Example #1
0
 private AlgorithmIdentifier getSignatureAlgoId(final String signerConf) throws SignerException {
   CmpUtf8Pairs keyValues = new CmpUtf8Pairs(signerConf);
   String algoS = keyValues.getValue("algo");
   if (algoS == null) {
     throw new SignerException("algo is not specified");
   }
   try {
     return AlgorithmUtil.getSignatureAlgoId(algoS);
   } catch (NoSuchAlgorithmException e) {
     throw new SignerException(e.getMessage(), e);
   }
 }
Example #2
0
  public static String getPkcs11SignerConfWithoutAlgo(
      final String pkcs11ModuleName,
      final P11SlotIdentifier slotId,
      final P11KeyIdentifier keyId,
      final int parallelism) {
    ParamChecker.assertNotNull("keyId", keyId);

    CmpUtf8Pairs conf = new CmpUtf8Pairs();
    conf.putUtf8Pair("parallelism", Integer.toString(parallelism));

    if (pkcs11ModuleName != null && pkcs11ModuleName.length() > 0) {
      conf.putUtf8Pair("module", pkcs11ModuleName);
    }

    if (slotId.getSlotId() != null) {
      conf.putUtf8Pair("slot-id", slotId.getSlotId().toString());
    } else {
      conf.putUtf8Pair("slot", slotId.getSlotIndex().toString());
    }

    if (keyId.getKeyId() != null) {
      conf.putUtf8Pair("key-id", Hex.toHexString(keyId.getKeyId()));
    }

    if (keyId.getKeyLabel() != null) {
      conf.putUtf8Pair("key-label", keyId.getKeyLabel());
    }

    return conf.getEncoded();
  }
Example #3
0
  public static String getKeystoreSignerConfWithoutAlgo(
      final String keystoreFile,
      final String password,
      final int parallelism,
      final String keyLabel) {
    ParamChecker.assertNotBlank("keystoreFile", keystoreFile);
    ParamChecker.assertNotBlank("password", password);

    CmpUtf8Pairs conf = new CmpUtf8Pairs("password", password);
    conf.putUtf8Pair("parallelism", Integer.toString(parallelism));
    if (keyLabel != null) {
      conf.putUtf8Pair("key-label", keyLabel);
    }
    conf.putUtf8Pair("keystore", "file:" + keystoreFile);

    return conf.getEncoded();
  }
Example #4
0
  /*
   * sigAlgoControl will be considered only if hashAlgo is not set
   *
   */
  private ConcurrentContentSigner doCreateSigner(
      String type,
      final String conf,
      final String hashAlgo,
      final SignatureAlgoControl sigAlgoControl,
      final X509Certificate[] certificateChain)
      throws SignerException {
    if (signerTypeMapping.containsKey(type)) {
      type = signerTypeMapping.get(type);
    }

    if ("PKCS11".equalsIgnoreCase(type)
        || "PKCS12".equalsIgnoreCase(type)
        || "JKS".equalsIgnoreCase(type)) {
      CmpUtf8Pairs keyValues = new CmpUtf8Pairs(conf);

      String s = keyValues.getValue("parallelism");
      int parallelism = defaultParallelism;
      if (s != null) {
        try {
          parallelism = Integer.parseInt(s);
        } catch (NumberFormatException e) {
          throw new SignerException("invalid parallelism " + s);
        }

        if (parallelism < 1) {
          throw new SignerException("invalid parallelism " + s);
        }
      }

      if ("PKCS11".equalsIgnoreCase(type)) {
        String pkcs11Module = keyValues.getValue("module");
        if (pkcs11Module == null) {
          pkcs11Module = DEFAULT_P11MODULE_NAME;
        }

        s = keyValues.getValue("slot");
        Integer slotIndex = (s == null) ? null : Integer.parseInt(s);

        s = keyValues.getValue("slot-id");
        Long slotId = (s == null) ? null : Long.parseLong(s);

        if ((slotIndex == null && slotId == null) || (slotIndex != null && slotId != null)) {
          throw new SignerException("exactly one of slot (index) and slot-id must be specified");
        }
        P11SlotIdentifier slot = new P11SlotIdentifier(slotIndex, slotId);

