summaryrefslogtreecommitdiff
path: root/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2020-06-19 15:53:01 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2020-06-19 15:53:01 +0200
commitd5df50291368c099c0c2c382dedc861b99a98462 (patch)
tree98c65b62b122dc2a8ac70ca625a904bfb0996601 /eaaf_modules/eaaf_module_auth_sl20/src/main/java/at
parent83a10243f8cc5e39093f9764356350ae8c80e41c (diff)
downloadEAAF-Components-d5df50291368c099c0c2c382dedc861b99a98462.tar.gz
EAAF-Components-d5df50291368c099c0c2c382dedc861b99a98462.tar.bz2
EAAF-Components-d5df50291368c099c0c2c382dedc861b99a98462.zip
fix bug in SL20 JOSE-Utils that prohibits HSM-Facade Usage and only allows RSA keys
Diffstat (limited to 'eaaf_modules/eaaf_module_auth_sl20/src/main/java/at')
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java40
1 files changed, 34 insertions, 6 deletions
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
index 43c44647..1b824ad1 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
@@ -7,6 +7,8 @@ import java.security.KeyStoreException;
import java.security.Provider;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.RSAPrivateKey;
import java.util.Collections;
import java.util.List;
@@ -134,11 +136,12 @@ public class JsonSecurityUtils implements IJoseTools {
jws.setContentTypeHeaderValue(SL20Constants.SL20_CONTENTTYPE_SIGNED_COMMAND);
// set signing information
- jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
final Pair<Key, X509Certificate[]> signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
keyStore.getFirst(), getSigningKeyAlias(), getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE);
jws.setKey(signingCred.getFirst());
-
+ jws.setAlgorithmHeaderValue(getKeyOperationAlgorithmFromCredential(jws.getKey(),
+ AlgorithmIdentifiers.RSA_USING_SHA256, AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256));
+
// set special provider if required
if (keyStore.getSecond() != null) {
log.trace("Injecting special Java Security Provider: {}", keyStore.getSecond().getName());
@@ -377,8 +380,7 @@ public class JsonSecurityUtils implements IJoseTools {
config.setFriendlyName(FRIENDLYNAME_KEYSTORE);
config.setKeyStoreType(authConfig.getBasicConfiguration(
- authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE),
- KeyStoreType.JKS.getKeyStoreType()));
+ Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE, KeyStoreType.JKS.getKeyStoreType()));
config.setKeyStoreName(
authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_NAME));
config.setSoftKeyStoreFilePath(
@@ -398,8 +400,7 @@ public class JsonSecurityUtils implements IJoseTools {
config.setFriendlyName(FRIENDLYNAME_TRUSTSTORE);
config.setKeyStoreType(authConfig.getBasicConfiguration(
- authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE),
- KeyStoreType.JKS.getKeyStoreType()));
+ Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE, KeyStoreType.JKS.getKeyStoreType()));
config.setKeyStoreName(
authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_NAME));
config.setSoftKeyStoreFilePath(
@@ -413,6 +414,33 @@ public class JsonSecurityUtils implements IJoseTools {
return config;
}
+ /**
+ * Select signature algorithm for a given credential.
+ *
+ * @param key {@link X509Credential} that will be used for key operations
+ * @param rsaSigAlgorithm RSA based algorithm that should be used in
+ * case of RSA credential
+ * @param ecSigAlgorithm EC based algorithm that should be used in case
+ * of RSA credential
+ * @return either the RSA based algorithm or the EC based algorithm
+ * @throws SlCommandoBuildException In case of an unsupported credential
+ */
+ private static String getKeyOperationAlgorithmFromCredential(Key key,
+ String rsaSigAlgorithm, String ecSigAlgorithm) throws SlCommandoBuildException {
+ if (key instanceof RSAPrivateKey) {
+ return rsaSigAlgorithm;
+
+ } else if (key instanceof ECPrivateKey) {
+ return ecSigAlgorithm;
+
+ } else {
+ log.warn("Could NOT evaluate the Private-Key type from do select algorithm");
+ throw new SlCommandoBuildException("Could NOT evaluate the Private-Key type from do select algorithm");
+
+ }
+
+ }
+
private String getSigningKeyAlias() {
String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS);
if (value != null) {