iaik.pkcs.pkcs11.provider.signatures

Class ExternalHashSignature

java.lang.Object

java.security.SignatureSpi

iaik.pkcs.pkcs11.provider.signatures.PKCS11Signature

iaik.pkcs.pkcs11.provider.signatures.ExternalHashSignature

All Implemented Interfaces:

PKCS11EngineClass

Direct Known Subclasses:

ExternalMd2RsaSignature, ExternalMd5RsaSignature, ExternalRipeMd128RsaSignature, ExternalRipeMd160EcdsaSignature, ExternalRipeMd160RsaSignature, ExternalRipeMd256RsaSignature, ExternalRsaPssSignature, ExternalSha1DsaSignature, ExternalSha1EcdsaSignature, ExternalSha1RsaPssSignature, ExternalSha1RsaSignature, ExternalSha1RsaX931Signature, ExternalSha224DsaSignature, ExternalSha224EcdsaSignature, ExternalSha224RsaPssSignature, ExternalSha224RsaSignature, ExternalSha256DsaSignature, ExternalSha256EcdsaSignature, ExternalSha256RsaPssSignature, ExternalSha256RsaSignature, ExternalSha3_224DsaSignature, ExternalSha3_224EcdsaSignature, ExternalSha3_224RsaPssSignature, ExternalSha3_224RsaSignature, ExternalSha3_256DsaSignature, ExternalSha3_256EcdsaSignature, ExternalSha3_256RsaPssSignature, ExternalSha3_256RsaSignature, ExternalSha3_384DsaSignature, ExternalSha3_384EcdsaSignature, ExternalSha3_384RsaPssSignature, ExternalSha3_384RsaSignature, ExternalSha3_512DsaSignature, ExternalSha3_512EcdsaSignature, ExternalSha3_512RsaPssSignature, ExternalSha3_512RsaSignature, ExternalSha384DsaSignature, ExternalSha384EcdsaSignature, ExternalSha384RsaPssSignature, ExternalSha384RsaSignature, ExternalSha512DsaSignature, ExternalSha512EcdsaSignature, ExternalSha512RsaPssSignature, ExternalSha512RsaSignature, ExternalWhirlpoolEcdsaSignature

public abstract class ExternalHashSignature
extends PKCS11Signature

This is an implementation of a Signature class that uses the IAIK PKCS#11 wrapper to access the token. It only works with IAIKPKCS11PrivateKey and IAIKPKCS11PublicKey. This version uses creates the hash off-card. This class generates the hash itself using a MessageDigest object. After hashing it send the generated hash to the token for signing. A subclass can decide which concrete algorithm to use.

Author:

Karl Scheibelhofer

Field Summary

Fields

Modifier and Type	Field and Description
protected java.security.MessageDigest	messageDigest_ Used to hash the incoming data before sending the hash to the token.

Fields inherited from class iaik.pkcs.pkcs11.provider.signatures.PKCS11Signature

currentKeyIsSoftwareKey_, initialized_, operationState_, pkcs11OperationInitialized_, privateKey_, publicKey_, session_, SIGN, softwareDelegate_, tokenManager_, usedMechanismInfos_, usedMechanisms_, VERIFY

Fields inherited from class java.security.SignatureSpi

appRandom

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	ExternalHashSignature() Default constructor for subclasses only.

Method Summary

Modifier and Type	Method and Description
protected abstract iaik.pkcs.pkcs11.Mechanism	getMechanism() Get the mechanism of this signature object.
protected java.security.MessageDigest	getMessageDigest() Returns the Message digest engine that this object uses to hash the data.
protected abstract java.lang.String	getMessageDigestName() Returns the message digest's name that this object uses to hash the data.
protected void	pkcs11InitSign(java.security.PrivateKey privateKey) SPI: Initializes this Signature object with the given RSA private key for going to sign some data.
protected void	pkcs11InitVerify(java.security.PublicKey publicKey) SPI: Initializes this Signature object with the given RSA public key for performing a signature verification.
protected byte[]	pkcs11Sign() Sign the generated hash.
protected void	pkcs11Update(byte dataByte) SPI: Updates the data to be signed or verified with the specified byte.
protected void	pkcs11Update(byte[] data, int offset, int length) SPI: Updates the data to be signed or verified with the specified number of bytes, beginning at the specified offset within the given byte array.
protected boolean	pkcs11Verify(byte[] signature) Verifies the given signature of a message according to PKCS#1.
protected byte[]	prepareHash(byte[] rawHash) Prepares the hash for input to the signature function.

Methods inherited from class iaik.pkcs.pkcs11.provider.signatures.PKCS11Signature

engineGetParameter, engineInitSign, engineInitVerify, engineSetParameter, engineSetParameter, engineSign, engineUpdate, engineUpdate, engineVerify, finalize, finalizePkcs11Operation, getAlgorithmName, getUsedMechanismFeatures, getUsedMechanisms, initializePkcs11Operation, initializeSession, initializeSoftwareDelegate, isSupportedBy, pkcs11GetParameter, pkcs11SetParameter, pkcs11SetParameter

Methods inherited from class java.security.SignatureSpi

clone, engineGetParameters, engineInitSign, engineSign, engineUpdate, engineVerify

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

messageDigest_

protected java.security.MessageDigest messageDigest_

Used to hash the incoming data before sending the hash to the token.

