private AlgorithmIdentifier getSignatureAlgoId(final String signerConf) throws SignerException {
CmpUtf8Pairs keyValues = new CmpUtf8Pairs(signerConf);
String algoS = keyValues.getValue("algo");
if (algoS == null) {
throw new SignerException("algo is not specified");
}
try {
return AlgorithmUtil.getSignatureAlgoId(algoS);
} catch (NoSuchAlgorithmException e) {
throw new SignerException(e.getMessage(), e);
}
}
public static String getPkcs11SignerConfWithoutAlgo(
final String pkcs11ModuleName,
final P11SlotIdentifier slotId,
final P11KeyIdentifier keyId,
final int parallelism) {
ParamChecker.assertNotNull("keyId", keyId);
CmpUtf8Pairs conf = new CmpUtf8Pairs();
conf.putUtf8Pair("parallelism", Integer.toString(parallelism));
if (pkcs11ModuleName != null && pkcs11ModuleName.length() > 0) {
conf.putUtf8Pair("module", pkcs11ModuleName);
}
if (slotId.getSlotId() != null) {
conf.putUtf8Pair("slot-id", slotId.getSlotId().toString());
} else {
conf.putUtf8Pair("slot", slotId.getSlotIndex().toString());
}
if (keyId.getKeyId() != null) {
conf.putUtf8Pair("key-id", Hex.toHexString(keyId.getKeyId()));
}
if (keyId.getKeyLabel() != null) {
conf.putUtf8Pair("key-label", keyId.getKeyLabel());
}
return conf.getEncoded();
}
public static String getKeystoreSignerConfWithoutAlgo(
final String keystoreFile,
final String password,
final int parallelism,
final String keyLabel) {
ParamChecker.assertNotBlank("keystoreFile", keystoreFile);
ParamChecker.assertNotBlank("password", password);
CmpUtf8Pairs conf = new CmpUtf8Pairs("password", password);
conf.putUtf8Pair("parallelism", Integer.toString(parallelism));
if (keyLabel != null) {
conf.putUtf8Pair("key-label", keyLabel);
}
conf.putUtf8Pair("keystore", "file:" + keystoreFile);
return conf.getEncoded();
}
/*
* sigAlgoControl will be considered only if hashAlgo is not set
*
*/
private ConcurrentContentSigner doCreateSigner(
String type,
final String conf,
final String hashAlgo,
final SignatureAlgoControl sigAlgoControl,
final X509Certificate[] certificateChain)
throws SignerException {
if (signerTypeMapping.containsKey(type)) {
type = signerTypeMapping.get(type);
}
if ("PKCS11".equalsIgnoreCase(type)
|| "PKCS12".equalsIgnoreCase(type)
|| "JKS".equalsIgnoreCase(type)) {
CmpUtf8Pairs keyValues = new CmpUtf8Pairs(conf);
String s = keyValues.getValue("parallelism");
int parallelism = defaultParallelism;
if (s != null) {
try {
parallelism = Integer.parseInt(s);
} catch (NumberFormatException e) {
throw new SignerException("invalid parallelism " + s);
}
if (parallelism < 1) {
throw new SignerException("invalid parallelism " + s);
}
}
if ("PKCS11".equalsIgnoreCase(type)) {
String pkcs11Module = keyValues.getValue("module");
if (pkcs11Module == null) {
pkcs11Module = DEFAULT_P11MODULE_NAME;
}
s = keyValues.getValue("slot");
Integer slotIndex = (s == null) ? null : Integer.parseInt(s);
s = keyValues.getValue("slot-id");
Long slotId = (s == null) ? null : Long.parseLong(s);
if ((slotIndex == null && slotId == null) || (slotIndex != null && slotId != null)) {
throw new SignerException("exactly one of slot (index) and slot-id must be specified");
}
P11SlotIdentifier slot = new P11SlotIdentifier(slotIndex, slotId);
String keyLabel = keyValues.getValue("key-label");
s = keyValues.getValue("key-id");
byte[] keyId = null;
if (s != null) {
keyId = Hex.decode(s);
