| author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-06-19 15:53:01 +0200 | 
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2020-06-19 15:53:01 +0200 | 
| commit | d5df50291368c099c0c2c382dedc861b99a98462 (patch) | |
| tree | 98c65b62b122dc2a8ac70ca625a904bfb0996601 /eaaf_modules/eaaf_module_auth_sl20 | |
| parent | 83a10243f8cc5e39093f9764356350ae8c80e41c (diff) | |
fix bug in SL20 JOSE-Utils that prohibits HSM-Facade Usage and only allows RSA keys
Diffstat (limited to 'eaaf_modules/eaaf_module_auth_sl20')
| -rw-r--r-- | eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java | 40 | 
1 files changed, 34 insertions, 6 deletions
| diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
index 43c44647..1b824ad1 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java
@@ -7,6 +7,8 @@ import java.security.KeyStoreException;
 import java.security.Provider;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.RSAPrivateKey;
 import java.util.Collections;
 import java.util.List;
@@ -134,11 +136,12 @@ public class JsonSecurityUtils implements IJoseTools {
       jws.setContentTypeHeaderValue(SL20Constants.SL20_CONTENTTYPE_SIGNED_COMMAND);
       // set signing information
-      jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
       final Pair<Key, X509Certificate[]> signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates(
           keyStore.getFirst(), getSigningKeyAlias(), getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE);
       jws.setKey(signingCred.getFirst());
-
+      jws.setAlgorithmHeaderValue(getKeyOperationAlgorithmFromCredential(jws.getKey(), 
+          AlgorithmIdentifiers.RSA_USING_SHA256, AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256));
+      
       // set special provider if required
       if (keyStore.getSecond() != null) {
         log.trace("Injecting special Java Security Provider: {}", keyStore.getSecond().getName()); 
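Review bot: The EC case of the new `jws.setAlgorithmHeaderValue(...)` call always resolves to `AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256`, but nothing visible checks which curve the configured signing key actually uses. A P-384 or P-521 key from the keystore would be announced as ES256; whether the JOSE library rejects that at signing time or the failure only shows up at the verifier cannot be seen from this hunk. I would have the EC branch of the helper inspect `((ECPrivateKey) key).getParams().getCurve().getField().getFieldSize()` and throw `SlCommandoBuildException` for anything other than 256, or map other sizes to the matching identifiers. The enclosing method begins and ends outside this hunk.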
@@ -377,8 +380,7 @@ public class JsonSecurityUtils implements IJoseTools {
     config.setFriendlyName(FRIENDLYNAME_KEYSTORE);
     config.setKeyStoreType(authConfig.getBasicConfiguration(
-        authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE),
-        KeyStoreType.JKS.getKeyStoreType()));
+        Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE, KeyStoreType.JKS.getKeyStoreType()));
     config.setKeyStoreName(
         authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_NAME));
     config.setSoftKeyStoreFilePath(
@@ -398,8 +400,7 @@ public class JsonSecurityUtils implements IJoseTools {
     config.setFriendlyName(FRIENDLYNAME_TRUSTSTORE);
     config.setKeyStoreType(authConfig.getBasicConfiguration(
-        authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE),
-        KeyStoreType.JKS.getKeyStoreType()));
+        Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE, KeyStoreType.JKS.getKeyStoreType()));
     config.setKeyStoreName(
         authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_NAME));
     config.setSoftKeyStoreFilePath( 
@@ -413,6 +414,33 @@ public class JsonSecurityUtils implements IJoseTools {
     return config;
   }
+  /**
+   * Select signature algorithm for a given credential.
+   *
+   * @param key     {@link X509Credential} that will be used for key operations
+   * @param rsaSigAlgorithm RSA based algorithm that should be used in
+   *                        case of RSA credential
+   * @param ecSigAlgorithm  EC based algorithm that should be used in case
+   *                        of RSA credential
+   * @return either the RSA based algorithm or the EC based algorithm
+   * @throws SlCommandoBuildException In case of an unsupported credential
+   */
+  private static String getKeyOperationAlgorithmFromCredential(Key key,
+      String rsaSigAlgorithm, String ecSigAlgorithm) throws SlCommandoBuildException {
+    if (key instanceof RSAPrivateKey) {
+      return rsaSigAlgorithm;
+
+    } else if (key instanceof ECPrivateKey) {
+      return ecSigAlgorithm;
+
+    } else {
+      log.warn("Could NOT evaluate the Private-Key type from do select algorithm");
+      throw new SlCommandoBuildException("Could NOT evaluate the Private-Key type from do select algorithm");
+    
+    }
+
+  }
+  
   private String getSigningKeyAlias() {
     String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS);
     if (value != null) { |
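Review bot: The `instanceof RSAPrivateKey` / `instanceof ECPrivateKey` tests in `getKeyOperationAlgorithmFromCredential` only work if the provider's key class implements those JCA interfaces, which token- or HSM-backed keys do not always do; such a key would fall into the `else` branch and signing would fail. Since the commit is aimed at HSM-Facade use, a fallback on the algorithm name may be safer, e.g. `if ("RSA".equals(key.getAlgorithm())) return rsaSigAlgorithm;` and the same for `"EC"`. The Javadoc also needs correcting: `ecSigAlgorithm` is described as used "in case of RSA credential" where EC is meant, and `key` is documented as `{@link X509Credential}` although the parameter is a `Key`. The error text "from do select algorithm" is garbled and is both logged and thrown, so one clear message on the exception alone would be enough.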
