aboutsummaryrefslogtreecommitdiff
path: root/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2017-07-25 12:07:59 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2017-07-25 12:07:59 +0200
commitc4fe089610dba3d6e8929f6e163538dfae0d18da (patch)
treec9d9b079aa47aa58b00804bbd080715ee7cb2e39 /id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation
parent782b159ec4050a459f8aadf85b68fb2b15fbf1b2 (diff)
downloadmoa-id-spss-c4fe089610dba3d6e8929f6e163538dfae0d18da.tar.gz
moa-id-spss-c4fe089610dba3d6e8929f6e163538dfae0d18da.tar.bz2
moa-id-spss-c4fe089610dba3d6e8929f6e163538dfae0d18da.zip
betaversion for a workaround to solve problem with Java8 >= 141 and SHA1 certificates in certificate chain
Diffstat (limited to 'id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation')
-rw-r--r--id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java226
1 files changed, 226 insertions, 0 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java
new file mode 100644
index 000000000..990b5d3b1
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java
@@ -0,0 +1,226 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.commons.validation;
+
+import java.math.BigInteger;
+import java.security.AlgorithmConstraints;
+import java.security.AlgorithmParameters;
+import java.security.CryptoPrimitive;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.PublicKey;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.PKIXCertPathChecker;
+import java.security.cert.PKIXReason;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.DSAParams;
+import java.security.interfaces.DSAPublicKey;
+import java.security.spec.DSAPublicKeySpec;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.Set;
+
+import sun.security.util.DisabledAlgorithmConstraints;
+import sun.security.x509.X509CertImpl;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOASSLAlgorithmChecker extends PKIXCertPathChecker {
+
+ private final AlgorithmConstraints constraints;
+ private final PublicKey trustedPubKey;
+ private PublicKey prevPubKey;
+ private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
+ private static final Set<CryptoPrimitive> KU_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE, CryptoPrimitive.KEY_ENCAPSULATION, CryptoPrimitive.PUBLIC_KEY_ENCRYPTION, CryptoPrimitive.KEY_AGREEMENT));
+
+ private static final DisabledAlgorithmConstraints certPathDefaultConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms");
+
+ /**
+ *
+ */
+ public MOASSLAlgorithmChecker() {
+ this.prevPubKey = null;
+ this.trustedPubKey = null;
+ this.constraints = certPathDefaultConstraints;
+
+ }
+
+ public MOASSLAlgorithmChecker(AlgorithmConstraints paramAlgorithmConstraints) {
+ this.prevPubKey = null;
+ this.trustedPubKey = null;
+ this.constraints = paramAlgorithmConstraints;
+ }
+
+
+ /* (non-Javadoc)
+ * @see java.security.cert.PKIXCertPathChecker#init(boolean)
+ */
+ @Override
+ public void init(boolean forward) throws CertPathValidatorException {
+ if (!(forward)) {
+ if (this.trustedPubKey != null)
+ this.prevPubKey = this.trustedPubKey;
+
+ else
+ this.prevPubKey = null;
+
+ } else
+ throw new CertPathValidatorException("forward checking not supported");
+
+ }
+
+ /* (non-Javadoc)
+ * @see java.security.cert.PKIXCertPathChecker#isForwardCheckingSupported()
+ */
+ @Override
+ public boolean isForwardCheckingSupported() {
+ return false;
+
+ }
+
+ /* (non-Javadoc)
+ * @see java.security.cert.PKIXCertPathChecker#getSupportedExtensions()
+ */
+ @Override
+ public Set<String> getSupportedExtensions() {
+ return null;
+
+ }
+
+ /* (non-Javadoc)
+ * @see java.security.cert.PKIXCertPathChecker#check(java.security.cert.Certificate, java.util.Collection)
