All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.itextpdf.signatures.SignatureMechanisms Maven / Gradle / Ivy

There is a newer version: 9.0.0
Show newest version
/*
    This file is part of the iText (R) project.
    Copyright (c) 1998-2023 Apryse Group NV
    Authors: Apryse Software.

    This program is offered under a commercial and under the AGPL license.
    For commercial licensing, contact us at https://itextpdf.com/sales.  For AGPL licensing, see below.

    AGPL licensing:
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.

    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see .
 */
package com.itextpdf.signatures;

import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;
import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;
import com.itextpdf.signatures.logs.SignLogMessageConstant;

import java.util.HashMap;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Class that contains OID mappings to extract a signature algorithm name
 * from a signature mechanism OID, and conversely, to retrieve the appropriate
 * signature mechanism OID given a signature algorithm and a digest function.
 */
public class SignatureMechanisms {

    private static final Logger LOGGER = LoggerFactory.getLogger(SignatureMechanisms.class);
    
    private static final IBouncyCastleFactory BOUNCY_CASTLE_FACTORY = BouncyCastleFactoryCreator.getFactory();

    /** Maps IDs of signature algorithms with its human-readable name. */
    static final Map algorithmNames = new HashMap<>();
    static final Map rsaOidsByDigest = new HashMap<>();
    static final Map dsaOidsByDigest = new HashMap<>();
    static final Map ecdsaOidsByDigest = new HashMap<>();

    static {
        algorithmNames.put("1.2.840.113549.1.1.1", "RSA");
        algorithmNames.put("1.2.840.10040.4.1", "DSA");
        algorithmNames.put("1.2.840.113549.1.1.2", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.4", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.5", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.11", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.12", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.13", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.14", "RSA");
        algorithmNames.put("1.2.840.10040.4.3", "DSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.1", "DSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.2", "DSA");
        algorithmNames.put("1.3.14.3.2.29", "RSA");
        algorithmNames.put("1.3.36.3.3.1.2", "RSA");
        algorithmNames.put("1.3.36.3.3.1.3", "RSA");
        algorithmNames.put("1.3.36.3.3.1.4", "RSA");
        algorithmNames.put("1.2.643.2.2.19", "ECGOST3410");

        // Elliptic curve public key cryptography
        algorithmNames.put("1.2.840.10045.2.1", "ECDSA");
        // Elliptic curve Digital Signature Algorithm (DSA) coupled with the Secure Hashing Algorithm (SHA) algorithm
        algorithmNames.put("1.2.840.10045.4.1", "ECDSA");
        // Elliptic curve Digital Signature Algorithm (DSA)
        algorithmNames.put("1.2.840.10045.4.3", "ECDSA");
        // Elliptic curve Digital Signature Algorithm (DSA) coupled with the Secure Hashing Algorithm (SHA256) algorithm
        algorithmNames.put("1.2.840.10045.4.3.2", "ECDSA");
        // Elliptic curve Digital Signature Algorithm (DSA) coupled with the Secure Hashing Algorithm (SHA384) algorithm
        algorithmNames.put("1.2.840.10045.4.3.3", "ECDSA");
        // Elliptic curve Digital Signature Algorithm (DSA) coupled with the Secure Hashing Algorithm (SHA512) algorithm
        algorithmNames.put("1.2.840.10045.4.3.4", "ECDSA");

        // Signing algorithms with SHA-3 digest functions (from NIST CSOR)
        algorithmNames.put("2.16.840.1.101.3.4.3.5", "DSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.6", "DSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.7", "DSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.8", "DSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.9", "ECDSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.10", "ECDSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.11", "ECDSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.12", "ECDSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.13", "RSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.14", "RSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.15", "RSA");
        algorithmNames.put("2.16.840.1.101.3.4.3.16", "RSA");

        /*
         * We tolerate two naming conventions for RSASSA-PSS:
         *
         *  - RSASSA-PSS
         *  - withRSA/PSS
         *
         * The former is considered the canonical one because it's the standard name in JCA,
         * the digest is required to be specified in the algorithm params anyway,
         * and the OID does not depend on the digest. BouncyCastle accepts both.
         */
        algorithmNames.put(SecurityIDs.ID_RSASSA_PSS, "RSASSA-PSS");

        // EdDSA
        algorithmNames.put(SecurityIDs.ID_ED25519, "Ed25519");
        algorithmNames.put(SecurityIDs.ID_ED448, "Ed448");

        rsaOidsByDigest.put("SHA224", "1.2.840.113549.1.1.14");
        rsaOidsByDigest.put("SHA256", "1.2.840.113549.1.1.11");
        rsaOidsByDigest.put("SHA384", "1.2.840.113549.1.1.12");
        rsaOidsByDigest.put("SHA512", "1.2.840.113549.1.1.13");
        rsaOidsByDigest.put("SHA-224", "1.2.840.113549.1.1.14");
        rsaOidsByDigest.put("SHA-256", "1.2.840.113549.1.1.11");
        rsaOidsByDigest.put("SHA-384", "1.2.840.113549.1.1.12");
        rsaOidsByDigest.put("SHA-512", "1.2.840.113549.1.1.13");
        rsaOidsByDigest.put("SHA3-224", "2.16.840.1.101.3.4.3.13");
        rsaOidsByDigest.put("SHA3-256", "2.16.840.1.101.3.4.3.14");
        rsaOidsByDigest.put("SHA3-384", "2.16.840.1.101.3.4.3.15");
        rsaOidsByDigest.put("SHA3-512", "2.16.840.1.101.3.4.3.16");

