package at.gv.egiz.eaaf.modules.auth.sl20.utils; import java.io.IOException; import java.security.Key; import java.security.KeyFactory; import java.security.KeyStore; import java.security.NoSuchAlgorithmException; import java.security.Provider; import java.security.PublicKey; import java.security.cert.CertificateEncodingException; import java.security.cert.X509Certificate; import java.security.interfaces.ECPrivateKey; import java.security.interfaces.ECPublicKey; import java.security.interfaces.RSAPrivateKey; import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; import java.util.Collections; import java.util.List; import java.util.Map; import java.util.Map.Entry; import javax.annotation.Nonnull; import org.apache.commons.lang3.StringUtils; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.jose4j.jca.ProviderContext; import org.jose4j.jwa.AlgorithmConstraints; import org.jose4j.jws.AlgorithmIdentifiers; import org.jose4j.jws.JsonWebSignature; import org.jose4j.jwx.Headers; import org.jose4j.jwx.JsonWebStructure; import org.jose4j.keys.resolvers.X509VerificationKeyResolver; import org.jose4j.lang.JoseException; import org.springframework.util.Base64Utils; import at.gv.egiz.eaaf.core.exception.EaafKeyUsageException; import at.gv.egiz.eaaf.core.exceptions.EaafException; import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils; import at.gv.egiz.eaaf.core.impl.data.Pair; import at.gv.egiz.eaaf.core.impl.utils.X509Utils; import lombok.AllArgsConstructor; import lombok.Getter; import lombok.extern.slf4j.Slf4j; /** * {@link JoseUtils} provides static methods JWS and JWE processing. * * @author tlenz * */ @Slf4j public class JoseUtils { private static final Provider provider = new BouncyCastleProvider(); /** * Create a JWS signature. * *
* Use {@link org.jose4j.jws.AlgorithmIdentifiers.RSA_PSS_USING_SHA256} in case * of a RSA based key and * {@link org.jose4j.jws.AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256} * in case of an ECC based key. *
* * @param keyStore KeyStore that should be used * @param keyAlias Alias of the private key * @param keyPassword Password to access the key * @param payLoad PayLoad to sign * @param addFullCertChain If true the full certificate chain will be * added, otherwise only the * X509CertSha256Fingerprint is added into JOSE * header * @param friendlyNameForLogging FriendlyName for the used KeyStore for logging * purposes only * @return Signed PayLoad in serialized form * @throws EaafException In case of a key-access or key-usage error * @throws JoseException In case of a JOSE error */ public static String createSignature(@Nonnull Pair* Use {@link org.jose4j.jws.AlgorithmIdentifiers.RSA_PSS_USING_SHA256} in case * of a RSA based key and * {@link org.jose4j.jws.AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256} * in case of an ECC based key. *
* * @param keyStore KeyStore that should be used * @param keyAlias Alias of the private key * @param keyPassword Password to access the key * @param payLoad PayLoad to sign * @param addFullCertChain If true the full certificate chain will be * added, otherwise only the * X509CertSha256Fingerprint is added into JOSE * header * @param joseHeaders HeaderName and HeaderValue that should be set * into JOSE header * @param friendlyNameForLogging FriendlyName for the used KeyStore for logging * purposes only * @return Signed PayLoad in serialized form * @throws EaafException In case of a key-access or key-usage error * @throws JoseException In case of a JOSE error */ public static String createSignature(@Nonnull PairIAIK JCE / Eccelerate ECC Keys are not compatible to JWS impl.
* @param input Key * @return input Key, or BC ECC-Key in case of a ECC Key */ public static Key convertToBcKeyIfRequired(Key input) { try { if (input instanceof ECPublicKey && "iaik.security.ec.common.ECPublicKey".equals(input.getClass().getName())) { //convert Key to BouncyCastle KeyImplemenation because there is an //incompatibility with IAIK EC Keys and JWS signature-verfification implementation PublicKey publicKey = KeyFactory.getInstance( input.getAlgorithm(), provider).generatePublic( new X509EncodedKeySpec(input.getEncoded())); return publicKey; } else if (input instanceof ECPrivateKey && "iaik.security.ec.common.ECPrivateKey".equals(input.getClass().getName())) { //convert Key to BouncyCastle KeyImplemenation because there is an //incompatibility with IAIK EC Keys and JWS signature-creation implementation Key privateKey = KeyFactory.getInstance( input.getAlgorithm(), provider).generatePrivate( new PKCS8EncodedKeySpec(input.getEncoded())); return privateKey; } } catch (InvalidKeySpecException | NoSuchAlgorithmException e) { log.warn("Can NOT convert {} to {}. The verification may FAIL.", input.getClass().getName(), PublicKey.class.getName(), e); } return input; } /** * Select signature algorithm for a given credential. * * @param key {@link X509Credential} that will be used for * key operations * @param rsaSigAlgorithm RSA based algorithm that should be used in case * of RSA credential * @param ecSigAlgorithm EC based algorithm that should be used in case * of RSA credential * @param friendlyNameForLogging KeyStore friendlyName for logging purposes * @return either the RSA based algorithm or the EC based algorithm * @throws EaafKeyUsageException In case of an unsupported private-key type */ private static String getKeyOperationAlgorithmFromCredential(Key key, String rsaSigAlgorithm, String ecSigAlgorithm, String friendlyNameForLogging) throws EaafKeyUsageException { if (key instanceof RSAPrivateKey) { return rsaSigAlgorithm; } else if (key instanceof ECPrivateKey) { return ecSigAlgorithm; } else { log.warn("Could NOT select the cryptographic algorithm from Private-Key type"); throw new EaafKeyUsageException(EaafKeyUsageException.ERROR_CODE_01, friendlyNameForLogging, "Can not select cryptographic algorithm"); } } private JoseUtils() { } @Getter @AllArgsConstructor public static class JwsResult { final boolean valid; final String payLoad; final Headers fullJoseHeader; final List