From c9cdc12f87ea6ee188de6862ce4935d9b8ef36ce Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 7 Oct 2020 20:32:11 +0200 Subject: implement work-around to fix possible incompatibility between IAIK JCE/Eccelerate and JWS lib in case of ECC keys --- .../eaaf/modules/auth/sl20/utils/JoseUtils.java | 78 +++++++++++++++++++--- .../modules/auth/sl20/utils/JsonSecurityUtils.java | 38 +++++------ 2 files changed, 86 insertions(+), 30 deletions(-) (limited to 'eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth') diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java index d8c39931..48b10580 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.java @@ -2,12 +2,19 @@ package at.gv.egiz.eaaf.modules.auth.sl20.utils; import java.io.IOException; import java.security.Key; +import java.security.KeyFactory; import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; import java.security.Provider; +import java.security.PublicKey; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; import java.security.interfaces.ECPrivateKey; +import java.security.interfaces.ECPublicKey; import java.security.interfaces.RSAPrivateKey; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; import java.util.Collections; import java.util.List; import java.util.Map; @@ -15,13 +22,8 @@ import java.util.Map.Entry; import javax.annotation.Nonnull; -import at.gv.egiz.eaaf.core.exception.EaafKeyUsageException; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.core.impl.utils.X509Utils; - import org.apache.commons.lang3.StringUtils; +import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.jose4j.jca.ProviderContext; import org.jose4j.jwa.AlgorithmConstraints; import org.jose4j.jws.AlgorithmIdentifiers; @@ -32,6 +34,11 @@ import org.jose4j.keys.resolvers.X509VerificationKeyResolver; import org.jose4j.lang.JoseException; import org.springframework.util.Base64Utils; +import at.gv.egiz.eaaf.core.exception.EaafKeyUsageException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.utils.X509Utils; import lombok.AllArgsConstructor; import lombok.Getter; import lombok.extern.slf4j.Slf4j; @@ -45,6 +52,8 @@ import lombok.extern.slf4j.Slf4j; @Slf4j public class JoseUtils { + private static final Provider provider = new BouncyCastleProvider(); + /** * Create a JWS signature. * @@ -161,7 +170,10 @@ public class JoseUtils { // set signing information final Pair signingCred = EaafKeyStoreUtils.getPrivateKeyAndCertificates( keyStore.getFirst(), keyAlias, keyPassword, true, friendlyNameForLogging); - jws.setKey(signingCred.getFirst()); + + // set verification key + jws.setKey(convertToBcKeyIfRequired(signingCred.getFirst())); + jws.setAlgorithmHeaderValue(getKeyOperationAlgorithmFromCredential( jws.getKey(), rsaAlgToUse, eccAlgToUse, friendlyNameForLogging)); @@ -173,7 +185,7 @@ public class JoseUtils { keyStore.getSecond().getName()); jws.setProviderContext(providerCtx); - } + } if (addFullCertChain) { jws.setCertificateChainHeaderValue(signingCred.getSecond()); @@ -216,6 +228,8 @@ public class JoseUtils { log.trace("Sorting received X509 certificates ... "); final List sortedX5cCerts = X509Utils.sortCertificates(x5cCerts); + + if (trustedCerts.contains(sortedX5cCerts.get(0))) { selectedKey = sortedX5cCerts.get(0).getPublicKey(); @@ -247,10 +261,10 @@ public class JoseUtils { throw new JoseException("Can NOT select verification key for JWS. Signature verification FAILED"); } - + // set verification key - jws.setKey(selectedKey); - + jws.setKey(convertToBcKeyIfRequired(selectedKey)); + // load payLoad return new JwsResult( jws.verifySignature(), @@ -260,6 +274,48 @@ public class JoseUtils { } + + /** + * Convert an ECC public-key into BouncyCastle implementation. + * + *

IAIK JCE / Eccelerate ECC Keys are not compatible to JWS impl.