}
if ((keyId == null && keyLabel == null) || (keyId != null && keyLabel != null)) {
throw new SignerException("exactly one of key-id and key-label must be specified");
}
P11KeyIdentifier keyIdentifier;
if (keyId != null) {
keyIdentifier = new P11KeyIdentifier(keyId);
} else {
keyIdentifier = new P11KeyIdentifier(keyLabel);
}
P11CryptService p11CryptService = getP11CryptService(pkcs11Module);
P11ContentSignerBuilder signerBuilder =
new P11ContentSignerBuilder(p11CryptService, slot, keyIdentifier, certificateChain);
try {
AlgorithmIdentifier signatureAlgId;
if (hashAlgo == null) {
signatureAlgId = getSignatureAlgoId(conf);
} else {
PublicKey pubKey;
try {
pubKey = getPkcs11PublicKey(pkcs11Module, slot, keyIdentifier);
} catch (InvalidKeyException e) {
throw new SignerException("invalid key: " + e.getMessage(), e);
}
signatureAlgId = AlgorithmUtil.getSignatureAlgoId(pubKey, hashAlgo, sigAlgoControl);
}
return signerBuilder.createSigner(signatureAlgId, parallelism);
} catch (OperatorCreationException | NoSuchPaddingException | NoSuchAlgorithmException e) {
throw new SignerException(e.getMessage(), e);
}
} else {
String passwordHint = keyValues.getValue("password");
char[] password;
if (passwordHint == null) {
password = null;
} else {
if (passwordResolver == null) {
password = passwordHint.toCharArray();
} else {
try {
password = passwordResolver.resolvePassword(passwordHint);
} catch (PasswordResolverException e) {
throw new SignerException("could not resolve password. Message: " + e.getMessage());
}
}
}
s = keyValues.getValue("keystore");
String keyLabel = keyValues.getValue("key-label");
InputStream keystoreStream;
if (StringUtil.startsWithIgnoreCase(s, "base64:")) {
keystoreStream = new ByteArrayInputStream(Base64.decode(s.substring("base64:".length())));
} else if (StringUtil.startsWithIgnoreCase(s, "file:")) {
String fn = s.substring("file:".length());
try {
keystoreStream = new FileInputStream(IoUtil.expandFilepath(fn));
} catch (FileNotFoundException e) {
throw new SignerException("file not found: " + fn);
}
} else {
throw new SignerException("unknown keystore content format");
}
SoftTokenContentSignerBuilder signerBuilder =
new SoftTokenContentSignerBuilder(
type, keystoreStream, password, keyLabel, password, certificateChain);
try {
AlgorithmIdentifier signatureAlgId;
if (hashAlgo == null) {
signatureAlgId = getSignatureAlgoId(conf);
} else {
PublicKey pubKey = signerBuilder.getCert().getPublicKey();
signatureAlgId = AlgorithmUtil.getSignatureAlgoId(pubKey, hashAlgo, sigAlgoControl);
}
return signerBuilder.createSigner(signatureAlgId, parallelism);
} catch (OperatorCreationException | NoSuchPaddingException | NoSuchAlgorithmException e) {
throw new SignerException(e.getMessage());
}
}
} else if (StringUtil.startsWithIgnoreCase(type, "java:")) {
if (hashAlgo == null) {
ConcurrentContentSigner contentSigner;
String classname = type.substring("java:".length());
try {
Class<?> clazz = Class.forName(classname);
contentSigner = (ConcurrentContentSigner) clazz.newInstance();
} catch (Exception e) {
throw new SignerException(e.getMessage(), e);
}
contentSigner.initialize(conf, passwordResolver);
if (certificateChain != null) {
contentSigner.setCertificateChain(certificateChain);
}
return contentSigner;
} else {
throw new SignerException("unknwon type: " + type);
