diff options
3 files changed, 39 insertions, 16 deletions
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java index 061fe707..8391e450 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java @@ -41,7 +41,12 @@ import javax.xml.crypto.dsig.spec.SignatureMethodParameterSpec; * @author mcentner
*/
public class AlgorithmMethodFactoryImpl implements AlgorithmMethodFactory {
-
+ + /** + * Use SHA-2? + */ + private static boolean SHA2 = false; +
/**
* The signature algorithm URI.
*/
@@ -82,7 +87,7 @@ public class AlgorithmMethodFactoryImpl implements AlgorithmMethodFactory { keyLength = ((RSAPublicKey) publicKey).getModulus().bitLength(); } - if (keyLength >= 2048) { + if (SHA2 && keyLength >= 2048) { signatureAlgorithmURI = XmldsigMore.SIGNATURE_RSA_SHA256; digestAlgorithmURI = DigestMethod.SHA256; } else { @@ -100,14 +105,14 @@ public class AlgorithmMethodFactoryImpl implements AlgorithmMethodFactory { fieldSize = params.getCurve().getField().getFieldSize(); } - if (fieldSize < 256) { - signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA1; - } else if (fieldSize < 512) { + if (SHA2 && fieldSize >= 512) { + signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA512; + digestAlgorithmURI = DigestMethod.SHA512; + } else if (SHA2 && fieldSize >= 256) { signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA256; digestAlgorithmURI = DigestMethod.SHA256; } else { - signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA512; - digestAlgorithmURI = DigestMethod.SHA512; + signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA1; } } else {
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java index 42c6a4c5..9fb9a3f1 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/STALProvider.java @@ -54,6 +54,9 @@ public class STALProvider extends Provider { IMPL_PACKAGE_NAME + ".STALSignature"); map.put("Signature." + XmldsigMore.SIGNATURE_ECDSA_SHA256, IMPL_PACKAGE_NAME + ".STALSignature"); + map.put("Signature." + XmldsigMore.SIGNATURE_ECDSA_SHA512, + IMPL_PACKAGE_NAME + ".STALSignature"); + AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java index 880cab4b..9047fa54 100644 --- a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java +++ b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java @@ -308,11 +308,26 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu MessageDigest md = null; try { - if (version < 1.2 && (alg == null || "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1".equals(alg))) { + if (alg == null || "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1".equals(alg)) { // local key ID '02' version '00' dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x02, (byte) 0x00}); - // algorithm ID ECDSA with SHA-1 - dst.write(new byte[] {(byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x10}); + if (version < 1.2) { + // algorithm ID ECDSA with SHA-1 + dst.write(new byte[] {(byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x10}); + } else { + // portable algorithm reference + dst.write(new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x04}); + // hash template + ht = new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x10}; + } + md = MessageDigest.getInstance("SHA-1"); + } else if (version >= 1.2 && "http://www.w3.org/2000/09/xmldsig#rsa-sha1".equals(alg)) { + // local key ID '03' version '00' + dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x03, (byte) 0x00}); + // portable algorithm reference + dst.write(new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x02}); + // hash template + ht = new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x10}; md = MessageDigest.getInstance("SHA-1"); } else if (version >= 1.2 && "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256".equals(alg)) { // local key ID '02' version '00' @@ -331,7 +346,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu ht = new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x40}; md = MessageDigest.getInstance("SHA256"); } else { - throw new SignatureCardException("e-card versio " + version + " does not support signature algorithm " + alg + "."); + throw new SignatureCardException("e-card version " + version + " does not support signature algorithm " + alg + "."); } } catch (NoSuchAlgorithmException e) { log.error("Failed to get MessageDigest.", e); @@ -361,16 +376,16 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu verifyPINLoop(channel, spec, provider); // MANAGE SECURITY ENVIRONMENT : SET DST execMSE(channel, 0x41, 0xb6, dst.toByteArray()); - if (ht != null) { - // PERFORM SECURITY OPERATION : SET HT - execMSE(channel, 0x41, 0xaa, ht); - } if (version < 1.2) { // PERFORM SECURITY OPERATION : HASH execPSO_HASH(channel, digest); // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel, null); } else { + if (ht != null) { + // PERFORM SECURITY OPERATION : SET HT + execMSE(channel, 0x41, 0xaa, ht); + } // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATURE return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel, digest); } @@ -384,7 +399,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu execSELECT_AID(channel, AID_DF_GS); // MANAGE SECURITY ENVIRONMENT : SET DST execMSE(channel, 0x41, 0xb6, dst.toByteArray()); - if (ht != null) { + if (version >= 1.2 && ht != null) { // PERFORM SECURITY OPERATION : SET HT execMSE(channel, 0x41, 0xaa, ht); } |