return getResp(version, transactionId, P11ProxyConstants.RC_UNSUPPORTED_ACTION, action);
}
}
} catch (BadAsn1ObjectException ex) {
LogUtil.error(LOG, ex, "could not process decode requested content (tid=" + Hex.encode(transactionId) + ")");
return getResp(version, transactionId, P11ProxyConstants.RC_BAD_REQUEST, action);
} catch (P11TokenException ex) {
LogUtil.error(LOG, ex, buildErrorMsg(action, transactionId));
short rc;
if (ex instanceof P11UnknownEntityException) {
rc = P11ProxyConstants.RC_UNKNOWN_ENTITY;
} else if (ex instanceof P11DuplicateEntityException) {
rc = P11ProxyConstants.RC_DUPLICATE_ENTITY;
} else if (ex instanceof P11UnsupportedMechanismException) {
rc = P11ProxyConstants.RC_UNSUPPORTED_MECHANISM;
} else {
rc = P11ProxyConstants.RC_P11_TOKENERROR;
}
return getResp(version, transactionId, rc, action);
} catch (Throwable th) {
LogUtil.error(LOG, th, buildErrorMsg(action, transactionId));
return getResp(version, transactionId, P11ProxyConstants.RC_INTERNAL_ERROR, action);
}
}
Also used :
P11Params(org.xipki.security.pkcs11.P11Params)
List(java.util.List)
PublicKey(java.security.PublicKey)
P11IVParams(org.xipki.security.pkcs11.P11Params.P11IVParams)
Set(java.util.Set)
HashSet(java.util.HashSet)
P11ByteArrayParams(org.xipki.security.pkcs11.P11Params.P11ByteArrayParams)
X509Cert(org.xipki.security.X509Cert)
BadAsn1ObjectException(org.xipki.security.BadAsn1ObjectException)
Example 4 with P11IVParams
use of org.xipki.security.pkcs11.P11Params.P11IVParams in project xipki by xipki.
the class IaikP11Slot method getMechanism.
private static Mechanism getMechanism(long mechanism, P11Params parameters) throws P11TokenException {
Mechanism ret = Mechanism.get(mechanism);
if (parameters == null) {
return ret;
}
Params paramObj;
if (parameters instanceof P11RSAPkcsPssParams) {
P11RSAPkcsPssParams param = (P11RSAPkcsPssParams) parameters;
paramObj = new RSAPkcsPssParams(Mechanism.get(param.getHashAlgorithm()), param.getMaskGenerationFunction(), param.getSaltLength());
} else if (parameters instanceof P11ByteArrayParams) {
paramObj = new OpaqueParams(((P11ByteArrayParams) parameters).getBytes());
} else if (parameters instanceof P11IVParams) {
paramObj = new IVParams(((P11IVParams) parameters).getIV());
} else {
throw new P11TokenException("unknown P11Parameters " + parameters.getClass().getName());
}
if (paramObj != null) {
ret.setParams(paramObj);
}
return ret;
}
Also used :
OpaqueParams(iaik.pkcs.pkcs11.params.OpaqueParams)
P11ByteArrayParams(org.xipki.security.pkcs11.P11ByteArrayParams)
P11TokenException(org.xipki.security.exception.P11TokenException)
P11RSAPkcsPssParams(org.xipki.security.pkcs11.P11RSAPkcsPssParams)
IVParams(iaik.pkcs.pkcs11.params.IVParams)
P11ByteArrayParams(org.xipki.security.pkcs11.P11ByteArrayParams)
RSAPkcsPssParams(iaik.pkcs.pkcs11.params.RSAPkcsPssParams)
P11IVParams(org.xipki.security.pkcs11.P11IVParams)
P11Params(org.xipki.security.pkcs11.P11Params)
Params(iaik.pkcs.pkcs11.params.Params)
OpaqueParams(iaik.pkcs.pkcs11.params.OpaqueParams)
P11RSAPkcsPssParams(org.xipki.security.pkcs11.P11RSAPkcsPssParams)
Mechanism(iaik.pkcs.pkcs11.Mechanism)
P11IVParams(org.xipki.security.pkcs11.P11IVParams)
IVParams(iaik.pkcs.pkcs11.params.IVParams)
P11IVParams(org.xipki.security.pkcs11.P11IVParams)
P11RSAPkcsPssParams(org.xipki.security.pkcs11.P11RSAPkcsPssParams)
RSAPkcsPssParams(iaik.pkcs.pkcs11.params.RSAPkcsPssParams)
Aggregations
P11Params (org.xipki.security.pkcs11.P11Params)4
PublicKey (java.security.PublicKey)2
HashSet (java.util.HashSet)2
List (java.util.List)2
Set (java.util.Set)2
DEROctetString (org.bouncycastle.asn1.DEROctetString)2
P11TokenException (org.xipki.security.exception.P11TokenException)2
P11ByteArrayParams (org.xipki.security.pkcs11.P11ByteArrayParams)2
P11ByteArrayParams (org.xipki.security.pkcs11.P11Params.P11ByteArrayParams)2
P11IVParams (org.xipki.security.pkcs11.P11Params.P11IVParams)2
Mechanism (iaik.pkcs.pkcs11.Mechanism)1
IVParams (iaik.pkcs.pkcs11.params.IVParams)1
OpaqueParams (iaik.pkcs.pkcs11.params.OpaqueParams)1
Params (iaik.pkcs.pkcs11.params.Params)1
RSAPkcsPssParams (iaik.pkcs.pkcs11.params.RSAPkcsPssParams)1
InvalidKeyException (java.security.InvalidKeyException)1
CertificateException (java.security.cert.CertificateException)1
X509Certificate (java.security.cert.X509Certificate)1
ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)1
ASN1Integer (org.bouncycastle.asn1.ASN1Integer)1
