Release v2.0 - Java 25 upgrade with new cryptographic features

  BREAKING CHANGES:
  - Upgraded to Java 25 (from Java 21)
  - Replaced ru.rutoken:pkcs11jna with custom JNA bindings

  NEW FEATURES:
  - PKCS11ECDSASigner: ECDSA signing with SHA-1/224/256/384/512
  - PKCS11Digest: Hardware hashing (MD5, SHA-1/224/256/384/512, RIPEMD-160)
  - PKCS11Random: Hardware RNG extending SecureRandom
  - PKCS11KeyDerivation: ECDH key derivation with multiple KDFs
  - Custom JNA Cryptoki interface based on OASIS PKCS#11 v2.40
  - Multi-part signing for large files (>16KB)

  IMPROVEMENTS:
  - PKCS11Signer: Added SHA-1/224/384/512 algorithm support
  - PKCS11RSACrypto: Simplified to PKCS#1 v1.5 only
  - Added comprehensive exception types for new operations
  - Updated all dependencies to latest versions

  DEPENDENCIES:
  - JNA 5.16.0, dss-token 6.3, BouncyCastle 1.80
  - Lombok 1.18.42 (Java 25 support)
  - JUnit 5.11.4, Mockito 5.15.2

  DOCUMENTATION:
  - Updated README with all new features and examples
  - Added OpenSC 0.26.1 to tested environments
  - Updated architecture diagrams

  Lub krótsza wersja:

  Release v2.0 - Major update with Java 25 and new crypto features

  - Upgrade to Java 25 with updated dependencies
  - Add ECDSA signing, hardware RNG, digest, and ECDH key derivation
  - Replace external PKCS#11 bindings with custom JNA implementation
  - Add multi-part signing for large files
  - Update README with OpenSC 0.26.1 support

Author: SimpleMethod

src/main/java/pl/mlodawski/security/example/PKCS11Example.java

@@ -1,5 +1,6 @@
 package pl.mlodawski.security.example;
 
+import com.sun.jna.NativeLong;
 import pl.mlodawski.security.pkcs11.*;
 import pl.mlodawski.security.pkcs11.model.*;
 
@@ -91,9 +92,15 @@ public void onDeviceError(PKCS11Device device, Exception error) {
                                     listSupportedAlgorithms(manager, session);
                                     break;
                                 case 8:
+                                    generateHardwareRandom(manager, session);
+                                    break;
+                                case 9:
+                                    computeHardwareDigest(manager, session);
+                                    break;
+                                case 10:
                                     selectedDevice = null;
                                     return;
-                                case 9:
+                                case 11:
                                     session.close();
                                     selectedDevice = null;
                                     PIN = null;
@@ -104,10 +111,6 @@ public void onDeviceError(PKCS11Device device, Exception error) {
                                 default:
                                     System.out.println("Invalid choice. Please try again.");
                             }
-
-//                            if (choice == 6) {
-//                                break;
-//                            }
                         }
                     } catch (Exception e) {
                         System.out.println("Session error: " + e.getMessage());
@@ -145,14 +148,12 @@ private void signFile(PKCS11Manager manager, PKCS11Session session) {
                     selectedPair.getKeyHandle(),
                     fileContent);
 
-            // Save signature to file
             String signatureFilePath = filePath + ".sig";
             Files.write(Paths.get(signatureFilePath), signature);
 
             System.out.println("File signed successfully. Signature saved to: " + signatureFilePath);
             System.out.println("Signature (Base64): " + Base64.getEncoder().encodeToString(signature));
 
-            // Verify signature immediately
             boolean isSignatureValid = signer.verifySignature(fileContent, signature, selectedPair.getCertificate());
             System.out.println("Signature verification: " + (isSignatureValid ? "Valid" : "Invalid"));
         } catch (Exception e) {
@@ -208,11 +209,9 @@ private void encryptDecryptFile(PKCS11Manager manager, PKCS11Session session) {
 
             byte[] fileContent = Files.readAllBytes(Paths.get(filePath));
 
