Documentation

Digital Signatures with Multiple Keys

If you need to select among several keys when signing or verifying, use one of the beans described below.

Sometimes you need to be able to select signing keys at runtime. This is how you do it.

<!-- Signer bean that selects the private key per call: the id handed to sign(...)
     is looked up in the map referenced by privateKeyMap-ref (see the Java example
     below, which passes "mcDonalds" and "burgerKing"). -->
<crypt:signerWithChooserByPrivateKeyId id="signer" privateKeyMap-ref="privateKeyMap"
    algorithm="SHA1withRSA" provider="BC"/>

<!-- Key id -> private key. Each entry key is the string callers pass as the first
     argument of signer.sign(...). -->
<util:map id="privateKeyMap">
    <entry key="mcDonalds">
        <!-- NOTE(review): the key password is inlined here for illustration only.
             In a real deployment resolve it from an externalized, access-controlled
             property source (e.g. a ${...} placeholder) rather than committing it
             with the configuration. Same applies to every password in this snippet. -->
        <crypt:privateKey keystore-ref="mcDonaldsKeystore" alias="ronald"
            password="ketchup"/>
    </entry>
    <entry key="burgerKing">
        <crypt:privateKey keystore-ref="burgerKingKeystore" alias="cowboy"
            password="meatIsMurder"/>
    </entry>
</util:map>

<!-- Keystores holding the private keys, loaded as classpath: resources.
     The password attribute is the keystore (integrity) password, distinct from
     the per-key password given on <crypt:privateKey>. -->
<crypt:keystore id="mcDonaldsKeystore" location="classpath:keystore-mcdonalds.jks"
    password="royaleWithCheese"/>

<crypt:keystore id="burgerKingKeystore" location="classpath:keystore-burger-king.jks"
    password="r0naldSucksStinkyMeat"/>

algorithm

SHA1withRSA is the default algorithm, so the attribute can be omitted. Note that SHA-1 is no longer considered collision-resistant; for new signatures prefer a SHA-2 based algorithm such as SHA256withRSA.

provider since 1.3.0

The provider attribute is optional. When it is set, a JCA security provider registered under that name (BC, i.e. Bouncy Castle, in these examples) must be installed at runtime.

The signer can then be used like this:

import com.springcryptoutils.core.signature.SignerWithChooserByPrivateKeyId;

/**
 * Example business component that signs one payload with several private keys.
 * <p>
 * The key is chosen per call by id; the ids used here ("mcDonalds", "burgerKing")
 * are the entry keys of the {@code privateKeyMap} bean in the XML configuration.
 */
public class MyBusinessSigner {

    /** Injected from the {@code crypt:signerWithChooserByPrivateKeyId} bean with id "signer". */
    @Autowired
    private SignerWithChooserByPrivateKeyId signer;

    /**
     * Produces one raw signature per configured key over the same payload.
     * The signatures are computed and then left unused here; a real implementation
     * would attach them to the outgoing message.
     *
     * @param messageToBeTrusted the raw bytes to be signed
     */
    public void myBusinessMethod(byte[] messageToBeTrusted) {
        byte[] signatureForMcDonalds = signWith("mcDonalds", messageToBeTrusted);
        byte[] signatureForBurgerKing = signWith("burgerKing", messageToBeTrusted);
    }

    /** Delegates to the injected signer, selecting the private key registered under {@code keyId}. */
    private byte[] signWith(String keyId, byte[] payload) {
        return signer.sign(keyId, payload);
    }
}

Because you don't usually work directly with byte arrays, but rather with a base64-encoded version of such data, there is also a base64 version of the signer.