        dsaOidsByDigest.put("SHA224", "2.16.840.1.101.3.4.3.1");
        dsaOidsByDigest.put("SHA256", "2.16.840.1.101.3.4.3.2");
        dsaOidsByDigest.put("SHA384", "2.16.840.1.101.3.4.3.3");
        dsaOidsByDigest.put("SHA512", "2.16.840.1.101.3.4.3.4");
        dsaOidsByDigest.put("SHA3-224", "2.16.840.1.101.3.4.3.5");
        dsaOidsByDigest.put("SHA3-256", "2.16.840.1.101.3.4.3.6");
        dsaOidsByDigest.put("SHA3-384", "2.16.840.1.101.3.4.3.7");
        dsaOidsByDigest.put("SHA3-512", "2.16.840.1.101.3.4.3.8");

        ecdsaOidsByDigest.put("SHA1", "1.2.840.10045.4.1");
        ecdsaOidsByDigest.put("SHA224", "1.2.840.10045.4.3.1");
        ecdsaOidsByDigest.put("SHA256", "1.2.840.10045.4.3.2");
        ecdsaOidsByDigest.put("SHA384", "1.2.840.10045.4.3.3");
        ecdsaOidsByDigest.put("SHA512", "1.2.840.10045.4.3.4");
        ecdsaOidsByDigest.put("SHA3-224", "2.16.840.1.101.3.4.3.9");
        ecdsaOidsByDigest.put("SHA3-256", "2.16.840.1.101.3.4.3.10");
        ecdsaOidsByDigest.put("SHA3-384", "2.16.840.1.101.3.4.3.11");
        ecdsaOidsByDigest.put("SHA3-512", "2.16.840.1.101.3.4.3.12");
    }

    /**
     * Attempt to look up the most specific OID for a given signature-digest combination.
     *
     * @param signatureAlgorithmName  the name of the signature algorithm
     * @param digestAlgorithmName     the name of the digest algorithm, if any
     * @return an OID string, or {@code null} if none was found.
     */
    public static String getSignatureMechanismOid(String signatureAlgorithmName, String digestAlgorithmName) {
        String resultingOId;
        switch (signatureAlgorithmName) {
            case "RSA":
                final String oId = rsaOidsByDigest.get(digestAlgorithmName);
                resultingOId = oId == null ? SecurityIDs.ID_RSA : oId;
                break;
            case "DSA":
                resultingOId = dsaOidsByDigest.get(digestAlgorithmName);
                break;
            case "ECDSA":
                resultingOId = ecdsaOidsByDigest.get(digestAlgorithmName);
                break;
            case "Ed25519":
                resultingOId = SecurityIDs.ID_ED25519;
                break;
            case "Ed448":
                resultingOId = SecurityIDs.ID_ED448;
                break;
            case "RSASSA-PSS":
            case "RSA/PSS":
                resultingOId = SecurityIDs.ID_RSASSA_PSS;
                break;
            default:
                resultingOId = null;
        }
        if (resultingOId != null) {
            return resultingOId;
        }
        LOGGER.warn(SignLogMessageConstant.ALGORITHM_NOT_FROM_SPEC);
        resultingOId = BOUNCY_CASTLE_FACTORY.getAlgorithmOid(digestAlgorithmName + "with" + signatureAlgorithmName);
        if (resultingOId == null) {
            return BOUNCY_CASTLE_FACTORY.getAlgorithmOid(signatureAlgorithmName);
        } else {
            return resultingOId;
        }
    }

    /**
     * Gets the algorithm name for a certain id.
     * @param oid	an id (for instance "1.2.840.113549.1.1.1")
     * @return	an algorithm name (for instance "RSA")
     */
    public static String getAlgorithm(String oid) {
        String ret = algorithmNames.get(oid);
        if (ret == null) {
            return oid;
        } else {
            return ret;
        }
    }

    /**
     * Get the signing mechanism name for a certain id and digest.
     * 
     * @param oid an id of an algorithm
     * @param digest digest of an algorithm
     * 
     * @return name of the mechanism
     */
    public static String getMechanism(String oid, String digest) {
        String algorithm = getAlgorithm(oid);
        if (!algorithm.equals(oid)) {
            return digest + "with" + algorithm;
        }
        LOGGER.warn(SignLogMessageConstant.ALGORITHM_NOT_FROM_SPEC);
        return BOUNCY_CASTLE_FACTORY.getAlgorithmName(oid);
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy