From d5df50291368c099c0c2c382dedc861b99a98462 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 19 Jun 2020 15:53:01 +0200 Subject: fix bug in SL20 JOSE-Utils that prohibits HSM-Facade Usage and only allows RSA keys --- .../modules/auth/sl20/utils/JsonSecurityUtils.java | 40 ++++++++++++++++++---- 1 file changed, 34 insertions(+), 6 deletions(-) diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java index 43c44647..1b824ad1 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java @@ -7,6 +7,8 @@ import java.security.KeyStoreException; import java.security.Provider; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; +import java.security.interfaces.ECPrivateKey; +import java.security.interfaces.RSAPrivateKey; import java.util.Collections; import java.util.List; @@ -134,11 +136,12 @@ public class JsonSecurityUtils implements IJoseTools { jws.setContentTypeHeaderValue(SL20Constants.SL20_CONTENTTYPE_SIGNED_COMMAND); // set signing information - jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256); final Pair signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates( keyStore.getFirst(), getSigningKeyAlias(), getSigningKeyPassword(), true, FRIENDLYNAME_KEYSTORE); jws.setKey(signingCred.getFirst()); - + jws.setAlgorithmHeaderValue(getKeyOperationAlgorithmFromCredential(jws.getKey(), + AlgorithmIdentifiers.RSA_USING_SHA256, AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256)); + // set special provider if required if (keyStore.getSecond() != null) { log.trace("Injecting special Java Security Provider: {}", keyStore.getSecond().getName()); @@ -377,8 +380,7 @@ public class JsonSecurityUtils implements IJoseTools { config.setFriendlyName(FRIENDLYNAME_KEYSTORE); config.setKeyStoreType(authConfig.getBasicConfiguration( - authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE), - KeyStoreType.JKS.getKeyStoreType())); + Constants.CONFIG_PROP_SECURITY_KEYSTORE_TYPE, KeyStoreType.JKS.getKeyStoreType())); config.setKeyStoreName( authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_NAME)); config.setSoftKeyStoreFilePath( @@ -398,8 +400,7 @@ public class JsonSecurityUtils implements IJoseTools { config.setFriendlyName(FRIENDLYNAME_TRUSTSTORE); config.setKeyStoreType(authConfig.getBasicConfiguration( - authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE), - KeyStoreType.JKS.getKeyStoreType())); + Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_TYPE, KeyStoreType.JKS.getKeyStoreType())); config.setKeyStoreName( authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_TRUSTSTORE_NAME)); config.setSoftKeyStoreFilePath( @@ -413,6 +414,33 @@ public class JsonSecurityUtils implements IJoseTools { return config; } + /** + * Select signature algorithm for a given credential. + * + * @param key {@link X509Credential} that will be used for key operations + * @param rsaSigAlgorithm RSA based algorithm that should be used in + * case of RSA credential + * @param ecSigAlgorithm EC based algorithm that should be used in case + * of RSA credential + * @return either the RSA based algorithm or the EC based algorithm + * @throws SlCommandoBuildException In case of an unsupported credential + */ + private static String getKeyOperationAlgorithmFromCredential(Key key, + String rsaSigAlgorithm, String ecSigAlgorithm) throws SlCommandoBuildException { + if (key instanceof RSAPrivateKey) { + return rsaSigAlgorithm; + + } else if (key instanceof ECPrivateKey) { + return ecSigAlgorithm; + + } else { + log.warn("Could NOT evaluate the Private-Key type from do select algorithm"); + throw new SlCommandoBuildException("Could NOT evaluate the Private-Key type from do select algorithm"); + + } + + } + private String getSigningKeyAlias() { String value = authConfig.getBasicConfiguration(Constants.CONFIG_PROP_SECURITY_KEYSTORE_KEY_SIGN_ALIAS); if (value != null) { -- cgit v1.2.3