aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib
diff options
context:
space:
mode:
Diffstat (limited to 'id/server/idserverlib')
-rw-r--r--id/server/idserverlib/pom.xml7
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java28
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java3
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java122
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java8
6 files changed, 87 insertions, 96 deletions
diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml
index fb6ba1bc6..a203fb7a5 100644
--- a/id/server/idserverlib/pom.xml
+++ b/id/server/idserverlib/pom.xml
@@ -315,6 +315,13 @@
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>iaik.prod</groupId>
+ <artifactId>iaik_ixsil</artifactId>
+ <version>1.2.2.5</version>
+ <scope>test</scope>
+ </dependency>
+
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
index d1cf3338a..90aa5d3ac 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java
@@ -40,14 +40,14 @@ import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.id.util.SSLUtils;
import at.gv.egovernment.moa.logging.Logger;
-import at.gv.egovernment.moa.logging.LoggingContext;
-import at.gv.egovernment.moa.logging.LoggingContextManager;
import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider;
import at.gv.egovernment.moa.spss.server.iaik.config.IaikConfigurator;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.MiscUtil;
+import at.gv.egovernment.moaspss.logging.LoggingContext;
+import at.gv.egovernment.moaspss.logging.LoggingContextManager;
import iaik.pki.PKIException;
-import iaik.security.ecc.provider.ECCProvider;
+import iaik.security.ec.provider.ECCelerate;
import iaik.security.provider.IAIK;
/**
@@ -104,7 +104,7 @@ public class MOAIDAuthInitializer {
Logger.info("Loading Java security providers.");
IAIK.addAsProvider();
- ECCProvider.addAsProvider();
+ ECCelerate.addAsProvider();
// Initializes SSLSocketFactory store
SSLUtils.initialize();
@@ -147,7 +147,12 @@ public class MOAIDAuthInitializer {
//ECCProvider.addAsProvider();
Security.insertProviderAt(IAIK.getInstance(), 0);
- Security.addProvider(new ECCProvider());
+
+ ECCelerate eccProvider = ECCelerate.getInstance();
+ if (Security.getProvider(eccProvider.getName()) != null)
+ Security.removeProvider(eccProvider.getName());
+
+ Security.addProvider(new ECCelerate());
if (Logger.isDebugEnabled()) {
Logger.debug("Loaded Security Provider:");
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java
index 855925272..e2f8664d8 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java
@@ -24,8 +24,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder;
import java.io.IOException;
import java.io.StringWriter;
-import java.security.PrivateKey;
-import java.security.interfaces.RSAPrivateKey;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
@@ -66,7 +64,6 @@ import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.keyinfo.KeyInfoGenerator;
import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory;
import org.opensaml.xml.signature.Signature;
-import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.springframework.stereotype.Service;
@@ -74,6 +71,7 @@ import org.w3c.dom.Document;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration;
+import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.logging.Logger;
@@ -153,7 +151,7 @@ public class PVPMetadataBuilder {
//set metadata signature parameters
Credential metadataSignCred = config.getMetadataSigningCredentials();
- Signature signature = getIDPSignature(metadataSignCred);
+ Signature signature = AbstractCredentialProvider.getIDPSignature(metadataSignCred);
SecurityHelper.prepareSignatureParams(signature, metadataSignCred, null, null);
@@ -437,27 +435,5 @@ public class PVPMetadataBuilder {
return idpSSODescriptor;
}
-
- private Signature getIDPSignature(Credential credentials) {
- PrivateKey privatekey = credentials.getPrivateKey();
- Signature signer = SAML2Utils.createSAMLObject(Signature.class);
- if (privatekey instanceof RSAPrivateKey) {
- signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
-
- } else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) {
- signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);
-
- } else {
- Logger.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId() + " credential.");
-
-
- }
-
- signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
- signer.setSigningCredential(credentials);
- return signer;
-
- }
-
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java
index bf4cfd480..77cc7228b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/signer/AbstractCredentialProvider.java
@@ -24,6 +24,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.signer;
import java.security.KeyStore;
import java.security.PrivateKey;
+import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import org.opensaml.xml.security.credential.Credential;
@@ -198,7 +199,7 @@ public abstract class AbstractCredentialProvider {
if (privatekey instanceof RSAPrivateKey) {
signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256);
- } else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) {
+ } else if (privatekey instanceof ECPrivateKey) {
signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1);
} else {
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
index 2c0a82708..f37ae0b0b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ECDSAKeyValueConverter.java
@@ -20,48 +20,15 @@
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
******************************************************************************/
-/*
- * Copyright 2003 Federal Chancellery Austria
- * MOA-ID has been developed in a cooperation between BRZ, the Federal
- * Chancellery Austria - ICT staff unit, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
- * the European Commission - subsequent versions of the EUPL (the "Licence");
- * You may not use this work except in compliance with the Licence.