}
} else {
throw new SignerException("unknwon type: " + type);
}
}
private static void validateSigner(
final ConcurrentContentSigner signer,
final X509Certificate[] certificateChain,
final String signerType,
final String signerConf)
throws SignerException {
X509Certificate cert = signer.getCertificate();
if (certificateChain == null) {
return;
}
String signatureAlgoName;
try {
signatureAlgoName = AlgorithmUtil.getSignatureAlgoName(signer.getAlgorithmIdentifier());
} catch (NoSuchAlgorithmException e) {
throw new SignerException(e.getMessage(), e);
}
ContentSigner csigner;
try {
csigner = signer.borrowContentSigner();
} catch (NoIdleSignerException e) {
throw new SignerException(e.getMessage(), e);
}
try {
byte[] dummyContent = new byte[] {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
Signature verifier = Signature.getInstance(signatureAlgoName, "BC");
OutputStream signatureStream = csigner.getOutputStream();
signatureStream.write(dummyContent);
byte[] signatureValue = csigner.getSignature();
verifier.initVerify(cert.getPublicKey());
verifier.update(dummyContent);
boolean valid = verifier.verify(signatureValue);
if (valid == false) {
String subject = X509Util.getRFC4519Name(cert.getSubjectX500Principal());
StringBuilder sb = new StringBuilder();
sb.append("key and certificate not match. ");
sb.append("key type='").append(signerType).append("'; ");
CmpUtf8Pairs keyValues = new CmpUtf8Pairs(signerConf);
String pwd = keyValues.getValue("password");
if (pwd != null) {
keyValues.putUtf8Pair("password", "****");
}
keyValues.putUtf8Pair("algo", signatureAlgoName);
sb.append("conf='").append(keyValues.getEncoded()).append("', ");
sb.append("certificate subject='").append(subject).append("'");
throw new SignerException(sb.toString());
}
} catch (IOException
| NoSuchAlgorithmException
| InvalidKeyException
| SignatureException
| NoSuchProviderException e) {
throw new SignerException(e.getMessage(), e);
} finally {
if (csigner != null) {
signer.returnContentSigner(csigner);
}
}
}
@Override
protected Object _doExecute() throws Exception {
X509ChangeCAEntry ey = getChangeCAEntry();
String caName = ey.getName();
out("checking CA" + caName);
CAEntry entry = caManager.getCA(caName);
if (entry == null) {
throw new UnexpectedException("could not find CA '" + caName + "'");
}
if (entry instanceof X509CAEntry == false) {
throw new UnexpectedException("CA '" + caName + "' is not an X509-CA");
}
X509CAEntry ca = (X509CAEntry) entry;
// CA cert uris
if (ey.getCaCertUris() != null) {
List<String> ex = ey.getCaCertUris();
List<String> is = ca.getCacertUris();
MgmtQAShellUtil.assertEquals("CA cert uris", ex, is);
}
// CA certificate
if (ey.getCert() != null) {
X509Certificate ex = ey.getCert();
X509Certificate is = ca.getCertificate();
if (ex.equals(is) == false) {
throw new CmdFailure("CA cert is not as expected");
}
}
// CMP control name
if (ey.getCmpControlName() != null) {
String ex = ey.getCmpControlName();
String is = ca.getCmpControlName();
MgmtQAShellUtil.assertEquals("CMP control name", ex, is);
}
// CRL signer name
if (ey.getCrlSignerName() != null) {
String ex = ey.getCrlSignerName();
String is = ca.getCrlSignerName();
MgmtQAShellUtil.assertEquals("CRL signer name", ex, is);
}
// CRL uris
if (ey.getCrlUris() != null) {
List<String> ex = ey.getCrlUris();
