From bde3ea7b31d76e81d666396d570f15a37bfeb884 Mon Sep 17 00:00:00 2001 From: Andreas Abraham Date: Tue, 18 Sep 2018 14:49:27 +0200 Subject: restructing member access and AlgorithmMethodFactoryImpl constructor --- .../impl/CreateCMSSignatureCommandImpl.java | 452 ++++++------- .../gv/egiz/bku/slcommands/impl/cms/Signature.java | 702 ++++++++++----------- .../impl/xsect/AlgorithmMethodFactoryImpl.java | 118 ++-- 3 files changed, 638 insertions(+), 634 deletions(-) (limited to 'bkucommon/src/main/java/at/gv/egiz/bku/slcommands') diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateCMSSignatureCommandImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateCMSSignatureCommandImpl.java index 93e0eee8..6c5125aa 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateCMSSignatureCommandImpl.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateCMSSignatureCommandImpl.java @@ -1,226 +1,226 @@ -/* - * Copyright 2013 by Graz University of Technology, Austria - * MOCCA has been developed by the E-Government Innovation Center EGIZ, a joint - * initiative of the Federal Chancellery Austria and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egiz.bku.slcommands.impl; - -import iaik.cms.CMSException; -import iaik.cms.CMSSignatureException; - -import java.security.InvalidParameterException; -import java.security.cert.X509Certificate; -import java.util.Collections; -import java.util.Date; -import java.util.List; - -import org.apache.commons.configuration.Configuration; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import at.buergerkarte.namespaces.securitylayer._1_2_3.CreateCMSSignatureRequestType; -import at.gv.egiz.bku.conf.MoccaConfigurationFacade; -import at.gv.egiz.bku.slcommands.CreateCMSSignatureCommand; -import at.gv.egiz.bku.slcommands.SLCommandContext; -import at.gv.egiz.bku.slcommands.SLResult; -import at.gv.egiz.bku.slcommands.impl.cms.Signature; -import at.gv.egiz.bku.slexceptions.SLCommandException; -import at.gv.egiz.bku.slexceptions.SLException; -import at.gv.egiz.bku.slexceptions.SLRequestException; -import at.gv.egiz.bku.slexceptions.SLViewerException; -import at.gv.egiz.stal.InfoboxReadRequest; -import at.gv.egiz.stal.STALRequest; - -/** - * This class implements the security layer command - * CreateCMSSignatureRequest. - * - * @author tkellner - */ -public class CreateCMSSignatureCommandImpl extends - SLCommandImpl implements - CreateCMSSignatureCommand { - - /** - * Logging facility. - */ - private final Logger log = LoggerFactory.getLogger(CreateCMSSignatureCommandImpl.class); - - /** - * The signing certificate. - */ - protected X509Certificate signingCertificate; - - /** - * The keybox identifier of the key used for signing. - */ - protected String keyboxIdentifier; - - /** - * The to-be signed signature. - */ - protected Signature signature; - - /** - * The configuration facade used to access the MOCCA configuration. - */ - private ConfigurationFacade configurationFacade = new ConfigurationFacade(); - - private class ConfigurationFacade implements MoccaConfigurationFacade { - private Configuration configuration; - - public static final String USE_STRONG_HASH = "UseStrongHash"; - - public void setConfiguration(Configuration configuration) { - this.configuration = configuration; - } - - public boolean getUseStrongHash() { - return configuration.getBoolean(USE_STRONG_HASH, true); - } -} - - public void setConfiguration(Configuration configuration) { - configurationFacade.setConfiguration(configuration); - } - - @Override - public void prepareCMSSignature(SLCommandContext commandContext) throws SLCommandException, - SLRequestException { - - CreateCMSSignatureRequestType request = getRequestValue(); - - try { - if (request.isPAdESCompatibility()) - { - //PAdES Compatibility Request - signature = new Signature(request.getDataObject(), request.getStructure(), - signingCertificate, commandContext.getURLDereferencer(), - configurationFacade.getUseStrongHash()); - - } - else - { - // DataObject, SigningCertificate, SigningTime - - Date signingTime = request.isPAdESCompatibility() ? null : new Date(); - signature = new Signature(request.getDataObject() != null ? request.getDataObject() - : request.getReferenceObject(), request.getStructure(), signingCertificate, signingTime, - commandContext.getURLDereferencer(), - configurationFacade.getUseStrongHash()); - } - } catch (SLCommandException e) { - log.error("Error creating CMS Signature.", e); - throw e; - } catch (InvalidParameterException e) { - log.error("Error creating CMS Signature.", e); - throw new SLCommandException(3004); - } catch (Exception e) { - log.error("Error creating CMS Signature.", e); - throw new SLCommandException(4000); - } - } - - /** - * Gets the signing certificate from STAL. - * @param commandContext TODO - * - * @throws SLCommandException - * if getting the singing certificate fails - */ - private void getSigningCertificate(SLCommandContext commandContext) throws SLCommandException { - - CreateCMSSignatureRequestType request = getRequestValue(); - keyboxIdentifier = request.getKeyboxIdentifier(); - - InfoboxReadRequest stalRequest = new InfoboxReadRequest(); - stalRequest.setInfoboxIdentifier(keyboxIdentifier); - - STALHelper stalHelper = new STALHelper(commandContext.getSTAL()); - - stalHelper.transmitSTALRequest(Collections.singletonList((STALRequest) stalRequest)); - List certificates = stalHelper.getCertificatesFromResponses(); - if (certificates == null || certificates.size() != 1) { - log.info("Got an unexpected number of certificates