diff options
| author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-02-17 18:10:45 +0100 | 
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-02-17 18:10:45 +0100 | 
| commit | fa2727e5844733f29d9ba12f353579c112f0673d (patch) | |
| tree | 223b5033f9b54f623b14e2022587eb0f47b69d24 /eaaf_modules/eaaf_module_auth_sl20 | |
| parent | f62bafa252e6e0dfaaa9ba4acbc34b47ee627e21 (diff) | |
| download | EAAF-Components-fa2727e5844733f29d9ba12f353579c112f0673d.tar.gz EAAF-Components-fa2727e5844733f29d9ba12f353579c112f0673d.tar.bz2 EAAF-Components-fa2727e5844733f29d9ba12f353579c112f0673d.zip | |
Update sign method to add parameter for JOSE x509c header
Inject special Java Security Provider if KeyStore needs a specific one
Diffstat (limited to 'eaaf_modules/eaaf_module_auth_sl20')
2 files changed, 68 insertions, 27 deletions
| diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/IJoseTools.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/IJoseTools.java index 6ee53a9d..f04555dc 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/IJoseTools.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/IJoseTools.java @@ -8,26 +8,39 @@ import java.util.List;  import javax.annotation.Nonnull; +import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException; +  import org.jose4j.jwa.AlgorithmConstraints;  import org.jose4j.lang.JoseException;  import com.fasterxml.jackson.databind.JsonNode; -import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException; -  public interface IJoseTools {    /**     * Create a JWS signature.     * +   *<p>This method adds the certificate chain into JOSE header.</p> +   *     * @param payLoad Payload to sign     * @throws SlCommandoBuildException In case of a signature creation error     */    String createSignature(String payLoad) throws SlCommandoBuildException;    /** +   * Create a JWS signature. +   * +   * @param payLoad Payload to sign +   * @param addFullCertChain If <code>true</code> the full certificate chain will be added, +   *     otherwise only the X509CertSha256Fingerprint is added into JOSE header +   * @return Signed PayLoad in serialized form +   * @throws SlCommandoBuildException SlCommandoBuildException In case of a signature creation error +   */ +  String createSignature(String payLoad, boolean addFullCertChain) throws SlCommandoBuildException; + +  /**     * Validates a signed SL2.0 message.     *     * @param serializedContent Serialized JWS signature diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java index 1668752a..1b1f090f 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java @@ -30,6 +30,7 @@ import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException;  import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException;  import org.apache.commons.lang3.StringUtils; +import org.jose4j.jca.ProviderContext;  import org.jose4j.jwa.AlgorithmConstraints;  import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;  import org.jose4j.jwe.JsonWebEncryption; @@ -56,8 +57,10 @@ public class JsonSecurityUtils implements IJoseTools {    private static final String FRIENDLYNAME_KEYSTORE = "SL2.0 KeyStore";    private static final String FRIENDLYNAME_TRUSTSTORE = "SL2.0 TrustStore"; -  @Autowired(required = true) IConfiguration authConfig; -  @Autowired(required = true) EaafKeyStoreFactory keystoreFactory; +  @Autowired(required = true) +  IConfiguration authConfig; +  @Autowired(required = true) +  EaafKeyStoreFactory keystoreFactory;    private Pair<KeyStore, Provider> keyStore;    private Pair<KeyStore, Provider> trustStore; @@ -68,17 +71,17 @@ public class JsonSecurityUtils implements IJoseTools {    protected void initalize() throws SL20Exception {      log.info("Initialize SL2.0 authentication security constrains ... ");      try { -      //load KeyStore +      // load KeyStore        final KeyStoreConfiguration keyStoreConfig = buildKeyStoreConfiguration();        keyStore = keystoreFactory.buildNewKeyStore(keyStoreConfig); -      //load TrustStore +      // load TrustStore        final KeyStoreConfiguration trustStoreConfig = buildTrustStoreConfiguration();        trustStore = keystoreFactory.buildNewKeyStore(trustStoreConfig); -      //validate KeyStore entries +      // validate KeyStore entries        EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore.getFirst(), getSigningKeyAlias(), -              getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE); +          getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE);        final Pair<Key, X509Certificate[]> encCredentials =            EaafKeyStoreUtils.getPrivateKeyAndCertificates(keyStore.getFirst(), getEncryptionKeyAlias(),                getEncryptionKeyPassword(), false, FRIENDLYNAME_TRUSTSTORE); @@ -87,8 +90,9 @@ public class JsonSecurityUtils implements IJoseTools {        } -      //validate TrustStore -      final List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(trustStore.getFirst()); +      // validate TrustStore +      final List<X509Certificate> trustedCerts = EaafKeyStoreUtils.readCertsFromKeyStore(trustStore +          .getFirst());        if (trustedCerts.isEmpty()) {          log.info("No certificates in TrustStore: {}. Signature validation will FAIL!",              FRIENDLYNAME_TRUSTSTORE); @@ -106,7 +110,7 @@ public class JsonSecurityUtils implements IJoseTools {      } catch (final Exception e) {        log.error("SL2.0 security constrains initialization FAILED."); -      throw new SL20Exception("sl20.11", new Object[] {e.getMessage()}, e); +      throw new SL20Exception("sl20.11", new Object[] { e.getMessage() }, e);      } @@ -114,6 +118,12 @@ public class JsonSecurityUtils implements IJoseTools {    @Override    public String createSignature(final String payLoad) throws SlCommandoBuildException { +    return createSignature(payLoad, true); + +  } + +  @Override +  public String createSignature(final String payLoad, boolean