Example 1 with P11PrivateKey
use of org.xipki.security.pkcs11.provider.P11PrivateKey in project xipki by xipki.
the class XiKeyStoreSpi method engineLoad.
private void engineLoad(String moduleName) throws P11TokenException, XiSecurityException {
P11CryptService p11Service = p11CryptServiceFactory.getP11CryptService(moduleName);
P11Module module = p11Service.getModule();
List<P11SlotIdentifier> slotIds = module.getSlotIds();
for (P11SlotIdentifier slotId : slotIds) {
P11Slot slot = module.getSlot(slotId);
Set<P11ObjectIdentifier> identityIds = slot.getIdentityIdentifiers();
for (P11ObjectIdentifier objId : identityIds) {
P11Identity identity = slot.getIdentity(objId);
X509Certificate[] chain = identity.certificateChain();
if (chain == null || chain.length == 0) {
continue;
}
P11PrivateKey key = new P11PrivateKey(p11Service, identity.getIdentityId());
KeyCertEntry keyCertEntry = new KeyCertEntry(key, chain);
keyCerts.put(moduleName + "#slotid-" + slotId.getId() + "#keyid-" + objId.getIdHex(), keyCertEntry);
keyCerts.put(moduleName + "#slotid-" + slotId.getId() + "#keylabel-" + objId.getLabel(), keyCertEntry);
keyCerts.put(moduleName + "#slotindex-" + slotId.getIndex() + "#keyid-" + objId.getIdHex(), keyCertEntry);
keyCerts.put(moduleName + "#slotindex-" + slotId.getIndex() + "#keylabel-" + objId.getLabel(), keyCertEntry);
}
}
}
Also used :
P11Module(org.xipki.security.pkcs11.P11Module)
P11SlotIdentifier(org.xipki.security.pkcs11.P11SlotIdentifier)
P11Slot(org.xipki.security.pkcs11.P11Slot)
P11Identity(org.xipki.security.pkcs11.P11Identity)
P11CryptService(org.xipki.security.pkcs11.P11CryptService)
P11ObjectIdentifier(org.xipki.security.pkcs11.P11ObjectIdentifier)
X509Certificate(java.security.cert.X509Certificate)
Example 2 with P11PrivateKey
use of org.xipki.security.pkcs11.provider.P11PrivateKey in project xipki by xipki.
the class P11ContentSignerBuilder method createSigner.
// constructor
public ConcurrentContentSigner createSigner(AlgorithmIdentifier signatureAlgId, int parallelism) throws XiSecurityException, P11TokenException {
ParamUtil.requireMin("parallelism", parallelism, 1);
List<XiContentSigner> signers = new ArrayList<>(parallelism);
Boolean isSm2p256v1 = null;
for (int i = 0; i < parallelism; i++) {
XiContentSigner signer;
if (publicKey instanceof RSAPublicKey) {
if (i == 0 && !AlgorithmUtil.isRSASigAlgId(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid RSA signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
signer = createRSAContentSigner(signatureAlgId);
} else if (publicKey instanceof ECPublicKey) {
ECPublicKey ecKey = (ECPublicKey) publicKey;
if (i == 0) {
isSm2p256v1 = GMUtil.isSm2primev2Curve(ecKey.getParams().getCurve());
if (isSm2p256v1) {
if (!AlgorithmUtil.isSM2SigAlg(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid SM2 signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
} else {
if (!AlgorithmUtil.isECSigAlg(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid EC signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
}
}
if (isSm2p256v1) {
java.security.spec.ECPoint w = ecKey.getW();
signer = createSM2ContentSigner(signatureAlgId, GMObjectIdentifiers.sm2p256v1, w.getAffineX(), w.getAffineY());
} else {
signer = createECContentSigner(signatureAlgId);
}
} else if (publicKey instanceof DSAPublicKey) {
if (i == 0 && !AlgorithmUtil.isDSASigAlg(signatureAlgId)) {
throw new XiSecurityException("the given algorithm is not a valid DSA signature algorithm '" + signatureAlgId.getAlgorithm().getId() + "'");
}
signer = createDSAContentSigner(signatureAlgId);
} else {
throw new XiSecurityException("unsupported key " + publicKey.getClass().getName());
}
signers.add(signer);
}
// end for
final boolean mac = false;
PrivateKey privateKey = new P11PrivateKey(cryptService, identityId);
DfltConcurrentContentSigner concurrentSigner;
try {
concurrentSigner = new DfltConcurrentContentSigner(mac, signers, privateKey);
} catch (NoSuchAlgorithmException ex) {
throw new XiSecurityException(ex.getMessage(), ex);
}
if (certificateChain != null) {
concurrentSigner.setCertificateChain(certificateChain);
} else {
concurrentSigner.setPublicKey(publicKey);
}
return concurrentSigner;
}
Also used :
P11PrivateKey(org.xipki.security.pkcs11.provider.P11PrivateKey)
PrivateKey(java.security.PrivateKey)
ArrayList(java.util.ArrayList)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
DSAPublicKey(java.security.interfaces.DSAPublicKey)
XiSecurityException(org.xipki.security.exception.XiSecurityException)
RSAPublicKey(java.security.interfaces.RSAPublicKey)
ECPublicKey(java.security.interfaces.ECPublicKey)
P11PrivateKey(org.xipki.security.pkcs11.provider.P11PrivateKey)
DfltConcurrentContentSigner(org.xipki.security.DfltConcurrentContentSigner)
XiContentSigner(org.xipki.security.XiContentSigner)
Example 3 with P11PrivateKey
use of org.xipki.security.pkcs11.provider.P11PrivateKey in project xipki by xipki.
the class P11RSAPSSSignatureSpi method engineInitSign.
protected void engineInitSign(PrivateKey privateKey, SecureRandom random) throws InvalidKeyException {
if (!(privateKey instanceof P11PrivateKey)) {
throw new InvalidKeyException("privateKey is not instanceof " + P11PrivateKey.class.getName());
}
String algo = privateKey.getAlgorithm();
if (!"RSA".equals(algo)) {
throw new InvalidKeyException("privateKey is not an RSA private key: " + algo);
}
this.signingKey = (P11PrivateKey) privateKey;
pss = new org.bouncycastle.crypto.signers.PSSSigner(signer, contentDigest, mgfDigest, saltLength, trailer);
P11RSAKeyParameter p11KeyParam = P11RSAKeyParameter.getInstance(signingKey.getP11CryptService(), signingKey.getIdentityId());
if (random == null) {
pss.init(true, p11KeyParam);
} else {
pss.init(true, new ParametersWithRandom(p11KeyParam, random));
}
}
Also used :
ParametersWithRandom(org.bouncycastle.crypto.params.ParametersWithRandom)
InvalidKeyException(java.security.InvalidKeyException)
P11RSAKeyParameter(org.xipki.security.pkcs11.P11RSAKeyParameter)
Example 4 with P11PrivateKey
use of org.xipki.security.pkcs11.provider.P11PrivateKey in project xipki by xipki.
the class P11SM3WithSM2SignatureSpi method engineInitSign.
@Override
protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
if (!(privateKey instanceof P11PrivateKey)) {
throw new InvalidKeyException("privateKey is not instanceof " + P11PrivateKey.class.getName());
}
this.signingKey = (P11PrivateKey) privateKey;
if (!(signingKey.getPublicKey() instanceof ECPublicKey)) {
throw new InvalidKeyException("only EC key is allowed");
}
ECPublicKey pubKey = (ECPublicKey) signingKey.getPublicKey();
if (!GMUtil.isSm2primev2Curve(pubKey.getParams().getCurve())) {
throw new InvalidKeyException("only EC key of curve sm2primev2 is allowed");
}
String algo = privateKey.getAlgorithm();
if (!("EC".equals(algo) || "ECDSA".equals(algo))) {
throw new InvalidKeyException("privateKey is not an EC private key: " + algo);
}
byte[] userId = (paramSpec == null) ? "1234567812345678".getBytes() : paramSpec.getId();
if (signingKey.supportsMechanism(PKCS11Constants.CKM_VENDOR_SM2)) {
mechanism = PKCS11Constants.CKM_VENDOR_SM2;
outputStream = new DigestOutputStream(HashAlgo.SM3.createDigest());
p11Params = null;
ECPoint w = pubKey.getW();
sm2Z = GMUtil.getSM2Z(userId, GMObjectIdentifiers.sm2p256v1, w.getAffineX(), w.getAffineY());
try {
outputStream.write(sm2Z, 0, sm2Z.length);
} catch (IOException ex) {
throw new InvalidKeyException("could not compute Z of SM2");
}
} else if (signingKey.supportsMechanism(PKCS11Constants.CKM_VENDOR_SM2_SM3)) {
mechanism = PKCS11Constants.CKM_VENDOR_SM2_SM3;
outputStream = new ByteArrayOutputStream();
p11Params = new P11ByteArrayParams(userId);
} else {
throw new InvalidKeyException("privateKey and algorithm does not match");
}
this.signingKey = (P11PrivateKey) privateKey;
}
Also used :
ECPublicKey(java.security.interfaces.ECPublicKey)
P11ByteArrayParams(org.xipki.security.pkcs11.P11ByteArrayParams)
DigestOutputStream(org.xipki.security.pkcs11.DigestOutputStream)
IOException(java.io.IOException)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
InvalidKeyException(java.security.InvalidKeyException)
ECPoint(java.security.spec.ECPoint)
Example 5 with P11PrivateKey
use of org.xipki.security.pkcs11.provider.P11PrivateKey in project xipki by xipki.
the class P11DSASignatureSpi method engineInitSign.
