Search in sources :

Example 1 with BCFKSLoadStoreParameter

use of com.github.zhenwei.provider.jcajce.BCFKSLoadStoreParameter in project LinLong-Java by zhenwei1108.

the class BcFKSKeyStoreSpi method engineLoad.

public void engineLoad(KeyStore.LoadStoreParameter parameter) throws CertificateException, NoSuchAlgorithmException, IOException {
    if (parameter == null) {
        engineLoad(null, null);
    } else if (parameter instanceof BCFKSLoadStoreParameter) {
        BCFKSLoadStoreParameter bcParam = (BCFKSLoadStoreParameter) parameter;
        char[] password = ParameterUtil.extractPassword(bcParam);
        hmacPkbdAlgorithm = generatePkbdAlgorithmIdentifier(bcParam.getStorePBKDFConfig(), 512 / 8);
        if (bcParam.getStoreEncryptionAlgorithm() == BCFKSLoadStoreParameter.EncryptionAlgorithm.AES256_CCM) {
            storeEncryptionAlgorithm = NISTObjectIdentifiers.id_aes256_CCM;
        } else {
            storeEncryptionAlgorithm = NISTObjectIdentifiers.id_aes256_wrap_pad;
        }
        if (bcParam.getStoreMacAlgorithm() == BCFKSLoadStoreParameter.MacAlgorithm.HmacSHA512) {
            hmacAlgorithm = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA512, DERNull.INSTANCE);
        } else {
            hmacAlgorithm = new AlgorithmIdentifier(NISTObjectIdentifiers.id_hmacWithSHA3_512, DERNull.INSTANCE);
        }
        this.verificationKey = (PublicKey) bcParam.getStoreSignatureKey();
        this.validator = bcParam.getCertChainValidator();
        this.signatureAlgorithm = generateSignatureAlgId(verificationKey, bcParam.getStoreSignatureAlgorithm());
        AlgorithmIdentifier presetHmacAlgorithm = hmacAlgorithm;
        ASN1ObjectIdentifier presetStoreEncryptionAlgorithm = storeEncryptionAlgorithm;
        InputStream inputStream = bcParam.getInputStream();
        engineLoad(inputStream, password);
        if (inputStream != null) {
            if (// !presetHmacAlgorithm.equals(hmacAlgorithm)
            !isSimilarHmacPbkd(bcParam.getStorePBKDFConfig(), hmacPkbdAlgorithm) || !presetStoreEncryptionAlgorithm.equals(storeEncryptionAlgorithm)) {
                throw new IOException("configuration parameters do not match existing store");
            }
        }
    } else if (parameter instanceof BCLoadStoreParameter) {
        BCLoadStoreParameter bcParam = (BCLoadStoreParameter) parameter;
        engineLoad(bcParam.getInputStream(), ParameterUtil.extractPassword(parameter));
    } else {
        throw new IllegalArgumentException("no support for 'parameter' of type " + parameter.getClass().getName());
    }
}
Also used : PublicKey(java.security.PublicKey) ASN1InputStream(com.github.zhenwei.core.asn1.ASN1InputStream) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) IOException(java.io.IOException) BCFKSLoadStoreParameter(com.github.zhenwei.provider.jcajce.BCFKSLoadStoreParameter) ASN1ObjectIdentifier(com.github.zhenwei.core.asn1.ASN1ObjectIdentifier) BCLoadStoreParameter(com.github.zhenwei.provider.jcajce.BCLoadStoreParameter) AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)

Example 2 with BCFKSLoadStoreParameter

use of com.github.zhenwei.provider.jcajce.BCFKSLoadStoreParameter in project LinLong-Java by zhenwei1108.

the class BcFKSKeyStoreSpi method engineStore.