from STAL."); - throw new SLCommandException(4000); - } - signingCertificate = certificates.get(0); - - } - - /** - * Signs the signature. - * @param commandContext TODO - * @return the CMS signature - * @throws SLCommandException - * if signing the signature fails - * @throws SLViewerException - */ - private byte[] signCMSSignature(SLCommandContext commandContext) throws SLCommandException, SLViewerException { - - try { - return signature.sign(commandContext.getSTAL(), keyboxIdentifier); - } catch (CMSException e) { - log.error("Error creating CMSSignature", e); - throw new SLCommandException(4000); - } catch (CMSSignatureException e) { - log.error("Error creating CMSSignature", e); - throw new SLCommandException(4000); - } - } - - @Override - public SLResult execute(SLCommandContext commandContext) { - try { - - // get certificate in order to select appropriate algorithms for hashing - // and signing - log.info("Requesting signing certificate."); - getSigningCertificate(commandContext); - if (log.isDebugEnabled()) { - log.debug("Got signing certificate. {}", signingCertificate); - } else { - log.info("Got signing certificate."); - } - - // prepare the CMSSignature for signing - log.info("Preparing CMS signature."); - prepareCMSSignature(commandContext); - - // sign the CMSSignature - log.info("Signing CMS signature."); - byte[] sig = signCMSSignature(commandContext); - log.info("CMS signature signed."); - - return new CreateCMSSignatureResultImpl(sig); - - } catch (SLException e) { - return new ErrorResultImpl(e, commandContext.getLocale()); - } - } - - @Override - public String getName() { - return "CreateCMSSignatureRequest"; - } - -} +/* + * Copyright 2013 by Graz University of Technology, Austria + * MOCCA has been developed by the E-Government Innovation Center EGIZ, a joint + * initiative of the Federal Chancellery Austria and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egiz.bku.slcommands.impl; + +import iaik.cms.CMSException; +import iaik.cms.CMSSignatureException; + +import java.security.InvalidParameterException; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Date; +import java.util.List; + +import org.apache.commons.configuration.Configuration; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import at.buergerkarte.namespaces.securitylayer._1_2_3.CreateCMSSignatureRequestType; +import at.gv.egiz.bku.conf.MoccaConfigurationFacade; +import at.gv.egiz.bku.slcommands.CreateCMSSignatureCommand; +import at.gv.egiz.bku.slcommands.SLCommandContext; +import at.gv.egiz.bku.slcommands.SLResult; +import at.gv.egiz.bku.slcommands.impl.cms.Signature; +import at.gv.egiz.bku.slexceptions.SLCommandException; +import at.gv.egiz.bku.slexceptions.SLException; +import at.gv.egiz.bku.slexceptions.SLRequestException; +import at.gv.egiz.bku.slexceptions.SLViewerException; +import at.gv.egiz.stal.InfoboxReadRequest; +import at.gv.egiz.stal.STALRequest; + +/** + * This class implements the security layer command + * CreateCMSSignatureRequest. + * + * @author tkellner + */ +public class CreateCMSSignatureCommandImpl extends + SLCommandImpl implements + CreateCMSSignatureCommand { + + /** + * Logging facility. + */ + protected final Logger log = LoggerFactory.getLogger(CreateCMSSignatureCommandImpl.class); + + /** + * The signing certificate. + */ + protected X509Certificate signingCertificate; + + /** + * The keybox identifier of the key used for signing. + */ + protected String keyboxIdentifier; + + /** + * The to-be signed signature. + */ + protected Signature signature; + + /** + * The configuration facade used to access the MOCCA configuration. + */ + protected ConfigurationFacade configurationFacade = new ConfigurationFacade(); + + protected class ConfigurationFacade implements MoccaConfigurationFacade { + protected Configuration configuration; + + public static final String USE_STRONG_HASH = "UseStrongHash"; + + public void setConfiguration(Configuration configuration) { + this.configuration = configuration; + } + + public boolean getUseStrongHash() { + return configuration.getBoolean(USE_STRONG_HASH, true); + } +} + + public void setConfiguration(Configuration configuration) { + configurationFacade.setConfiguration(configuration); + } + + @Override + public void prepareCMSSignature(SLCommandContext commandContext) throws SLCommandException, + SLRequestException { + + CreateCMSSignatureRequestType request = getRequestValue(); + + try { + if (request.isPAdESCompatibility()) + { + //PAdES Compatibility Request + signature = new Signature(request.getDataObject(), request.getStructure(), + signingCertificate, commandContext.getURLDereferencer(), + configurationFacade.getUseStrongHash()); + + } + else + { + // DataObject, SigningCertificate, SigningTime + + Date signingTime = request.isPAdESCompatibility() ? null : new Date(); + signature = new Signature(request.getDataObject() != null ? request.getDataObject() + : request.getReferenceObject(), request.getStructure(), signingCertificate, signingTime, + commandContext.getURLDereferencer(), + configurationFacade.getUseStrongHash()); + } + } catch (SLCommandException e) { + log.error("Error creating CMS Signature.", e); + throw e; + } catch (InvalidParameterException e) { + log.error("Error creating CMS Signature.", e); + throw new SLCommandException(3004); + } catch (Exception e) { + log.error("Error creating CMS Signature.", e); + throw new SLCommandException(4000); + } + } + + /** + * Gets the signing certificate from STAL. + * @param commandContext TODO + * + * @throws