<!-- Base64 variant of the multi-key signer: same key selection by id, but the
     Java API works on String (base64) values instead of byte arrays. -->
<crypt:b64SignerWithChooserByPrivateKeyId id="signer" privateKeyMap-ref="privateKeyMap"
    algorithm="SHA1withRSA" provider="BC"/>

<!-- Key id -> private key. Each entry key is the string callers pass as the first
     argument of signer.sign(...). -->
<util:map id="privateKeyMap">
    <entry key="mcDonalds">
        <!-- NOTE(review): key and keystore passwords are inlined for illustration
             only; in a real deployment resolve them from an externalized,
             access-controlled property source (e.g. a ${...} placeholder). -->
        <crypt:privateKey keystore-ref="mcDonaldsKeystore" alias="ronald"
            password="ketchup"/>
    </entry>
    <entry key="burgerKing">
        <crypt:privateKey keystore-ref="burgerKingKeystore" alias="cowboy"
            password="meatIsMurder"/>
    </entry>
</util:map>

<!-- Keystores holding the private keys, loaded as classpath: resources. -->
<crypt:keystore id="mcDonaldsKeystore" location="classpath:keystore-mcdonalds.jks"
    password="royaleWithCheese"/>

<crypt:keystore id="burgerKingKeystore" location="classpath:keystore-burger-king.jks"
    password="r0naldSucksStinkyMeat"/>

algorithm

SHA1withRSA is the default algorithm, so the attribute can be omitted. Note that SHA-1 is no longer considered collision-resistant; for new signatures prefer a SHA-2 based algorithm such as SHA256withRSA.

provider since 1.3.0

The provider attribute is optional. When it is set, a JCA security provider registered under that name (BC, i.e. Bouncy Castle, in these examples) must be installed at runtime.

The signer can then be used like this:

import com.springcryptoutils.core.signature.Base64EncodedSignerWithChooserByPrivateKeyId;

/**
 * Example business component that signs one base64/String payload with several
 * private keys, selected per call by the ids configured in {@code privateKeyMap}.
 */
public class MyBusinessSigner {

    /** Injected from the {@code crypt:b64SignerWithChooserByPrivateKeyId} bean with id "signer". */
    @Autowired
    private Base64EncodedSignerWithChooserByPrivateKeyId signer;

    /**
     * Produces one base64-encoded signature per configured key over the same message.
     * The results are computed and then left unused in this example.
     *
     * @param messageToBeTrusted the message to be signed (String form, as the base64 signer expects)
     */
    public void myBusinessMethod(String messageToBeTrusted) {
        String signatureForMcDonalds = signWith("mcDonalds", messageToBeTrusted);
        String signatureForBurgerKing = signWith("burgerKing", messageToBeTrusted);
    }

    /** Delegates to the injected signer, selecting the private key registered under {@code keyId}. */
    private String signWith(String keyId, String payload) {
        return signer.sign(keyId, payload);
    }
}

Sometimes you need to be able to select verifying keys at runtime. This is how you do it.

<!-- Verifier bean that selects the public key per call: the id handed to
     verify(...) is looked up in the map referenced by publicKeyMap-ref. -->
<crypt:verifierWithChooserByPublicKeyId id="verifier" publicKeyMap-ref="publicKeyMap"
    algorithm="SHA1withRSA" provider="BC"/>

<!-- Key id -> public key. Public keys carry no per-key password; only the
     keystore password on the referenced <crypt:keystore> is needed. -->
<util:map id="publicKeyMap">
    <entry key="mcDonalds">
        <crypt:publicKey keystore-ref="mcDonaldsKeystore" alias="ronald"/>
    </entry>
    <entry key="burgerKing">
        <crypt:publicKey keystore-ref="burgerKingKeystore" alias="cowboy"/>
    </entry>
</util:map>

<!-- NOTE(review): these are the same keystores that hold the private keys.
     A verifying party only needs the public halves; consider pointing these
     at a store that contains certificates only, and externalize the passwords
     (e.g. ${...} placeholders) instead of inlining them. -->
<crypt:keystore id="mcDonaldsKeystore" location="classpath:keystore-mcdonalds.jks"
    password="royaleWithCheese"/>

<crypt:keystore id="burgerKingKeystore" location="classpath:keystore-burger-king.jks"
    password="r0naldSucksStinkyMeat"/>

algorithm

SHA1withRSA is the default algorithm, so the attribute can be omitted. Note that SHA-1 is no longer considered collision-resistant; for verification the algorithm must match the one the signature was produced with, and for new signatures prefer a SHA-2 based algorithm such as SHA256withRSA.

provider since 1.3.0

The provider attribute is optional. When it is set, a JCA security provider registered under that name (BC, i.e. Bouncy Castle, in these examples) must be installed at runtime.

