internal static ICipherParameters GetSigKeyParams(IKey key)
{
if (key is AsymmetricRsaPublicKey)
{
AsymmetricRsaPublicKey rsaPubKey = (AsymmetricRsaPublicKey)key;
if (CryptoServicesRegistrar.IsInApprovedOnlyMode())
{
int bitLength = rsaPubKey.Modulus.BitLength;
if (bitLength != 2048 && bitLength != 3072 && bitLength != 1024 && bitLength != 4096 && bitLength != 1536) // includes 186-2 legacy sizes
{
throw new CryptoUnapprovedOperationError("Attempt to use RSA key with non-approved size: " + bitLength, key.Algorithm);
}
}
return(GetPublicKeyParameters(rsaPubKey, AsymmetricRsaKey.Usage.SignOrVerify));
}
else
{
AsymmetricRsaPrivateKey rsaPrivKey = GetPrivateKey(key);
if (CryptoServicesRegistrar.IsInApprovedOnlyMode())
{
int bitLength = rsaPrivKey.Modulus.BitLength;
if (bitLength != 2048 && bitLength != 3072)
{
throw new CryptoUnapprovedOperationError("Attempt to use RSA key with non-approved size: " + bitLength, key.Algorithm);
}
}
return(GetPrivateParameters(key, AsymmetricRsaKey.Usage.SignOrVerify));
}
}
private static IAsymmetricBlockCipher createCipher(bool forEncryption, IAsymmetricKey key, IParameters <Algorithm> parameters, SecureRandom random)
{
IAsymmetricBlockCipher engine = FipsRsa.ENGINE_PROVIDER.CreateEngine(EngineUsage.GENERAL);
ICipherParameters lwParams;
if (key is AsymmetricRsaPublicKey)
{
AsymmetricRsaPublicKey k = (AsymmetricRsaPublicKey)key;
lwParams = FipsRsa.GetPublicKeyParameters(k, AsymmetricRsaKey.Usage.EncryptOrDecrypt);
}
else
{
AsymmetricRsaPrivateKey k = (AsymmetricRsaPrivateKey)key;
lwParams = FipsRsa.GetPrivateKeyParameters(k, AsymmetricRsaKey.Usage.EncryptOrDecrypt);
}
if (parameters.Algorithm.Equals(WrapPkcs1v15.Algorithm))
{
engine = new Pkcs1Encoding(engine);
}
if (random != null)
{
lwParams = new ParametersWithRandom(lwParams, random);
}
engine.Init(forEncryption, lwParams);
return(engine);
}
protected override byte[] GenerateWrappedKey(ISymmetricKey contentKey)
{
AsymmetricRsaPublicKey rsaKey = asymmetricPublicKey as AsymmetricRsaPublicKey;
if (rsaKey != null)
{
IKeyWrapper <FipsRsa.OaepWrapParameters> wrapper = CryptoServicesRegistrar.CreateService(rsaKey, new Security.SecureRandom()).CreateKeyWrapper(FipsRsa.WrapOaep.WithDigest(FipsShs.Sha1));
byte[] encKey = wrapper.Wrap(contentKey.GetKeyBytes()).Collect();
return(encKey);
}
throw new InvalidOperationException("algorithm for public key not matched");
}
internal RsaKeyWrapper(OaepWrapParameters algorithmDetails, IKey rsaPublicKey)
{
this.algorithmDetails = algorithmDetails;
this.wrapper = new OaepEncoding(ENGINE_PROVIDER.CreateEngine(EngineUsage.ENCRYPTION), FipsShs.CreateDigest(algorithmDetails.DigestAlgorithm), FipsShs.CreateDigest(algorithmDetails.MgfDigestAlgorithm), algorithmDetails.GetEncodingParams());
if (CryptoServicesRegistrar.IsInApprovedOnlyMode())
{
AsymmetricRsaPublicKey rsaKey = GetPublicKey(rsaPublicKey);
int bitLength = rsaKey.Modulus.BitLength;
if (bitLength != 2048 && bitLength != 3072)
{
throw new CryptoUnapprovedOperationError("Attempt to use RSA key with non-approved size: " + bitLength, rsaKey.Algorithm);
}
}
wrapper.Init(true, GetPublicParameters(rsaPublicKey, AsymmetricRsaKey.Usage.EncryptOrDecrypt));
}
public IVerifierFactory <AlgorithmIdentifier> CreateVerifierFactory(AlgorithmIdentifier signatureAlgorithmID, AlgorithmIdentifier digestAlgorithmID)
{
IVerifierFactory <IParameters <Algorithm> > baseVerifier;
AsymmetricRsaPublicKey rsaKey = publicKey as AsymmetricRsaPublicKey;
if (rsaKey != null)
{
IVerifierFactoryService verifierService = CryptoServicesRegistrar.CreateService(rsaKey);
if (signatureAlgorithmID.Algorithm.Equals(PkcsObjectIdentifiers.IdRsassaPss))
{
FipsRsa.PssSignatureParameters pssParams = FipsRsa.Pss;
RsassaPssParameters sigParams = RsassaPssParameters.GetInstance(signatureAlgorithmID.Parameters);
pssParams = pssParams.WithDigest((FipsDigestAlgorithm)Utils.digestTable[sigParams.HashAlgorithm.Algorithm]);
AlgorithmIdentifier mgfDigAlg = AlgorithmIdentifier.GetInstance(AlgorithmIdentifier.GetInstance(sigParams.MaskGenAlgorithm).Parameters);
pssParams = pssParams.WithMgfDigest((FipsDigestAlgorithm)Utils.digestTable[mgfDigAlg.Algorithm]);
pssParams = pssParams.WithSaltLength(sigParams.SaltLength.Value.IntValue);