SLCommandException + * if getting the singing certificate fails + */ + protected void getSigningCertificate(SLCommandContext commandContext) throws SLCommandException { + + CreateCMSSignatureRequestType request = getRequestValue(); + keyboxIdentifier = request.getKeyboxIdentifier(); + + InfoboxReadRequest stalRequest = new InfoboxReadRequest(); + stalRequest.setInfoboxIdentifier(keyboxIdentifier); + + STALHelper stalHelper = new STALHelper(commandContext.getSTAL()); + + stalHelper.transmitSTALRequest(Collections.singletonList((STALRequest) stalRequest)); + List certificates = stalHelper.getCertificatesFromResponses(); + if (certificates == null || certificates.size() != 1) { + log.info("Got an unexpected number of certificates from STAL."); + throw new SLCommandException(4000); + } + signingCertificate = certificates.get(0); + + } + + /** + * Signs the signature. + * @param commandContext TODO + * @return the CMS signature + * @throws SLCommandException + * if signing the signature fails + * @throws SLViewerException + */ + protected byte[] signCMSSignature(SLCommandContext commandContext) throws SLCommandException, SLViewerException { + + try { + return signature.sign(commandContext.getSTAL(), keyboxIdentifier); + } catch (CMSException e) { + log.error("Error creating CMSSignature", e); + throw new SLCommandException(4000); + } catch (CMSSignatureException e) { + log.error("Error creating CMSSignature", e); + throw new SLCommandException(4000); + } + } + + @Override + public SLResult execute(SLCommandContext commandContext) { + try { + + // get certificate in order to select appropriate algorithms for hashing + // and signing + log.info("Requesting signing certificate."); + getSigningCertificate(commandContext); + if (log.isDebugEnabled()) { + log.debug("Got signing certificate. {}", signingCertificate); + } else { + log.info("Got signing certificate."); + } + + // prepare the CMSSignature for signing + log.info("Preparing CMS signature."); + prepareCMSSignature(commandContext); + + // sign the CMSSignature + log.info("Signing CMS signature."); + byte[] sig = signCMSSignature(commandContext); + log.info("CMS signature signed."); + + return new CreateCMSSignatureResultImpl(sig); + + } catch (SLException e) { + return new ErrorResultImpl(e, commandContext.getLocale()); + } + } + + @Override + public String getName() { + return "CreateCMSSignatureRequest"; + } + +} diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java index 4a94ca7f..97cae9a2 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java @@ -1,351 +1,351 @@ -/* - * Copyright 2013 by Graz University of Technology, Austria - * MOCCA has been developed by the E-Government Innovation Center EGIZ, a joint - * initiative of the Federal Chancellery Austria and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ - - -package at.gv.egiz.bku.slcommands.impl.cms; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.InputStream; -import java.net.URI; -import java.net.URISyntaxException; -import java.security.InvalidParameterException; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.cert.CertificateEncodingException; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Date; -import java.util.List; - -import javax.xml.crypto.dsig.DigestMethod; - -import org.apache.commons.lang.ArrayUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.w3._2000._09.xmldsig_.DigestMethodType; - -import at.buergerkarte.namespaces.securitylayer._1_2_3.CMSDataObjectOptionalMetaType; -import at.buergerkarte.namespaces.securitylayer._1_2_3.CMSDataObjectRequiredMetaType; -import at.buergerkarte.namespaces.securitylayer._1_2_3.DigestAndRefType; -import at.buergerkarte.namespaces.securitylayer._1_2_3.ExcludedByteRangeType; -import at.gv.egiz.bku.slcommands.impl.xsect.AlgorithmMethodFactory; -import at.gv.egiz.bku.slcommands.impl.xsect.AlgorithmMethodFactoryImpl; -import at.gv.egiz.bku.slcommands.impl.xsect.STALSignatureException; -import at.gv.egiz.bku.slexceptions.SLCommandException; -import at.gv.egiz.bku.utils.urldereferencer.URLDereferencer; -import at.gv.egiz.stal.HashDataInput; -import at.gv.egiz.stal.STAL; -import iaik.asn1.ASN1Object; -import iaik.asn1.CodingException; -import iaik.asn1.ObjectID; -import iaik.asn1.SEQUENCE; -import iaik.asn1.UTF8String; -import iaik.asn1.structures.AlgorithmID; -import iaik.asn1.structures.Attribute; -import iaik.asn1.structures.ChoiceOfTime; -import iaik.cms.CMSException; -import iaik.cms.CMSSignatureException; -import iaik.cms.CertificateIdentifier; -import iaik.cms.ContentInfo; -import iaik.cms.IssuerAndSerialNumber; -import iaik.cms.SignedData; -import iaik.cms.SignerInfo; -import iaik.smime.ess.ESSCertID; -import iaik.smime.ess.ESSCertIDv2; -import iaik.x509.X509ExtensionException; - -/** - * This class represents a CMS-Signature as to be created by the - * security layer command CreateCMSSignatureRequest. - * - * @author tkellner - */ -public class Signature { - - public final static String ID_AA_ETS_MIMETYPE = "0.4.0.1733.2.1"; - - /** - * Logging facility. - */ - private final Logger log = LoggerFactory.getLogger(Signature.class); - - protected SignedData signedData; - protected SignerInfo signerInfo; - protected byte[] signedDocument; - protected String mimeType; - protected AlgorithmID signatureAlgorithm; - protected AlgorithmID digestAlgorithm; - protected byte[] digestValue; - protected String signatureAlgorithmURI; - protected String digestAlgorithmURI; - protected ExcludedByteRangeType excludedByteRange; - private HashDataInput hashDataInput; - - -public