From 86241863a1aebdc16e3bc273b63e5ce00fb86645 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 2 Nov 2020 12:23:29 +0100 Subject: change order of IAIK CryptoProvider registration Update JWS and JWE impl. to mitigate problems if IAIK and BC provider are loaded --- .../eaaf/modules/auth/sl20/utils/JoseUtils.java | 14 ++++++++-- .../modules/auth/sl20/utils/JsonSecurityUtils.java | 10 +++++-- .../sl20/utils/AbstractJsonSecurityUtilsTest.java | 32 +++++++++++++++++++++- .../modules/auth/sl20/utils/JoseUtilsTest.java | 25 +++++++++++++++++ .../sigverify/moasig/impl/MoaSigInitializer.java | 15 ++++------ 5 files changed, 82 insertions(+), 14 deletions(-) diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java index 48b10580..5b221bbe 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java @@ -181,10 +181,15 @@ public class JoseUtils { if (keyStore.getSecond() != null) { log.trace("Injecting special Java Security Provider: {}", keyStore.getSecond().getName()); final ProviderContext providerCtx = new ProviderContext(); - providerCtx.getSuppliedKeyProviderContext().setSignatureProvider( - keyStore.getSecond().getName()); + providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(keyStore.getSecond().getName()); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); jws.setProviderContext(providerCtx); + } else { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); + jws.setProviderContext(providerCtx); + } if (addFullCertChain) { @@ -262,6 +267,11 @@ public class JoseUtils { } + //set BouncyCastleProvider as default provider + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); + jws.setProviderContext(providerCtx); + // set verification key jws.setKey(convertToBcKeyIfRequired(selectedKey)); diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java index 27f06276..58e3e41c 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java @@ -14,6 +14,7 @@ import javax.annotation.Nonnull; import javax.annotation.PostConstruct; import org.apache.commons.lang3.StringUtils; +import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.jose4j.jca.ProviderContext; import org.jose4j.jwa.AlgorithmConstraints; import org.jose4j.jwa.AlgorithmConstraints.ConstraintType; @@ -223,10 +224,15 @@ public class JsonSecurityUtils implements IJoseTools { if (keyStore.getSecond() != null) { log.trace("Injecting special Java Security Provider: {}", keyStore.getSecond().getName()); final ProviderContext providerCtx = new ProviderContext(); - providerCtx.getSuppliedKeyProviderContext().setGeneralProvider( - keyStore.getSecond().getName()); + providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(keyStore.getSecond().getName()); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); receiverJwe.setProviderContext(providerCtx); + } else { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); + receiverJwe.setProviderContext(providerCtx); + } // validate key from header against key from config diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java index 8516a0ed..6550b026 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java @@ -19,6 +19,7 @@ import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers; import org.jose4j.jwe.JsonWebEncryption; import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers; import org.jose4j.lang.JoseException; +import org.junit.AfterClass; import org.junit.Assert; import org.junit.BeforeClass; import org.junit.Test; @@ -37,6 +38,8 @@ import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap; import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; +import iaik.security.ec.provider.ECCelerate; +import iaik.security.provider.IAIK; @RunWith(SpringJUnit4ClassRunner.class) @ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml") @@ -46,12 +49,27 @@ public abstract class AbstractJsonSecurityUtilsTest { @Autowired protected IJoseTools joseTools; @Autowired protected EaafKeyStoreFactory keyStoreFactory; + /** + *jUnit test class initializer. + */ @BeforeClass public static void classInitializer() { - Security.addProvider(new BouncyCastleProvider()); + IAIK.addAsProvider(); + ECCelerate.addAsProvider(); + Security.addProvider(new BouncyCastleProvider()); } + /** + * jUnit test class cleaner. + */ + @AfterClass + public static final void classFinisher() { + Security.removeProvider(IAIK.getInstance().getName()); + Security.removeProvider(ECCelerate.getInstance().getName()); + + } + protected