-            // Encrypt file using hybrid encryption
             PKCS11Crypto crypto = new PKCS11Crypto();
             byte[][] encryptedPackage = crypto.encryptData(fileContent, selectedPair.getCertificate());
 
-            // Save encrypted components
             String encryptedKeyPath = filePath + ".key.enc";
             String encryptedIVPath = filePath + ".iv";
             String encryptedDataPath = filePath + ".data.enc";
@@ -232,7 +231,6 @@ private void encryptDecryptFile(PKCS11Manager manager, PKCS11Session session) {
                 return;
             }
 
-            // Decrypt file
             byte[][] decryptPackage = new byte[][]{
                     Files.readAllBytes(Paths.get(encryptedKeyPath)),
                     Files.readAllBytes(Paths.get(encryptedIVPath)),
@@ -246,12 +244,10 @@ private void encryptDecryptFile(PKCS11Manager manager, PKCS11Session session) {
                     decryptPackage
             );
 
-            // Save decrypted file
             String decryptedFilePath = filePath + ".dec";
             Files.write(Paths.get(decryptedFilePath), decryptedData);
             System.out.println("File decrypted successfully. Saved to: " + decryptedFilePath);
 
-            // Calculate and display checksums
             String originalChecksum = getFileChecksum(fileContent);
             String decryptedChecksum = getFileChecksum(decryptedData);
 
@@ -379,15 +375,20 @@ private boolean getPINFromUser() {
     private void displayMenu() {
         System.out.println("\n--- PKCS#11 Operations Menu ---");
         System.out.println("Current device: " + selectedDevice.getLabel());
+        System.out.println("--- Basic Operations ---");
         System.out.println("1. List Available Certificates");
-        System.out.println("2. Sign a Message");
+        System.out.println("2. Sign a Message (RSA-PKCS)");
         System.out.println("3. Sign a File");
         System.out.println("4. Verify File Signature");
-        System.out.println("5. Encrypt and Decrypt Data");
-        System.out.println("6. Encrypt and Decrypt File");
+        System.out.println("5. Encrypt and Decrypt Data (Hybrid)");
+        System.out.println("6. Encrypt and Decrypt File (Hybrid)");
         System.out.println("7. List Supported Algorithms");
-        System.out.println("8. Exit");
-        System.out.println("9. Change Device");
+        System.out.println("--- Advanced Operations ---");
+        System.out.println("8. Generate Hardware Random Numbers");
+        System.out.println("9. Compute Hardware Digest (Hash)");
+        System.out.println("--- System ---");
+        System.out.println("10. Exit");
+        System.out.println("11. Change Device");
         System.out.print("Enter your choice: ");
     }
 
@@ -457,12 +458,10 @@ private void encryptDecryptData(PKCS11Manager manager, PKCS11Session session) {
 
             PKCS11Crypto crypto = new PKCS11Crypto();
 
-            // Encrypt data
             byte[][] encryptedPackage = crypto.encryptData(dataToEncrypt.getBytes(), selectedPair.getCertificate());
             System.out.println("Data encrypted successfully.");
             System.out.println("Encrypted data (Base64): " + Base64.getEncoder().encodeToString(encryptedPackage[2]));
 
