public static String getKeystoreSignerConfWithoutAlgo(
final String keystoreFile,
final String password,
final int parallelism,
final String keyLabel) {
ParamChecker.assertNotBlank("keystoreFile", keystoreFile);
ParamChecker.assertNotBlank("password", password);
CmpUtf8Pairs conf = new CmpUtf8Pairs("password", password);
conf.putUtf8Pair("parallelism", Integer.toString(parallelism));
if (keyLabel != null) {
conf.putUtf8Pair("key-label", keyLabel);
}
conf.putUtf8Pair("keystore", "file:" + keystoreFile);
return conf.getEncoded();
}
public static String getPkcs11SignerConfWithoutAlgo(
final String pkcs11ModuleName,
final P11SlotIdentifier slotId,
final P11KeyIdentifier keyId,
final int parallelism) {
ParamChecker.assertNotNull("keyId", keyId);
CmpUtf8Pairs conf = new CmpUtf8Pairs();
conf.putUtf8Pair("parallelism", Integer.toString(parallelism));
if (pkcs11ModuleName != null && pkcs11ModuleName.length() > 0) {
conf.putUtf8Pair("module", pkcs11ModuleName);
}
if (slotId.getSlotId() != null) {
conf.putUtf8Pair("slot-id", slotId.getSlotId().toString());
} else {
conf.putUtf8Pair("slot", slotId.getSlotIndex().toString());
}
if (keyId.getKeyId() != null) {
conf.putUtf8Pair("key-id", Hex.toHexString(keyId.getKeyId()));
}
if (keyId.getKeyLabel() != null) {
conf.putUtf8Pair("key-label", keyId.getKeyLabel());
}
return conf.getEncoded();
}
private static void validateSigner(
final ConcurrentContentSigner signer,
final X509Certificate[] certificateChain,
final String signerType,
final String signerConf)
throws SignerException {
X509Certificate cert = signer.getCertificate();
if (certificateChain == null) {
return;
}
String signatureAlgoName;
try {
signatureAlgoName = AlgorithmUtil.getSignatureAlgoName(signer.getAlgorithmIdentifier());
} catch (NoSuchAlgorithmException e) {
throw new SignerException(e.getMessage(), e);
}
ContentSigner csigner;
try {
csigner = signer.borrowContentSigner();
} catch (NoIdleSignerException e) {
throw new SignerException(e.getMessage(), e);
}
try {
byte[] dummyContent = new byte[] {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
Signature verifier = Signature.getInstance(signatureAlgoName, "BC");
OutputStream signatureStream = csigner.getOutputStream();
signatureStream.write(dummyContent);
byte[] signatureValue = csigner.getSignature();
verifier.initVerify(cert.getPublicKey());
verifier.update(dummyContent);
boolean valid = verifier.verify(signatureValue);
if (valid == false) {
String subject = X509Util.getRFC4519Name(cert.getSubjectX500Principal());
StringBuilder sb = new StringBuilder();
sb.append("key and certificate not match. ");
sb.append("key type='").append(signerType).append("'; ");
CmpUtf8Pairs keyValues = new CmpUtf8Pairs(signerConf);
String pwd = keyValues.getValue("password");
if (pwd != null) {
keyValues.putUtf8Pair("password", "****");
}
keyValues.putUtf8Pair("algo", signatureAlgoName);
sb.append("conf='").append(keyValues.getEncoded()).append("', ");
sb.append("certificate subject='").append(subject).append("'");
throw new SignerException(sb.toString());
}
} catch (IOException
| NoSuchAlgorithmException
| InvalidKeyException
| SignatureException
| NoSuchProviderException e) {
throw new SignerException(e.getMessage(), e);
} finally {
if (csigner != null) {
signer.returnContentSigner(csigner);
}
}
}