abstract void setRsaSigningKey(); protected abstract void setEcSigningKey(); @@ -88,8 +106,14 @@ public abstract class AbstractJsonSecurityUtilsTest { final ProviderContext providerCtx = new ProviderContext(); providerCtx.getSuppliedKeyProviderContext().setSignatureProvider( rsaEncKeyStore.getSecond().getName()); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); jwe.setProviderContext(providerCtx); + } else { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); + jwe.setProviderContext(providerCtx); + } final String encData = jwe.getCompactSerialization(); @@ -149,8 +173,14 @@ public abstract class AbstractJsonSecurityUtilsTest { final ProviderContext providerCtx = new ProviderContext(); providerCtx.getSuppliedKeyProviderContext().setSignatureProvider( rsaEncKeyStore.getSecond().getName()); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); jwe.setProviderContext(providerCtx); + } else { + final ProviderContext providerCtx = new ProviderContext(); + providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME); + jwe.setProviderContext(providerCtx); + } final String encData = jwe.getCompactSerialization(); diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java index 7771ce60..b5a7639e 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtilsTest.java @@ -2,6 +2,7 @@ package at.gv.egiz.eaaf.modules.auth.sl20.utils; import java.io.IOException; import java.security.NoSuchProviderException; +import java.security.Security; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Arrays; @@ -13,12 +14,16 @@ import org.jose4j.jwa.AlgorithmConstraints; import org.jose4j.jwa.AlgorithmConstraints.ConstraintType; import org.jose4j.jws.AlgorithmIdentifiers; import org.jose4j.lang.JoseException; +import org.junit.AfterClass; import org.junit.Assert; +import org.junit.BeforeClass; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.BlockJUnit4ClassRunner; import at.gv.egiz.eaaf.modules.auth.sl20.utils.JoseUtils.JwsResult; +import iaik.security.ec.provider.ECCelerate; +import iaik.security.provider.IAIK; @RunWith(BlockJUnit4ClassRunner.class) public class JoseUtilsTest { @@ -30,6 +35,26 @@ public class JoseUtilsTest { AlgorithmIdentifiers.RSA_PSS_USING_SHA256, AlgorithmIdentifiers.RSA_PSS_USING_SHA512)); + /** + *jUnit test class initializer. + */ + @BeforeClass + public static final void classInitializer() { + IAIK.addAsProvider(); + ECCelerate.addAsProvider(); + + } + + /** + * jUnit test class cleaner. + */ + @AfterClass + public static final void classFinisher() { + Security.removeProvider(IAIK.getInstance().getName()); + Security.removeProvider(ECCelerate.getInstance().getName()); + + } + @Test public void testBindingAuthBlock() throws JoseException, IOException, CertificateException, NoSuchProviderException { diff --git a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java index 3f2d4593..ce98c92b 100644 --- a/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java +++ b/eaaf_modules/eaaf_module_moa-sig/src/main/java/at/gv/egiz/eaaf/modules/sigverify/moasig/impl/MoaSigInitializer.java @@ -9,6 +9,10 @@ import java.util.Map.Entry; import javax.annotation.PostConstruct; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; + import at.gv.egiz.eaaf.modules.sigverify.moasig.api.data.ISchemaRessourceProvider; import at.gv.egiz.eaaf.modules.sigverify.moasig.exceptions.MoaSigServiceConfigurationException; import at.gv.egovernment.moa.spss.MOAException; @@ -17,11 +21,6 @@ import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; import at.gv.egovernment.moaspss.logging.LoggingContext; import at.gv.egovernment.moaspss.logging.LoggingContextManager; import at.gv.egovernment.moaspss.util.DOMUtils; - -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; - import iaik.asn1.structures.AlgorithmID; import iaik.security.ec.provider.ECCelerate; import iaik.security.provider.IAIK; @@ -48,10 +47,8 @@ public class MoaSigInitializer { log.info("Initializing MOA-Sig signature-verification service ... "); log.info("Loading Java security providers."); - //IAIK.addAsProvider(); - //ECCelerate.addAsProvider(); - Security.addProvider(new IAIK()); - Security.addProvider(new ECCelerate()); + IAIK.addAsProvider(); + ECCelerate.addAsProvider(); try { LoggingContextManager.getInstance().setLoggingContext(new LoggingContext("startup")); -- cgit v1.2.3