public void engineStore(KeyStore.LoadStoreParameter parameter) throws CertificateException, NoSuchAlgorithmException, IOException {
    if (parameter == null) {
        throw new IllegalArgumentException("'parameter' arg cannot be null");
    }
    if (parameter instanceof BCFKSStoreParameter) {
        BCFKSStoreParameter bcParam = (BCFKSStoreParameter) parameter;
        char[] password = ParameterUtil.extractPassword(parameter);
        hmacPkbdAlgorithm = generatePkbdAlgorithmIdentifier(bcParam.getStorePBKDFConfig(), 512 / 8);
        engineStore(bcParam.getOutputStream(), password);
    } else if (parameter instanceof BCFKSLoadStoreParameter) {
        BCFKSLoadStoreParameter bcParam = (BCFKSLoadStoreParameter) parameter;
        if (bcParam.getStoreSignatureKey() != null) {
            signatureAlgorithm = generateSignatureAlgId(bcParam.getStoreSignatureKey(), bcParam.getStoreSignatureAlgorithm());
            hmacPkbdAlgorithm = generatePkbdAlgorithmIdentifier(bcParam.getStorePBKDFConfig(), 512 / 8);
            if (bcParam.getStoreEncryptionAlgorithm() == BCFKSLoadStoreParameter.EncryptionAlgorithm.AES256_CCM) {
                storeEncryptionAlgorithm = NISTObjectIdentifiers.id_aes256_CCM;
            } else {
                storeEncryptionAlgorithm = NISTObjectIdentifiers.id_aes256_wrap_pad;
            }
            if (bcParam.getStoreMacAlgorithm() == BCFKSLoadStoreParameter.MacAlgorithm.HmacSHA512) {
                hmacAlgorithm = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA512, DERNull.INSTANCE);
            } else {
                hmacAlgorithm = new AlgorithmIdentifier(NISTObjectIdentifiers.id_hmacWithSHA3_512, DERNull.INSTANCE);
            }
            char[] password = ParameterUtil.extractPassword(bcParam);
            EncryptedObjectStoreData encStoreData = getEncryptedObjectStoreData(signatureAlgorithm, password);
            try {
                Signature sig = helper.createSignature(signatureAlgorithm.getAlgorithm().getId());
                sig.initSign((PrivateKey) bcParam.getStoreSignatureKey());
                sig.update(encStoreData.getEncoded());
                SignatureCheck signatureCheck;
                X509Certificate[] certs = bcParam.getStoreCertificates();
                if (certs != null) {
                    com.github.zhenwei.core.asn1.x509.Certificate[] certificates = new com.github.zhenwei.core.asn1.x509.Certificate[certs.length];
                    for (int i = 0; i != certificates.length; i++) {
                        certificates[i] = com.github.zhenwei.core.asn1.x509.Certificate.getInstance(certs[i].getEncoded());
                    }
                    signatureCheck = new SignatureCheck(signatureAlgorithm, certificates, sig.sign());
                } else {
                    signatureCheck = new SignatureCheck(signatureAlgorithm, sig.sign());
                }
                ObjectStore store = new ObjectStore(encStoreData, new ObjectStoreIntegrityCheck(signatureCheck));
                bcParam.getOutputStream().write(store.getEncoded());
                bcParam.getOutputStream().flush();
            } catch (GeneralSecurityException e) {
                throw new IOException("error creating signature: " + e.getMessage(), e);
            }
        } else {
            char[] password = ParameterUtil.extractPassword(bcParam);
            hmacPkbdAlgorithm = generatePkbdAlgorithmIdentifier(bcParam.getStorePBKDFConfig(), 512 / 8);
            if (bcParam.getStoreEncryptionAlgorithm() == BCFKSLoadStoreParameter.EncryptionAlgorithm.AES256_CCM) {
                storeEncryptionAlgorithm = NISTObjectIdentifiers.id_aes256_CCM;
            } else {
                storeEncryptionAlgorithm = NISTObjectIdentifiers.id_aes256_wrap_pad;
            }
            if (bcParam.getStoreMacAlgorithm() == BCFKSLoadStoreParameter.MacAlgorithm.HmacSHA512) {
                hmacAlgorithm = new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA512, DERNull.INSTANCE);
            } else {
                hmacAlgorithm = new AlgorithmIdentifier(NISTObjectIdentifiers.id_hmacWithSHA3_512, DERNull.INSTANCE);
            }
            engineStore(bcParam.getOutputStream(), password);
        }
    } else if (parameter instanceof BCLoadStoreParameter) {
        BCLoadStoreParameter bcParam = (BCLoadStoreParameter) parameter;
        engineStore(bcParam.getOutputStream(), ParameterUtil.extractPassword(parameter));
    } else {
        throw new IllegalArgumentException("no support for 'parameter' of type " + parameter.getClass().getName());
    }
}
Also used : ObjectStore(com.github.zhenwei.core.asn1.bc.ObjectStore) PrivateKey(java.security.PrivateKey) GeneralSecurityException(java.security.GeneralSecurityException) BCFKSStoreParameter(com.github.zhenwei.provider.jcajce.BCFKSStoreParameter) EncryptedObjectStoreData(com.github.zhenwei.core.asn1.bc.EncryptedObjectStoreData) IOException(java.io.IOException) AlgorithmIdentifier(com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier) SignatureCheck(com.github.zhenwei.core.asn1.bc.SignatureCheck) Signature(java.security.Signature) BCFKSLoadStoreParameter(com.github.zhenwei.provider.jcajce.BCFKSLoadStoreParameter) BCLoadStoreParameter(com.github.zhenwei.provider.jcajce.BCLoadStoreParameter) ObjectStoreIntegrityCheck(com.github.zhenwei.core.asn1.bc.ObjectStoreIntegrityCheck)

Aggregations

AlgorithmIdentifier (com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)2 BCFKSLoadStoreParameter (com.github.zhenwei.provider.jcajce.BCFKSLoadStoreParameter)2 BCLoadStoreParameter (com.github.zhenwei.provider.jcajce.BCLoadStoreParameter)2 IOException (java.io.IOException)2 ASN1InputStream (com.github.zhenwei.core.asn1.ASN1InputStream)1 ASN1ObjectIdentifier (com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)1 EncryptedObjectStoreData (com.github.zhenwei.core.asn1.bc.EncryptedObjectStoreData)1 ObjectStore (com.github.zhenwei.core.asn1.bc.ObjectStore)1 ObjectStoreIntegrityCheck (com.github.zhenwei.core.asn1.bc.ObjectStoreIntegrityCheck)1 SignatureCheck (com.github.zhenwei.core.asn1.bc.SignatureCheck)1 BCFKSStoreParameter (com.github.zhenwei.provider.jcajce.BCFKSStoreParameter)1 ByteArrayInputStream (java.io.ByteArrayInputStream)1 InputStream (java.io.InputStream)1 GeneralSecurityException (java.security.GeneralSecurityException)1 PrivateKey (java.security.PrivateKey)1 PublicKey (java.security.PublicKey)1 Signature (java.security.Signature)1