@Override
protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
if (!(privateKey instanceof P11PrivateKey)) {
throw new InvalidKeyException("privateKey is not instanceof " + P11PrivateKey.class.getName());
}
String algo = privateKey.getAlgorithm();
if (!"DSA".equals(algo)) {
throw new InvalidKeyException("privateKey is not a DSA private key: " + algo);
}
this.signingKey = (P11PrivateKey) privateKey;
if (signingKey.supportsMechanism(PKCS11Constants.CKM_DSA)) {
mechanism = PKCS11Constants.CKM_DSA;
if (hashAlgo == null) {
outputStream = new ByteArrayOutputStream();
} else {
outputStream = new DigestOutputStream(hashAlgo.createDigest());
}
} else {
if (hashAlgo == HashAlgo.SHA1 && signingKey.supportsMechanism(PKCS11Constants.CKM_DSA_SHA1)) {
mechanism = PKCS11Constants.CKM_DSA_SHA1;
} else if (hashAlgo == HashAlgo.SHA224 && signingKey.supportsMechanism(PKCS11Constants.CKM_DSA_SHA224)) {
mechanism = PKCS11Constants.CKM_DSA_SHA224;
} else if (hashAlgo == HashAlgo.SHA256 && signingKey.supportsMechanism(PKCS11Constants.CKM_DSA_SHA256)) {
mechanism = PKCS11Constants.CKM_DSA_SHA256;
} else if (hashAlgo == HashAlgo.SHA384 && signingKey.supportsMechanism(PKCS11Constants.CKM_DSA_SHA384)) {
mechanism = PKCS11Constants.CKM_DSA_SHA384;
} else if (hashAlgo == HashAlgo.SHA512 && signingKey.supportsMechanism(PKCS11Constants.CKM_DSA_SHA512)) {
mechanism = PKCS11Constants.CKM_DSA_SHA512;
} else if (hashAlgo == HashAlgo.SHA3_224 && signingKey.supportsMechanism(PKCS11Constants.CKM_DSA_SHA3_224)) {
mechanism = PKCS11Constants.CKM_DSA_SHA3_224;
} else if (hashAlgo == HashAlgo.SHA3_256 && signingKey.supportsMechanism(PKCS11Constants.CKM_DSA_SHA3_256)) {
mechanism = PKCS11Constants.CKM_DSA_SHA3_256;
} else if (hashAlgo == HashAlgo.SHA3_384 && signingKey.supportsMechanism(PKCS11Constants.CKM_DSA_SHA3_384)) {
mechanism = PKCS11Constants.CKM_DSA_SHA3_384;
} else if (hashAlgo == HashAlgo.SHA3_512 && signingKey.supportsMechanism(PKCS11Constants.CKM_DSA_SHA3_512)) {
mechanism = PKCS11Constants.CKM_DSA_SHA3_512;
} else {
throw new InvalidKeyException("privateKey and algorithm does not match");
}
outputStream = new ByteArrayOutputStream();
}
this.signingKey = (P11PrivateKey) privateKey;
}
Also used :
DigestOutputStream(org.xipki.security.pkcs11.DigestOutputStream)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
InvalidKeyException(java.security.InvalidKeyException)
Aggregations
InvalidKeyException (java.security.InvalidKeyException)4
ByteArrayOutputStream (java.io.ByteArrayOutputStream)3
DigestOutputStream (org.xipki.security.pkcs11.DigestOutputStream)3
ECPublicKey (java.security.interfaces.ECPublicKey)2
IOException (java.io.IOException)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
PrivateKey (java.security.PrivateKey)1
X509Certificate (java.security.cert.X509Certificate)1
DSAPublicKey (java.security.interfaces.DSAPublicKey)1
RSAPublicKey (java.security.interfaces.RSAPublicKey)1
ECPoint (java.security.spec.ECPoint)1
ArrayList (java.util.ArrayList)1
ParametersWithRandom (org.bouncycastle.crypto.params.ParametersWithRandom)1
DfltConcurrentContentSigner (org.xipki.security.DfltConcurrentContentSigner)1
XiContentSigner (org.xipki.security.XiContentSigner)1
XiSecurityException (org.xipki.security.exception.XiSecurityException)1
P11ByteArrayParams (org.xipki.security.pkcs11.P11ByteArrayParams)1
P11CryptService (org.xipki.security.pkcs11.P11CryptService)1
P11Identity (org.xipki.security.pkcs11.P11Identity)1
P11Module (org.xipki.security.pkcs11.P11Module)1