Here is an example usage of the verifier:

import com.springcryptoutils.core.signature.VerifierWithChooserByPublicKeyId;

/**
 * Example business component that checks a raw signature against the public key
 * registered under a given id in the configured {@code publicKeyMap}.
 */
public class MyBusinessVerifier {

    /** Injected from the {@code crypt:verifierWithChooserByPublicKeyId} bean with id "verifier". */
    @Autowired
    private VerifierWithChooserByPublicKeyId verifier;

    /**
     * Verifies {@code signature} over {@code messageToBeTrusted} with the "mcDonalds"
     * public key. The outcome is computed but not acted upon in this example; a real
     * implementation must refuse to process the message when verification fails.
     *
     * @param messageToBeTrusted the raw message bytes
     * @param signature          the raw signature bytes to check
     */
    public void myBusinessMethod(byte[] messageToBeTrusted, byte[] signature) {
        boolean signatureIsValid = checkWith("mcDonalds", messageToBeTrusted, signature);
    }

    /** Delegates to the injected verifier, selecting the public key registered under {@code keyId}. */
    private boolean checkWith(String keyId, byte[] message, byte[] signature) {
        return verifier.verify(keyId, message, signature);
    }
}

Because you don't usually work directly with byte arrays, but rather with a base64-encoded version of such data, there is also a base64 version of the verifier.

<!-- Base64 variant of the multi-key verifier: same key selection by id, but the
     Java API takes the message and signature as Strings. -->
<crypt:b64VerifierWithChooserByPublicKeyId id="verifier" publicKeyMap-ref="publicKeyMap"
    algorithm="SHA1withRSA" provider="BC"/>

<!-- Key id -> public key. Public keys carry no per-key password; only the
     keystore password on the referenced <crypt:keystore> is needed. -->
<util:map id="publicKeyMap">
    <entry key="mcDonalds">
        <crypt:publicKey keystore-ref="mcDonaldsKeystore" alias="ronald"/>
    </entry>
    <entry key="burgerKing">
        <crypt:publicKey keystore-ref="burgerKingKeystore" alias="cowboy"/>
    </entry>
</util:map>

<!-- NOTE(review): a verifying party only needs the public halves; consider a
     certificates-only store here, and resolve the passwords from an externalized
     property source (e.g. ${...} placeholders) instead of inlining them. -->
<crypt:keystore id="mcDonaldsKeystore" location="classpath:keystore-mcdonalds.jks"
    password="royaleWithCheese"/>

<crypt:keystore id="burgerKingKeystore" location="classpath:keystore-burger-king.jks"
    password="r0naldSucksStinkyMeat"/>

algorithm

SHA1withRSA is the default algorithm, so the attribute can be omitted. Note that SHA-1 is no longer considered collision-resistant; for verification the algorithm must match the one the signature was produced with, and for new signatures prefer a SHA-2 based algorithm such as SHA256withRSA.

provider since 1.3.0

The provider attribute is optional. When it is set, a JCA security provider registered under that name (BC, i.e. Bouncy Castle, in these examples) must be installed at runtime.

Here is an example usage of the verifier:

import com.springcryptoutils.core.signature.Base64EncodedVerifierWithChooserByPublicKeyId;

/**
 * Example business component that gates order processing on a base64-encoded
 * signature verifying against the "mcDonalds" public key.
 */
public class MyBusinessVerifier {

    /** Injected from the {@code crypt:b64VerifierWithChooserByPublicKeyId} bean with id "verifier". */
    @Autowired
    private Base64EncodedVerifierWithChooserByPublicKeyId verifier;

    /**
     * Processes the order only if {@code b64signature} verifies over {@code message}
     * with the "mcDonalds" public key; otherwise the order is silently dropped.
     *
     * @param message      the order message, in the String form the base64 verifier expects
     * @param b64signature the base64-encoded signature to check against the message
     */
    public void myBusinessMethod(String message, String b64signature) {
        // Guard clause: a signature that does not verify means the order is ignored.
        // Nothing else happens on that path (no exception, no error reporting).
        // NOTE(review): consider recording failed verifications for audit purposes.
        if (!verifier.verify("mcDonalds", message, b64signature)) {
            return;
        }
        proceedWithOrder(message);
    }
}