From f1cba2de17ba136292291f38021dd8c9f10de740 Mon Sep 17 00:00:00 2001 From: tkellner Date: Tue, 30 Aug 2011 10:30:26 +0000 Subject: smcc update for ECDSA/RIPEMD160 * RIPEMD160 support for old cards which don't support SHA-256 yet * Rename CERITIFIED_KEYPAIR -> CERTIFIED_KEYPAIR git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@960 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java | 12 ++++++--- .../src/main/java/at/gv/egiz/smcc/STARCOSCard.java | 31 +++++++++++++++++----- smcc/src/main/java/at/gv/egiz/smcc/SWCard.java | 6 ++--- .../main/java/at/gv/egiz/smcc/SignatureCard.java | 6 ++--- .../at/gv/egiz/smcc/test/AbstractCardTest.java | 14 +++++----- .../gv/egiz/smcc/test/AbstractInvalidCardTest.java | 2 +- .../smcc/test/AbstractNotActivatedCardTest.java | 2 +- .../bku/smccstal/InfoBoxReadRequestHandler.java | 4 +-- smccTest/pom.xml | 4 +-- .../main/java/at/gv/egiz/smcctest/CardTest.java | 2 +- 10 files changed, 53 insertions(+), 30 deletions(-) diff --git a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java index 70a1e06c..6af5aac8 100644 --- a/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java +++ b/smcc/src/main/java/at/gv/egiz/smcc/ACOSCard.java @@ -224,7 +224,7 @@ PINMgmtSignatureCard { if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) { aid = AID_SIG; fid = EF_C_CH_DS; - } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) { + } else if (keyboxName == KeyboxName.CERTIFIED_KEYPAIR) { aid = AID_DEC; fid = EF_C_CH_EKEY; } else { 
@@ -286,7 +286,7 @@ PINMgmtSignatureCard { && (alg == null || "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1".equals(alg))) { dst.write((byte) 0x14); // SHA-1/ECC md = MessageDigest.getInstance("SHA-1"); - } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName) + } else if (KeyboxName.CERTIFIED_KEYPAIR.equals(keyboxName) && (alg == null || "http://www.w3.org/2000/09/xmldsig#rsa-sha1".equals(alg))) { dst.write((byte) 0x12); // SHA-1 with padding according to PKCS#1 block type 01 md = MessageDigest.getInstance("SHA-1"); @@ -295,11 +295,15 @@ PINMgmtSignatureCard { && "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256".equals(alg)) { dst.write((byte) 0x44); // SHA-256/ECC md = MessageDigest.getInstance("SHA256"); - } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName) + } else if (KeyboxName.CERTIFIED_KEYPAIR.equals(keyboxName) && appVersion >= 2 && "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".equals(alg)) { dst.write((byte) 0x41); // SHA-256 with padding according to PKCS#1 md = MessageDigest.getInstance("SHA256"); + } else if (KeyboxName.SECURE_SIGNATURE_KEYPAIR.equals(keyboxName) + && "http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160".equals(alg)) { + dst.write((byte) 0x14); // No RIPEMD support - use SHA-1/ECC + md = MessageDigest.getInstance("RIPEMD160"); } else { throw new SignatureCardException("Card does not support signature algorithm " + alg + "."); } @@ -331,7 +335,7 @@ PINMgmtSignatureCard { // PERFORM SECURITY OPERATION : COMPUTE DIGITAL SIGNATRE return execPSO_COMPUTE_DIGITAL_SIGNATURE(channel); - } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) { + } else if (KeyboxName.CERTIFIED_KEYPAIR.equals(keyboxName)) { // SELECT application execSELECT_AID(channel, AID_DEC); diff --git a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java index da016d29..1de5c75c 100644 --- a/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java 
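Review bot: In the `@@ -295,11 +295,15 @@` hunk of ACOSCard.java, the new ecdsa-ripemd160 branch declares SHA-1/ECC to the card (`dst.write((byte) 0x14)`) while the digest is computed with RIPEMD160, and the comment "No RIPEMD support - use SHA-1/ECC" does not say why that is safe. It is only correct if the card signs the supplied 20-byte value as-is and never hashes or checks it against the declared algorithm, so I would spell that out: `// card has no RIPEMD160 algorithm ID; 0x14 is declared only because the digest length matches, hashing is done off-card`. As far as I know the JDK's default providers do not serve `MessageDigest.getInstance("RIPEMD160")`, so this path depends on an additional JCE provider; the NoSuchAlgorithmException handling lies outside the hunk and should be checked for a clear error. The branch also has no `appVersion` condition, so a caller-supplied `alg` selects the 160-bit hash on cards that support SHA-256 as well, which is wider than the commit message's "old cards" and should be confirmed as intended. The provider dependency and the SHA-1 algorithm ID also apply to the `version < 1.2` path of the RIPEMD160 branch in STARCOSCard.java (`@@ -389,12 +391,29 @@`).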
+++ b/smcc/src/main/java/at/gv/egiz/smcc/STARCOSCard.java @@ -194,7 +194,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu if (keyboxName == KeyboxName.SECURE_SIGNATURE_KEYPAIR) { aid = AID_DF_SS; fid = EF_C_X509_CH_DS; - } else if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) { + } else if (keyboxName == KeyboxName.CERTIFIED_KEYPAIR) { aid = AID_DF_GS; fid = EF_C_X509_CH_AUT; } else { @@ -357,10 +357,12 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu byte[] ht = null; MessageDigest md = null; + + dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80}); try { if (alg == null || "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1".equals(alg)) { // local key ID '02' version '00' - dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x02, (byte) 0x00}); + dst.write(new byte[] {(byte) 0x02, (byte) 0x00}); if (version < 1.2) { // algorithm ID ECDSA with SHA-1 dst.write(new byte[] {(byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x10}); @@ -373,7 +375,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu md = MessageDigest.getInstance("SHA-1"); } else if (version >= 1.2 && "http://www.w3.org/2000/09/xmldsig#rsa-sha1".equals(alg)) { // local key ID '03' version '00' - dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x03, (byte) 0x00}); + dst.write(new byte[] {(byte) 0x03, (byte) 0x00}); // portable algorithm reference dst.write(new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x02}); // hash template 
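Review bot: The hoisted `dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80});` in the `@@ -357,10 +357,12 @@` hunk of STARCOSCard.java has no comment, and the branch comments "local key ID '02' version '00'" now describe only the two bytes each branch appends. The second byte looks like a length of 3, so every branch must append exactly two bytes after this prefix, a coupling that is easy to break when another algorithm is added. I would add `// key reference header (0x84, length 3, 0x80); each branch below appends local key ID and version` above the hoisted line. The write now also sits before the `try`, so the prefix is emitted even when the algorithm is then rejected; the enclosing method starts and ends outside the hunk, so whether `dst` is discarded on that path cannot be seen here.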
@@ -381,7 +383,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu md = MessageDigest.getInstance("SHA-1"); } else if (version >= 1.2 && "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256".equals(alg)) { // local key ID '02' version '00' - dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x02, (byte) 0x00}); + dst.write(new byte[] {(byte) 0x02, (byte) 0x00}); // portable algorithm reference dst.write(new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x04}); // hash template 
@@ -389,12 +391,29 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu md = MessageDigest.getInstance("SHA256"); } else if (version >= 1.2 && "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256".equals(alg)) { // local key ID '03' version '00' - dst.write(new byte[] {(byte) 0x84, (byte) 0x03, (byte) 0x80, (byte) 0x03, (byte) 0x00}); + dst.write(new byte[] {(byte) 0x03, (byte) 0x00}); // portable algorithm reference dst.write(new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x02}); // hash template ht = new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x40}; md = MessageDigest.getInstance("SHA256"); + } else if ("http://www.w3.org/2007/05/xmldsig-more#ecdsa-ripemd160".equals(alg)) { + // local key ID '02' version '00' + dst.write(new byte[] {(byte) 0x02, (byte) 0x00}); + if (version < 1.2) { + // algorithm ID ECDSA with RIPEMD160 doesn't work + //dst.write(new byte[] {(byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x20}); + // algorithm ID ECDSA with SHA-1 + dst.write(new byte[] {(byte) 0x89, (byte) 0x03, (byte) 0x13, (byte) 0x35, (byte) 0x10}); + } else { + // portable algorithm reference + dst.write(new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x04}); + // hash template (SHA-1 - no EF_ALIAS for RIPEMD160) + //ht = new byte[] {(byte) 0x80, (byte) 0x01, (byte) 0x10}; + // hash template for RIPEMD160 + ht = new byte[] {(byte) 0x89, (byte) 0x02, (byte) 0x14, (byte) 0x30}; + } + md = MessageDigest.getInstance("RIPEMD160"); } else { throw new SignatureCardException("e-card version " + version + " does not support signature algorithm " + alg + "."); } @@ -439,7 +458,7 @@ public class STARCOSCard extends AbstractSignatureCard implements PINMgmtSignatu } - } else if (KeyboxName.CERITIFIED_KEYPAIR.equals(keyboxName)) { + } else if (KeyboxName.CERTIFIED_KEYPAIR.equals(keyboxName)) { // SELECT application execSELECT_AID(channel, AID_DF_GS); 
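Review bot: In the `@@ -389,12 +391,29 @@` hunk of STARCOSCard.java, the `version >= 1.2` path of the new ecdsa-ripemd160 branch writes the portable algorithm reference `0x80 0x01 0x04`, the same value the ecdsa-sha256 branch uses, and then sets a hash template `0x89 0x02 0x14 0x30` whose form differs from the `0x80 0x01 ..` templates of the other branches; nothing in the hunk explains why this combination is right. Two commented-out alternatives (`//dst.write(...)` and `//ht = ...`) are left beside it with only "doesn't work" as explanation. I would delete the dead lines and keep one why-comment, for example `// RIPEMD160 algorithm ID (0x20) does not work on cards < 1.2; declare SHA-1 (0x10), the digest is computed off-card and has the same length`. In the `version < 1.2` path `ht` stays null, and how a null `ht` is handled is decided after the hunk, so that should be confirmed against the existing SHA-1 path. A test that verifies a produced ecdsa-ripemd160 signature against the card's certificate would pin this behaviour for both version ranges.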
diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java index a0a7523d..273fb779 100644 --- a/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java +++ b/smcc/src/main/java/at/gv/egiz/smcc/SWCard.java @@ -227,7 +227,7 @@ public class SWCard implements SignatureCard { private KeyStore getKeyStore(KeyboxName keyboxName, char[] password) throws SignatureCardException { - if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) { + if (keyboxName == KeyboxName.CERTIFIED_KEYPAIR) { if (certifiedKeyStore == null) { certifiedKeyStore = loadKeyStore(KEYSTORE_CERTIFIED_KEYPAIR, password); } @@ -245,7 +245,7 @@ public class SWCard implements SignatureCard { private char[] getPassword(KeyboxName keyboxName) throws SignatureCardException { - if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) { + if (keyboxName == KeyboxName.CERTIFIED_KEYPAIR) { if (certifiedKeyStorePassword == null) { certifiedKeyStorePassword = loadKeyStorePassword(KEYSTORE_PASSWORD_CERTIFIED_KEYPAIR); } @@ -265,7 +265,7 @@ public class SWCard implements SignatureCard { throws SignatureCardException { try { - if (keyboxName == KeyboxName.CERITIFIED_KEYPAIR) { + if (keyboxName == KeyboxName.CERTIFIED_KEYPAIR) { if (certifiedCertificate == null) { certifiedCertificate = loadCertificate(CERTIFICATE_CERTIFIED_KEYPAIR); } diff --git a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java index ea389d41..56ae7b74 100644 --- a/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java +++ b/smcc/src/main/java/at/gv/egiz/smcc/SignatureCard.java @@ -39,7 +39,7 @@ public interface SignatureCard { public static KeyboxName SECURE_SIGNATURE_KEYPAIR = new KeyboxName( "SecureSignatureKeypair"); - public static KeyboxName CERITIFIED_KEYPAIR = new KeyboxName( + public static KeyboxName CERTIFIED_KEYPAIR = new KeyboxName( "CertifiedKeypair"); private String keyboxName_; 
@@ -51,8 +51,8 @@ public interface SignatureCard { public static KeyboxName getKeyboxName(String keyBox) { if (SECURE_SIGNATURE_KEYPAIR.equals(keyBox)) { return SECURE_SIGNATURE_KEYPAIR; - } else if (CERITIFIED_KEYPAIR.equals(keyBox)) { - return CERITIFIED_KEYPAIR; + } else if (CERTIFIED_KEYPAIR.equals(keyBox)) { + return CERTIFIED_KEYPAIR; } else { return new KeyboxName(keyBox); } diff --git a/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractCardTest.java index f47afcfa..28ad9090 100644 --- a/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractCardTest.java +++ b/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractCardTest.java @@ -62,7 +62,7 @@ public abstract class AbstractCardTest extends AbstractCardTestBase { byte[] certificateGSRef = (byte[]) applicationContext.getBean("certificateGS", byte[].class); - byte[] certificateGS = signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR, null); + byte[] certificateGS = signatureCard.getCertificate(KeyboxName.CERTIFIED_KEYPAIR, null); assertArrayEquals(certificateGSRef, certificateGS); @@ -113,7 +113,7 @@ public abstract class AbstractCardTest extends AbstractCardTestBase { byte[] signature = signatureCard.createSignature(new ByteArrayInputStream("MOCCA" .getBytes("ASCII")), - KeyboxName.CERITIFIED_KEYPAIR, new SMCCTestPINProvider(pin), null); + KeyboxName.CERTIFIED_KEYPAIR, new SMCCTestPINProvider(pin), null); assertNotNull(signature); @@ -126,7 +126,7 @@ public abstract class AbstractCardTest extends AbstractCardTestBase { byte[] signature = signatureCard.createSignature(new ByteArrayInputStream("MOCCA" .getBytes("ASCII")), - KeyboxName.CERITIFIED_KEYPAIR, new SMCCTestPINProvider(pin), null); + KeyboxName.CERTIFIED_KEYPAIR, new SMCCTestPINProvider(pin), null); assertNotNull(signature); 
@@ -140,7 +140,7 @@ public abstract class AbstractCardTest extends AbstractCardTestBase { PINGUI pinProvider = new CancelPINProvider(); signatureCard.createSignature(new ByteArrayInputStream(MOCCA), - KeyboxName.CERITIFIED_KEYPAIR, pinProvider, null); + KeyboxName.CERTIFIED_KEYPAIR, pinProvider, null); } @@ -164,7 +164,7 @@ public abstract class AbstractCardTest extends AbstractCardTestBase { PINGUI pinProvider = new InterruptPINProvider(); signatureCard.createSignature(new ByteArrayInputStream(MOCCA), - KeyboxName.CERITIFIED_KEYPAIR, pinProvider, null); + KeyboxName.CERTIFIED_KEYPAIR, pinProvider, null); } @@ -206,7 +206,7 @@ public abstract class AbstractCardTest extends AbstractCardTestBase { throws CancelledException, InterruptedException { try { - signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR, null); + signatureCard.getCertificate(KeyboxName.CERTIFIED_KEYPAIR, null); assertTrue(false); return null; } catch (SignatureCardException e) { @@ -217,7 +217,7 @@ public abstract class AbstractCardTest extends AbstractCardTestBase { }; signatureCard.createSignature(new ByteArrayInputStream(MOCCA), - KeyboxName.CERITIFIED_KEYPAIR, pinProvider, null); + KeyboxName.CERTIFIED_KEYPAIR, pinProvider, null); } diff --git a/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractInvalidCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractInvalidCardTest.java index d9aa4b87..e586f951 100644 --- a/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractInvalidCardTest.java +++ b/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractInvalidCardTest.java @@ -50,7 +50,7 @@ public abstract class AbstractInvalidCardTest extends AbstractCardTestBase { } try { - signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR, null); + signatureCard.getCertificate(KeyboxName.CERTIFIED_KEYPAIR, null); fail(); } catch (SignatureCardException e) { // expected 
diff --git a/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractNotActivatedCardTest.java b/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractNotActivatedCardTest.java index 53eb6692..fb86a773 100644 --- a/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractNotActivatedCardTest.java +++ b/smcc/src/test/java/at/gv/egiz/smcc/test/AbstractNotActivatedCardTest.java @@ -56,7 +56,7 @@ public abstract class AbstractNotActivatedCardTest extends AbstractCardTestBase } try { - signatureCard.getCertificate(KeyboxName.CERITIFIED_KEYPAIR, null); + signatureCard.getCertificate(KeyboxName.CERTIFIED_KEYPAIR, null); fail(); } catch (NotActivatedException e) { // expected diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java index 94de392e..7e1b42fe 100644 --- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java +++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/InfoBoxReadRequestHandler.java @@ -72,11 +72,11 @@ public class InfoBoxReadRequestHandler extends AbstractRequestHandler { InfoboxReadResponse stalResp = new InfoboxReadResponse(); stalResp.setInfoboxValue(resp); return stalResp; - } else if (SignatureCard.KeyboxName.CERITIFIED_KEYPAIR.equals(infoBox + } else if (SignatureCard.KeyboxName.CERTIFIED_KEYPAIR.equals(infoBox .getInfoboxIdentifier())) { log.debug("Handling certified keypair infobox."); byte[] resp = card - .getCertificate(SignatureCard.KeyboxName.CERITIFIED_KEYPAIR, new VerifyPINGUI(gui)); + .getCertificate(SignatureCard.KeyboxName.CERTIFIED_KEYPAIR, new VerifyPINGUI(gui)); if (resp == null) { return new ErrorResponse(6001); } diff --git a/smccTest/pom.xml b/smccTest/pom.xml index fc4ceaa4..a7d2df92 100644 --- a/smccTest/pom.xml +++ b/smccTest/pom.xml @@ -3,11 +3,11 @@ mocca at.gv.egiz - 1.3.5-SNAPSHOT + 1.3.6-SNAPSHOT at.gv.egiz smccTest - 1.3.5-SNAPSHOT + 1.3.6-SNAPSHOT SMCC Test Card Terminal and Smart Card Tests 
diff --git a/smccTest/src/main/java/at/gv/egiz/smcctest/CardTest.java b/smccTest/src/main/java/at/gv/egiz/smcctest/CardTest.java index 1f079528..b25370a4 100644 --- a/smccTest/src/main/java/at/gv/egiz/smcctest/CardTest.java +++ b/smccTest/src/main/java/at/gv/egiz/smcctest/CardTest.java @@ -47,7 +47,7 @@ import at.gv.egiz.smcc.util.SMCCHelper; public class CardTest { - private static KeyboxName[] keyboxNames = { KeyboxName.SECURE_SIGNATURE_KEYPAIR, KeyboxName.CERITIFIED_KEYPAIR }; + private static KeyboxName[] keyboxNames = { KeyboxName.SECURE_SIGNATURE_KEYPAIR, KeyboxName.CERTIFIED_KEYPAIR }; private static String[] infoboxes = { "IdentityLink" }; -- cgit v1.2.3