-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java19
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java3
-rw-r--r--smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java33
3 files changed, 39 insertions, 16 deletions
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java
index 061fe707..8391e450 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java
@@ -41,7 +41,12 @@ import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec;
* @author mcentner
*/
public class AlgorithmMethodFactoryImpl implements AlgorithmMethodFactory {
-
+
+ /**
+ * Use SHA-2?
+ */
+ private static boolean SHA2 = false;
+
/**
* The signature algorithm URI.
*/
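Review bot: The new `SHA2` field is a non-final static hard-coded to `false`, documented only as `Use SHA-2?`, and nothing in this hunk shows a way to set it. The conditions it guards in the two later hunks of this file (`SHA2 && keyLength >= 2048`, `SHA2 && fieldSize >= 512`, `SHA2 && fieldSize >= 256`) can therefore never be true, so signatures take the `else` branches regardless of key size: SHA-1 for ECDSA, while the RSA `else` body is outside the hunk. If this is a deliberate compatibility switch, declare it `private static final boolean SHA2 = false;` and extend the Javadoc to say why SHA-2 is disabled and what must hold before it is enabled. If it is meant to be configurable, read it from configuration instead of leaving a mutable static.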
@@ -82,7 +87,7 @@ public class AlgorithmMethodFactoryImpl implements AlgorithmMethodFactory {
keyLength = ((RSAPublicKey) publicKey).getModulus().bitLength();
}
- if (keyLength >= 2048) {
+ if (SHA2 && keyLength >= 2048) {
signatureAlgorithmURI = XmldsigMore.SIGNATURE_RSA_SHA256;
digestAlgorithmURI = DigestMethod.SHA256;
} else {
@@ -100,14 +105,14 @@ public class AlgorithmMethodFactoryImpl implements AlgorithmMethodFactory {
fieldSize = params.getCurve().getField().getFieldSize();
}
- if (fieldSize < 256) {
- signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA1;
- } else if (fieldSize < 512) {
+ if (SHA2 && fieldSize >= 512) {
+ signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA512;
+ digestAlgorithmURI = DigestMethod.SHA512;
+ } else if (SHA2 && fieldSize >= 256) {
signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA256;
digestAlgorithmURI = DigestMethod.SHA256;
} else {
- signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA512;
- digestAlgorithmURI = DigestMethod.SHA512;
+ signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA1;
}
} else {
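Review bot: The final `else` branch sets only `signatureAlgorithmURI` to `SIGNATURE_ECDSA_SHA1` and leaves `digestAlgorithmURI` untouched, while both SHA-2 branches set the pair. That relies on `digestAlgorithmURI` already holding the SHA-1 digest URI from its declaration, which is outside this hunk. Since this branch is now the default path, adding `digestAlgorithmURI = DigestMethod.SHA1;` there would keep signature and digest algorithm consistent even if the field's initial value changes. The enclosing method starts and ends outside the hunk.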
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java
index 42c6a4c5..9fb9a3f1 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java
@@ -54,6 +54,9 @@ public class STALProvider extends Provider {
IMPL_PACKAGE_NAME + ".STALSignature");
map.put("Signature." + XmldsigMore.SIGNATURE_ECDSA_SHA256,
IMPL_PACKAGE_NAME + ".STALSignature");
+ map.put("Signature." + XmldsigMore.SIGNATURE_ECDSA_SHA512,
+ IMPL_PACKAGE_NAME + ".STALSignature");
+
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
index 880cab4b..9047fa54 100644
--- a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
+++ b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java
@@ -308,11 +308,26 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
MessageDigest md = null;
try {
- if (version < 1.2 && (alg == null || "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1".equals(alg))) {
+ if (alg == null || "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1".equals(alg)) {
// local key ID '02' version '00'
dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x02, (byte) 0x00});
- // algorithm ID ECDSA with SHA-1
- dst.write(new byte[] {(byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x10});
+ if (version < 1.2) {
+ // algorithm ID ECDSA with SHA-1
+ dst.write(new byte[] {(byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x10});
+ } else {
+ // portable algorithm reference
+ dst.write(new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x04});
+ // hash template
+ ht = new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x10};
+ }
+ md = MessageDigest.getInstance("SHA-1");
+ } else if (version >= 1.2 && "http://www.w3.org/2000/09/xmldsig#rsa-sha1".equals(alg)) {
+ // local key ID '03' version '00'
+ dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x03, (byte) 0x00});
+ // portable algorithm reference
+ dst.write(new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x02});
+ // hash template
+ ht = new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x10};
md = MessageDigest.getInstance("SHA-1");
} else if (version >= 1.2 && "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256".equals(alg)) {
// local key ID '02' version '00'
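Review bot: With the `version < 1.2` test moved inside the branch, `alg == null` now selects ECDSA with SHA-1 on every card version; before, a null `alg` on a version 1.2 or later card did not match the first condition and, judging by the visible branches that all use `"...".equals(alg)`, ended in the `SignatureCardException`. A missing algorithm therefore silently becomes a SHA-1 signature with local key ID '02'. If that default is intended, state it at the branch, e.g. `// alg == null: legacy default, ECDSA with SHA-1`, and consider `log.warn("No signature algorithm given, defaulting to ECDSA with SHA-1.");`; otherwise keep `alg == null` tied to `version < 1.2`. The hash template `{(byte) 0x80, (byte) 0x01, (byte) 0x10}` now appears twice and could be a named constant. The method body starts and ends outside the hunk.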
@@ -331,7 +346,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
ht = new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x40};
md = MessageDigest.getInstance("SHA256");
} else {
- throw new SignatureCardException("e-card versio " + version + " does not support signature algorithm " + alg + ".");
+ throw new SignatureCardException("e-card version " + version + " does not support signature algorithm " + alg + ".");
}
} catch (NoSuchAlgorithmException e) {
log.error("Failed to get MessageDigest.", e);
@@ -361,16 +376,16 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
verifyPINLoop(channel, spec, provider);
// MANAGE SECURITY ENVIRONMENT : SET DST
execMSE(channel, 0x41, 0xb6, dst.toByteArray());
- if (ht != null) {
- // PERFORM SECURITY OPERATION : SET HT
- execMSE(channel, 0x41, 0xaa, ht);
- }
if (version < 1.2) {
// PERFORM SECURITY OPERATION : HASH
execPSO_HASH(channel, digest);
// PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE
return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel, null);
} else {
+ if (ht != null) {
+ // PERFORM SECURITY OPERATION : SET HT
+ execMSE(channel, 0x41, 0xaa, ht);
+ }
// PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE
return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel, digest);
}
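Review bot: The comment `// PERFORM SECURITY OPERATION : SET HT` sits above an `execMSE(channel, 0x41, 0xaa, ht)` call, the same helper that is labelled `MANAGE SECURITY ENVIRONMENT : SET DST` a few lines earlier, so the label looks wrong; `// MANAGE SECURITY ENVIRONMENT : SET HT` would match the call. The same comment is kept in the following hunk (`if (version >= 1.2 && ht != null)`), which also writes the version guard differently from the nested form used here. Using one form in both places would make the two signing paths easier to compare. Both enclosing methods extend beyond the hunks.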
@@ -384,7 +399,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu
execSELECT_AID(channel, AID_DF_GS);
// MANAGE SECURITY ENVIRONMENT : SET DST
execMSE(channel, 0x41, 0xb6, dst.toByteArray());
- if (ht != null) {
+ if (version >= 1.2 && ht != null) {
// PERFORM SECURITY OPERATION : SET HT
execMSE(channel, 0x41, 0xaa, ht);
}