com.unbound.client.pkcs11.PKCS11SignatureOper Maven / Gradle / Ivy
This is a collection of JAVA libraries that implement Unbound cryptographic classes for JAVA provider, PKCS11 wrapper, cryptoki, and advapi
package com.unbound.client.pkcs11;
import com.dyadicsec.cryptoki.*;
import com.unbound.client.SignatureOper;
import com.unbound.common.Converter;
import com.unbound.common.crypto.EC;
import java.security.ProviderException;
import java.security.interfaces.ECPublicKey;
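/**
 * Signature operation that delegates signing and verification to a PKCS#11 token
 * through the {@code com.dyadicsec.cryptoki} wrapper.
 *
 * <p>State such as {@code session}, {@code keyObject}, {@code mode}, {@code hashType},
 * {@code mgfHashType} and {@code pssSaltLen}, and the helpers {@code getBufferBytes()} and
 * {@code reset()}, are not declared in this class; they are presumably inherited from
 * {@link SignatureOper} (not visible here).
 *
 * <p>Verification fails closed: the verify methods return {@code true} only after the token
 * accepted the signature, return {@code false} only when the token reported
 * {@code CKR_SIGNATURE_INVALID}, and throw {@link ProviderException} for every other token error.
 */
public final class PKCS11SignatureOper extends SignatureOper
{
  /** Returns the PKCS#11 object handle of the key bound to this operation. */
  private int getKeyHandle()
  {
    return ((PKCS11Object) keyObject).handle;
  }

  /** Returns the PKCS#11 session handle of the session currently held by this operation. */
  private CK_SESSION_HANDLE getSessionHandle()
  {
    return ((PKCS11Session) session).getHandle();
  }

  /** Flags the current session as having an active cryptographic operation. */
  private void markOperationStarted()
  {
    ((PKCS11Session) session).setOperationInProgress(true);
  }

  /** Clears the active-operation flag on the current session. */
  private void markOperationFinished()
  {
    ((PKCS11Session) session).setOperationInProgress(false);
  }

  /**
   * Best-effort removal of a temporary session object created for a verification.
   *
   * <p>Used on failure paths only, so a cleanup error is deliberately not propagated: it must
   * not replace the verification result or the exception that is already being reported.
   *
   * @param handle handle returned by {@code C_CreateObject} for the temporary public key
   */
  private void destroyTempObject(int handle)
  {
    try
    {
      Library.C_DestroyObject(getSessionHandle(), handle);
    }
    catch (CKR_Exception ignored)
    {
      // Intentionally ignored: the session may already be unusable, and the caller is
      // reporting the original verification outcome.
    }
  }

  /**
   * Builds the PKCS#11 mechanism for the configured signature mode.
   *
   * <p>Only an explicit allow-list of mechanisms is accepted; anything else is rejected rather
   * than passed through to the token.
   *
   * @return the mechanism, carrying PSS parameters for {@code CKM_RSA_PKCS_PSS} and no
   *         parameter for the other supported mechanisms
   * @throws ProviderException if the mode maps to a mechanism outside the allow-list
   */
  private CK_MECHANISM getMechanism()
  {
    Object parameter = null;
    int mech = mode.getPkcs11Mech();
    switch (mech)
    {
      case CK.CKM_RSA_PKCS_PSS:
      {
        // PSS needs the salt length plus the hash and MGF identifiers as mechanism parameters.
        CK_RSA_PKCS_PSS_PARAMS pss = new CK_RSA_PKCS_PSS_PARAMS();
        pss.sLen = pssSaltLen;
        pss.hashAlg = hashType.getPkcs11Mech();
        pss.mgf = mgfHashType.getPkcs11Mgf();
        parameter = pss;
      }
      break;

      case CK.CKM_RSA_PKCS:
      case CK.CKM_ECDSA:
      case CK.DYCKM_EDDSA:
        // Parameterless mechanisms.
        break;

      default:
        throw new ProviderException("Unsupported signature mechanism");
    }
    return new CK_MECHANISM(mech, parameter);
  }

  /**
   * Signs {@code in} on the token with the bound key.
   *
   * <p>For {@code CKM_RSA_PKCS} with a hash type set, {@code hashType.getOid()} is prepended to
   * the input before signing (presumably the DigestInfo prefix; confirm against
   * {@code hashType}). With no hash type the input is signed exactly as given. For
   * {@code CKM_ECDSA} the token output is converted with {@code curve.sigBinToDer}.
   *
   * @param in the bytes to sign
   * @return the signature bytes
   * @throws ProviderException if the mechanism is unsupported or the token reports an error
   */
  @Override
  protected byte[] hwSign(byte[] in)
  {
    try
    {
      CK_MECHANISM mechanism = getMechanism();
      Library.C_SignInit(getSessionHandle(), mechanism, getKeyHandle());
      markOperationStarted();

      if (mechanism.mechanism == CK.CKM_RSA_PKCS && hashType != null)
      {
        in = Converter.concat(hashType.getOid(), in);
      }

      byte[] out = Library.C_Sign(getSessionHandle(), in);
      if (mechanism.mechanism == CK.CKM_ECDSA)
      {
        EC.Curve curve = ((PKCS11ECPrivateKey) keyObject).getCurve();
        out = curve.sigBinToDer(out);
      }

      // NOTE(review): when C_Sign or the conversion above throws, the in-progress flag stays
      // set. Whether session release relies on that is not visible in this file, so the
      // behaviour is left unchanged.
      markOperationFinished();
      return out;
    }
    catch (CKR_Exception e)
    {
      throw new ProviderException(e);
    }
  }

  /**
   * Verifies an EdDSA signature over the buffered data ({@code getBufferBytes()}) using a
   * temporary session public-key object built from {@code pubKeyValue}.
   *
   * <p>The temporary object is destroyed on every path. Previously it was destroyed only after
   * a successful verification, so each rejected signature or token error left a public-key
   * object behind in the session.
   *
   * @param partition partition from which the session is acquired
   * @param pubKeyValue raw EdDSA public key value, stored in {@code DYCKA_EDDSA_PUB_KEY}
   * @param sig signature to check
   * @return {@code true} if the token accepted the signature, {@code false} if it reported
   *         {@code CKR_SIGNATURE_INVALID}
   * @throws ProviderException for any other token error (for example a length error such as
   *         CKR_SIGNATURE_LEN_RANGE); callers must treat it as a failed verification
   */
  public boolean verifyEddsa(PKCS11Partition partition, byte[] pubKeyValue, byte[] sig)
  {
    boolean ok = false;
    boolean tempCreated = false;
    int tempHandle = 0;
    try
    {
      session = partition.acquireSession();
      CK_SESSION_HANDLE sessionHandle = getSessionHandle();
      tempHandle = Library.C_CreateObject(sessionHandle,
        new CK_ATTRIBUTE[]
        {
          new CK_ATTRIBUTE(CK.CKA_TOKEN, false), // session object, not persisted on the token
          new CK_ATTRIBUTE(CK.CKA_CLASS, CK.CKO_PUBLIC_KEY),
          new CK_ATTRIBUTE(CK.CKA_KEY_TYPE, CK.DYCKK_EDDSA),
          new CK_ATTRIBUTE(CK.DYCKA_EDDSA_PUB_KEY, pubKeyValue),
        });
      tempCreated = true;

      markOperationStarted();
      Library.C_VerifyInit(sessionHandle, new CK_MECHANISM(CK.DYCKM_EDDSA), tempHandle);
      Library.C_Verify(sessionHandle, getBufferBytes(), sig);
      ok = true;

      // Success path: destroy here so that a cleanup failure is still reported.
      tempCreated = false;
      Library.C_DestroyObject(sessionHandle, tempHandle);
      markOperationFinished();
    }
    catch (CKR_Exception e)
    {
      // Only an explicit "signature invalid" maps to false; everything else is an error.
      if (e.errorCode != CK.CKR_SIGNATURE_INVALID) throw new ProviderException(e);
    }
    finally
    {
      try
      {
        // Failure path: remove the temporary key while the session is still held.
        if (tempCreated) destroyTempObject(tempHandle);
      }
      finally
      {
        reset();
      }
    }
    return ok;
  }

  /**
   * Verifies a Schnorr signature over the buffered data ({@code getBufferBytes()}) using a
   * temporary session EC public-key object.
   *
   * <p>The key object is always created with the {@code EC.P256k} parameters; only
   * {@code pubKey.getW()} is read, so the curve parameters carried by {@code pubKey} are not
   * checked here. Callers should pass only keys on that curve.
   *
   * <p>The temporary object is destroyed on every path. Previously it was destroyed only after
   * a successful verification, so each rejected signature or token error left a public-key
   * object behind in the session.
   *
   * @param partition partition from which the session is acquired
   * @param pubKey EC public key whose point is used for verification
   * @param sig signature to check
   * @return {@code true} if the token accepted the signature, {@code false} if it reported
   *         {@code CKR_SIGNATURE_INVALID}
   * @throws ProviderException for any other token error; callers must treat it as a failed
   *         verification
   */
  public boolean verifySchnorr(PKCS11Partition partition, ECPublicKey pubKey, byte[] sig)
  {
    boolean ok = false;
    boolean tempCreated = false;
    int tempHandle = 0;
    try
    {
      session = partition.acquireSession();
      CK_SESSION_HANDLE sessionHandle = getSessionHandle();
      tempHandle = Library.C_CreateObject(sessionHandle,
        new CK_ATTRIBUTE[]
        {
          new CK_ATTRIBUTE(CK.CKA_TOKEN, false), // session object, not persisted on the token
          new CK_ATTRIBUTE(CK.CKA_CLASS, CK.CKO_PUBLIC_KEY),
          new CK_ATTRIBUTE(CK.CKA_KEY_TYPE, CK.CKK_EC),
          new CK_ATTRIBUTE(CK.CKA_EC_PARAMS, EC.P256k.oid),
          new CK_ATTRIBUTE(CK.CKA_EC_POINT, EC.P256k.toDer(pubKey.getW())),
        });
      tempCreated = true;

      markOperationStarted();
      Library.C_VerifyInit(sessionHandle, new CK_MECHANISM(CK.DYCKM_SCHNORR), tempHandle);
      Library.C_Verify(sessionHandle, getBufferBytes(), sig);
      ok = true;

      // Success path: destroy here so that a cleanup failure is still reported.
      tempCreated = false;
      Library.C_DestroyObject(sessionHandle, tempHandle);
      markOperationFinished();
    }
    catch (CKR_Exception e)
    {
      // Only an explicit "signature invalid" maps to false; everything else is an error.
      if (e.errorCode != CK.CKR_SIGNATURE_INVALID) throw new ProviderException(e);
    }
    finally
    {
      try
      {
        // Failure path: remove the temporary key while the session is still held.
        if (tempCreated) destroyTempObject(tempHandle);
      }
      finally
      {
        reset();
      }
    }
    return ok;
  }
}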