-            // Decrypt data
             byte[] decryptedData = crypto.decryptData(
                     manager.getPkcs11(),
                     session.getSession(),
@@ -504,6 +503,94 @@ private void listSupportedAlgorithms(PKCS11Manager manager, PKCS11Session sessio
             System.out.println("Error listing algorithms: " + e.getMessage());
         }
     }
+
+    private void generateHardwareRandom(PKCS11Manager manager, PKCS11Session session) {
+        try {
+            Scanner scanner = new Scanner(System.in);
+            System.out.print("Enter number of random bytes to generate (1-1024): ");
+            int numBytes = scanner.nextInt();
+
+            if (numBytes < 1 || numBytes > 1024) {
+                System.out.println("Invalid number of bytes. Please enter a value between 1 and 1024.");
+                return;
+            }
+
+            PKCS11Random random = new PKCS11Random(manager.getPkcs11(), session.getSession());
+            byte[] randomBytes = random.generateRandomBytes(numBytes);
+
+            System.out.println("\nHardware-generated random bytes:");
+            System.out.println("Hex: " + bytesToHex(randomBytes));
+            System.out.println("Base64: " + Base64.getEncoder().encodeToString(randomBytes));
+            System.out.println("Generated " + randomBytes.length + " random bytes from hardware token.");
+        } catch (Exception e) {
+            System.out.println("Error generating random numbers: " + e.getMessage());
+        }
+    }
+
+    private void computeHardwareDigest(PKCS11Manager manager, PKCS11Session session) {
+        try {
+            Scanner scanner = new Scanner(System.in);
+
+            System.out.println("\nSelect hash algorithm:");
+            PKCS11Digest.Algorithm[] algorithms = PKCS11Digest.Algorithm.values();
+            for (int i = 0; i < algorithms.length; i++) {
+                System.out.printf("%d. %s (%d bytes)%n", i + 1, algorithms[i].name(), algorithms[i].getDigestLength());
+            }
+            System.out.print("Enter choice: ");
+            int algoChoice = scanner.nextInt();
+            scanner.nextLine(); // consume newline
+
+            if (algoChoice < 1 || algoChoice > algorithms.length) {
+                System.out.println("Invalid algorithm choice.");
+                return;
+            }
+            PKCS11Digest.Algorithm selectedAlgorithm = algorithms[algoChoice - 1];
+
+            System.out.print("Enter data to hash (or 'file:path' to hash a file): ");
+            String input = scanner.nextLine();
+
+            byte[] dataToHash;
+            if (input.startsWith("file:")) {
+                String filePath = input.substring(5);
+                if (!Files.exists(Paths.get(filePath))) {
+                    System.out.println("File does not exist: " + filePath);
+                    return;
+                }
+                dataToHash = Files.readAllBytes(Paths.get(filePath));
+                System.out.println("Hashing file: " + filePath + " (" + dataToHash.length + " bytes)");
+            } else {
+                dataToHash = input.getBytes();
+            }
+
+            PKCS11Digest digest = new PKCS11Digest(manager.getPkcs11(), session.getSession());
+            byte[] hashResult = digest.digest(selectedAlgorithm, dataToHash);
+
+            System.out.println("\nHardware-computed " + selectedAlgorithm.name() + " digest:");
+            System.out.println("Hex: " + bytesToHex(hashResult));
+            System.out.println("Base64: " + Base64.getEncoder().encodeToString(hashResult));
+
+            try {
+                String javaAlgoName = selectedAlgorithm.name().replace("_", "-");
+                if (javaAlgoName.equals("SHA1")) javaAlgoName = "SHA-1";
+                MessageDigest md = MessageDigest.getInstance(javaAlgoName);
+                byte[] softwareHash = md.digest(dataToHash);
+                boolean matches = Arrays.equals(hashResult, softwareHash);
+                System.out.println("Matches software hash: " + (matches ? "Yes" : "No"));
+            } catch (NoSuchAlgorithmException e) {
+                System.out.println("(Software comparison not available for this algorithm)");
+            }
+        } catch (Exception e) {
+            System.out.println("Error computing digest: " + e.getMessage());
+        }
+    }
+
+    private String bytesToHex(byte[] bytes) {
+        StringBuilder sb = new StringBuilder();
+        for (byte b : bytes) {
+            sb.append(String.format("%02x", b));
+        }
+        return sb.toString();
+    }
 }
 