addFullCertChain) throws SlCommandoBuildException {      try {        final JsonWebSignature jws = new JsonWebSignature(); @@ -127,11 +137,23 @@ public class JsonSecurityUtils implements IJoseTools {        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);        final Pair<Key, X509Certificate[]> signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(            keyStore.getFirst(), getSigningKeyAlias(), getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE); -        jws.setKey(signingCred.getFirst()); -      // TODO: -      jws.setCertificateChainHeaderValue(signingCred.getSecond()); +      // set special provider if required +      if (keyStore.getSecond() != null) { +        log.trace("Injecting special Java Security Provider: {}", keyStore.getSecond().getName()); +        final ProviderContext providerCtx = new ProviderContext(); +        providerCtx.getSuppliedKeyProviderContext().setSignatureProvider( +            keyStore.getSecond().getName()); +        jws.setProviderContext(providerCtx); + +      } + +      if (addFullCertChain) { +        jws.setCertificateChainHeaderValue(signingCred.getSecond()); + +      } +        jws.setX509CertSha256ThumbprintHeaderValue(signingCred.getSecond()[0]);        return jws.getCompactSerialization(); @@ -190,7 +212,8 @@ public class JsonSecurityUtils implements IJoseTools {      } else if (StringUtils.isNotEmpty(x5t256)) {        log.debug("Found x5t256 fingerprint in JOSE header .... "); -      final X509VerificationKeyResolver x509VerificationKeyResolver = new X509VerificationKeyResolver(trustedCerts); +      final X509VerificationKeyResolver x509VerificationKeyResolver = new X509VerificationKeyResolver( +          trustedCerts);        selectedKey = x509VerificationKeyResolver.resolveKey(jws, Collections.<JsonWebStructure>emptyList());      } else { @@ -220,7 +243,8 @@ public class JsonSecurityUtils implements IJoseTools {                .toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_SIGNING.size()]));        final VerificationResult result = -          validateSignature(serializedContent, EaafKeyStoreUtils.readCertsFromKeyStore(trustStore.getFirst()), algConstraints); +          validateSignature(serializedContent, EaafKeyStoreUtils.readCertsFromKeyStore(trustStore.getFirst()), +              algConstraints);        if (!result.isValidSigned()) {          log.info("JWS signature invalide. Stopping authentication process ..."); @@ -251,8 +275,9 @@ public class JsonSecurityUtils implements IJoseTools {        // set security constrains        receiverJwe.setAlgorithmConstraints( -          new AlgorithmConstraints(ConstraintType.WHITELIST, SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION -              .toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION.size()]))); +          new AlgorithmConstraints(ConstraintType.WHITELIST, +              SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION +                  .toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_KEYENCRYPTION.size()])));        receiverJwe.setContentEncryptionAlgorithmConstraints(            new AlgorithmConstraints(ConstraintType.WHITELIST, SL20Constants.SL20_ALGORITHM_WHITELIST_ENCRYPTION                .toArray(new String[SL20Constants.SL20_ALGORITHM_WHITELIST_ENCRYPTION.size()]))); @@ -261,7 +286,8 @@ public class JsonSecurityUtils implements IJoseTools {        receiverJwe.setCompactSerialization(compactSerialization);        final Pair<Key, X509Certificate[]> encryptionCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates( -          keyStore.getFirst(), getEncryptionKeyAlias(), getEncryptionKeyPassword(), true, FRIENDLYNAME_KEYSTORE); +          keyStore.getFirst(), getEncryptionKeyAlias(), getEncryptionKeyPassword(), true, +          FRIENDLYNAME_KEYSTORE);        // validate key from header against key from config        final List<X509Certificate> x5cCerts = receiverJwe.getCertificateChainHeaderValue(); @@ -357,7 +383,7 @@ public class JsonSecurityUtils implements IJoseTools {      config.setSoftKeyStorePassword(          authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_PASSWORD)); -    //validate configuration state +    // validate configuration state      config.validate();      return config; @@ -378,13 +404,12 @@ public class JsonSecurityUtils implements IJoseTools {      config.setSoftKeyStorePassword(          authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_PASSWORD)); -    //validate configuration state +    // validate configuration state      config.validate();      return config;    } -    private String getSigningKeyAlias() {      String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS);      if (value != null) { @@ -395,7 +420,8 @@ public class JsonSecurityUtils implements IJoseTools {    }    private char[] getSigningKeyPassword() { -    final String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_PASSWORD); +    final String value = authConfig.getBasicConfiguration( +        Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_PASSWORD);      if (value != null) {        return value.trim().toCharArray();      } @@ -404,7 +430,8 @@ public class JsonSecurityUtils implements IJoseTools {    }    private String getEncryptionKeyAlias() { -    String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_ALIAS); +    String value = authConfig.getBasicConfiguration( +        Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_ALIAS);      if (value != null) {        value = value.trim();      } @@ -413,7 +440,8 @@ public class JsonSecurityUtils implements IJoseTools {    }    private char[] getEncryptionKeyPassword() { -    final String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD); +    final String value = authConfig.getBasicConfiguration( +        Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_ENCRYPTION_PASSWORD);      if (value != null) {        return value.trim().toCharArray();      } | 