return(CreateVerifierFactory(signatureAlgorithmID, verifierService.CreateVerifierFactory(pssParams), certificate));
}
else if (PkixVerifierFactoryProvider.pkcs1Table.Contains(signatureAlgorithmID.Algorithm))
{
FipsRsa.SignatureParameters rsaParams = FipsRsa.Pkcs1v15.WithDigest((FipsDigestAlgorithm)PkixVerifierFactoryProvider.pkcs1Table[signatureAlgorithmID.Algorithm]);
return(CreateVerifierFactory(signatureAlgorithmID, verifierService.CreateVerifierFactory(rsaParams), certificate));
}
else if (signatureAlgorithmID.Algorithm.Equals(PkcsObjectIdentifiers.RsaEncryption))
{
FipsRsa.SignatureParameters rsaParams = FipsRsa.Pkcs1v15.WithDigest((FipsDigestAlgorithm)Utils.digestTable[digestAlgorithmID.Algorithm]);
return(CreateVerifierFactory(signatureAlgorithmID, verifierService.CreateVerifierFactory(rsaParams), certificate));
}
}
throw new ArgumentException("cannot match signature algorithm: " + signatureAlgorithmID.Algorithm);
}
internal static RsaKeyParameters GetPublicKeyParameters(AsymmetricRsaPublicKey k, AsymmetricRsaKey.Usage usage)
{
CheckKeyUsage(k, usage);
return(new RsaKeyParameters(false, k.Modulus, k.PublicExponent));
}
/// <summary>
/// Return a verifier factory that produces verifiers conforming to algorithmDetails.
/// </summary>
/// <param name="algorithmDetails">The configuration parameters for verifiers produced by the resulting factory.</param>
/// <returns>A new verifier factory.</returns>
public IVerifierFactory <AlgorithmIdentifier> CreateVerifierFactory(AlgorithmIdentifier algorithmDetails)
{
AsymmetricRsaPublicKey rsaKey = publicKey as AsymmetricRsaPublicKey;
if (rsaKey != null)
{
IVerifierFactoryService verifierService = CryptoServicesRegistrar.CreateService(rsaKey);
if (algorithmDetails.Algorithm.Equals(PkcsObjectIdentifiers.IdRsassaPss))
{
FipsRsa.PssSignatureParameters pssParams = FipsRsa.Pss;
RsassaPssParameters sigParams = RsassaPssParameters.GetInstance(algorithmDetails.Parameters);
pssParams = pssParams.WithDigest((FipsDigestAlgorithm)Utils.digestTable[sigParams.HashAlgorithm.Algorithm]);
AlgorithmIdentifier mgfDigAlg = AlgorithmIdentifier.GetInstance(AlgorithmIdentifier.GetInstance(sigParams.MaskGenAlgorithm).Parameters);
pssParams = pssParams.WithMgfDigest((FipsDigestAlgorithm)Utils.digestTable[mgfDigAlg.Algorithm]);
pssParams = pssParams.WithSaltLength(sigParams.SaltLength.Value.IntValue);
return(CreateVerifierFactory(algorithmDetails, verifierService.CreateVerifierFactory(pssParams), certificate));
}
else if (pkcs1Table.Contains(algorithmDetails.Algorithm))
{
FipsRsa.SignatureParameters rsaParams = FipsRsa.Pkcs1v15.WithDigest((FipsDigestAlgorithm)pkcs1Table[algorithmDetails.Algorithm]);
return(CreateVerifierFactory(algorithmDetails, verifierService.CreateVerifierFactory(rsaParams), certificate));
}
}
AsymmetricDsaPublicKey dsaKey = publicKey as AsymmetricDsaPublicKey;
if (dsaKey != null)
{
IVerifierFactoryService verifierService = CryptoServicesRegistrar.CreateService(dsaKey);
FipsDsa.SignatureParameters sigParams = (FipsDsa.SignatureParameters)dsaTable[algorithmDetails.Algorithm];
return(CreateVerifierFactory(algorithmDetails, verifierService.CreateVerifierFactory(sigParams), certificate));
}
AsymmetricECPublicKey ecdsaKey = publicKey as AsymmetricECPublicKey;
if (ecdsaKey != null)
{
IVerifierFactoryService verifierService = CryptoServicesRegistrar.CreateService(ecdsaKey);
FipsEC.SignatureParameters sigParams = (FipsEC.SignatureParameters)ecdsaTable[algorithmDetails.Algorithm];
return(CreateVerifierFactory(algorithmDetails, verifierService.CreateVerifierFactory(sigParams), certificate));
}
AsymmetricSphincsPublicKey sphincsKey = publicKey as AsymmetricSphincsPublicKey;
if (sphincsKey != null)
{
IVerifierFactoryService verifierService = CryptoServicesRegistrar.CreateService(sphincsKey);
if (algorithmDetails.Algorithm.Equals(BCObjectIdentifiers.sphincs256_with_SHA512))
{
return(CreateVerifierFactory(algorithmDetails, verifierService.CreateVerifierFactory(Sphincs.Sphincs256), certificate));
}
else
{
return(CreateVerifierFactory(algorithmDetails, verifierService.CreateVerifierFactory(Sphincs.Sphincs256.WithDigest(FipsShs.Sha3_512)), certificate));
}
}
throw new ArgumentException("cannot match signature algorithm");
}
