1*e7b1675dSTing-Kang Chang /** 2*e7b1675dSTing-Kang Chang * Copyright 2021 Google LLC 3*e7b1675dSTing-Kang Chang * 4*e7b1675dSTing-Kang Chang * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except 5*e7b1675dSTing-Kang Chang * in compliance with the License. You may obtain a copy of the License at 6*e7b1675dSTing-Kang Chang * 7*e7b1675dSTing-Kang Chang * http://www.apache.org/licenses/LICENSE-2.0 8*e7b1675dSTing-Kang Chang * 9*e7b1675dSTing-Kang Chang * Unless required by applicable law or agreed to in writing, software distributed under the License 10*e7b1675dSTing-Kang Chang * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express 11*e7b1675dSTing-Kang Chang * or implied. See the License for the specific language governing permissions and limitations under 12*e7b1675dSTing-Kang Chang * the License. 13*e7b1675dSTing-Kang Chang */ 14*e7b1675dSTing-Kang Chang // [START digital-signature-example] 15*e7b1675dSTing-Kang Chang package signature; 16*e7b1675dSTing-Kang Chang 17*e7b1675dSTing-Kang Chang import static java.nio.charset.StandardCharsets.UTF_8; 18*e7b1675dSTing-Kang Chang 19*e7b1675dSTing-Kang Chang import com.google.crypto.tink.InsecureSecretKeyAccess; 20*e7b1675dSTing-Kang Chang import com.google.crypto.tink.KeysetHandle; 21*e7b1675dSTing-Kang Chang import com.google.crypto.tink.PublicKeySign; 22*e7b1675dSTing-Kang Chang import com.google.crypto.tink.PublicKeyVerify; 23*e7b1675dSTing-Kang Chang import com.google.crypto.tink.TinkJsonProtoKeysetFormat; 24*e7b1675dSTing-Kang Chang import com.google.crypto.tink.signature.SignatureConfig; 25*e7b1675dSTing-Kang Chang import java.nio.file.Files; 26*e7b1675dSTing-Kang Chang import java.nio.file.Path; 27*e7b1675dSTing-Kang Chang import java.nio.file.Paths; 28*e7b1675dSTing-Kang Chang 29*e7b1675dSTing-Kang Chang /** 30*e7b1675dSTing-Kang Chang * A command-line utility for digitally signing and verifying a file. 31*e7b1675dSTing-Kang Chang * 32*e7b1675dSTing-Kang Chang * <p>It loads cleartext keys from disk - this is not recommended! 33*e7b1675dSTing-Kang Chang * 34*e7b1675dSTing-Kang Chang * <p>It requires the following arguments: 35*e7b1675dSTing-Kang Chang * 36*e7b1675dSTing-Kang Chang * <ul> 37*e7b1675dSTing-Kang Chang * <li>mode: either 'sign' or 'verify'. 38*e7b1675dSTing-Kang Chang * <li>key-file: Read the key material from this file. 39*e7b1675dSTing-Kang Chang * <li>input-file: Read the input from this file. 40*e7b1675dSTing-Kang Chang * <li>signature-file: name of the file containing a hexadecimal signature of the input file. 41*e7b1675dSTing-Kang Chang */ 42*e7b1675dSTing-Kang Chang public final class SignatureExample { main(String[] args)43*e7b1675dSTing-Kang Chang public static void main(String[] args) throws Exception { 44*e7b1675dSTing-Kang Chang if (args.length != 4) { 45*e7b1675dSTing-Kang Chang System.err.printf("Expected 4 parameters, got %d\n", args.length); 46*e7b1675dSTing-Kang Chang System.err.println( 47*e7b1675dSTing-Kang Chang "Usage: java SignatureExample sign/verify key-file input-file signature-file"); 48*e7b1675dSTing-Kang Chang System.exit(1); 49*e7b1675dSTing-Kang Chang } 50*e7b1675dSTing-Kang Chang 51*e7b1675dSTing-Kang Chang String mode = args[0]; 52*e7b1675dSTing-Kang Chang if (!mode.equals("sign") && !mode.equals("verify")) { 53*e7b1675dSTing-Kang Chang System.err.println("Incorrect mode. Please select sign or verify."); 54*e7b1675dSTing-Kang Chang System.exit(1); 55*e7b1675dSTing-Kang Chang } 56*e7b1675dSTing-Kang Chang Path keyFile = Paths.get(args[1]); 57*e7b1675dSTing-Kang Chang byte[] msg = Files.readAllBytes(Paths.get(args[2])); 58*e7b1675dSTing-Kang Chang Path signatureFile = Paths.get(args[3]); 59*e7b1675dSTing-Kang Chang 60*e7b1675dSTing-Kang Chang // Register all signature key types with the Tink runtime. 61*e7b1675dSTing-Kang Chang SignatureConfig.register(); 62*e7b1675dSTing-Kang Chang 63*e7b1675dSTing-Kang Chang // Read the keyset into a KeysetHandle. 64*e7b1675dSTing-Kang Chang KeysetHandle handle = 65*e7b1675dSTing-Kang Chang TinkJsonProtoKeysetFormat.parseKeyset( 66*e7b1675dSTing-Kang Chang new String(Files.readAllBytes(keyFile), UTF_8), InsecureSecretKeyAccess.get()); 67*e7b1675dSTing-Kang Chang 68*e7b1675dSTing-Kang Chang if (mode.equals("sign")) { 69*e7b1675dSTing-Kang Chang // Get the primitive. 70*e7b1675dSTing-Kang Chang PublicKeySign signer = handle.getPrimitive(PublicKeySign.class); 71*e7b1675dSTing-Kang Chang 72*e7b1675dSTing-Kang Chang // Use the primitive to sign data. 73*e7b1675dSTing-Kang Chang byte[] signature = signer.sign(msg); 74*e7b1675dSTing-Kang Chang Files.write(signatureFile, signature); 75*e7b1675dSTing-Kang Chang } else { 76*e7b1675dSTing-Kang Chang byte[] signature = Files.readAllBytes(signatureFile); 77*e7b1675dSTing-Kang Chang 78*e7b1675dSTing-Kang Chang // Get the primitive. 79*e7b1675dSTing-Kang Chang PublicKeyVerify verifier = handle.getPrimitive(PublicKeyVerify.class); 80*e7b1675dSTing-Kang Chang 81*e7b1675dSTing-Kang Chang verifier.verify(signature, msg); 82*e7b1675dSTing-Kang Chang } 83*e7b1675dSTing-Kang Chang } 84*e7b1675dSTing-Kang Chang SignatureExample()85*e7b1675dSTing-Kang Chang private SignatureExample() {} 86*e7b1675dSTing-Kang Chang } 87*e7b1675dSTing-Kang Chang // [END digital-signature-example] 88