fix bug in SL20 JOSE-Utils that prohibits HSM-Facade Usage and only allows RSA keys

author: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-06-19 15:53:01 +0200
committer: Thomas Lenz <thomas.lenz@egiz.gv.at> 2020-06-19 15:53:01 +0200
commit: d5df50291368c099c0c2c382dedc861b99a98462 (patch)
tree: 98c65b62b122dc2a8ac70ca625a904bfb0996601
parent: 83a10243f8cc5e39093f9764356350ae8c80e41c (diff)
download: EAAF-Components-d5df50291368c099c0c2c382dedc861b99a98462.tar.gz
EAAF-Components-d5df50291368c099c0c2c382dedc861b99a98462.tar.bz2
EAAF-Components-d5df50291368c099c0c2c382dedc861b99a98462.zip
1 files changed, 34 insertions, 6 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
index 43c44647..1b824ad1 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
@@ -7,6 +7,8 @@ import java.security.KeyStoreException;
 import java.security.Provider;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.RSAPrivateKey;
 import java.util.Collections;
 import java.util.List;
 
@@ -134,11 +136,12 @@ public class JsonSecurityUtils implements IJoseTools {
       jws.setContentTypeHeaderValue(SL20Constants.SL20_CONTENTTYPE_SIGNED_COMMAND);
 
       // set signing information
-      jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
       final Pair<Key, X509Certificate[]> signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
           keyStore.getFirst(), getSigningKeyAlias(), getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE);
       jws.setKey(signingCred.getFirst());
-
+      jws.setAlgorithmHeaderValue(getKeyOperationAlgorithmFromCredential(jws.getKey(), 
+          AlgorithmIdentifiers.RSA_USING_SHA256, AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256));
+      
       // set special provider if required
       if (keyStore.getSecond() != null) {
         log.trace("Injecting special Java Security Provider: {}", keyStore.getSecond().getName());
@@ -377,8 +380,7 @@ public class JsonSecurityUtils implements IJoseTools {
     config.setFriendlyName(FRIENDLYNAME_KEYSTORE);
 
     config.setKeyStoreType(authConfig.getBasicConfiguration(
-        authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE),
-        KeyStoreType.JKS.getKeyStoreType()));
+        Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE, KeyStoreType.JKS.getKeyStoreType()));
     config.setKeyStoreName(
         authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_NAME));
     config.setSoftKeyStoreFilePath(
@@ -398,8 +400,7 @@ public class JsonSecurityUtils implements IJoseTools {
     config.setFriendlyName(FRIENDLYNAME_TRUSTSTORE);
 
     config.setKeyStoreType(authConfig.getBasicConfiguration(
-        authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE),
-        KeyStoreType.JKS.getKeyStoreType()));
+        Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE, KeyStoreType.JKS.getKeyStoreType()));
     config.setKeyStoreName(
         authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_NAME));
     config.setSoftKeyStoreFilePath(
@@ -413,6 +414,33 @@ public class JsonSecurityUtils implements IJoseTools {
     return config;
   }
 
+  /**
+   * Select signature algorithm for a given credential.
+   *
+   * @param key     {@link X509Credential} that will be used for key operations
+   * @param rsaSigAlgorithm RSA based algorithm that should be used in
+   *                        case of RSA credential
+   * @param ecSigAlgorithm  EC based algorithm that should be used in case
+   *                        of RSA credential
+   * @return either the RSA based algorithm or the EC based algorithm
+   * @throws SlCommandoBuildException In case of an unsupported credential
+   */
+  private static String getKeyOperationAlgorithmFromCredential(Key key,
+      String rsaSigAlgorithm, String ecSigAlgorithm) throws SlCommandoBuildException {
+    if (key instanceof RSAPrivateKey) {
+      return rsaSigAlgorithm;
+
+    } else if (key instanceof ECPrivateKey) {
+      return ecSigAlgorithm;
+
+    } else {
+      log.warn("Could NOT evaluate the Private-Key type from do select algorithm");
+      throw new SlCommandoBuildException("Could NOT evaluate the Private-Key type from do select algorithm");
+    
+    }
+
+  }
+  
   private String getSigningKeyAlias() {
     String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS);
     if (value != null) {
author	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-06-19 15:53:01 +0200
committer	Thomas Lenz <thomas.lenz@egiz.gv.at>	2020-06-19 15:53:01 +0200
commit	d5df50291368c099c0c2c382dedc861b99a98462 (patch)
tree	98c65b62b122dc2a8ac70ca625a904bfb0996601
parent	83a10243f8cc5e39093f9764356350ae8c80e41c (diff)
download	EAAF-Components-d5df50291368c099c0c2c382dedc861b99a98462.tar.gz EAAF-Components-d5df50291368c099c0c2c382dedc861b99a98462.tar.bz2 EAAF-Components-d5df50291368c099c0c2c382dedc861b99a98462.zip