Signature(CMSDataObjectOptionalMetaType dataObject, String structure, - X509Certificate signingCertificate, Date signingTime, URLDereferencer urlDereferencer, - boolean useStrongHash) - throws NoSuchAlgorithmException, CertificateEncodingException, - CertificateException, X509ExtensionException, InvalidParameterException, - CodingException, SLCommandException, IOException, CMSException { - int mode = structure.equalsIgnoreCase("enveloping") ? SignedData.IMPLICIT : SignedData.EXPLICIT; - if (dataObject.getContent() != null) { - byte[] dataToBeSigned = getContent(dataObject, urlDereferencer); - this.signedData = new SignedData(dataToBeSigned, mode); - if (dataObject.getMetaInfo() != null) { - this.mimeType = dataObject.getMetaInfo().getMimeType(); - } - - hashDataInput = new CMSHashDataInput(signedDocument, mimeType); - - } else { - DigestAndRefType digestAndRef = dataObject.getDigestAndRef(); - DigestMethodType digestMethod = digestAndRef.getDigestMethod(); - - hashDataInput = new ReferencedHashDataInput(dataObject.getMetaInfo().getMimeType(), urlDereferencer, - digestAndRef.getReference(), dataObject.getExcludedByteRange()); - - try { - digestAlgorithm = getAlgorithmID(digestMethod.getAlgorithm()); - } catch (URISyntaxException e) { - //TODO: choose proper execption - throw new NoSuchAlgorithmException(e); - } - digestValue = digestAndRef.getDigestValue(); - this.signedData = new SignedData(ObjectID.pkcs7_data); - } - setAlgorithmIDs(signingCertificate, useStrongHash); - createSignerInfo(signingCertificate); - setSignerCertificate(signingCertificate); - this.mimeType = dataObject.getMetaInfo().getMimeType(); - - setAttributes(this.mimeType, signingCertificate, signingTime); - } - - public Signature(CMSDataObjectRequiredMetaType dataObject, String structure, - X509Certificate signingCertificate, URLDereferencer urlDereferencer, - boolean useStrongHash) - throws NoSuchAlgorithmException, CertificateEncodingException, - CertificateException, X509ExtensionException, InvalidParameterException, - CodingException, SLCommandException, IOException { - byte[] dataToBeSigned = getContent(dataObject, urlDereferencer); - int mode = structure.equalsIgnoreCase("enveloping") ? SignedData.IMPLICIT : SignedData.EXPLICIT; - this.signedData = new SignedData(dataToBeSigned, mode); - setAlgorithmIDs(signingCertificate, useStrongHash); - createSignerInfo(signingCertificate); - setSignerCertificate(signingCertificate); - - - setAttributes(signingCertificate); - } - - - - private void createSignerInfo(X509Certificate signingCertificate) throws CertificateEncodingException, CertificateException { - iaik.x509.X509Certificate sigcert = - new iaik.x509.X509Certificate(signingCertificate.getEncoded()); - CertificateIdentifier signerIdentifier = - new IssuerAndSerialNumber(sigcert); - PrivateKey privateKey = new STALPrivateKey(signatureAlgorithmURI, digestAlgorithmURI); - signerInfo = new SignerInfo(signerIdentifier, digestAlgorithm, - signatureAlgorithm, privateKey); - } - - private void setSignerCertificate(X509Certificate signingCertificate) { - X509Certificate[] sigcerts = new X509Certificate[] { signingCertificate }; - signedData.addCertificates(sigcerts); - } - - private void setAttributes(String mimeType, X509Certificate signingCertificate, Date signingTime) throws CertificateException, NoSuchAlgorithmException, CodingException { - List attributes = new ArrayList(); - setMimeTypeAttrib(attributes, mimeType); - setContentTypeAttrib(attributes); - setSigningCertificateAttrib(attributes, signingCertificate); - if (signingTime != null) - setSigningTimeAttrib(attributes, signingTime); - Attribute[] attributeArray = attributes.toArray(new Attribute[attributes.size()]); - signerInfo.setSignedAttributes(attributeArray); - } - - private void setAttributes(X509Certificate signingCertificate) throws CertificateException, NoSuchAlgorithmException, CodingException { - List attributes = new ArrayList(); - setContentTypeAttrib(attributes); - setSigningCertificateAttrib(attributes, signingCertificate); - Attribute[] attributeArray = attributes.toArray(new Attribute[attributes.size()]); - signerInfo.setSignedAttributes(attributeArray); - } - - - - private void setMimeTypeAttrib(List attributes, String mimeType) { - String oidStr = ID_AA_ETS_MIMETYPE; - String name = "mime-type"; - ObjectID mimeTypeOID = new ObjectID(oidStr, name); - - Attribute mimeTypeAtt = new Attribute(mimeTypeOID, new ASN1Object[] {new UTF8String(mimeType)}); - attributes.add(mimeTypeAtt); - } - - private void setContentTypeAttrib(List attributes) { - Attribute contentType = new Attribute(ObjectID.contentType, new ASN1Object[] {ObjectID.cms_data}); - attributes.add(contentType); - } - - private void setSigningCertificateAttrib(List attributes, X509Certificate signingCertificate) throws CertificateException, NoSuchAlgorithmException, CodingException { - ObjectID id; - ASN1Object value = new SEQUENCE(); - if (digestAlgorithm.equals(AlgorithmID.sha1)) { - id = ObjectID.signingCertificate; - value.addComponent(new ESSCertID(signingCertificate, true).toASN1Object()); - } - else { - id = ObjectID.signingCertificateV2; - value.addComponent(new ESSCertIDv2(digestAlgorithm, signingCertificate, true).toASN1Object()); - } - ASN1Object signingCert = new SEQUENCE(); - signingCert.addComponent(value); - Attribute signingCertificateAttrib = new Attribute(id, new ASN1Object[] {signingCert}); - attributes.add(signingCertificateAttrib); - } - - private void setSigningTimeAttrib(List attributes, Date date) { - Attribute