        String keyLabel = keyValues.getValue("key-label");
        s = keyValues.getValue("key-id");
        byte[] keyId = null;
        if (s != null) {
          keyId = Hex.decode(s);
        }

        if ((keyId == null && keyLabel == null) || (keyId != null && keyLabel != null)) {
          throw new SignerException("exactly one of key-id and key-label must be specified");
        }

        P11KeyIdentifier keyIdentifier;
        if (keyId != null) {
          keyIdentifier = new P11KeyIdentifier(keyId);
        } else {
          keyIdentifier = new P11KeyIdentifier(keyLabel);
        }

        P11CryptService p11CryptService = getP11CryptService(pkcs11Module);
        P11ContentSignerBuilder signerBuilder =
            new P11ContentSignerBuilder(p11CryptService, slot, keyIdentifier, certificateChain);

        try {
          AlgorithmIdentifier signatureAlgId;
          if (hashAlgo == null) {
            signatureAlgId = getSignatureAlgoId(conf);
          } else {
            PublicKey pubKey;
            try {
              pubKey = getPkcs11PublicKey(pkcs11Module, slot, keyIdentifier);
            } catch (InvalidKeyException e) {
              throw new SignerException("invalid key: " + e.getMessage(), e);
            }

            signatureAlgId = AlgorithmUtil.getSignatureAlgoId(pubKey, hashAlgo, sigAlgoControl);
          }
          return signerBuilder.createSigner(signatureAlgId, parallelism);
        } catch (OperatorCreationException | NoSuchPaddingException | NoSuchAlgorithmException e) {
          throw new SignerException(e.getMessage(), e);
        }

      } else {
        String passwordHint = keyValues.getValue("password");
        char[] password;
        if (passwordHint == null) {
          password = null;
        } else {
          if (passwordResolver == null) {
            password = passwordHint.toCharArray();
          } else {
            try {
              password = passwordResolver.resolvePassword(passwordHint);
            } catch (PasswordResolverException e) {
              throw new SignerException("could not resolve password. Message: " + e.getMessage());
            }
          }
        }

        s = keyValues.getValue("keystore");
        String keyLabel = keyValues.getValue("key-label");

        InputStream keystoreStream;
        if (StringUtil.startsWithIgnoreCase(s, "base64:")) {
          keystoreStream = new ByteArrayInputStream(Base64.decode(s.substring("base64:".length())));
        } else if (StringUtil.startsWithIgnoreCase(s, "file:")) {
          String fn = s.substring("file:".length());
          try {
            keystoreStream = new FileInputStream(IoUtil.expandFilepath(fn));
          } catch (FileNotFoundException e) {
            throw new SignerException("file not found: " + fn);
          }
        } else {
          throw new SignerException("unknown keystore content format");
        }

        SoftTokenContentSignerBuilder signerBuilder =
            new SoftTokenContentSignerBuilder(
                type, keystoreStream, password, keyLabel, password, certificateChain);

        try {
          AlgorithmIdentifier signatureAlgId;
          if (hashAlgo == null) {
            signatureAlgId = getSignatureAlgoId(conf);
          } else {
            PublicKey pubKey = signerBuilder.getCert().getPublicKey();
            signatureAlgId = AlgorithmUtil.getSignatureAlgoId(pubKey, hashAlgo, sigAlgoControl);
          }

          return signerBuilder.createSigner(signatureAlgId, parallelism);
        } catch (OperatorCreationException | NoSuchPaddingException | NoSuchAlgorithmException e) {
          throw new SignerException(e.getMessage());
        }
      }
    } else if (StringUtil.startsWithIgnoreCase(type, "java:")) {
      if (hashAlgo == null) {
        ConcurrentContentSigner contentSigner;
        String classname = type.substring("java:".length());
        try {
          Class<?> clazz = Class.forName(classname);
          contentSigner = (ConcurrentContentSigner) clazz.newInstance();
        } catch (Exception e) {
          throw new SignerException(e.getMessage(), e);
        }
        contentSigner.initialize(conf, passwordResolver);

        if (certificateChain != null) {
          contentSigner.setCertificateChain(certificateChain);
        }

        return contentSigner;
      } else {
        throw new SignerException("unknwon type: " + type);
      }
    } else {
      throw new SignerException("unknwon type: " + type);
    }
  }
Example #5
0
  private static void validateSigner(
      final ConcurrentContentSigner signer,
      final X509Certificate[] certificateChain,
      final String signerType,
      final String signerConf)
      throws SignerException {
    X509Certificate cert = signer.getCertificate();
    if (certificateChain == null) {
      return;
    }

