/**
* Method decrypts the data with the RSA private key corresponding to this certificate (which was
* used to encrypt it). Decryption will be done with keystore
*
* @param data data to be decrypted.
* @param token index of authentication token
* @param pin PIN code
* @return decrypted data.
* @throws DigiDocException for all decryption errors
*/
public byte[] decrypt(byte[] data, int token, String pin) throws DigiDocException {
try {
if (m_keyStore == null)
throw new DigiDocException(
DigiDocException.ERR_NOT_INITED, "Keystore not initialized", null);
String alias = getTokenName(token);
if (alias == null)
throw new DigiDocException(
DigiDocException.ERR_TOKEN_LOGIN, "Invalid token nr: " + token, null);
// get key
if (m_logger.isDebugEnabled())
m_logger.debug(
"loading key: " + alias + " passwd-len: " + ((pin != null) ? pin.length() : 0));
Key key = m_keyStore.getKey(alias, pin.toCharArray());
if (m_logger.isDebugEnabled())
m_logger.debug("Key: " + ((key != null) ? "OK, algorithm: " + key.getAlgorithm() : "NULL"));
if (key == null)
throw new DigiDocException(
DigiDocException.ERR_TOKEN_LOGIN, "Invalid password for token: " + alias, null);
Cipher cipher = Cipher.getInstance("RSA");
cipher.init(Cipher.DECRYPT_MODE, key);
byte[] decdata = cipher.doFinal(data);
if (m_logger.isDebugEnabled())
m_logger.debug("Decrypted len: " + ((decdata != null) ? decdata.length : 0));
return decdata;
} catch (Exception ex) {
m_logger.error("Error decrypting: " + ex);
}
return null;
}
public static java.security.Signature sigMeth2SigSignatureInstance(Signature sig, Key key)
throws DigiDocException {
java.security.Signature instance = null;
String sigMeth = null, sigType = null;
try {
if (sig != null
&& sig.getSignedInfo() != null
&& sig.getSignedInfo().getSignatureMethod() != null)
sigMeth = sig.getSignedInfo().getSignatureMethod();
sigType = ConfigManager.instance().sigMeth2SigType(sigMeth, true); // allways use cvc ciphers
if (m_logger.isDebugEnabled())
m_logger.debug(
"Key: "
+ ((key != null) ? "OK, algorithm: " + key.getAlgorithm() : "NULL")
+ " method: "
+ sigMeth
+ " type: "
+ sigType);
if (sigType == null)
throw new DigiDocException(
DigiDocException.ERR_SIGNATURE_METHOD, "SignatureMethod not specified!", null);
instance = java.security.Signature.getInstance(sigType, ConfigManager.addProvider());
} catch (Exception ex) {
m_logger.error("Error constructing signature instance: " + ex);
}
return instance;
}
void assertPrivateKs(File file, String pass, String alias) throws Exception {
KeyStore ks = loadKeyStore("jceks", file, alias);
List aliases = ListUtil.fromIterator(new EnumerationIterator(ks.aliases()));
assertEquals(2, aliases.size());
Certificate cert = ks.getCertificate(alias + ".crt");
assertNotNull(cert);
assertEquals("X.509", cert.getType());
assertTrue(ks.isKeyEntry(alias + ".key"));
assertTrue(ks.isCertificateEntry(alias + ".crt"));
Key key = ks.getKey(alias + ".key", pass.toCharArray());
assertNotNull(key);
assertEquals("RSA", key.getAlgorithm());
}
/**
* Method returns a digital signature. It finds the RSA private key object from the active token
* and then signs the given data with this key and RSA mechanism.
*
* @param digest digest of the data to be signed.
* @param token token index
* @param passwd users pin code or in case of pkcs12 file password
* @param sig Signature object to provide info about desired signature method
* @return an array of bytes containing digital signature.
* @throws DigiDocException if signing the data fails.
*/
public byte[] sign(byte[] xml, int token, String passwd, Signature sig) throws DigiDocException {
try {
if (m_keyStore == null)
throw new DigiDocException(
DigiDocException.ERR_NOT_INITED, "Keystore not initialized", null);
String alias = getTokenName(token);
if (alias == null)
throw new DigiDocException(
DigiDocException.ERR_TOKEN_LOGIN, "Invalid token nr: " + token, null);
// get key
if (m_logger.isDebugEnabled())
m_logger.debug(
"loading key: " + alias + " passwd-len: " + ((passwd != null) ? passwd.length() : 0));
Key key = m_keyStore.getKey(alias, passwd.toCharArray());
if (m_logger.isDebugEnabled())
m_logger.debug("Key: " + ((key != null) ? "OK, algorithm: " + key.getAlgorithm() : "NULL"));
if (key == null)
throw new DigiDocException(
DigiDocException.ERR_TOKEN_LOGIN, "Invalid password for token nr: " + token, null);
String sigMeth = null;
if (sig != null
&& sig.getSignedInfo() != null
&& sig.getSignedInfo().getSignatureMethod() != null)
sigMeth = sig.getSignedInfo().getSignatureMethod();
if (m_logger.isDebugEnabled())
m_logger.debug("Signing\n---\n" + new String(xml) + "\n---\n method: " + sigMeth);
java.security.Signature instance = sigMeth2SigSignatureInstance(sig, key);
if (m_logger.isDebugEnabled())
m_logger.debug("Signature instance: " + ((instance != null) ? "OK" : "NULL"));
instance.initSign((PrivateKey) key);
instance.update(xml);
byte[] signature = instance.sign();
boolean bEcCvcKey = isCvcEcKey(sig);
if (m_logger.isDebugEnabled())
m_logger.debug(
"Signature algorithm: "
+ key.getAlgorithm()
+ " siglen: "
+ signature.length
+ " ec-key: "
+ bEcCvcKey);
if (bEcCvcKey) {
int nKeyLen = ((ECPrivateKey) key).getParams().getCurve().getField().getFieldSize();
int nReqLen = ((int) Math.ceil((double) nKeyLen / 8)) * 2;
int nSigLen = signature.length;
if (m_logger.isDebugEnabled())
m_logger.debug("EC Signature length: " + nSigLen + " required: " + nReqLen);
if (nSigLen < nReqLen) {
if (m_logger.isDebugEnabled())
m_logger.debug("Padding EC signature length: " + nSigLen + " to required: " + nReqLen);
byte[] padsig = new byte[nReqLen];
System.arraycopy(signature, 0, padsig, (nReqLen - nSigLen) / 2, nSigLen / 2);
System.arraycopy(
signature, nSigLen / 2, padsig, (nReqLen / 2) + (nReqLen - nSigLen) / 2, nSigLen / 2);
signature = padsig;
}
}
if (m_logger.isDebugEnabled() && signature != null)
m_logger.debug(
"Signature len: "
+ signature.length
+ "\n---\n sig: "
+ ConvertUtils.bin2hex(signature));
return signature;
} catch (DigiDocException ex) {
m_logger.error("DigiDoc Error signing: " + ex);
throw ex;
} catch (Exception ex) {
m_logger.error("Error signing: " + ex);
}
return null;
}