 

src/main/java/pl/mlodawski/security/pkcs11/PKCS11Crypto.java

@@ -2,13 +2,13 @@
 
 import lombok.extern.slf4j.Slf4j;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
-import pl.mlodawski.security.pkcs11.exceptions.CryptoInitializationException;
 import pl.mlodawski.security.pkcs11.exceptions.DecryptionException;
 import pl.mlodawski.security.pkcs11.exceptions.EncryptionException;
 import pl.mlodawski.security.pkcs11.exceptions.InvalidInputException;
-import ru.rutoken.pkcs11jna.CK_MECHANISM;
-import ru.rutoken.pkcs11jna.Pkcs11;
-import ru.rutoken.pkcs11jna.Pkcs11Constants;
+import pl.mlodawski.security.pkcs11.jna.Cryptoki;
+import pl.mlodawski.security.pkcs11.jna.constants.MechanismType;
+import pl.mlodawski.security.pkcs11.jna.constants.ReturnValue;
+import pl.mlodawski.security.pkcs11.jna.structure.Mechanism;
 import com.sun.jna.NativeLong;
 import com.sun.jna.ptr.NativeLongByReference;
 
@@ -77,16 +77,15 @@ public byte[][] encryptData(byte[] dataToEncrypt, X509Certificate certificate) {
      * @return the decrypted data as a byte array.
      * @throws DecryptionException if the decryption process fails.
      */
-    public byte[] decryptData(Pkcs11 pkcs11, NativeLong session, NativeLong privateKeyHandle, byte[][] encryptedPackage) {
+    public byte[] decryptData(Cryptoki pkcs11, NativeLong session, NativeLong privateKeyHandle, byte[][] encryptedPackage) {
         validateDecryptInput(pkcs11, session, privateKeyHandle, encryptedPackage);
 
         byte[] encryptedKey = encryptedPackage[0];
         byte[] iv = encryptedPackage[1];
         byte[] encryptedData = encryptedPackage[2];
 
         try {
-            CK_MECHANISM mechanism = new CK_MECHANISM();
-            mechanism.mechanism = new NativeLong(Pkcs11Constants.CKM_RSA_PKCS);
+            Mechanism mechanism = new Mechanism(MechanismType.RSA_PKCS);
             NativeLong rv = pkcs11.C_DecryptInit(session, mechanism, privateKeyHandle);
             checkResult(rv, "Failed to initialize decryption");
 
@@ -111,7 +110,7 @@ public byte[] decryptData(Pkcs11 pkcs11, NativeLong session, NativeLong privateK
      * @return the decrypted data as a byte array
      * @throws DecryptionException if the decryption process fails
      */
-    private byte[] decrypt(Pkcs11 pkcs11, NativeLong session, byte[] encryptedData) {
+    private byte[] decrypt(Cryptoki pkcs11, NativeLong session, byte[] encryptedData) {
         try {
             NativeLongByReference decryptedDataLen = new NativeLongByReference();
             NativeLong result = pkcs11.C_Decrypt(session, encryptedData, new NativeLong(encryptedData.length), null, decryptedDataLen);
@@ -136,7 +135,7 @@ private byte[] decrypt(Pkcs11 pkcs11, NativeLong session, byte[] encryptedData)
      * @throws DecryptionException if the result is not CKR_OK.
      */
     private void checkResult(NativeLong result, String errorMessage) {
-        if (!result.equals(new NativeLong(Pkcs11Constants.CKR_OK))) {
+        if (!ReturnValue.isSuccess(result)) {
             throw new DecryptionException(errorMessage + ": " + result, null);
         }
     }
@@ -166,7 +165,7 @@ private void validateEncryptInput(byte[] dataToEncrypt, X509Certificate certific
      * @param encryptedPackage the encrypted data package, must be an array of three non-null byte arrays
      * @throws InvalidInputException if any of the input parameters are invalid
      */
-    private void validateDecryptInput(Pkcs11 pkcs11, NativeLong session, NativeLong privateKeyHandle, byte[][] encryptedPackage) {
+    private void validateDecryptInput(Cryptoki pkcs11, NativeLong session, NativeLong privateKeyHandle, byte[][] encryptedPackage) {
         if (pkcs11 == null) {
             throw new InvalidInputException("pkcs11 instance cannot be null");
         }