    String signatureAlgoName;
    try {
      signatureAlgoName = AlgorithmUtil.getSignatureAlgoName(signer.getAlgorithmIdentifier());
    } catch (NoSuchAlgorithmException e) {
      throw new SignerException(e.getMessage(), e);
    }

    ContentSigner csigner;
    try {
      csigner = signer.borrowContentSigner();
    } catch (NoIdleSignerException e) {
      throw new SignerException(e.getMessage(), e);
    }

    try {
      byte[] dummyContent = new byte[] {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
      Signature verifier = Signature.getInstance(signatureAlgoName, "BC");

      OutputStream signatureStream = csigner.getOutputStream();
      signatureStream.write(dummyContent);
      byte[] signatureValue = csigner.getSignature();

      verifier.initVerify(cert.getPublicKey());
      verifier.update(dummyContent);
      boolean valid = verifier.verify(signatureValue);
      if (valid == false) {
        String subject = X509Util.getRFC4519Name(cert.getSubjectX500Principal());

        StringBuilder sb = new StringBuilder();
        sb.append("key and certificate not match. ");
        sb.append("key type='").append(signerType).append("'; ");

        CmpUtf8Pairs keyValues = new CmpUtf8Pairs(signerConf);
        String pwd = keyValues.getValue("password");
        if (pwd != null) {
          keyValues.putUtf8Pair("password", "****");
        }
        keyValues.putUtf8Pair("algo", signatureAlgoName);
        sb.append("conf='").append(keyValues.getEncoded()).append("', ");
        sb.append("certificate subject='").append(subject).append("'");

        throw new SignerException(sb.toString());
      }
    } catch (IOException
        | NoSuchAlgorithmException
        | InvalidKeyException
        | SignatureException
        | NoSuchProviderException e) {
      throw new SignerException(e.getMessage(), e);
    } finally {
      if (csigner != null) {
        signer.returnContentSigner(csigner);
      }
    }
  }
Example #6
0
  @Override
  protected Object _doExecute() throws Exception {
    X509ChangeCAEntry ey = getChangeCAEntry();
    String caName = ey.getName();
    out("checking CA" + caName);

    CAEntry entry = caManager.getCA(caName);
    if (entry == null) {
      throw new UnexpectedException("could not find CA '" + caName + "'");
    }

    if (entry instanceof X509CAEntry == false) {
      throw new UnexpectedException("CA '" + caName + "' is not an X509-CA");
    }

    X509CAEntry ca = (X509CAEntry) entry;

    // CA cert uris
    if (ey.getCaCertUris() != null) {
      List<String> ex = ey.getCaCertUris();
      List<String> is = ca.getCacertUris();
      MgmtQAShellUtil.assertEquals("CA cert uris", ex, is);
    }

    // CA certificate
    if (ey.getCert() != null) {
      X509Certificate ex = ey.getCert();
      X509Certificate is = ca.getCertificate();
      if (ex.equals(is) == false) {
        throw new CmdFailure("CA cert is not as expected");
      }
    }

    // CMP control name
    if (ey.getCmpControlName() != null) {
      String ex = ey.getCmpControlName();
      String is = ca.getCmpControlName();
      MgmtQAShellUtil.assertEquals("CMP control name", ex, is);
    }

    // CRL signer name
    if (ey.getCrlSignerName() != null) {
      String ex = ey.getCrlSignerName();
      String is = ca.getCrlSignerName();
      MgmtQAShellUtil.assertEquals("CRL signer name", ex, is);
    }

    // CRL uris
    if (ey.getCrlUris() != null) {
      List<String> ex = ey.getCrlUris();
      List<String> is = ca.getCrlUris();
      MgmtQAShellUtil.assertEquals("CRL uris", ex, is);
    }

