Interface SignatureCardService

  • All Superinterfaces:
    CardServiceInterface, SecureService
    All Known Subinterfaces:
    KeyGenerationCardService, KeyGenerationCardServiceWithSpec
    All Known Implementing Classes:
    SmartCardHSMCardService

    public interface SignatureCardService
    extends CardServiceInterface, SecureService
    The SignatureCardService offers methods to generate and verify a signature as well as key import, verification and generation methods. Many smartcard applications will work with existing keys imported during initialization or personalization instead of importing/generating them at runtime. Thus the functionality for
    • signature generation and verification
    • key import and verification
    • key generation
    is split into three interfaces "SignatureCardService", "KeyImportCardService" and "KeyGenerationCardService". Card service realizations of these interfaces need only implement the functionality needed by the application or supported by the specific card. This solution also offers potential for downsizing opencard for use in embedded devices with small memory resources.
    Author:
    Michael Baentsch (mib@zurich.ibm.com), Thomas Schaeck (schaeck@de.ibm.com), Reto Hermann (rhe@zurich.ibm.com), Peter Bendel (peter_bendel@de.ibm.com)
    See Also:
    KeyGenerationCardService, KeyImportCardService
    • Method Summary

      Modifier and Type Method Description
      byte[] signData​(PrivateKeyRef privateKey, java.lang.String signAlgorithm, byte[] data)
      Generate a digital Signature.
      byte[] signData​(PrivateKeyRef privateKey, java.lang.String signAgorithm, java.lang.String padAlgorithm, byte[] data)
      Generate a digital Signature (overloaded method that allows specifying the padding algorithm).
      byte[] signHash​(PrivateKeyRef privateKey, java.lang.String signAgorithm, byte[] hash)
      Generate a digital Signature on the provided hash.
      byte[] signHash​(PrivateKeyRef privateKey, java.lang.String signAgorithm, java.lang.String padAlgorithm, byte[] hash)
      Generate a digital Signature on the provided hash (overloaded method that allows specifying the padding algorithm).
      boolean verifySignedData​(PublicKeyRef publicKey, java.lang.String signAlgorithm, byte[] data, byte[] signature)
      Verify a digital Signature including hashing.
      boolean verifySignedData​(PublicKeyRef publicKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] data, byte[] signature)
      Verify a digital Signature including hashing (overloaded method that allows specifying the padding algorithm to be used).
      boolean verifySignedHash​(PublicKeyRef publicKey, java.lang.String signAlgorithm, byte[] hash, byte[] signature)
      Verify a digital Signature.
      boolean verifySignedHash​(PublicKeyRef publicKey, java.lang.String signAlgorithm, java.lang.String padAlgorithm, byte[] hash, byte[] signature)
      Verify a digital Signature (overloaded method that allows specifying the padding algorithm to be used).
    • Method Detail

      • signData

        byte[] signData​(PrivateKeyRef privateKey,
                        java.lang.String signAlgorithm,
                        byte[] data)
                 throws CardServiceException,
                        java.security.InvalidKeyException,
                        CardTerminalException
        Generate a digital Signature. First hash the data, then pad the hash and then apply the PKA algorithm to the padded hash.

        The padding algorithm is chosen as defined in the Java Cryptography Architecture Specification.

        The standard algorithm name must be specified as defined in the Java Cryptography Architecture API Specification & Reference, for example

        MD5withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD5 MessageDigest Algorithm.
        MD2withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD2 MessageDigest Algorithm.
        SHA1withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the SHA-1 MessageDigest Algorithm.
        SHA1withDSA
        Digital Signature Algorithm, as defined in Digital Signature Standard, NIST FIPS 186. This standard defines a digital signature algorithm that uses the RawDSA asymmetric transformation along with the SHA-1 message digest algorithm.
        Parameters:
        privateKey - a reference to the private key on card to be used for signing
        signAlgorithm - standard digital signature algorithm name
        data - data to be signed
        Returns:
        signature
        Throws:
        java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.
        CardServiceException - any subclass of CardServiceException
        CardTerminalException - any subclass of CardTerminalException
        See Also:
        JCAStandardNames
      • signData

        byte[] signData​(PrivateKeyRef privateKey,
                        java.lang.String signAgorithm,
                        java.lang.String padAlgorithm,
                        byte[] data)
                 throws CardServiceException,
                        java.security.InvalidKeyException,
                        CardTerminalException
        Generate a digital Signature (overloaded method that allows specifying the padding algorithm). First hash the data, then pad the hash and then apply the PKA algorithm to the padded hash.

        The standard algorithm name must be specified as defined in the Java Cryptography Architecture API Specification & Reference, for example

        MD5withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD5 MessageDigest Algorithm.
        MD2withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD2 MessageDigest Algorithm.
        SHA1withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the SHA-1 MessageDigest Algorithm.
        SHA1withDSA
        Digital Signature Algorithm, as defined in Digital Signature Standard, NIST FIPS 186. This standard defines a digital signature algorithm that uses the RawDSA asymmetric transformation along with the SHA-1 message digest algorithm.
        Parameters:
        privateKey - a reference to the private key on card to be used for signing
        signAgorithm - standard digital signature algorithm name
        padAlgorithm - padding algorithm name, for example one of ISO9796, PKCS#1, ZEROPADDING
        data - data to be signed
        Returns:
        signature
        Throws:
        java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.
        CardServiceException - any subclass of CardServiceException
        CardTerminalException - any subclass of CardTerminalException
        See Also:
        JCAStandardNames
      • signHash

        byte[] signHash​(PrivateKeyRef privateKey,
                        java.lang.String signAgorithm,
                        byte[] hash)
                 throws CardServiceException,
                        java.security.InvalidKeyException,
                        CardTerminalException
        Generate a digital Signature on the provided hash. Since hashing of large amounts of data may be slow if performed on card, this method allows hashing outside the card service and performing just the signature operation on card. Pad the hash and then apply the PKA algorithm to the padded hash.

        The padding algorithm is chosen as defined in the Java Cryptography Architecture Specification.

        Use a key algorithm name (not a digital signature algorithm name, because digital signature algorithms include hashing) as defined in the Java Cryptography Architecture API Specification & Reference, for example

        DSA
        The asymmetric transformation described in NIST FIPS 186, described as the "DSA Sign Operation" and the "DSA Verify Operation", prior to creating a digest. The input to DSA is always 20 bytes long.
        RSA
        The Rivest, Shamir and Adleman AsymmetricCipher algorithm. RSA Encryption as defined in the RSA Laboratory Technical Note PKCS#1.
        Parameters:
        privateKey - a reference to the private key on card to be used for signing
        signAgorithm - standard key algorithm name
        hash - the hash/digest to be signed
        Returns:
        signature
        Throws:
        java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.
        CardServiceException - any subclass of CardServiceException
        CardTerminalException - any subclass of CardTerminalException
        See Also:
        JCAStandardNames
      • signHash

        byte[] signHash​(PrivateKeyRef privateKey,
                        java.lang.String signAgorithm,
                        java.lang.String padAlgorithm,
                        byte[] hash)
                 throws CardServiceException,
                        java.security.InvalidKeyException,
                        CardTerminalException
        Generate a digital Signature on the provided hash (overloaded method that allows specifying the padding algorithm). Since hashing of large amounts of data may be slow if performed on card, this method allows hashing outside the card service and performing just the signature operation on card. Pad the hash and then apply the PKA algorithm to the padded hash.

        Use a key algorithm name (not a digital signature algorithm name, because digital signature algorithms include hashing) as defined in the Java Cryptography Architecture API Specification & Reference, for example

        DSA
        The asymmetric transformation described in NIST FIPS 186, described as the "DSA Sign Operation" and the "DSA Verify Operation", prior to creating a digest. The input to DSA is always 20 bytes long.
        RSA
        The Rivest, Shamir and Adleman AsymmetricCipher algorithm. RSA Encryption as defined in the RSA Laboratory Technical Note PKCS#1.
        Parameters:
        privateKey - a reference to the private key on card to be used for signing
        signAgorithm - standard key algorithm name
        padAlgorithm - padding algorithm name, for example one of ISO9796, PKCS#1, ZEROPADDING
        hash - the hash/digest to be signed
        Returns:
        signature
        Throws:
        java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.
        CardServiceException - any subclass of CardServiceException
        CardTerminalException - any subclass of CardTerminalException
        See Also:
        JCAStandardNames
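
        The split between signData (signature algorithm name, hashing included) and signHash (key algorithm name, digest supplied by the caller) can be reproduced in software with the JDK alone; the following is an added example, not part of the OpenCard documentation or code base, and it uses no card. The class and method names (HashThenSignDemo, softSignData, softSignHash) are hypothetical, SHA256withRSA is used as the JCA standard name, and PKCS#1 v1.5 padding over a DigestInfo structure is assumed; whether a particular card service expects the bare hash or a DigestInfo in signHash is not stated on this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;

// Software-only illustration of "hash, pad, apply the public-key algorithm".
public class HashThenSignDemo {
    // DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-256 (RFC 8017, section 9.2).
    static final byte[] SHA256_DIGEST_INFO = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01,
        0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
    };

    // Analogue of signData: the signature algorithm name covers hash + pad + RSA.
    static byte[] softSignData(KeyPair kp, byte[] data) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(data);
        return s.sign();
    }

    // Analogue of signHash: the caller supplies the digest, only pad + RSA run here.
    static byte[] softSignHash(KeyPair kp, byte[] hash) throws Exception {
        int prefixLen = SHA256_DIGEST_INFO.length;
        byte[] digestInfo = Arrays.copyOf(SHA256_DIGEST_INFO, prefixLen + hash.length);
        System.arraycopy(hash, 0, digestInfo, prefixLen, hash.length);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        // With a private key the JDK RSA cipher applies block type 1 (signature) padding.
        rsa.init(Cipher.ENCRYPT_MODE, kp.getPrivate());
        return rsa.doFinal(digestInfo);
    }

    static boolean verify(KeyPair kp, byte[] data, byte[] sig) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(kp.getPublic());
        v.update(data);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] data = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] hash = MessageDigest.getInstance("SHA-256").digest(data); // hashed off-card

        byte[] viaData = softSignData(kp, data);
        byte[] viaHash = softSignHash(kp, hash);
        // PKCS#1 v1.5 signing is deterministic, so the two paths can be compared byte for byte.
        System.out.println("same signature bytes: " + Arrays.equals(viaData, viaHash));
        System.out.println("hash-path signature verifies: " + verify(kp, data, viaHash));

        // Failure mode: feeding a digest to the data-signing path hashes it a second time.
        byte[] doubleHashed = softSignData(kp, hash);
        System.out.println("double-hashed signature verifies: " + verify(kp, data, doubleHashed));
    }
}
```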
      • verifySignedData

        boolean verifySignedData​(PublicKeyRef publicKey,
                                 java.lang.String signAlgorithm,
                                 byte[] data,
                                 byte[] signature)
                          throws CardServiceException,
                                 java.security.InvalidKeyException,
                                 CardTerminalException
        Verify a digital Signature including hashing. First hash the data, then pad the hash, apply the PKA algorithm to the padded hash, then compare the result to the provided signature.

        The padding algorithm is chosen as defined in the Java Cryptography Architecture Specification.

        The standard algorithm name must be specified as defined in the Java Cryptography Architecture API Specification & Reference, for example

        MD5withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD5 MessageDigest Algorithm.
        MD2withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD2 MessageDigest Algorithm.
        SHA1withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the SHA-1 MessageDigest Algorithm.
        SHA1withDSA
        Digital Signature Algorithm, as defined in Digital Signature Standard, NIST FIPS 186. This standard defines a digital signature algorithm that uses the RawDSA asymmetric transformation along with the SHA-1 message digest algorithm.
        Parameters:
        publicKey - a reference to the public key on card to be used for signature validation
        signAlgorithm - standard digital signature algorithm name
        data - the data for which the signature should be verified
        signature - signature to be verified
        Returns:
        True if signature validation was successful
        Throws:
        java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.
        CardServiceException - any subclass of CardServiceException
        CardTerminalException - any subclass of CardTerminalException
        See Also:
        JCAStandardNames
      • verifySignedData

        boolean verifySignedData​(PublicKeyRef publicKey,
                                 java.lang.String signAlgorithm,
                                 java.lang.String padAlgorithm,
                                 byte[] data,
                                 byte[] signature)
                          throws CardServiceException,
                                 java.security.InvalidKeyException,
                                 CardTerminalException
        Verify a digital Signature including hashing (overloaded method that allows specifying the padding algorithm to be used). First hash the data, then pad the hash, apply the PKA algorithm to the padded hash, then compare the result to the provided signature.

        The standard algorithm name must be specified as defined in the Java Cryptography Architecture API Specification & Reference, for example

        MD5withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD5 MessageDigest Algorithm.
        MD2withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the MD2 MessageDigest Algorithm.
        SHA1withRSA
        The Signature algorithm obtained by combining the RSA AsymmetricCipher algorithm with the SHA-1 MessageDigest Algorithm.
        SHA1withDSA
        Digital Signature Algorithm, as defined in Digital Signature Standard, NIST FIPS 186. This standard defines a digital signature algorithm that uses the RawDSA asymmetric transformation along with the SHA-1 message digest algorithm.
        Parameters:
        publicKey - a reference to the public key on card to be used for signature validation
        signAlgorithm - standard digital signature algorithm name
        padAlgorithm - padding algorithm name, for example one of ISO9796, PKCS#1, ZEROPADDING
        data - the data for which the signature should be verified
        signature - signature to be verified
        Returns:
        True if signature validation was successful
        Throws:
        java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.
        CardServiceException - any subclass of CardServiceException
        CardTerminalException - any subclass of CardTerminalException
        See Also:
        JCAStandardNames
      • verifySignedHash

        boolean verifySignedHash​(PublicKeyRef publicKey,
                                 java.lang.String signAlgorithm,
                                 byte[] hash,
                                 byte[] signature)
                          throws CardServiceException,
                                 java.security.InvalidKeyException,
                                 CardTerminalException
        Verify a digital Signature. Since hashing of large amounts of data may be slow if performed on card, this method allows hashing outside the card service and performing just the signature verification operation on card. Pad the provided hash, apply the PKA algorithm to the padded hash, then compare the result to the provided signature.

        The padding algorithm is chosen as defined in the Java Cryptography Architecture Specification.

        Use a key algorithm name (not a digital signature algorithm name, because digital signature algorithms include hashing) as defined in the Java Cryptography Architecture API Specification & Reference, for example

        DSA
        The asymmetric transformation described in NIST FIPS 186, described as the "DSA Sign Operation" and the "DSA Verify Operation", prior to creating a digest. The input to DSA is always 20 bytes long.
        RSA
        The Rivest, Shamir and Adleman AsymmetricCipher algorithm. RSA Encryption as defined in the RSA Laboratory Technical Note PKCS#1.
        Parameters:
        publicKey - a reference to the public key on card to be used for signature validation
        signAlgorithm - standard key algorithm name
        hash - The hash for which the signature should be verified.
        signature - signature to be verified
        Returns:
        True if signature validation was successful
        Throws:
        java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.
        CardServiceException - any subclass of CardServiceException
        CardTerminalException - any subclass of CardTerminalException
        See Also:
        JCAStandardNames
      • verifySignedHash

        boolean verifySignedHash​(PublicKeyRef publicKey,
                                 java.lang.String signAlgorithm,
                                 java.lang.String padAlgorithm,
                                 byte[] hash,
                                 byte[] signature)
                          throws CardServiceException,
                                 java.security.InvalidKeyException,
                                 CardTerminalException
        Verify a digital Signature (overloaded method that allows specifying the padding algorithm to be used). Since hashing of large amounts of data may be slow if performed on card, this method allows hashing outside the card service and performing just the signature verification operation on card. Pad the provided hash, apply the PKA algorithm to the padded hash, then compare the result to the provided signature.

        Use a key algorithm name (not a digital signature algorithm name, because digital signature algorithms include hashing) as defined in the Java Cryptography Architecture API Specification & Reference, for example

        DSA
        The asymmetric transformation described in NIST FIPS 186, described as the "DSA Sign Operation" and the "DSA Verify Operation", prior to creating a digest. The input to DSA is always 20 bytes long.
        RSA
        The Rivest, Shamir and Adleman AsymmetricCipher algorithm. RSA Encryption as defined in the RSA Laboratory Technical Note PKCS#1.
        Parameters:
        publicKey - a reference to the public key on card to be used for signature validation
        signAlgorithm - standard key algorithm name
        padAlgorithm - padding algorithm name, for example one of ISO9796, PKCS#1, ZEROPADDING
        hash - The hash for which the signature should be verified.
        signature - signature to be verified
        Returns:
        True if signature validation was successful
        Throws:
        java.security.InvalidKeyException - Thrown when the key is not valid or does not match the requested algorithm.
        CardServiceException - any subclass of CardServiceException
        CardTerminalException - any subclass of CardTerminalException
        See Also:
        JCAStandardNames