- * You may obtain a copy of the Licence at:
- * http://www.osor.eu/eupl/
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the Licence is distributed on an "AS IS" basis,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the Licence for the specific language governing permissions and
- * limitations under the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text
- * file for details on the various modules and licenses.
- * The "NOTICE" text file is part of the distribution. Any derivative works
- * that you distribute must include a readable copy of the "NOTICE" text file.
- */
-
package at.gv.egovernment.moa.id.util;
-import iaik.security.ecc.ecdsa.ECDSAParameter;
-import iaik.security.ecc.ecdsa.ECPublicKey;
-import iaik.security.ecc.math.ecgroup.AffineCoordinate;
-import iaik.security.ecc.math.ecgroup.Coordinate;
-import iaik.security.ecc.math.ecgroup.CoordinateTypes;
-import iaik.security.ecc.math.ecgroup.ECGroupFactory;
-import iaik.security.ecc.math.ecgroup.ECPoint;
-import iaik.security.ecc.math.ecgroup.EllipticCurve;
-import iaik.security.ecc.math.field.Field;
-import iaik.security.ecc.math.field.FieldElement;
-import iaik.security.ecc.math.field.PrimeField;
-import iaik.security.ecc.parameter.ECCParameterFactory;
-import iaik.security.ecc.spec.ECCParameterSpec;
-
import java.math.BigInteger;
import java.security.PublicKey;
+import java.security.spec.ECField;
+import java.security.spec.ECFieldF2m;
+import java.security.spec.ECFieldFp;
+import java.security.spec.ECPoint;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Vector;
@@ -72,6 +39,15 @@ import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
+import at.gv.egovernment.moa.logging.Logger;
+import iaik.security.ec.common.ECParameterSpec;
+import iaik.security.ec.common.ECPublicKey;
+import iaik.security.ec.common.ECStandardizedParameterFactory;
+import iaik.security.ec.common.EllipticCurve;
+import iaik.security.ec.math.field.Field;
+import iaik.security.ec.math.field.FieldElement;
+import iaik.security.ec.math.field.PrimeField;
+
public class ECDSAKeyValueConverter
{
@@ -94,15 +70,13 @@ public class ECDSAKeyValueConverter
if (domainParams == null) throw new Exception("Domain parameters must not be implicit.");
Element namedCurve = getChildElement(domainParams, ecdsaNS, "NamedCurve", 1);
- ECCParameterSpec eccParameterSpec;
+ ECParameterSpec eccParameterSpec;
if (namedCurve != null)
{
// URL curveNameURN = new URL(namedCurve.getAttributeNS(null, "URN"));
String curveNameOID = namedCurve.getAttributeNS(null, "URN").substring(8);
- ECCParameterFactory eccParamFactory = ECCParameterFactory.getInstance();
- // eccParameterSpec = eccParamFactory.getParameterByOID(curveNameURN.getPath().substring(4));
- eccParameterSpec = eccParamFactory.getParameterByOID(curveNameOID);
+ eccParameterSpec = ECStandardizedParameterFactory.getParametersByOID(curveNameOID);
}
else
{
@@ -167,14 +141,21 @@ public class ECDSAKeyValueConverter
String cofactorStr = getChildElementText(basePointParams, ecdsaNS, "Cofactor", 1);
BigInteger cofactor = (cofactorStr != null) ? new BigInteger(cofactorStr, 10) : null;
+ BigInteger a = new BigInteger(aStr, 10);
+ BigInteger b = new BigInteger(bStr, 10);
+ BigInteger basePointX = new BigInteger(basePointXStr, 10);
+ BigInteger basePointY = new BigInteger(basePointYStr, 10);
+
if (fieldParamsType == FIELD_TYPE_PRIME)
- {
- BigInteger a = new BigInteger(aStr, 10);
- BigInteger b = new BigInteger(bStr, 10);
- BigInteger basePointX = new BigInteger(basePointXStr, 10);
- BigInteger basePointY = new BigInteger(basePointYStr, 10);
- eccParameterSpec = new ECCParameterSpec(p, cofactor, order, seed, null, a, b, basePointX,
- basePointY, null);
+ {
+ ECField javaECField = new ECFieldFp(p);
+ java.security.spec.EllipticCurve curve =
+ new java.security.spec.EllipticCurve(javaECField, a, b, seed.toByteArray());
+ java.security.spec.ECPoint javaECbasePoint =
+ new java.security.spec.ECPoint(basePointX, basePointY);
+ java.security.spec.ECParameterSpec javaECSpec =
+ new java.security.spec.ECParameterSpec(curve, javaECbasePoint, order, cofactor.intValue());
+ eccParameterSpec = ECParameterSpec.getParameterSpec(javaECSpec);
