-
Notifications
You must be signed in to change notification settings - Fork 4
/
Pkcs11WrapperSignature.java
149 lines (134 loc) · 5.16 KB
/
Pkcs11WrapperSignature.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
package com.itextpdf.signingexamples.pkcs11;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertificateException;
import com.itextpdf.signatures.DigestAlgorithms;
import com.itextpdf.signatures.IExternalSignature;
import iaik.pkcs.pkcs11.Mechanism;
import iaik.pkcs.pkcs11.TokenException;
import iaik.pkcs.pkcs11.objects.Key;
import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;
import com.itextpdf.signatures.ISignatureMechanismParams;
/**
* This {@link IExternalSignature} implementation is based on the
* <a href="https://jce.iaik.tugraz.at/products/core-crypto-toolkits/pkcs11-wrapper/">
* IAIK PKCS#11 Wrapper</a>
*
* @author mkl
*/
public class Pkcs11WrapperSignature extends Pkcs11WrapperKeyAndCertificate implements IExternalSignature {
String signatureAlgorithmName;
String digestAlgorithmName;
public Pkcs11WrapperSignature(String libraryPath, long slotId) throws IOException, TokenException {
super(libraryPath, slotId);
}
public Pkcs11WrapperSignature select(String alias, String certLabel, char[] pin) throws TokenException, CertificateException {
super.select(alias, certLabel, pin);
if (Key.KeyType.RSA.equals(keyType)) {
signatureAlgorithmName = "RSA";
} else if (Key.KeyType.DSA.equals(keyType)) {
signatureAlgorithmName = "DSA";
} else if (Key.KeyType.ECDSA.equals(keyType)) {
signatureAlgorithmName = "ECDSA";
} else {
signatureAlgorithmName = null;
}
return this;
}
@Override
public String getSignatureAlgorithmName() {
return signatureAlgorithmName;
}
@Override
public ISignatureMechanismParams getSignatureMechanismParameters() {
return null;
}
@Override
public String getDigestAlgorithmName() {
return digestAlgorithmName;
}
public Pkcs11WrapperSignature setDigestAlgorithmName(String digestAlgorithmName) {
this.digestAlgorithmName = DigestAlgorithms.getDigest(DigestAlgorithms.getAllowedDigest(digestAlgorithmName));
return this;
}
@Override
public byte[] sign(byte[] message) throws GeneralSecurityException {
long mechanismId;
switch(signatureAlgorithmName) {
case "DSA":
switch(digestAlgorithmName) {
case "SHA1":
mechanismId = PKCS11Constants.CKM_DSA_SHA1;
break;
case "SHA224":
mechanismId = PKCS11Constants.CKM_DSA_SHA224;
break;
case "SHA256":
mechanismId = PKCS11Constants.CKM_DSA_SHA256;
break;
case "SHA384":
mechanismId = PKCS11Constants.CKM_DSA_SHA384;
break;
case "SHA512":
mechanismId = PKCS11Constants.CKM_DSA_SHA512;
break;
default:
throw new InvalidAlgorithmParameterException("Not supported: " + digestAlgorithmName + "with" + signatureAlgorithmName);
}
case "ECDSA":
switch (digestAlgorithmName)
{
case "SHA1":
mechanismId = PKCS11Constants.CKM_ECDSA_SHA1;
break;
case "SHA224":
mechanismId = PKCS11Constants.CKM_ECDSA_SHA224;
break;
case "SHA256":
mechanismId = PKCS11Constants.CKM_ECDSA_SHA256;
break;
case "SHA384":
mechanismId = PKCS11Constants.CKM_ECDSA_SHA384;
break;
case "SHA512":
mechanismId = PKCS11Constants.CKM_ECDSA_SHA512;
break;
default:
throw new InvalidAlgorithmParameterException("Not supported: " + digestAlgorithmName + "with" + signatureAlgorithmName);
}
break;
case "RSA":
switch (digestAlgorithmName)
{
case "SHA1":
mechanismId = PKCS11Constants.CKM_SHA1_RSA_PKCS;
break;
case "SHA224":
mechanismId = PKCS11Constants.CKM_SHA224_RSA_PKCS;
break;
case "SHA256":
mechanismId = PKCS11Constants.CKM_SHA256_RSA_PKCS;
break;
case "SHA384":
mechanismId = PKCS11Constants.CKM_SHA384_RSA_PKCS;
break;
case "SHA512":
mechanismId = PKCS11Constants.CKM_SHA512_RSA_PKCS;
break;
default:
throw new InvalidAlgorithmParameterException("Not supported: " + digestAlgorithmName + "with" + signatureAlgorithmName);
}
break;
default:
throw new InvalidAlgorithmParameterException("Not supported: " + digestAlgorithmName + "with" + signatureAlgorithmName);
}
Mechanism signatureMechanism = Mechanism.get(mechanismId);
try {
session.signInit(signatureMechanism, privateKey);
return session.sign(message);
} catch (TokenException e) {
throw new GeneralSecurityException(e);
}
}
}