signingTime = new Attribute(ObjectID.signingTime, new ASN1Object[] {new ChoiceOfTime(date).toASN1Object()}); - attributes.add(signingTime); - } - - private byte[] getContent(CMSDataObjectOptionalMetaType dataObject, URLDereferencer urlDereferencer) - throws InvalidParameterException, SLCommandException, IOException { - byte[] data = dataObject.getContent().getBase64Content(); - if (data == null) { - String reference = dataObject.getContent().getReference(); - if (reference == null) - throw new SLCommandException(4003); - InputStream is = urlDereferencer.dereference(reference).getStream(); - ByteArrayOutputStream baos = new ByteArrayOutputStream(); - byte[] buffer = new byte[1024]; - for (int i = is.read(buffer); i > -1; i = is.read(buffer)) { - baos.write(buffer, 0, i); - } - data = baos.toByteArray(); - is.close(); - } - this.signedDocument = data.clone(); - - this.excludedByteRange = dataObject.getExcludedByteRange(); - if (this.excludedByteRange == null) - return data; - - int from = this.excludedByteRange.getFrom().intValue(); - int to = this.excludedByteRange.getTo().intValue(); - if (from > data.length || to > data.length || from > to) - throw new InvalidParameterException("ExcludedByteRange contains invalid data: [" + - from + "-" + to + "], Content length: " + data.length); - - // Fill ExcludedByteRange with 0s for document to display in viewer - Arrays.fill(this.signedDocument, from, to+1, (byte)0); - - // Remove ExcludedByteRange from data to be signed - byte[] first = null; - byte[] second = null; - if (from > 0) - first = Arrays.copyOfRange(data, 0, from); - if ((to + 1) < data.length) - second = Arrays.copyOfRange(data, to + 1, data.length); - data = ArrayUtils.addAll(first, second); - log.debug("ExcludedByteRange [" + from + "-" + to + "], Content length: " + data.length); - return data; - } - - private void setAlgorithmIDs(X509Certificate signingCertificate, boolean useStrongHash) throws NoSuchAlgorithmException { - AlgorithmMethodFactory amf = new AlgorithmMethodFactoryImpl(signingCertificate, useStrongHash); - signatureAlgorithmURI = amf.getSignatureAlgorithmURI(); - signatureAlgorithm = amf.getSignatureAlgorithmID(); - if (digestAlgorithm != null) { - if (AlgorithmID.sha1.equals(digestAlgorithm)) { - digestAlgorithmURI = DigestMethod.SHA1; - } else if (AlgorithmID.sha256.equals(digestAlgorithm)) { - digestAlgorithmURI = DigestMethod.SHA256; - } else if (AlgorithmID.sha512.equals(digestAlgorithm)) { - digestAlgorithmURI = DigestMethod.SHA512; - } else if (AlgorithmID.ripeMd160.equals(digestAlgorithm)) { - digestAlgorithmURI = DigestMethod.RIPEMD160; - } else { - throw new NoSuchAlgorithmException("Algorithm '" + digestAlgorithm + "' not supported."); - } - } else { - digestAlgorithmURI = amf.getDigestAlgorithmURI(); - digestAlgorithm = amf.getDigestAlgorithmID(); - } - } - - public HashDataInput getHashDataInput() { - - if (hashDataInput != null) { - return hashDataInput; - } else { - return new CMSHashDataInput(signedDocument, mimeType); - } - } - - - public byte[] sign(STAL stal, String keyboxIdentifier) throws CMSException, CMSSignatureException, SLCommandException { - STALSecurityProvider securityProvider = new STALSecurityProvider(stal, keyboxIdentifier, getHashDataInput(), this.excludedByteRange); - signedData.setSecurityProvider(securityProvider); - try { - signedData.addSignerInfo(signerInfo); - } catch (NoSuchAlgorithmException e) { - STALSignatureException stalSignatureException = securityProvider.getStalSignatureException(); - if (stalSignatureException != null) { - throw new SLCommandException(stalSignatureException.getErrorCode()); - } - throw new CMSSignatureException(e); - } - if (digestValue != null) { - try { - signedData.setMessageDigest(digestAlgorithm, digestValue); - } catch (NoSuchAlgorithmException e) { - throw new CMSSignatureException(e); - } - } - ContentInfo contentInfo = new ContentInfo(signedData); - return contentInfo.getEncoded(); - } - - protected AlgorithmID getAlgorithmID(String uri) throws URISyntaxException { - String oid = null; - URI urn = new URI(uri); - String scheme = urn.getScheme(); - if ("URN".equalsIgnoreCase(scheme)) { - String schemeSpecificPart = urn.getSchemeSpecificPart().toLowerCase(); - if (schemeSpecificPart.startsWith("oid:")) { - oid = schemeSpecificPart.substring(4, schemeSpecificPart.length()); -} - } - return new AlgorithmID(new ObjectID(oid)); - } -} - - +/* + * Copyright 2013 by Graz University of Technology, Austria + * MOCCA has been developed by the E-Government Innovation Center EGIZ, a joint + * initiative of the Federal Chancellery Austria and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egiz.bku.slcommands.impl.cms; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.net.URI; +import java.net.URISyntaxException; +import java.security.InvalidParameterException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Date; +import java.util.List; + +import javax.xml.crypto.dsig.DigestMethod; + +import org.apache.commons.lang.ArrayUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.w3._2000._09.xmldsig_.DigestMethodType; + +import at.buergerkarte.namespaces.securitylayer._1_2_3.CMSDataObjectOptionalMetaType; +import at.buergerkarte.namespaces.securitylayer._1_2_3.CMSDataObjectRequiredMetaType; +import at.buergerkarte.namespaces.securitylayer._1_2_3.DigestAndRefType; +import at.buergerkarte.namespaces.securitylayer._1_2_3.ExcludedByteRangeType; +import at.gv.egiz.bku.slcommands.impl.xsect.AlgorithmMethodFactory; +import