Examples with AlgorithmInfoType iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType used on opensource projects

Search in sources :

Example 6 with AlgorithmInfoType

use of iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType in project open-ecard by ecsec.

the class CIFCreator method createCryptoDID.

private DIDInfoType createCryptoDID(List<MwCertificate> mwCerts, SignatureAlgorithms sigalg) throws WSMarshallerException, CryptokiException {
    LOG.debug("Creating Crypto DID object.");
    DIDInfoType di = new DIDInfoType();
    String keyLabel = mwCerts.get(0).getLabel();
    // create differential identity
    DifferentialIdentityType did = new DifferentialIdentityType();
    di.setDifferentialIdentity(did);
    String didName = keyLabel + "_" + mwCerts.get(0).getLabel() + "_" + sigalg.getJcaAlg();
    LOG.debug("DIDName: {}", didName);
    did.setDIDName(didName);
    did.setDIDProtocol("urn:oid:1.3.162.15480.3.0.25");
    did.setDIDScope(DIDScopeType.LOCAL);
    // create crypto marker
    CryptoMarkerBuilder markerBuilder = new CryptoMarkerBuilder();
    // add AlgorithmInfo
    AlgorithmInfoType algInfo = new AlgorithmInfoType();
    algInfo.setAlgorithm(sigalg.getJcaAlg());
    AlgorithmIdentifierType algIdentifier = new AlgorithmIdentifierType();
    algIdentifier.setAlgorithm(sigalg.getAlgId());
    algInfo.setAlgorithmIdentifier(algIdentifier);
    algInfo.getSupportedOperations().add("Compute-signature");
    markerBuilder.setAlgInfo(algInfo);
    markerBuilder.setLegacyKeyname(keyLabel);
    // add certificates
    for (MwCertificate nextCert : mwCerts) {
        try {
            CertificateRefType certRef = new CertificateRefType();
            certRef.setDataSetName(nextCert.getLabel());
            markerBuilder.getCertRefs().add(certRef);
        } catch (CryptokiException ex) {
            LOG.warn("Certificate chain is not complete.");
            break;
        }
    }
    // wrap crypto marker and add to parent
    CryptoMarkerType marker = markerBuilder.build();
    DIDMarkerType markerWrapper = new DIDMarkerType();
    markerWrapper.setCryptoMarker(marker);
    did.setDIDMarker(markerWrapper);
    // create acl
    AccessControlListType acl = new AccessControlListType();
    di.setDIDACL(acl);
    List<AccessRuleType> rules = acl.getAccessRule();
    rules.add(createRuleTrue(AuthorizationServiceActionName.ACL_LIST));
    rules.add(createRuleTrue(DifferentialIdentityServiceActionName.DID_GET));
    // create sign rule with PIN reference
    AccessRuleType signRule = createRuleTrue(CryptographicServiceActionName.SIGN);
    signRule.setSecurityCondition(createDidCond(PIN_NAME));
    rules.add(signRule);
    return di;
}
Also used : CryptoMarkerBuilder(org.openecard.mdlw.sal.didfactory.CryptoMarkerBuilder) AccessControlListType(iso.std.iso_iec._24727.tech.schema.AccessControlListType) CryptoMarkerType(iso.std.iso_iec._24727.tech.schema.CryptoMarkerType) CertificateRefType(iso.std.iso_iec._24727.tech.schema.CertificateRefType) DIDMarkerType(iso.std.iso_iec._24727.tech.schema.DIDMarkerType) DifferentialIdentityType(iso.std.iso_iec._24727.tech.schema.DifferentialIdentityType) DIDInfoType(iso.std.iso_iec._24727.tech.schema.DIDInfoType) AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType) CryptokiException(org.openecard.mdlw.sal.exceptions.CryptokiException) AlgorithmIdentifierType(iso.std.iso_iec._24727.tech.schema.AlgorithmIdentifierType) AccessRuleType(iso.std.iso_iec._24727.tech.schema.AccessRuleType)

Example 7 with AlgorithmInfoType

use of iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType in project open-ecard by ecsec.

the class SmartCardCredentialFactory method getClientCredentials.