+ */
+ @Override
+ public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
+ if ((!(cert instanceof X509Certificate)) || (this.constraints == null)) {
+ return;
+
+ }
+
+ X509CertImpl localX509CertImpl = null;
+ try {
+ localX509CertImpl = sun.security.x509.X509CertImpl.toImpl((X509Certificate)cert);
+
+ } catch (CertificateException localCertificateException1) {
+ throw new CertPathValidatorException(localCertificateException1);
+
+ }
+
+ PublicKey localPublicKey = localX509CertImpl.getPublicKey();
+ String str = localX509CertImpl.getSigAlgName();
+
+
+ //check algorithms
+ AlgorithmParameters localAlgorithmParameters = null;
+ try {
+ sun.security.x509.AlgorithmId localAlgorithmId = null;
+ localAlgorithmId = (sun.security.x509.AlgorithmId)localX509CertImpl.get("x509.algorithm");
+ localAlgorithmParameters = localAlgorithmId.getParameters();
+
+ if (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, localAlgorithmParameters))) {
+ throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
+
+ }
+
+ } catch (CertificateParsingException localCertificateException2) {
+ throw new CertPathValidatorException(localCertificateException2);
+
+ }
+
+
+ //check key usage
+ boolean[] arrayOfBoolean = localX509CertImpl.getKeyUsage();
+ if ((arrayOfBoolean != null) && (arrayOfBoolean.length < 9))
+ throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
+
+ if (arrayOfBoolean != null) {
+ Set<CryptoPrimitive> cryptoPrimitives = EnumSet.noneOf(CryptoPrimitive.class);
+ if ((arrayOfBoolean[0] == true) || (arrayOfBoolean[1] == true) || (arrayOfBoolean[5] == true) || (arrayOfBoolean[6] == true)) {
+ cryptoPrimitives.add(CryptoPrimitive.SIGNATURE);
+
+ }
+
+ if (arrayOfBoolean[2] == true) {
+ cryptoPrimitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
+
+ }
+
+ if (arrayOfBoolean[3] == true) {
+ cryptoPrimitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
+
+ }
+
+ if (arrayOfBoolean[4] == true) {
+ cryptoPrimitives.add(CryptoPrimitive.KEY_AGREEMENT);
+
+ }
+
+ if ((!(cryptoPrimitives.isEmpty())) && (!(this.constraints.permits(cryptoPrimitives, localPublicKey)))) {
+ throw new CertPathValidatorException("algorithm constraints check failed", null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
+
+ }
+ }
+
+ //check pubKeys
+ if (this.prevPubKey != null) {
+ if ((str != null) && (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, this.prevPubKey, localAlgorithmParameters)))) {
+ throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
+
+ }
+
+ if ((localPublicKey instanceof DSAPublicKey) && (((DSAPublicKey)localPublicKey).getParams() == null)) {
+ if (!(this.prevPubKey instanceof DSAPublicKey)) {
+ throw new CertPathValidatorException("Input key is not of a appropriate type for inheriting parameters");
+
+ }
+
+ DSAParams localObject = ((DSAPublicKey)this.prevPubKey).getParams();
+ if (localObject == null) {
+ throw new CertPathValidatorException("Key parameters missing");
+
+ }
+
+ try {
+ BigInteger localBigInteger = ((DSAPublicKey)localPublicKey).getY();
+ KeyFactory localKeyFactory = KeyFactory.getInstance("DSA");
+ DSAPublicKeySpec localDSAPublicKeySpec = new DSAPublicKeySpec(localBigInteger, ((DSAParams)localObject).getP(), ((DSAParams)localObject).getQ(), ((DSAParams)localObject).getG());
+ localPublicKey = localKeyFactory.generatePublic(localDSAPublicKeySpec);
+
+ } catch (GeneralSecurityException localGeneralSecurityException) {
+ throw new CertPathValidatorException("Unable to generate key with inherited parameters: " + localGeneralSecurityException.getMessage(), localGeneralSecurityException);
+
+ }
+ }
+ }
+
+ this.prevPubKey = localPublicKey;
+ }
+
+
+}