
Example 1 with P11PrivateKey

use of org.xipki.security.pkcs11.provider.P11PrivateKey in project xipki by xipki.

the class XiKeyStoreSpi method engineLoad.

/**
 * Loads every identity of one PKCS#11 module that carries a certificate chain into
 * {@code keyCerts}.
 *
 * <p>Each accepted identity is wrapped in a {@link P11PrivateKey} (built from the crypt service
 * and the identity id) and stored under four aliases: slot id or slot index, combined with
 * key id (hex) or key label. Identities whose certificate chain is {@code null} or empty are
 * skipped.
 *
 * <p>NOTE(review): the label-based aliases are built from the object label reported by the
 * token. If {@code keyCerts} is a map and two identities in the same slot share a label, the
 * later one presumably replaces the earlier one under the {@code #keylabel-} aliases; confirm
 * that callers selecting a signing key by label can tolerate this.
 *
 * @param moduleName name handed to the crypt-service factory and used as the alias prefix
 * @throws P11TokenException declared for the PKCS#11 calls made here
 * @throws XiSecurityException declared for the PKCS#11 calls made here
 */
private void engineLoad(String moduleName) throws P11TokenException, XiSecurityException {
    P11CryptService cryptService = p11CryptServiceFactory.getP11CryptService(moduleName);
    P11Module p11Module = cryptService.getModule();
    for (P11SlotIdentifier slotId : p11Module.getSlotIds()) {
        P11Slot slot = p11Module.getSlot(slotId);
        for (P11ObjectIdentifier objId : slot.getIdentityIdentifiers()) {
            P11Identity identity = slot.getIdentity(objId);
            X509Certificate[] certChain = identity.certificateChain();
            boolean hasCertificate = certChain != null && certChain.length > 0;
            if (!hasCertificate) {
                // A key without a certificate cannot form a key/cert entry.
                continue;
            }
            KeyCertEntry entry = new KeyCertEntry(
                    new P11PrivateKey(cryptService, identity.getIdentityId()), certChain);

            // The same entry is reachable by slot id or slot index, and by key id or key label.
            String bySlotId = moduleName + "#slotid-" + slotId.getId();
            String bySlotIndex = moduleName + "#slotindex-" + slotId.getIndex();
            String keyIdSuffix = "#keyid-" + objId.getIdHex();
            String keyLabelSuffix = "#keylabel-" + objId.getLabel();
            keyCerts.put(bySlotId + keyIdSuffix, entry);
            keyCerts.put(bySlotId + keyLabelSuffix, entry);
            keyCerts.put(bySlotIndex + keyIdSuffix, entry);
            keyCerts.put(bySlotIndex + keyLabelSuffix, entry);
        }
    }
}
Also used : P11Module(org.xipki.security.pkcs11.P11Module) P11SlotIdentifier(org.xipki.security.pkcs11.P11SlotIdentifier) P11Slot(org.xipki.security.pkcs11.P11Slot) P11Identity(org.xipki.security.pkcs11.P11Identity) P11CryptService(org.xipki.security.pkcs11.P11CryptService) P11ObjectIdentifier(org.xipki.security.pkcs11.P11ObjectIdentifier) X509Certificate(java.security.cert.X509Certificate)

Example 2 with P11PrivateKey

use of org.xipki.security.pkcs11.provider.P11PrivateKey in project xipki by xipki.

the class P11ContentSignerBuilder method createSigner.

// constructor
/**
 * Creates a concurrent content signer that signs with the PKCS#11 key of this builder.
 *
 * <p>One {@link XiContentSigner} is created per unit of {@code parallelism}. On the first
 * iteration the requested signature algorithm is checked against the type of
 * {@code publicKey} (RSA, EC, SM2 on the sm2primev2 curve, or DSA); a mismatch or an
 * unsupported key type is rejected with an {@link XiSecurityException} before any signer is
 * created. The returned signer holds a {@link P11PrivateKey} built from {@code cryptService}
 * and {@code identityId}, plus either the certificate chain or, if none is set, the public key.
 *
 * @param signatureAlgId signature algorithm the signers must produce
 * @param parallelism number of underlying signers; checked with
 *        {@code ParamUtil.requireMin(..., 1)}
 * @return the assembled concurrent signer
 * @throws XiSecurityException if the algorithm does not match the key type, the key type is
 *         unsupported, or the concurrent signer cannot be constructed
 * @throws P11TokenException declared for the PKCS#11 calls made while creating the signers
 */
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism) throws XiSecurityException, P11TokenException {
    ParamUtil.requireMin("parallelism", parallelism, 1);
    List<XiContentSigner> signerPool = new ArrayList<>(parallelism);
    // Decided once, on the first iteration, and only when the key is an EC key.
    Boolean onSm2Curve = null;
    for (int idx = 0; idx < parallelism; idx++) {
        // The algorithm/key compatibility checks only need to run once.
        final boolean firstPass = (idx == 0);
        XiContentSigner signer;
        if (publicKey instanceof RSAPublicKey) {
            if (firstPass && !AlgorithmUtil.isRSASigAlgId(signatureAlgId)) {
                throw new XiSecurityException("the given algorithm is not a valid RSA signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
            }
            signer = createRSAContentSigner(signatureAlgId);
        } else if (publicKey instanceof ECPublicKey) {
            ECPublicKey ecPublicKey = (ECPublicKey) publicKey;
            if (firstPass) {
                onSm2Curve = GMUtil.isSm2primev2Curve(ecPublicKey.getParams().getCurve());
                if (onSm2Curve) {
                    if (!AlgorithmUtil.isSM2SigAlg(signatureAlgId)) {
                        throw new XiSecurityException("the given algorithm is not a valid SM2 signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
                    }
                } else if (!AlgorithmUtil.isECSigAlg(signatureAlgId)) {
                    throw new XiSecurityException("the given algorithm is not a valid EC signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
                }
            }
            if (!onSm2Curve) {
                signer = createECContentSigner(signatureAlgId);
            } else {
                // The SM2 signer is given the curve OID and the affine coordinates of the public point.
                java.security.spec.ECPoint publicPoint = ecPublicKey.getW();
                signer = createSM2ContentSigner(signatureAlgId, GMObjectIdentifiers.sm2p256v1,
                        publicPoint.getAffineX(), publicPoint.getAffineY());
            }
        } else if (publicKey instanceof DSAPublicKey) {
            if (firstPass && !AlgorithmUtil.isDSASigAlg(signatureAlgId)) {
                throw new XiSecurityException("the given algorithm is not a valid DSA signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
            }
            signer = createDSAContentSigner(signatureAlgId);
        } else {
            throw new XiSecurityException("unsupported key " + publicKey.getClass().getName());
        }
        signerPool.add(signer);
    }

    // The key object carries only the crypt service and the identity id passed to it here.
    PrivateKey p11Key = new P11PrivateKey(cryptService, identityId);
    DfltConcurrentContentSigner result;
    try {
        // First argument is the "mac" flag: this builder produces signature signers, not MAC signers.
        result = new DfltConcurrentContentSigner(false, signerPool, p11Key);
    } catch (NoSuchAlgorithmException ex) {
        throw new XiSecurityException(ex.getMessage(), ex);
    }

    if (certificateChain == null) {
        result.setPublicKey(publicKey);
    } else {
        result.setCertificateChain(certificateChain);
    }
    return result;
}
Also used : P11PrivateKey(org.xipki.security.pkcs11.provider.P11PrivateKey) PrivateKey(java.security.PrivateKey) ArrayList(java.util.ArrayList) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) DSAPublicKey(java.security.interfaces.DSAPublicKey) XiSecurityException(org.xipki.security.exception.XiSecurityException) RSAPublicKey(java.security.interfaces.RSAPublicKey) ECPublicKey(java.security.interfaces.ECPublicKey) P11PrivateKey(org.xipki.security.pkcs11.provider.P11PrivateKey) DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner) XiContentSigner(org.xipki.security.XiContentSigner)

Example 3 with P11PrivateKey

use of org.xipki.security.pkcs11.provider.P11PrivateKey in project xipki by xipki.

the class P11RSAPSSSignatureSpi method engineInitSign.

/**
 * Initialises RSASSA-PSS signing with an RSA key held behind PKCS#11.
 *
 * <p>Only a {@link P11PrivateKey} whose algorithm name is {@code "RSA"} is accepted. The key is
 * stored in {@code signingKey}, a Bouncy Castle {@code PSSSigner} is built from the
 * {@code signer}, {@code contentDigest}, {@code mgfDigest}, {@code saltLength} and
 * {@code trailer} fields, and it is initialised for signing with a
 * {@link P11RSAKeyParameter} obtained from the key's crypt service and identity id.
 *
 * @param privateKey key to sign with; must be a {@link P11PrivateKey} for RSA
 * @param random source of randomness passed on to the PSS signer; may be {@code null}, in which
 *        case the signer is initialised without an explicit random source
 * @throws InvalidKeyException if the key is not a {@link P11PrivateKey} or not an RSA key
 */
protected void engineInitSign(PrivateKey privateKey, SecureRandom random) throws InvalidKeyException {
    // Type check first: a key of any other class must be rejected before the cast below.
    boolean isP11Key = privateKey instanceof P11PrivateKey;
    if (!isP11Key) {
        throw new InvalidKeyException("privateKey is not instanceof " + P11PrivateKey.class.getName());
    }

    String keyAlgorithm = privateKey.getAlgorithm();
    boolean isRsa = "RSA".equals(keyAlgorithm);
    if (!isRsa) {
        throw new InvalidKeyException("privateKey is not an RSA private key: " + keyAlgorithm);
    }

    this.signingKey = (P11PrivateKey) privateKey;
    pss = new org.bouncycastle.crypto.signers.PSSSigner(signer, contentDigest, mgfDigest, saltLength, trailer);

    P11RSAKeyParameter tokenKeyParam = P11RSAKeyParameter.getInstance(
            signingKey.getP11CryptService(), signingKey.getIdentityId());
    if (random != null) {
        // Caller-supplied randomness is attached to the key parameter.
        pss.init(true, new ParametersWithRandom(tokenKeyParam, random));
    } else {
        pss.init(true, tokenKeyParam);
    }
}
Also used : ParametersWithRandom(org.bouncycastle.crypto.params.ParametersWithRandom) InvalidKeyException(java.security.InvalidKeyException) P11RSAKeyParameter(org.xipki.security.pkcs11.P11RSAKeyParameter)

Example 4 with P11PrivateKey

use of org.xipki.security.pkcs11.provider.P11PrivateKey in project xipki by xipki.

the class P11SM3WithSM2SignatureSpi method engineInitSign.

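/**
 * Initialises SM3-with-SM2 signing with a key held behind PKCS#11.
 *
 * <p>The key must be a {@link P11PrivateKey} whose public key is an EC key on the sm2primev2
 * curve and whose algorithm name is {@code "EC"} or {@code "ECDSA"}. The mechanism is then
 * chosen from what the key reports as supported:
 * <ul>
 *   <li>{@code CKM_VENDOR_SM2}: the SM2 Z value is computed here from the user id and the
 *       public point and written first into an SM3 {@link DigestOutputStream};</li>
 *   <li>{@code CKM_VENDOR_SM2_SM3}: the message is buffered and the user id is passed on as
 *       {@link P11ByteArrayParams}.</li>
 * </ul>
 *
 * <p>The key is validated on a local variable and {@code signingKey} is assigned only after
 * every check has passed, so a rejected key is never left behind in the field of an object
 * that was initialised earlier.
 *
 * @param privateKey key to sign with
 * @throws InvalidKeyException if the key is not an acceptable SM2 PKCS#11 key, if neither SM2
 *         mechanism is supported, or if Z cannot be written to the digest stream
 */
@Override
protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
    if (!(privateKey instanceof P11PrivateKey)) {
        throw new InvalidKeyException("privateKey is not instanceof " + P11PrivateKey.class.getName());
    }
    // Validate on a local; the signingKey field is only updated once the key is accepted.
    P11PrivateKey p11Key = (P11PrivateKey) privateKey;
    if (!(p11Key.getPublicKey() instanceof ECPublicKey)) {
        throw new InvalidKeyException("only EC key is allowed");
    }
    ECPublicKey pubKey = (ECPublicKey) p11Key.getPublicKey();
    if (!GMUtil.isSm2primev2Curve(pubKey.getParams().getCurve())) {
        throw new InvalidKeyException("only EC key of curve sm2primev2 is allowed");
    }
    String algo = privateKey.getAlgorithm();
    if (!("EC".equals(algo) || "ECDSA".equals(algo))) {
        throw new InvalidKeyException("privateKey is not an EC private key: " + algo);
    }
    // Conventional default SM2 user id. The charset is pinned because these bytes feed Z:
    // a platform-default encoding could make signer and verifier derive different values.
    byte[] userId = (paramSpec == null)
            ? "1234567812345678".getBytes(java.nio.charset.StandardCharsets.US_ASCII)
            : paramSpec.getId();
    if (p11Key.supportsMechanism(PKCS11Constants.CKM_VENDOR_SM2)) {
        mechanism = PKCS11Constants.CKM_VENDOR_SM2;
        outputStream = new DigestOutputStream(HashAlgo.SM3.createDigest());
        p11Params = null;
        ECPoint w = pubKey.getW();
        sm2Z = GMUtil.getSM2Z(userId, GMObjectIdentifiers.sm2p256v1, w.getAffineX(), w.getAffineY());
        try {
            // Z is fed into the digest stream ahead of the message bytes.
            outputStream.write(sm2Z, 0, sm2Z.length);
        } catch (IOException ex) {
            // Keep the cause so the underlying stream failure stays diagnosable.
            throw new InvalidKeyException("could not compute Z of SM2", ex);
        }
    } else if (p11Key.supportsMechanism(PKCS11Constants.CKM_VENDOR_SM2_SM3)) {
        mechanism = PKCS11Constants.CKM_VENDOR_SM2_SM3;
        outputStream = new ByteArrayOutputStream();
        p11Params = new P11ByteArrayParams(userId);
    } else {
        throw new InvalidKeyException("privateKey and algorithm does not match");
    }
    this.signingKey = p11Key;
}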
Also used : ECPublicKey(java.security.interfaces.ECPublicKey) P11ByteArrayParams(org.xipki.security.pkcs11.P11ByteArrayParams) DigestOutputStream(org.xipki.security.pkcs11.DigestOutputStream) IOException(java.io.IOException) ByteArrayOutputStream(java.io.ByteArrayOutputStream) InvalidKeyException(java.security.InvalidKeyException) ECPoint(java.security.spec.ECPoint)

Example 5 with P11PrivateKey

use of org.xipki.security.pkcs11.provider.P11PrivateKey in project xipki by xipki.

the class P11DSASignatureSpi method engineInitSign.

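/**
 * Initialises DSA signing with a key held behind PKCS#11.
 *
 * <p>The key must be a {@link P11PrivateKey} whose algorithm name is {@code "DSA"}. If the key
 * supports plain {@code CKM_DSA}, that mechanism is used and the input goes either to a
 * {@link DigestOutputStream} created from {@code hashAlgo} or, when {@code hashAlgo} is
 * {@code null}, to a plain buffer. Otherwise the combined {@code CKM_DSA_<hash>} mechanism
 * matching {@code hashAlgo} must be supported, and the input is buffered.
 *
 * <p>The key is validated on a local variable and {@code signingKey} is assigned only after a
 * mechanism has been selected, so a key that fails these checks never replaces the key of an
 * object that was initialised earlier.
 *
 * <p>NOTE(review): the SHA-1 combination is still accepted here when {@code hashAlgo} selects
 * it; confirm that this is wanted only for compatibility.
 *
 * @param privateKey key to sign with
 * @throws InvalidKeyException if the key is not a DSA {@link P11PrivateKey} or supports no
 *         mechanism that matches {@code hashAlgo}
 */
@Override
protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
    if (!(privateKey instanceof P11PrivateKey)) {
        throw new InvalidKeyException("privateKey is not instanceof " + P11PrivateKey.class.getName());
    }
    String algo = privateKey.getAlgorithm();
    if (!"DSA".equals(algo)) {
        throw new InvalidKeyException("privateKey is not a DSA private key: " + algo);
    }
    // Validate on a local; the signingKey field is only updated once a mechanism is chosen.
    P11PrivateKey p11Key = (P11PrivateKey) privateKey;
    if (p11Key.supportsMechanism(PKCS11Constants.CKM_DSA)) {
        mechanism = PKCS11Constants.CKM_DSA;
        if (hashAlgo == null) {
            outputStream = new ByteArrayOutputStream();
        } else {
            outputStream = new DigestOutputStream(hashAlgo.createDigest());
        }
    } else {
        // No plain CKM_DSA: require the combined mechanism for the configured hash.
        if (hashAlgo == HashAlgo.SHA1 && p11Key.supportsMechanism(PKCS11Constants.CKM_DSA_SHA1)) {
            mechanism = PKCS11Constants.CKM_DSA_SHA1;
        } else if (hashAlgo == HashAlgo.SHA224 && p11Key.supportsMechanism(PKCS11Constants.CKM_DSA_SHA224)) {
            mechanism = PKCS11Constants.CKM_DSA_SHA224;
        } else if (hashAlgo == HashAlgo.SHA256 && p11Key.supportsMechanism(PKCS11Constants.CKM_DSA_SHA256)) {
            mechanism = PKCS11Constants.CKM_DSA_SHA256;
        } else if (hashAlgo == HashAlgo.SHA384 && p11Key.supportsMechanism(PKCS11Constants.CKM_DSA_SHA384)) {
            mechanism = PKCS11Constants.CKM_DSA_SHA384;
        } else if (hashAlgo == HashAlgo.SHA512 && p11Key.supportsMechanism(PKCS11Constants.CKM_DSA_SHA512)) {
            mechanism = PKCS11Constants.CKM_DSA_SHA512;
        } else if (hashAlgo == HashAlgo.SHA3_224 && p11Key.supportsMechanism(PKCS11Constants.CKM_DSA_SHA3_224)) {
            mechanism = PKCS11Constants.CKM_DSA_SHA3_224;
        } else if (hashAlgo == HashAlgo.SHA3_256 && p11Key.supportsMechanism(PKCS11Constants.CKM_DSA_SHA3_256)) {
            mechanism = PKCS11Constants.CKM_DSA_SHA3_256;
        } else if (hashAlgo == HashAlgo.SHA3_384 && p11Key.supportsMechanism(PKCS11Constants.CKM_DSA_SHA3_384)) {
            mechanism = PKCS11Constants.CKM_DSA_SHA3_384;
        } else if (hashAlgo == HashAlgo.SHA3_512 && p11Key.supportsMechanism(PKCS11Constants.CKM_DSA_SHA3_512)) {
            mechanism = PKCS11Constants.CKM_DSA_SHA3_512;
        } else {
            throw new InvalidKeyException("privateKey and algorithm does not match");
        }
        outputStream = new ByteArrayOutputStream();
    }
    this.signingKey = p11Key;
}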
Also used : DigestOutputStream(org.xipki.security.pkcs11.DigestOutputStream) ByteArrayOutputStream(java.io.ByteArrayOutputStream) InvalidKeyException(java.security.InvalidKeyException)

Aggregations

InvalidKeyException (java.security.InvalidKeyException)4 ByteArrayOutputStream (java.io.ByteArrayOutputStream)3 DigestOutputStream (org.xipki.security.pkcs11.DigestOutputStream)3 ECPublicKey (java.security.interfaces.ECPublicKey)2 IOException (java.io.IOException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 PrivateKey (java.security.PrivateKey)1 X509Certificate (java.security.cert.X509Certificate)1 DSAPublicKey (java.security.interfaces.DSAPublicKey)1 RSAPublicKey (java.security.interfaces.RSAPublicKey)1 ECPoint (java.security.spec.ECPoint)1 ArrayList (java.util.ArrayList)1 ParametersWithRandom (org.bouncycastle.crypto.params.ParametersWithRandom)1 DfltConcurrentContentSigner (org.xipki.security.DfltConcurrentContentSigner)1 XiContentSigner (org.xipki.security.XiContentSigner)1 XiSecurityException (org.xipki.security.exception.XiSecurityException)1 P11ByteArrayParams (org.xipki.security.pkcs11.P11ByteArrayParams)1 P11CryptService (org.xipki.security.pkcs11.P11CryptService)1 P11Identity (org.xipki.security.pkcs11.P11Identity)1 P11Module (org.xipki.security.pkcs11.P11Module)1