    // DeltaCRL uris
    if (ey.getDeltaCrlUris() != null) {
      List<String> ex = ey.getDeltaCrlUris();
      List<String> is = ca.getDeltaCrlUris();
      MgmtQAShellUtil.assertEquals("Delta CRL uris", ex, is);
    }

    // Duplicate key mode
    if (ey.getDuplicateKeyMode() != null) {
      DuplicationMode ex = ey.getDuplicateKeyMode();
      DuplicationMode is = ca.getDuplicateKeyMode();
      if (ex.equals(is) == false) {
        throw new CmdFailure("Duplicate key mode: is '" + is + "', but expected '" + ex + "'");
      }
    }

    // Duplicate subject mode
    if (ey.getDuplicateSubjectMode() != null) {
      DuplicationMode ex = ey.getDuplicateSubjectMode();
      DuplicationMode is = ca.getDuplicateSubjectMode();
      if (ex.equals(is) == false) {
        throw new CmdFailure("Duplicate subject mode: is '" + is + "', but expected '" + ex + "'");
      }
    }

    // Expiration period
    if (ey.getExpirationPeriod() != null) {
      Integer ex = ey.getExpirationPeriod();
      Integer is = ca.getExpirationPeriod();
      if (ex.equals(is) == false) {
        throw new CmdFailure("Expiration period: is '" + is + "', but expected '" + ex + "'");
      }
    }

    // Extra control
    if (ey.getExtraControl() != null) {
      String ex = ey.getExtraControl();
      String is = ca.getExtraControl();
      if (ex.equals(is) == false) {
        throw new CmdFailure("Extra control: is '" + is + "', but expected '" + ex + "'");
      }
    }

    // Max validity
    if (ey.getMaxValidity() != null) {
      CertValidity ex = ey.getMaxValidity();
      CertValidity is = ca.getMaxValidity();
      if (ex.equals(is) == false) {
        throw new CmdFailure("Max validity: is '" + is + "', but expected '" + ex + "'");
      }
    }

    // Num CRLs
    if (ey.getNumCrls() != null) {
      int ex = ey.getNumCrls();
      int is = ca.getNumCrls();
      if (ex != is) {
        throw new CmdFailure("num CRLs: is '" + is + "', but expected '" + ex + "'");
      }
    }

    // OCSP uris
    if (ey.getOcspUris() != null) {
      List<String> ex = ey.getOcspUris();
      List<String> is = ca.getOcspUris();
      MgmtQAShellUtil.assertEquals("OCSP uris", ex, is);
    }

    // Permissions
    if (ey.getPermissions() != null) {
      Set<Permission> ex = ey.getPermissions();
      Set<Permission> is = ca.getPermissions();
      MgmtQAShellUtil.assertEquals("permissions", ex, is);
    }

    // Responder name
    if (ey.getResponderName() != null) {
      String ex = ey.getResponderName();
      String is = ca.getResponderName();
      MgmtQAShellUtil.assertEquals("responder name", ex, is);
    }

    // Signer Type
    if (ey.getSignerType() != null) {
      String ex = ey.getSignerType();
      String is = ca.getSignerType();
      MgmtQAShellUtil.assertEquals("signer type", ex, is);
    }

    if (ey.getSignerConf() != null) {
      CmpUtf8Pairs ex = new CmpUtf8Pairs(ey.getSignerConf());
      ex.removeUtf8Pair("keystore");
      CmpUtf8Pairs is = new CmpUtf8Pairs(ca.getSignerConf());
      is.removeUtf8Pair("keystore");
      if (ex.equals(is) == false) {
        throw new CmdFailure("signer conf: is '" + is + "', but expected '" + ex + "'");
      }
    }

    // Status
    if (ey.getStatus() != null) {
      CAStatus ex = ey.getStatus();
      CAStatus is = ca.getStatus();
      if (ex.equals(is) == false) {
        throw new CmdFailure("status: is '" + is + "', but expected '" + ex + "'");
      }
    }

    // validity mode
    if (ey.getValidityMode() != null) {
      ValidityMode ex = ey.getValidityMode();
      ValidityMode is = ca.getValidityMode();
      if (ex.equals(is) == false) {
        throw new CmdFailure("validity mode: is '" + is + "', but expected '" + ex + "'");
      }
    }

    out(" checked CA" + caName);
    return null;
  }