From 57e676ecd1a08d41a13344d3417819faded66c8a Mon Sep 17 00:00:00 2001
From: Andreas Fitzek <andreas.fitzek@iaik.tugraz.at>
Date: Fri, 22 Aug 2014 14:44:26 +0200
Subject: Keystore Entry opening hardened

---
 .../egiz/pdfas/sigs/pades/PAdESSignerKeystore.java | 48 +++++++++++++++++++++-
 1 file changed, 46 insertions(+), 2 deletions(-)

(limited to 'signature-standards/sigs-pades/src/main/java/at')

diff --git a/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESSignerKeystore.java b/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESSignerKeystore.java
index 7772fd3a..c4dda337 100644
--- a/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESSignerKeystore.java
+++ b/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESSignerKeystore.java
@@ -43,6 +43,9 @@ import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.KeyStore;
+import java.security.KeyStore.Entry;
+import java.security.KeyStore.PasswordProtection;
+import java.security.KeyStore.PrivateKeyEntry;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.cert.Certificate;
@@ -75,13 +78,54 @@ public class PAdESSignerKeystore implements IPlainSigner {
 			String keypassword, String type) throws PdfAsException {
 		try {
 			KeyStore ks = KeyStore.getInstance(type);
+			if(ks == null) {
+				throw new PdfAsException("error.pdf.sig.14");
+			}
+			if(kspassword == null) {
+				throw new PdfAsException("error.pdf.sig.15");
+			}
+			
+			logger.info("Opening Keystore: " + file);
+			
 			ks.load(new FileInputStream(file), kspassword.toCharArray());
-			privKey = (PrivateKey) ks.getKey(alias, keypassword.toCharArray());
+			if(keypassword == null) {
+				throw new PdfAsException("error.pdf.sig.16");
+			}
+			PasswordProtection pwdProt = new PasswordProtection(keypassword.toCharArray());
+			
+			logger.info("Opening Alias: [" + alias + "]");
+			
+			Entry entry = ks.getEntry(alias, pwdProt);
+			
+			if(!(entry instanceof PrivateKeyEntry)) {
+				throw new PdfAsException("error.pdf.sig.18");
+			}
+			
+			PrivateKeyEntry privateEntry = (PrivateKeyEntry)entry;
+			
+			privKey = privateEntry.getPrivateKey();
+			
 			if(privKey == null) {
 				throw new PdfAsException("error.pdf.sig.13");
 			}
-			cert = new X509Certificate(ks.getCertificate(alias).getEncoded());
+			
+			Certificate c = privateEntry.getCertificate();
+			
+			if(c == null) {
+				if(privateEntry.getCertificateChain() != null) {
+					if(privateEntry.getCertificateChain().length > 0) {
+						c = privateEntry.getCertificateChain()[0];
+					}
+				}
+			}
+			
+			if(c == null) {
+				throw new PdfAsException("error.pdf.sig.17");
+			}
+			
+			cert = new X509Certificate(c.getEncoded());
 		} catch (Throwable e) {
+			 logger.error("Keystore error: ", e);
 			throw new PdfAsException("error.pdf.sig.02", e);
 		}
 	}
-- 
cgit v1.2.3