}
else
{
@@ -193,9 +174,19 @@ public class ECDSAKeyValueConverter
irreducible[k1/32] += 1 << k1 % 32;
irreducible[0] += 1;
}
- eccParameterSpec = new ECCParameterSpec(irreducible, cofactor, order, octetString2IntArray(aStr),
- octetString2IntArray(bStr), octetString2IntArray(basePointXStr),
- octetString2IntArray(basePointYStr), null);
+
+ ECField javaECField = new ECFieldF2m(m, irreducible);
+ java.security.spec.EllipticCurve curve =
+ new java.security.spec.EllipticCurve(javaECField, a, b, seed.toByteArray());
+ java.security.spec.ECPoint javaECbasePoint =
+ new java.security.spec.ECPoint(basePointX, basePointY);
+ java.security.spec.ECParameterSpec javaECSpec =
+ new java.security.spec.ECParameterSpec(curve, javaECbasePoint, order, cofactor.intValue());
+ eccParameterSpec = ECParameterSpec.getParameterSpec(javaECSpec);
+
+// eccParameterSpec = new ECCParameterSpec(irreducible, cofactor, order, octetString2IntArray(aStr),
+// octetString2IntArray(bStr), octetString2IntArray(basePointXStr),
+// octetString2IntArray(basePointYStr), null);
}
}
@@ -206,10 +197,14 @@ public class ECDSAKeyValueConverter
Element publicKeyYElem = getChildElement(publicKeyElem, ecdsaNS, "Y", 1);
String publicKeyYStr = publicKeyYElem.getAttributeNS(null, "Value");
- ECDSAParameter ecdsaParams = new ECDSAParameter(eccParameterSpec, CoordinateTypes.PROJECTIVE_COORDINATES);
- ECGroupFactory ecGroupFactory = ECGroupFactory.getInstance();
- EllipticCurve eCurve = ecGroupFactory.getCurve(eccParameterSpec.getA(),
- eccParameterSpec.getB(), eccParameterSpec.getR(), CoordinateTypes.PROJECTIVE_COORDINATES);
+ //ECParameterSpec ecdsaParams = new ECParameterSpec(eccParameterSpec, CoordinateTypes.PROJECTIVE_COORDINATES);
+ //ECGroupFactory ecGroupFactory = ECGroupFactory.getInstance();
+
+ EllipticCurve eCurve = eccParameterSpec.getCurve();
+
+// EllipticCurve eCurve = ecGroupFactory.getCurve(eccParameterSpec.getA(),
+// eccParameterSpec.getB(), eccParameterSpec.getR(), CoordinateTypes.PROJECTIVE_COORDINATES);
+
Field field = eCurve.getField();
// Detect type of public key field elements
@@ -239,10 +234,19 @@ public class ECDSAKeyValueConverter
}
// ProjectiveCoordinate publicKeyPointCoordinate = new ProjectiveCoordinate(publicKeyPointX,
// publicKeyPointY, field.getONEelement());
- Coordinate publicKeyPointCoordinate = new AffineCoordinate(publicKeyPointX,
- publicKeyPointY).toProjective();
- ECPoint publicKeyPoint = eCurve.newPoint(publicKeyPointCoordinate);
- ECPublicKey publicKey = new ECPublicKey(ecdsaParams, publicKeyPoint);
+// Coordinate publicKeyPointCoordinate = new AffineCoordinate(publicKeyPointX,
+// publicKeyPointY).toProjective();
+
+ ECPoint publicKeyPointECPoint = new ECPoint(publicKeyPointX.toBigInteger(),
+ publicKeyPointY.toBigInteger());
+
+ if (!eCurve.containsPoint(publicKeyPointECPoint)) {
+ Logger.error("IDL ECC parameter extraction FAILED! Public-Key ECPoint is not on the curve!");
+ throw new Exception("IDL ECC parameter extraction FAILED! Public-Key ECPoint is not on the curve!");
+
+ }
+
+ ECPublicKey publicKey = new ECPublicKey(eccParameterSpec, publicKeyPointECPoint);
return publicKey;
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
index f0cec1d61..891d01e09 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/SSLUtils.java
@@ -46,9 +46,6 @@
package at.gv.egovernment.moa.id.util;
-import iaik.pki.PKIException;
-import iaik.security.provider.IAIK;
-
import java.io.BufferedInputStream;
import java.io.BufferedReader;
import java.io.IOException;
@@ -71,6 +68,8 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.commons.utils.ssl.SSLConfigurationException;
import at.gv.egovernment.moa.id.config.ConnectionParameter;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import iaik.pki.PKIException;
+import iaik.security.provider.IAIK;
/**
@@ -126,8 +125,7 @@ public class SSLUtils {
//INFO: MOA-ID 2.x always use defaultChainingMode
try {
- SSLSocketFactory ssf =
- at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
+ SSLSocketFactory ssf = at.gv.egovernment.moa.id.commons.utils.ssl.SSLUtils.getSSLSocketFactory(
connParam.getUrl(),
conf.getCertstoreDirectory(),
trustStoreURL,