List<String> is = ca.getCrlUris();
MgmtQAShellUtil.assertEquals("CRL uris", ex, is);
}
// DeltaCRL uris
if (ey.getDeltaCrlUris() != null) {
List<String> ex = ey.getDeltaCrlUris();
List<String> is = ca.getDeltaCrlUris();
MgmtQAShellUtil.assertEquals("Delta CRL uris", ex, is);
}
// Duplicate key mode
if (ey.getDuplicateKeyMode() != null) {
DuplicationMode ex = ey.getDuplicateKeyMode();
DuplicationMode is = ca.getDuplicateKeyMode();
if (ex.equals(is) == false) {
throw new CmdFailure("Duplicate key mode: is '" + is + "', but expected '" + ex + "'");
}
}
// Duplicate subject mode
if (ey.getDuplicateSubjectMode() != null) {
DuplicationMode ex = ey.getDuplicateSubjectMode();
DuplicationMode is = ca.getDuplicateSubjectMode();
if (ex.equals(is) == false) {
throw new CmdFailure("Duplicate subject mode: is '" + is + "', but expected '" + ex + "'");
}
}
// Expiration period
if (ey.getExpirationPeriod() != null) {
Integer ex = ey.getExpirationPeriod();
Integer is = ca.getExpirationPeriod();
if (ex.equals(is) == false) {
throw new CmdFailure("Expiration period: is '" + is + "', but expected '" + ex + "'");
}
}
// Extra control
if (ey.getExtraControl() != null) {
String ex = ey.getExtraControl();
String is = ca.getExtraControl();
if (ex.equals(is) == false) {
throw new CmdFailure("Extra control: is '" + is + "', but expected '" + ex + "'");
}
}
// Max validity
if (ey.getMaxValidity() != null) {
CertValidity ex = ey.getMaxValidity();
CertValidity is = ca.getMaxValidity();
if (ex.equals(is) == false) {
throw new CmdFailure("Max validity: is '" + is + "', but expected '" + ex + "'");
}
}
// Num CRLs
if (ey.getNumCrls() != null) {
int ex = ey.getNumCrls();
int is = ca.getNumCrls();
if (ex != is) {
throw new CmdFailure("num CRLs: is '" + is + "', but expected '" + ex + "'");
}
}
// OCSP uris
if (ey.getOcspUris() != null) {
List<String> ex = ey.getOcspUris();
List<String> is = ca.getOcspUris();
MgmtQAShellUtil.assertEquals("OCSP uris", ex, is);
}
// Permissions
if (ey.getPermissions() != null) {
Set<Permission> ex = ey.getPermissions();
Set<Permission> is = ca.getPermissions();
MgmtQAShellUtil.assertEquals("permissions", ex, is);
}
// Responder name
if (ey.getResponderName() != null) {
String ex = ey.getResponderName();
String is = ca.getResponderName();
MgmtQAShellUtil.assertEquals("responder name", ex, is);
}
// Signer Type
if (ey.getSignerType() != null) {
String ex = ey.getSignerType();
String is = ca.getSignerType();
MgmtQAShellUtil.assertEquals("signer type", ex, is);
}
if (ey.getSignerConf() != null) {
CmpUtf8Pairs ex = new CmpUtf8Pairs(ey.getSignerConf());
ex.removeUtf8Pair("keystore");
CmpUtf8Pairs is = new CmpUtf8Pairs(ca.getSignerConf());
is.removeUtf8Pair("keystore");
if (ex.equals(is) == false) {
throw new CmdFailure("signer conf: is '" + is + "', but expected '" + ex + "'");
}
}
// Status
if (ey.getStatus() != null) {
CAStatus ex = ey.getStatus();
CAStatus is = ca.getStatus();
if (ex.equals(is) == false) {
throw new CmdFailure("status: is '" + is + "', but expected '" + ex + "'");
}
}
// validity mode
if (ey.getValidityMode() != null) {
ValidityMode ex = ey.getValidityMode();
ValidityMode is = ca.getValidityMode();
if (ex.equals(is) == false) {
throw new CmdFailure("validity mode: is '" + is + "', but expected '" + ex + "'");
}
}
out(" checked CA" + caName);
return null;
}