Constructor Detail

ExternalHashSignature

protected ExternalHashSignature()

Default constructor for subclasses only.

Method Detail

getMessageDigest

protected java.security.MessageDigest getMessageDigest()
                                                throws IAIKPkcs11Exception

Returns the Message digest engine that this object uses to hash the data.

Returns:

A initialized message digest object ready for hashing.

Throws:

IAIKPkcs11Exception - If creating the digest object fails.

Postconditions:

(result <> null)

getMessageDigestName

protected abstract java.lang.String getMessageDigestName()

Returns the message digest's name that this object uses to hash the data. This is the JCA name.

Returns:

A message digest's JCA name.

Postconditions:

(result <> null)

prepareHash

protected byte[] prepareHash(byte[] rawHash)
                      throws IAIKPkcs11Exception

Prepares the hash for input to the signature function. This may include padding and other operations. The default implementation of this class does no wrapping.

Parameters:

rawHash - The raw hash value; i.e. the 20 bytes of a SHA-1 hash.

Returns:

The hash value prepared for input to the signature mechanism.

Throws:

IAIKPkcs11Exception - If the hash cannot be prepared for any reason.

getMechanism

protected abstract iaik.pkcs.pkcs11.Mechanism getMechanism()

Get the mechanism of this signature object. This implementation returns a mechanism with CKM_DSA as ID.

Specified by:

getMechanism in class PKCS11Signature

Returns:

The mechanism this object uses for signing and verification.

Postconditions:

(result <> null)

pkcs11InitVerify

protected void pkcs11InitVerify(java.security.PublicKey publicKey)
                         throws java.security.InvalidKeyException

SPI: Initializes this Signature object with the given RSA public key for performing a signature verification.

Overrides:

pkcs11InitVerify in class PKCS11Signature

Parameters:

publicKey - The RSA public key belonging to the RSA private key that has been used for signing.

Throws:

java.security.InvalidKeyException - If a key encoding error occurs.

Preconditions:

(publicKey instanceof IAIKPKCS11PublicKey)

pkcs11InitSign

protected void pkcs11InitSign(java.security.PrivateKey privateKey)
                       throws java.security.InvalidKeyException

SPI: Initializes this Signature object with the given RSA private key for going to sign some data.

Overrides:

pkcs11InitSign in class PKCS11Signature

Parameters:

privateKey - The RSA private key to be used for signing.

Throws:

java.security.InvalidKeyException - If a key encoding error occurs.

Preconditions:

(publicKey instanceof IAIKPKCS11PrivateKey)

pkcs11Update

protected void pkcs11Update(byte dataByte)
                     throws java.security.SignatureException

SPI: Updates the data to be signed or verified with the specified byte. This implementation updates only the internal message digest. The final hash is send to the token at the engineSign() or at the engineVerify(byte[]) call.

Overrides:

pkcs11Update in class PKCS11Signature

Parameters:

dataByte - The byte to be used for updating.

Throws:

java.security.SignatureException - If updating the signature fails.

Preconditions:

(initialized_ == true)

pkcs11Update

protected void pkcs11Update(byte[] data,
                            int offset,
                            int length)
                     throws java.security.SignatureException

SPI: Updates the data to be signed or verified with the specified number of bytes, beginning at the specified offset within the given byte array. This implementation updates only the internal message digest. The final hash is send to the token at the engineSign() or at the engineVerify(byte[]) call.

Overrides:

pkcs11Update in class PKCS11Signature

Parameters:

data - The byte array holding the data to be used for this update operation.

offset - The offset, indicating the start position within the given byte array.

length - The number of bytes to be obtained from the given byte array, starting at the given position.

Throws:

java.security.SignatureException - If updating the signature fails

Preconditions:

(initialized_ == true)

pkcs11Sign

protected byte[] pkcs11Sign()
                     throws java.security.SignatureException

Sign the generated hash.

Overrides:

pkcs11Sign in class PKCS11Signature

Returns:

A byte array holding the signature.

Throws:

java.security.SignatureException - If an error occurs when creating the signature.

Preconditions:

(operationState_ == SIGN) and (initialized_ == true)

pkcs11Verify

protected boolean pkcs11Verify(byte[] signature)
                        throws java.security.SignatureException

Verifies the given signature of a message according to PKCS#1.

Overrides:

pkcs11Verify in class PKCS11Signature

Parameters:

signature - The signature bytes to be verified.

Returns:

true if signature is OK, false otherwise.

Throws:

java.security.SignatureException - If an error occurs when verifying the signature.

Preconditions:

(operationState_ == VERIFY) and (initialized_ == true)