at.gv.egiz.bku.slcommands.impl.xsect.AlgorithmMethodFactoryImpl; +import at.gv.egiz.bku.slcommands.impl.xsect.STALSignatureException; +import at.gv.egiz.bku.slexceptions.SLCommandException; +import at.gv.egiz.bku.utils.urldereferencer.URLDereferencer; +import at.gv.egiz.stal.HashDataInput; +import at.gv.egiz.stal.STAL; +import iaik.asn1.ASN1Object; +import iaik.asn1.CodingException; +import iaik.asn1.ObjectID; +import iaik.asn1.SEQUENCE; +import iaik.asn1.UTF8String; +import iaik.asn1.structures.AlgorithmID; +import iaik.asn1.structures.Attribute; +import iaik.asn1.structures.ChoiceOfTime; +import iaik.cms.CMSException; +import iaik.cms.CMSSignatureException; +import iaik.cms.CertificateIdentifier; +import iaik.cms.ContentInfo; +import iaik.cms.IssuerAndSerialNumber; +import iaik.cms.SignedData; +import iaik.cms.SignerInfo; +import iaik.smime.ess.ESSCertID; +import iaik.smime.ess.ESSCertIDv2; +import iaik.x509.X509ExtensionException; + +/** + * This class represents a CMS-Signature as to be created by the + * security layer command CreateCMSSignatureRequest. + * + * @author tkellner + */ +public class Signature { + + public final static String ID_AA_ETS_MIMETYPE = "0.4.0.1733.2.1"; + + /** + * Logging facility. + */ + private final Logger log = LoggerFactory.getLogger(Signature.class); + + protected SignedData signedData; + protected SignerInfo signerInfo; + protected byte[] signedDocument; + protected String mimeType; + protected AlgorithmID signatureAlgorithm; + protected AlgorithmID digestAlgorithm; + protected byte[] digestValue; + protected String signatureAlgorithmURI; + protected String digestAlgorithmURI; + protected ExcludedByteRangeType excludedByteRange; + private HashDataInput hashDataInput; + + +public Signature(CMSDataObjectOptionalMetaType dataObject, String structure, + X509Certificate signingCertificate, Date signingTime, URLDereferencer urlDereferencer, + boolean useStrongHash) + throws NoSuchAlgorithmException, CertificateEncodingException, + CertificateException, X509ExtensionException, InvalidParameterException, + CodingException, SLCommandException, IOException, CMSException { + int mode = structure.equalsIgnoreCase("enveloping") ? SignedData.IMPLICIT : SignedData.EXPLICIT; + if (dataObject.getContent() != null) { + byte[] dataToBeSigned = getContent(dataObject, urlDereferencer); + this.signedData = new SignedData(dataToBeSigned, mode); + if (dataObject.getMetaInfo() != null) { + this.mimeType = dataObject.getMetaInfo().getMimeType(); + } + + hashDataInput = new CMSHashDataInput(signedDocument, mimeType); + + } else { + DigestAndRefType digestAndRef = dataObject.getDigestAndRef(); + DigestMethodType digestMethod = digestAndRef.getDigestMethod(); + + hashDataInput = new ReferencedHashDataInput(dataObject.getMetaInfo().getMimeType(), urlDereferencer, + digestAndRef.getReference(), dataObject.getExcludedByteRange()); + + try { + digestAlgorithm = getAlgorithmID(digestMethod.getAlgorithm()); + } catch (URISyntaxException e) { + //TODO: choose proper execption + throw new NoSuchAlgorithmException(e); + } + digestValue = digestAndRef.getDigestValue(); + this.signedData = new SignedData(ObjectID.pkcs7_data); + } + setAlgorithmIDs(signingCertificate, useStrongHash); + createSignerInfo(signingCertificate); + setSignerCertificate(signingCertificate); + this.mimeType = dataObject.getMetaInfo().getMimeType(); + + setAttributes(this.mimeType, signingCertificate, signingTime); + } + + public Signature(CMSDataObjectRequiredMetaType dataObject, String structure, + X509Certificate signingCertificate, URLDereferencer urlDereferencer, + boolean useStrongHash) + throws NoSuchAlgorithmException, CertificateEncodingException, + CertificateException, X509ExtensionException, InvalidParameterException, + CodingException, SLCommandException, IOException { + byte[] dataToBeSigned = getContent(dataObject, urlDereferencer); + int mode = structure.equalsIgnoreCase("enveloping") ? SignedData.IMPLICIT : SignedData.EXPLICIT; + this.signedData = new SignedData(dataToBeSigned, mode); + setAlgorithmIDs(signingCertificate, useStrongHash); + createSignerInfo(signingCertificate); + setSignerCertificate(signingCertificate); + + + setAttributes(signingCertificate); + } + + + + private void createSignerInfo(X509Certificate signingCertificate) throws CertificateEncodingException, CertificateException { + iaik.x509.X509Certificate sigcert = + new iaik.x509.X509Certificate(signingCertificate.getEncoded()); + CertificateIdentifier signerIdentifier = + new IssuerAndSerialNumber(sigcert); + PrivateKey privateKey = new STALPrivateKey(signatureAlgorithmURI, digestAlgorithmURI); + signerInfo = new SignerInfo(signerIdentifier, digestAlgorithm, + signatureAlgorithm, privateKey); + } + + private void setSignerCertificate(X509Certificate signingCertificate) { + X509Certificate[] sigcerts = new X509Certificate[] { signingCertificate }; + signedData.addCertificates(sigcerts); + } + + private void setAttributes(String mimeType, X509Certificate signingCertificate, Date signingTime) throws CertificateException, NoSuchAlgorithmException, CodingException { + List attributes = new ArrayList(); + setMimeTypeAttrib(attributes, mimeType); + setContentTypeAttrib(attributes); + setSigningCertificateAttrib(attributes, signingCertificate); + if (signingTime != null) + setSigningTimeAttrib(attributes, signingTime); + Attribute[] attributeArray = attributes.toArray(new Attribute[attributes.size()]); + signerInfo.setSignedAttributes(attributeArray); + } + + private void setAttributes(X509Certificate