clitest.java

java 实现的签名方案

/**
 *	j4sign - an open, multi-platform digital signature solution
 *	Copyright (c) 2004 Roberto Resoli - Servizio Sistema Informativo - Comune di Trento.
 *
 *	This program is free software; you can redistribute it and/or
 *	modify it under the terms of the GNU General Public License
 *	as published by the Free Software Foundation; either version 2
 *	of the License, or (at your option) any later version.
 *
 *	This program is distributed in the hope that it will be useful,
 *	but WITHOUT ANY WARRANTY; without even the implied warranty of
 *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *	GNU General Public License for more details.
 *
 *	You should have received a copy of the GNU General Public License
 *	along with this program; if not, write to the Free Software
 *	Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 *
 */
/*
 * $Header: /cvsroot/j4sign/j4sign/src/java/core/it/trento/comune/j4sign/examples/CLITest.java,v 1.12 2005/09/09 04:56:05 resoli Exp $
 * $Revision: 1.12 $
 * $Date: 2005/09/09 04:56:05 $
 */
package it.trento.comune.j4sign.examples;

import iaik.pkcs.pkcs11.wrapper.PKCS11Constants;
import it.trento.comune.j4sign.cms.ExternalSignatureCMSSignedDataGenerator;
import it.trento.comune.j4sign.cms.ExternalSignatureSignerInfoGenerator;

import it.trento.comune.j4sign.pcsc.CardInfo;
import it.trento.comune.j4sign.pcsc.PCSCHelper;
import it.trento.comune.j4sign.pkcs11.PKCS11Signer;

import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;

import java.io.FileInputStream;
import java.io.FileOutputStream;

import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;

import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROutputStream;

import org.bouncycastle.asn1.cms.ContentInfo;

import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.DigestInfo;

import org.bouncycastle.cms.CMSProcessable;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.cms.test.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

//Alternative (NOT pure java) solution for password hiding
//import jline.ConsoleReader;

/**
 * A command line interface program for testing the generation of a CMS signed
 * message, using a pkcs11 token (usually a SmartCard). This is a complete
 * example covering all aspects of digital signature, from token management to
 * CMS message generation and verification. <br>
 * This is a command line program because the need to concentrate on algorithmic
 * issues, whithout the burden of GUI stuff.
 * <p>
 * Multiple signatures are permitted, each with different token types; the
 * generated CMS message keeps signers informations at the same level (similar
 * to a paper document with multiple signatures). I call this arrangement
 * "combined signatures", in contrast with "nested signatures" (like a signed
 * paper document put in a signed envelope). A hierarchical type of multiple signatures,
 * ("CounterSignature", OID: 1.2.840.113549.1.9.6) is also contemplated by
 * CMS standard in RFC 3852, but it is not currently supported.  
 * <p>
 * The example adopts a special class for securing token PIN management
 * (Unfortunately the java language does not provide any standard method to hide
 * character input). This could cause some problem on IDEs, where the default
 * input - output streams are not the standard console, then password hiding can
 * be disabled. <br>
 * <p>
 * <b>N.B. note that in this example signature verification only ensures signed
 * data integrity; a complete verification to ensure non-repudiation requires
 * checking the full certification path including the CA root certificate, and
 * CRL verification on the CA side. <br>
 * (Good stuff for a next release ...) </b>
 * 
 * @author Roberto Resoli
 */
public class CLITest {

    private String cryptokiLib = null;

    private boolean forcingCryptoki = false;

    String signDN;

    KeyPair signKP;

    X509Certificate signCert;

    String origDN;

    KeyPair origKP;

    X509Certificate origCert;

    String reciDN;

    KeyPair reciKP;

    X509Certificate reciCert;

    KeyPair dsaSignKP;

    X509Certificate dsaSignCert;

    KeyPair dsaOrigKP;

    X509Certificate dsaOrigCert;

    byte[] msgBytes = { 'C', 'I', 'A', 'O' };

    private static int WRAP_AFTER = 16;

    private boolean makeDigestOnToken = false;

    private String digestAlg = CMSSignedDataGenerator.DIGEST_SHA1;

    private String encAlg = CMSSignedDataGenerator.ENCRYPTION_RSA;
    
    private static String PROPERTIES_FILE = "clitest.properties";

    public CLITest() {
        super();
        loadProperties();

    }
    
    private void loadProperties(){
        Properties props = new Properties();

        String propertiesFile = PROPERTIES_FILE;

        System.out.println("Trying to load properties from: '" + propertiesFile
                + "'");
        try {
            InputStream in = getClass().getResourceAsStream(
                    "/" +propertiesFile);
            if (in != null) {
                props.load(in);
                in.close();
            } else
                System.out.println("'"+propertiesFile +"' not found!");
        } catch (IOException e) {
            System.out.println(e);
        }

        if (props.size() > 0) {
            Iterator i = props.entrySet().iterator();
            System.out.println("loaded properties:");
            while (i.hasNext()) {
                Map.Entry me = (Map.Entry) i.next();
                System.out.println((me.getKey().toString() + ": " + me
                        .getValue()));
            }

            if (props.getProperty("digest.algorithm") != null)
                this.digestAlg = props.getProperty("digest.algorithm");

            if (props.getProperty("digest.ontoken") != null)
                this.makeDigestOnToken = Boolean.valueOf(props
                        .getProperty("digest.ontoken")).booleanValue();

            if (props.getProperty("encryption.algorithm") != null)
                this.encAlg = props.getProperty("encryption.algorithm");
        }
    
