diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-07-25 12:07:59 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-07-25 12:07:59 +0200 |
commit | c4fe089610dba3d6e8929f6e163538dfae0d18da (patch) | |
tree | c9d9b079aa47aa58b00804bbd080715ee7cb2e39 /id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation | |
parent | 782b159ec4050a459f8aadf85b68fb2b15fbf1b2 (diff) | |
download | moa-id-spss-c4fe089610dba3d6e8929f6e163538dfae0d18da.tar.gz moa-id-spss-c4fe089610dba3d6e8929f6e163538dfae0d18da.tar.bz2 moa-id-spss-c4fe089610dba3d6e8929f6e163538dfae0d18da.zip |
betaversion for a workaround to solve problem with Java8 >= 141 and SHA1 certificates in certificate chain
Diffstat (limited to 'id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation')
-rw-r--r-- | id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java | 226 |
1 files changed, 226 insertions, 0 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java new file mode 100644 index 000000000..990b5d3b1 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java @@ -0,0 +1,226 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.validation; + +import java.math.BigInteger; +import java.security.AlgorithmConstraints; +import java.security.AlgorithmParameters; +import java.security.CryptoPrimitive; +import java.security.GeneralSecurityException; +import java.security.KeyFactory; +import java.security.PublicKey; +import java.security.cert.CertPathValidatorException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateParsingException; +import java.security.cert.PKIXCertPathChecker; +import java.security.cert.PKIXReason; +import java.security.cert.X509Certificate; +import java.security.interfaces.DSAParams; +import java.security.interfaces.DSAPublicKey; +import java.security.spec.DSAPublicKeySpec; +import java.util.Collection; +import java.util.Collections; +import java.util.EnumSet; +import java.util.Set; + +import sun.security.util.DisabledAlgorithmConstraints; +import sun.security.x509.X509CertImpl; + +/** + * @author tlenz + * + */ +public class MOASSLAlgorithmChecker extends PKIXCertPathChecker { + + private final AlgorithmConstraints constraints; + private final PublicKey trustedPubKey; + private PublicKey prevPubKey; + private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); + private static final Set<CryptoPrimitive> KU_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE, CryptoPrimitive.KEY_ENCAPSULATION, CryptoPrimitive.PUBLIC_KEY_ENCRYPTION, CryptoPrimitive.KEY_AGREEMENT)); + + private static final DisabledAlgorithmConstraints certPathDefaultConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms"); + + /** + * + */ + public MOASSLAlgorithmChecker() { + this.prevPubKey = null; + this.trustedPubKey = null; + this.constraints = certPathDefaultConstraints; + + } + + public MOASSLAlgorithmChecker(AlgorithmConstraints paramAlgorithmConstraints) { + this.prevPubKey = null; + this.trustedPubKey = null; + this.constraints = paramAlgorithmConstraints; + } + + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#init(boolean) + */ + @Override + public void init(boolean forward) throws CertPathValidatorException { + if (!(forward)) { + if (this.trustedPubKey != null) + this.prevPubKey = this.trustedPubKey; + + else + this.prevPubKey = null; + + } else + throw new CertPathValidatorException("forward checking not supported"); + + } + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#isForwardCheckingSupported() + */ + @Override + public boolean isForwardCheckingSupported() { + return false; + + } + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#getSupportedExtensions() + */ + @Override + public Set<String> getSupportedExtensions() { + return null; + + } + + /* (non-Javadoc) + * @see java.security.cert.PKIXCertPathChecker#check(java.security.cert.Certificate, java.util.Collection) + */ + @Override + public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException { + if ((!(cert instanceof X509Certificate)) || (this.constraints == null)) { + return; + + } + + X509CertImpl localX509CertImpl = null; + try { + localX509CertImpl = sun.security.x509.X509CertImpl.toImpl((X509Certificate)cert); + + } catch (CertificateException localCertificateException1) { + throw new CertPathValidatorException(localCertificateException1); + + } + + PublicKey localPublicKey = localX509CertImpl.getPublicKey(); + String str = localX509CertImpl.getSigAlgName(); + + + //check algorithms + AlgorithmParameters localAlgorithmParameters = null; + try { + sun.security.x509.AlgorithmId localAlgorithmId = null; + localAlgorithmId = (sun.security.x509.AlgorithmId)localX509CertImpl.get("x509.algorithm"); + localAlgorithmParameters = localAlgorithmId.getParameters(); + + if (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, localAlgorithmParameters))) { + throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); + + } + + } catch (CertificateParsingException localCertificateException2) { + throw new CertPathValidatorException(localCertificateException2); + + } + + + //check key usage + boolean[] arrayOfBoolean = localX509CertImpl.getKeyUsage(); + if ((arrayOfBoolean != null) && (arrayOfBoolean.length < 9)) + throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE); + + if (arrayOfBoolean != null) { + Set<CryptoPrimitive> cryptoPrimitives = EnumSet.noneOf(CryptoPrimitive.class); + if ((arrayOfBoolean[0] == true) || (arrayOfBoolean[1] == true) || (arrayOfBoolean[5] == true) || (arrayOfBoolean[6] == true)) { + cryptoPrimitives.add(CryptoPrimitive.SIGNATURE); + + } + + if (arrayOfBoolean[2] == true) { + cryptoPrimitives.add(CryptoPrimitive.KEY_ENCAPSULATION); + + } + + if (arrayOfBoolean[3] == true) { + cryptoPrimitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION); + + } + + if (arrayOfBoolean[4] == true) { + cryptoPrimitives.add(CryptoPrimitive.KEY_AGREEMENT); + + } + + if ((!(cryptoPrimitives.isEmpty())) && (!(this.constraints.permits(cryptoPrimitives, localPublicKey)))) { + throw new CertPathValidatorException("algorithm constraints check failed", null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); + + } + } + + //check pubKeys + if (this.prevPubKey != null) { + if ((str != null) && (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, this.prevPubKey, localAlgorithmParameters)))) { + throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED); + + } + + if ((localPublicKey instanceof DSAPublicKey) && (((DSAPublicKey)localPublicKey).getParams() == null)) { + if (!(this.prevPubKey instanceof DSAPublicKey)) { + throw new CertPathValidatorException("Input key is not of a appropriate type for inheriting parameters"); + + } + + DSAParams localObject = ((DSAPublicKey)this.prevPubKey).getParams(); + if (localObject == null) { + throw new CertPathValidatorException("Key parameters missing"); + + } + + try { + BigInteger localBigInteger = ((DSAPublicKey)localPublicKey).getY(); + KeyFactory localKeyFactory = KeyFactory.getInstance("DSA"); + DSAPublicKeySpec localDSAPublicKeySpec = new DSAPublicKeySpec(localBigInteger, ((DSAParams)localObject).getP(), ((DSAParams)localObject).getQ(), ((DSAParams)localObject).getG()); + localPublicKey = localKeyFactory.generatePublic(localDSAPublicKeySpec); + + } catch (GeneralSecurityException localGeneralSecurityException) { + throw new CertPathValidatorException("Unable to generate key with inherited parameters: " + localGeneralSecurityException.getMessage(), localGeneralSecurityException); + + } + } + } + + this.prevPubKey = localPublicKey; + } + + +} |