0

I need to sign a certificate using a key from Google's KMS and later verify that an incoming certificate was actually signed with that key. I'm using the Bouncy Castle provider for most stuff, but I'm having trouble finding the right AlgorithmIdentifier for EC_SIGN_P256_SHA256 (the algorithm that Google uses to sign content).

Certificate creation looks like this:

```java
X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(...);
ContentSigner contentSigner = new ContentSigner() {
  ...
  public AlgorithmIdentifier getAlgorithmIdentifier() {
    return new AlgorithmIdentifier(X9ObjectIdentifiers.prime256v1); // wrong
  }

  public byte[] getSignature() {
    byte[] messageHash = MessageDigest.getInstance("SHA-256").digest(this.out.toByteArray());
    return signAsymmetric(getKmsKeyName(), messageHash);
  }
}
X509CertificateHolder certificateHolder = certificateBuilder.build(contentSigner);
Certificate cert = new JcaX509CertificateConverter().getCertificate(certificateHolder);
```

signAsymmetric is more or less a copy-paste from the Google example and seems to be fine.

Verification is done like this:

```java
public void verifyCertificate(Certificate signatureCertificate) {
  PublicKey publicKey = getAsymmetricPublicKey(getKmsKeyName());
  signatureCertificate.verify(publicKey);
}
```

If I use prime256v1, signatureCertificate.verify(...) gives "java.security.NoSuchAlgorithmException: 1.2.840.10045.3.1.7 Signature not available". With some other algorithms it just gives a signature validation exception. So what would be the right way or algorithm ID to use? Or is it not possible this way at all?

Dainius

2 Answers

2

I believe you'll want X9ObjectIdentifiers.ecdsa_with_SHA256.

bdhess
  • Yes, it was the wrong object identifier, you can see that the one of the P256 named curve was used [here](http://www.oid-info.com/cgi-bin/display?oid=1.2.840.10045.3.1.7+&action=display) instead of the one of the algorithm. – Maarten Bodewes Apr 03 '19 at 19:49
1

My own mistake (of course): it works fine with "SHA256withECDSA", but I also did MessageDigest.getInstance("SHA-256").digest(), and of course I shouldn't do that. When signing the actual data and not a hash, it works fine.

Dainius
  • Signature algorithms generally include the hash as a configuration parameter or - in this case - as part of the algorithm name. Sometimes you can directly inject the hash (which is actually a nice touch if an API lets you do that) but this is commonly not the default. – Maarten Bodewes Apr 03 '19 at 19:50
  • I guess you need to know what algorithm was used to sign, so you can verify. But in my case it was just a stupid mistake to create a hash first (from the content I wanted to sign) and then sign that hash. – Dainius Apr 04 '19 at 07:17
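
The two points from the answers above (the algorithm OID versus the curve OID, and hashing once versus twice), reproduced with JDK classes only as an added example that is not code from the original posts. Assumptions: a locally generated P-256 key stands in for the KMS key, and `signDigest` is a hypothetical helper modelling a signer that signs a supplied SHA-256 digest as-is.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;

public class EcdsaOidAndHashDemo {
    // Hypothetical stand-in for a remote signer: signs the supplied
    // SHA-256 digest as-is on P-256, without hashing it again.
    static byte[] signDigest(PrivateKey key, byte[] digest) throws GeneralSecurityException {
        Signature s = Signature.getInstance("NONEwithECDSA");
        s.initSign(key);
        s.update(digest);
        return s.sign();
    }

    // Verifies the way a certificate check does: the named algorithm
    // hashes the data itself before checking the signature.
    static boolean verify(String alg, PublicKey key, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance(alg);
        v.initVerify(key);
        v.update(data);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // same curve as prime256v1
        KeyPair kp = kpg.generateKeyPair();
        PublicKey pub = kp.getPublic();

        // Constructed sample standing in for the bytes written to the ContentSigner.
        byte[] tbs = "constructed to-be-signed bytes".getBytes(StandardCharsets.UTF_8);
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] once = sha256.digest(tbs);   // digest of the data
        byte[] twice = sha256.digest(once); // digest of the digest (the mistake)

        byte[] sigOnce = signDigest(kp.getPrivate(), once);
        byte[] sigTwice = signDigest(kp.getPrivate(), twice);
        System.out.println("hashed once:  " + verify("SHA256withECDSA", pub, tbs, sigOnce));
        System.out.println("hashed twice: " + verify("SHA256withECDSA", pub, tbs, sigTwice));
        // The ecdsa-with-SHA256 OID names a signature algorithm, so it resolves.
        System.out.println("by OID:       " + verify("1.2.840.10045.4.3.2", pub, tbs, sigOnce));
        try {
            Signature.getInstance("1.2.840.10045.3.1.7"); // curve OID from the question
        } catch (NoSuchAlgorithmException e) {
            System.out.println("curve OID:    " + e.getMessage());
        }
    }
}
```

Only the signature made over the single digest verifies under SHA256withECDSA; the one made over the digest of the digest is rejected, and the curve OID is not accepted as a signature algorithm name at all.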