    }

    /**
     * @param cryptokiLib
     */
    public CLITest(String cryptokiLib) {
        this();
        this.cryptokiLib = cryptokiLib;
        this.forcingCryptoki = true;
    }

    /**
     * the main method Adds BouncyCastle cryptographic provider, instantiates
     * the CLITest class, and launches the signature process. The class require
     * no arguments; the message to sign is the fixed word "CIAO".
     * 
     * @param args
     */
    public static void main(String[] args) {
        //Security.insertProviderAt(new MyPKCS11Provider(), 2);
        Security.insertProviderAt(new BouncyCastleProvider(), 3);

        CLITest rt = null;

        if (args.length == 1)
            rt = new CLITest(args[0]);
        else
            rt = new CLITest();

        //non per SC
        //rt.initSW();

        //rt.initHW();

        //test sw
        //rt.testSHA1WithRSAEncapsulated();

        //per SC
        //rt.testMD5WithRSAEncapsulated();

        //per provider SMARTCARD
        //rt.testSCProvider();

        //Firma esterna
        rt.testExternalSignature();
    }

    /**
     * The cryptoki library currently used, as set in
     * {@link #detectCardAndCriptoki()}method.
     * 
     * @return the cryptoki native library to use to access the current PKCS#11
     *         token.
     */

    public String getCryptokiLib() {
        return cryptokiLib;
    }

    /**
     * Sets th cryptoki library to use to access the current PKCS#11 token; This
     * method is used internally in {@link #detectCardAndCriptoki()}method.
     * 
     * @param lib
     */
    private void setCryptokiLib(String lib) {
        this.cryptokiLib = lib;
    }

    /**
     * This triggers the PCSC wrapper stuff; a {@link PCSCHelper}class is used
     * to detect reader and token presence, trying also to provide a candidate
     * PKCS#11 cryptoki for it.
     * 
     * @return true if a token with corresponding candidate cryptoki was
     *         detected.
     * @throws IOException
     */
    private boolean detectCardAndCriptoki() throws IOException {
        CardInfo ci = null;
        boolean cardPresent = false;
        System.out.println("\n\n========= DETECTING CARD ===========");

        PCSCHelper pcsc = new PCSCHelper(true);
        List cards = pcsc.findCards();
        cardPresent = !cards.isEmpty();

        if (!isForcingCryptoki()) {
            if (cardPresent) {
                ci = (CardInfo) cards.get(0);
                System.out.println("\n\nFor signing we will use card: '"
                        + ci.getProperty("description") + "' with criptoki '"
                        + ci.getProperty("lib") + "'");
                System.out.println(ci.getProperty("lib"));

                setCryptokiLib(ci.getProperty("lib"));
            } else
                System.out.println("Sorry, no card detected!");
        } else
            System.out
                    .println("\n\nFor signing we are forcing use of cryptoki: '"
                            + getCryptokiLib() + "'");

        System.out.println("=================================");
        return (getCryptokiLib() != null);
    }

    /**
     * Currently not used.; initializes sw keys and certificate for a signature
     * test completely in sw.
     *  
     */
    public void initSW() {
        try {
            System.out.println("Init test with SW keys an certs ...");
            signDN = "O=Bouncy Castle, C=AU";
            signKP = CMSTestUtil.makeKeyPair();
            signCert = CMSTestUtil.makeCertificate(signKP, signDN, signKP,
                    signDN);

            origDN = "CN=Eric H. Echidna, E=eric@bouncycastle.org, O=Bouncy Castle, C=AU";
            origKP = CMSTestUtil.makeKeyPair();
            origCert = CMSTestUtil.makeCertificate(origKP, origDN, signKP,
                    signDN);
        } catch (Exception ex) {
            System.out.println(ex);
        }
    }

    /*
     * public void initHW(String criptoki) { try { System.out.println("Init test
     * with PKCS11 token ...");
     * 
     * MessageDigest md = MessageDigest.getInstance("MD5");
     * 
     * md.update(this.msgBytes);
     * 
     * ByteArrayInputStream bais = new ByteArrayInputStream(md.digest());
     * 
     * SmartCardHandler tokenTest = new SmartCardHandler(criptoki, bais);
     * 
     * tokenTest.doTest(); } catch (Exception ex) { System.out.println(ex); } }
     * 
     * public void testMD5WithRSAEncapsulated() { try { // if(this.tokenTest ==
     * null) // return;
     * 
     * CMSProcessable msg = //new CMSProcessableByteArray("Hello
     * World!".getBytes()); new CMSProcessableByteArray(this.msgBytes);
     * 
     *