signingCertificate) throws CertificateException, NoSuchAlgorithmException, CodingException { + List attributes = new ArrayList(); + setContentTypeAttrib(attributes); + setSigningCertificateAttrib(attributes, signingCertificate); + Attribute[] attributeArray = attributes.toArray(new Attribute[attributes.size()]); + signerInfo.setSignedAttributes(attributeArray); + } + + + + private void setMimeTypeAttrib(List attributes, String mimeType) { + String oidStr = ID_AA_ETS_MIMETYPE; + String name = "mime-type"; + ObjectID mimeTypeOID = new ObjectID(oidStr, name); + + Attribute mimeTypeAtt = new Attribute(mimeTypeOID, new ASN1Object[] {new UTF8String(mimeType)}); + attributes.add(mimeTypeAtt); + } + + private void setContentTypeAttrib(List attributes) { + Attribute contentType = new Attribute(ObjectID.contentType, new ASN1Object[] {ObjectID.cms_data}); + attributes.add(contentType); + } + + private void setSigningCertificateAttrib(List attributes, X509Certificate signingCertificate) throws CertificateException, NoSuchAlgorithmException, CodingException { + ObjectID id; + ASN1Object value = new SEQUENCE(); + if (digestAlgorithm.equals(AlgorithmID.sha1)) { + id = ObjectID.signingCertificate; + value.addComponent(new ESSCertID(signingCertificate, true).toASN1Object()); + } + else { + id = ObjectID.signingCertificateV2; + value.addComponent(new ESSCertIDv2(digestAlgorithm, signingCertificate, true).toASN1Object()); + } + ASN1Object signingCert = new SEQUENCE(); + signingCert.addComponent(value); + Attribute signingCertificateAttrib = new Attribute(id, new ASN1Object[] {signingCert}); + attributes.add(signingCertificateAttrib); + } + + private void setSigningTimeAttrib(List attributes, Date date) { + Attribute signingTime = new Attribute(ObjectID.signingTime, new ASN1Object[] {new ChoiceOfTime(date).toASN1Object()}); + attributes.add(signingTime); + } + + private byte[] getContent(CMSDataObjectOptionalMetaType dataObject, URLDereferencer urlDereferencer) + throws InvalidParameterException, SLCommandException, IOException { + byte[] data = dataObject.getContent().getBase64Content(); + if (data == null) { + String reference = dataObject.getContent().getReference(); + if (reference == null) + throw new SLCommandException(4003); + InputStream is = urlDereferencer.dereference(reference).getStream(); + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + byte[] buffer = new byte[1024]; + for (int i = is.read(buffer); i > -1; i = is.read(buffer)) { + baos.write(buffer, 0, i); + } + data = baos.toByteArray(); + is.close(); + } + this.signedDocument = data.clone(); + + this.excludedByteRange = dataObject.getExcludedByteRange(); + if (this.excludedByteRange == null) + return data; + + int from = this.excludedByteRange.getFrom().intValue(); + int to = this.excludedByteRange.getTo().intValue(); + if (from > data.length || to > data.length || from > to) + throw new InvalidParameterException("ExcludedByteRange contains invalid data: [" + + from + "-" + to + "], Content length: " + data.length); + + // Fill ExcludedByteRange with 0s for document to display in viewer + Arrays.fill(this.signedDocument, from, to+1, (byte)0); + + // Remove ExcludedByteRange from data to be signed + byte[] first = null; + byte[] second = null; + if (from > 0) + first = Arrays.copyOfRange(data, 0, from); + if ((to + 1) < data.length) + second = Arrays.copyOfRange(data, to + 1, data.length); + data = ArrayUtils.addAll(first, second); + log.debug("ExcludedByteRange [" + from + "-" + to + "], Content length: " + data.length); + return data; + } + + protected void setAlgorithmIDs(X509Certificate signingCertificate, boolean useStrongHash) throws NoSuchAlgorithmException { + AlgorithmMethodFactory amf = new AlgorithmMethodFactoryImpl(signingCertificate, useStrongHash); + signatureAlgorithmURI = amf.getSignatureAlgorithmURI(); + signatureAlgorithm = amf.getSignatureAlgorithmID(); + if (digestAlgorithm != null) { + if (AlgorithmID.sha1.equals(digestAlgorithm)) { + digestAlgorithmURI = DigestMethod.SHA1; + } else if (AlgorithmID.sha256.equals(digestAlgorithm)) { + digestAlgorithmURI = DigestMethod.SHA256; + } else if (AlgorithmID.sha512.equals(digestAlgorithm)) { + digestAlgorithmURI = DigestMethod.SHA512; + } else if (AlgorithmID.ripeMd160.equals(digestAlgorithm)) { + digestAlgorithmURI = DigestMethod.RIPEMD160; + } else { + throw new NoSuchAlgorithmException("Algorithm '" + digestAlgorithm + "' not supported."); + } + } else { + digestAlgorithmURI = amf.getDigestAlgorithmURI(); + digestAlgorithm = amf.getDigestAlgorithmID(); + } + } + + public HashDataInput getHashDataInput() { + + if (hashDataInput != null) { + return hashDataInput; + } else { + return new CMSHashDataInput(signedDocument, mimeType); + } + } + + + public byte[] sign(STAL stal, String keyboxIdentifier) throws CMSException, CMSSignatureException, SLCommandException { + STALSecurityProvider securityProvider = new STALSecurityProvider(stal, keyboxIdentifier, getHashDataInput(), this.excludedByteRange); + signedData.setSecurityProvider(securityProvider); + try { + signedData.addSignerInfo(signerInfo); + } catch (NoSuchAlgorithmException e) { + STALSignatureException stalSignatureException = securityProvider.getStalSignatureException(); + if (stalSignatureException != null) { + throw new SLCommandException(stalSignatureException.getErrorCode()); + } + throw new CMSSignatureException(e); + } + if (digestValue != null) { + try { + signedData.setMessageDigest(digestAlgorithm, digestValue); + } catch (NoSuchAlgorithmException