+ * @param input Key + * @return input Key, or BC ECC-Key in case of a ECC Key + */ + public static Key convertToBcKeyIfRequired(Key input) { + try { + if (input instanceof ECPublicKey + && "iaik.security.ec.common.ECPublicKey".equals(input.getClass().getName())) { + + //convert Key to BouncyCastle KeyImplemenation because there is an + //incompatibility with IAIK EC Keys and JWS signature-verfification implementation + PublicKey publicKey = KeyFactory.getInstance( + input.getAlgorithm(), provider).generatePublic( + new X509EncodedKeySpec(input.getEncoded())); + return publicKey; + + } else if (input instanceof ECPrivateKey + && "iaik.security.ec.common.ECPrivateKey".equals(input.getClass().getName())) { + //convert Key to BouncyCastle KeyImplemenation because there is an + //incompatibility with IAIK EC Keys and JWS signature-creation implementation + Key privateKey = KeyFactory.getInstance( + input.getAlgorithm(), provider).generatePrivate( + new PKCS8EncodedKeySpec(input.getEncoded())); + + return privateKey; + + } + + } catch (InvalidKeySpecException | NoSuchAlgorithmException e) { + log.warn("Can NOT convert {} to {}. The verification may FAIL.", + input.getClass().getName(), PublicKey.class.getName(), e); + + } + + return input; + + } + /** * Select signature algorithm for a given credential. * diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java index 10cfeafa..27f06276 100644 --- a/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java +++ b/eaaf_modules/eaaf_module_auth_sl20/src/main/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtils.java @@ -13,24 +13,6 @@ import java.util.List; import javax.annotation.Nonnull; import javax.annotation.PostConstruct; -import at.gv.egiz.eaaf.core.api.idp.IConfiguration; -import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException; -import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; -import at.gv.egiz.eaaf.core.exceptions.EaafException; -import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; -import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; -import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; -import at.gv.egiz.eaaf.core.impl.data.Pair; -import at.gv.egiz.eaaf.core.impl.utils.X509Utils; -import at.gv.egiz.eaaf.modules.auth.sl20.Constants; -import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException; -import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException; -import at.gv.egiz.eaaf.modules.auth.sl20.utils.JoseUtils.JwsResult; - import org.apache.commons.lang3.StringUtils; import org.jose4j.jca.ProviderContext; import org.jose4j.jwa.AlgorithmConstraints; @@ -50,6 +32,24 @@ import org.springframework.util.Base64Utils; import com.fasterxml.jackson.core.JsonParseException; import com.fasterxml.jackson.databind.JsonNode; +import at.gv.egiz.eaaf.core.api.idp.IConfiguration; +import at.gv.egiz.eaaf.core.exception.EaafKeyAccessException; +import at.gv.egiz.eaaf.core.exceptions.EaafConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreFactory; +import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration; +import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType; +import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.utils.X509Utils; +import at.gv.egiz.eaaf.modules.auth.sl20.Constants; +import at.gv.egiz.eaaf.modules.auth.sl20.data.VerificationResult; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20Exception; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SL20SecurityException; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoBuildException; +import at.gv.egiz.eaaf.modules.auth.sl20.exceptions.SlCommandoParserException; +import at.gv.egiz.eaaf.modules.auth.sl20.utils.JoseUtils.JwsResult; + @Service public class JsonSecurityUtils implements IJoseTools { private static final Logger log = LoggerFactory.getLogger(JsonSecurityUtils.class); @@ -269,7 +269,7 @@ public class JsonSecurityUtils implements IJoseTools { } // set key - receiverJwe.setKey(encryptionCred.getFirst()); + receiverJwe.setKey(JoseUtils.convertToBcKeyIfRequired(encryptionCred.getFirst())); // decrypt payload return mapper.getMapper().readTree(receiverJwe.getPlaintextString()); -- cgit v1.2.3