e) { + throw new CMSSignatureException(e); + } + } + ContentInfo contentInfo = new ContentInfo(signedData); + return contentInfo.getEncoded(); + } + + protected AlgorithmID getAlgorithmID(String uri) throws URISyntaxException { + String oid = null; + URI urn = new URI(uri); + String scheme = urn.getScheme(); + if ("URN".equalsIgnoreCase(scheme)) { + String schemeSpecificPart = urn.getSchemeSpecificPart().toLowerCase(); + if (schemeSpecificPart.startsWith("oid:")) { + oid = schemeSpecificPart.substring(4, schemeSpecificPart.length()); +} + } + return new AlgorithmID(new ObjectID(oid)); + } +} + + diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java index 249172e7..60e50d98 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/AlgorithmMethodFactoryImpl.java @@ -93,65 +93,69 @@ public class AlgorithmMethodFactoryImpl implements AlgorithmMethodFactory { */ public AlgorithmMethodFactoryImpl(X509Certificate signingCertificate, boolean useStrongHash) throws NoSuchAlgorithmException { + + setAlgorithmURIs(signingCertificate, useStrongHash); + } + + protected void setAlgorithmURIs(X509Certificate signingCertificate, boolean useStrongHash) throws NoSuchAlgorithmException{ + + PublicKey publicKey = signingCertificate.getPublicKey(); + String algorithm = publicKey.getAlgorithm(); - PublicKey publicKey = signingCertificate.getPublicKey(); - String algorithm = publicKey.getAlgorithm(); - - if ("DSA".equals(algorithm)) { - signatureAlgorithmURI = SignatureMethod.DSA_SHA1; - signatureAlgorithmID = AlgorithmID.dsaWithSHA1; - } else if ("RSA".equals(algorithm)) { - - int keyLength = 0; - if (publicKey instanceof RSAPublicKey) { - keyLength = ((RSAPublicKey) publicKey).getModulus().bitLength(); - } - - if (useStrongHash && keyLength >= 2048) { - signatureAlgorithmURI = XmldsigMore.SIGNATURE_RSA_SHA256; - signatureAlgorithmID = AlgorithmID.sha256WithRSAEncryption; - digestAlgorithmURI = DigestMethod.SHA256; - digestAlgorithmID = AlgorithmID.sha256; - } else { - signatureAlgorithmURI = SignatureMethod.RSA_SHA1; - signatureAlgorithmID = AlgorithmID.sha1WithRSAEncryption; - } - - } else if (("EC".equals(algorithm)) || ("ECDSA".equals(algorithm))) { - - int fieldSize = 0; - if (publicKey instanceof ECPublicKey) { - ECParameterSpec params = ((ECPublicKey) publicKey).getParams(); - fieldSize = params.getCurve().getField().getFieldSize(); - } else { - throw new NoSuchAlgorithmException("Public key type not supported."); - } + if ("DSA".equals(algorithm)) { + signatureAlgorithmURI = SignatureMethod.DSA_SHA1; + signatureAlgorithmID = AlgorithmID.dsaWithSHA1; + } else if ("RSA".equals(algorithm)) { + + int keyLength = 0; + if (publicKey instanceof RSAPublicKey) { + keyLength = ((RSAPublicKey) publicKey).getModulus().bitLength(); + } + + if (useStrongHash && keyLength >= 2048) { + signatureAlgorithmURI = XmldsigMore.SIGNATURE_RSA_SHA256; + signatureAlgorithmID = AlgorithmID.sha256WithRSAEncryption; + digestAlgorithmURI = DigestMethod.SHA256; + digestAlgorithmID = AlgorithmID.sha256; + } else { + signatureAlgorithmURI = SignatureMethod.RSA_SHA1; + signatureAlgorithmID = AlgorithmID.sha1WithRSAEncryption; + } + + } else if (("EC".equals(algorithm)) || ("ECDSA".equals(algorithm))) { + + int fieldSize = 0; + if (publicKey instanceof ECPublicKey) { + ECParameterSpec params = ((ECPublicKey) publicKey).getParams(); + fieldSize = params.getCurve().getField().getFieldSize(); + } else { + throw new NoSuchAlgorithmException("Public key type not supported."); + } - if (useStrongHash && fieldSize >= 512) { - signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA512; - signatureAlgorithmID = AlgorithmID.ecdsa_With_SHA512; - digestAlgorithmURI = DigestMethod.SHA512; - digestAlgorithmID = AlgorithmID.sha512; - } else if (useStrongHash && fieldSize >= 256) { - signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA256; - signatureAlgorithmID = AlgorithmID.ecdsa_With_SHA256; - digestAlgorithmURI = DigestMethod.SHA256; - digestAlgorithmID = AlgorithmID.sha256; - } else if (useStrongHash) { - signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_RIPEMD160; - signatureAlgorithmID = AlgorithmID.ecdsa_plain_With_RIPEMD160; - digestAlgorithmURI = DigestMethod.RIPEMD160; - digestAlgorithmID = AlgorithmID.ripeMd160; - } else { - signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA1; - signatureAlgorithmID = AlgorithmID.ecdsa_With_SHA1; - } - - } else { - throw new NoSuchAlgorithmException("Public key algorithm '" + algorithm - + "' not supported."); - } - + if (useStrongHash && fieldSize >= 512) { + signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA512; + signatureAlgorithmID = AlgorithmID.ecdsa_With_SHA512; + digestAlgorithmURI = DigestMethod.SHA512; + digestAlgorithmID = AlgorithmID.sha512; + } else if (useStrongHash && fieldSize >= 256) { + signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA256; + signatureAlgorithmID = AlgorithmID.ecdsa_With_SHA256; + digestAlgorithmURI = DigestMethod.SHA256; + digestAlgorithmID = AlgorithmID.sha256; + } else if (useStrongHash) { + signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_RIPEMD160; + signatureAlgorithmID = AlgorithmID.ecdsa_plain_With_RIPEMD160; + digestAlgorithmURI = DigestMethod.RIPEMD160; + digestAlgorithmID = AlgorithmID.ripeMd160; + } else { + signatureAlgorithmURI = XmldsigMore.SIGNATURE_ECDSA_SHA1; + signatureAlgorithmID = AlgorithmID.ecdsa_With_SHA1; + } + + } else { + throw new NoSuchAlgorithmException("Public key algorithm '" + algorithm + + "' not supported."); + } } /* -- cgit v1.2.3