@Override
public List<TlsCredentialedSigner> getClientCredentials(CertificateRequest cr) {
    ArrayList<TlsCredentialedSigner> credentials = new ArrayList<>();
    TlsCryptoParameters tlsCrypto = new TlsCryptoParameters(context);
    LOG.debug("Selecting a suitable DID for the following requested algorithms:");
    ArrayList<SignatureAndHashAlgorithm> crSigAlgs = getCrSigAlgs(cr);
    removeUnsupportedAlgs(crSigAlgs);
    for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
        String reqAlgStr = String.format("%s-%s", SignatureAlgorithm.getText(reqAlg.getSignature()), HashAlgorithm.getText(reqAlg.getHash()));
        LOG.debug("  {}", reqAlgStr);
    }
    try {
        DidInfos didInfos = tokenCache.getInfo(null, handle);
        List<DidInfo> infos = didInfos.getCryptoDidInfos();
        printCerts(infos);
        // remove unsuitable DIDs
        LOG.info("Sorting out DIDs not able to handle the TLS request.");
        infos = removeSecretCertDids(infos);
        infos = removeNonAuthDids(infos);
        infos = removeUnsupportedAlgs(infos);
        infos = removeUnsupportedCerts(cr, infos);
        // infos = nonRawFirst(infos);
        LOG.info("Creating signer instances for the TLS Client Certificate signature.");
        // TLS < 1.2
        if (crSigAlgs.isEmpty()) {
            LOG.info("Looking for a raw RSA DID.");
            for (DidInfo info : infos) {
                try {
                    LOG.debug("Checking DID= {}.", info.getDidName());
                    TlsCredentialedSigner cred;
                    List<X509Certificate> chain = info.getRelatedCertificateChain();
                    Certificate clientCert = convertCert(context.getCrypto(), chain);
                    if (isRawRSA(info)) {
                        LOG.debug("Adding raw RSA signer.");
                        TlsSigner signer = new SmartCardSignerCredential(info);
                        cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, null);
                        credentials.add(cred);
                    }
                } catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
                    LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
                } catch (UnsupportedAlgorithmException ex) {
                    LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
                } catch (WSHelper.WSException ex) {
                    LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
                }
            }
        } else {
            // TLS >= 1.2
            LOG.info("Looking for most specific DIDs.");
            // looping over the servers alg list preserves its ordering
            for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
                for (DidInfo info : infos) {
                    LOG.debug("Checking DID={}.", info.getDidName());
                    try {
                        AlgorithmInfoType algInfo = info.getGenericCryptoMarker().getAlgorithmInfo();
                        SignatureAlgorithms alg = SignatureAlgorithms.fromAlgId(algInfo.getAlgorithmIdentifier().getAlgorithm());
                        TlsCredentialedSigner cred;
                        List<X509Certificate> chain = info.getRelatedCertificateChain();
                        Certificate clientCert = convertCert(context.getCrypto(), chain);
                        // find one DID for this problem, then continue with the next algorithm
                        if (matchesAlg(reqAlg, alg) && (alg.getHashAlg() != null || isSafeForNoneDid(reqAlg))) {
                            LOG.debug("Adding {} signer.", alg.getJcaAlg());
                            TlsSigner signer = new SmartCardSignerCredential(info);
                            cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, reqAlg);
                            credentials.add(cred);
                            // break;
                            return credentials;
                        }
                    } catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
                        LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
                    } catch (UnsupportedAlgorithmException ex) {
                        LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
                    } catch (WSHelper.WSException ex) {
                        LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
                    }
                }
            }
        }
    } catch (NoSuchDid | WSHelper.WSException ex) {
        LOG.error("Failed to access DIDs of smartcard. Proceeding without client authentication.", ex);
    }
    return credentials;
}
Also used : ArrayList(java.util.ArrayList) SecurityConditionUnsatisfiable(org.openecard.common.SecurityConditionUnsatisfiable) CertificateException(java.security.cert.CertificateException) SignatureAndHashAlgorithm(org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm) DidInfo(org.openecard.crypto.common.sal.did.DidInfo) AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType) DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner) TlsCryptoParameters(org.openecard.bouncycastle.tls.crypto.TlsCryptoParameters) TlsSigner(org.openecard.bouncycastle.tls.crypto.TlsSigner) WSHelper(org.openecard.common.WSHelper) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException) SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms) DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner) TlsCredentialedSigner(org.openecard.bouncycastle.tls.TlsCredentialedSigner) NoSuchDid(org.openecard.crypto.common.sal.did.NoSuchDid) DidInfos(org.openecard.crypto.common.sal.did.DidInfos) X509Certificate(java.security.cert.X509Certificate) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) Certificate(org.openecard.bouncycastle.tls.Certificate)

Example 8 with AlgorithmInfoType

use of iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType in project open-ecard by ecsec.

the class SmartCardCredentialFactory method isAuthCert.

private boolean isAuthCert(DidInfo info, List<X509Certificate> chain) throws WSHelper.WSException {
    AlgorithmInfoType algInfo = info.getGenericCryptoMarker().getAlgorithmInfo();
    if (!algInfo.getSupportedOperations().contains("Compute-signature")) {
        LOG.debug("DID ({}): AlgorithmInfo does not provide Compute-signature flag.", info.getDidName());
        return false;
    }
    // check authentication (digital signature) flag
    X509Certificate cert = chain.get(0);
    boolean isAuthCert = cert.getKeyUsage()[0];
    boolean isSigCert = cert.getKeyUsage()[1];
    if (!isAuthCert || isSigCert) {
        LOG.debug("DID ({}): Certificate key usage does not permit authentication signatures.", info.getDidName());
        return false;
    }
    return true;
}
Also used : AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType) X509Certificate(java.security.cert.X509Certificate)

Example 9 with AlgorithmInfoType

use of iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType in project open-ecard by ecsec.

the class SmartCardCredentialFactory method removeUnsupportedAlgs.

private List<DidInfo> removeUnsupportedAlgs(List<DidInfo> infos) {
    ArrayList<DidInfo> result = new ArrayList<>();
    for (DidInfo next : infos) {
        try {
            AlgorithmInfoType algInfo = next.getGenericCryptoMarker().getAlgorithmInfo();
            String algStr = algInfo.getAlgorithmIdentifier().getAlgorithm();
            SignatureAlgorithms alg = SignatureAlgorithms.fromAlgId(algStr);
            switch(alg) {
                case CKM_ECDSA:
                // case CKM_ECDSA_SHA1: // too weak
                case CKM_ECDSA_SHA256:
                case CKM_ECDSA_SHA384:
                case CKM_ECDSA_SHA512:
                case CKM_RSA_PKCS:
                // case CKM_SHA1_RSA_PKCS: // too weak
                case CKM_SHA256_RSA_PKCS:
                case CKM_SHA384_RSA_PKCS:
                case CKM_SHA512_RSA_PKCS:
                    result.add(next);
            }
        } catch (UnsupportedAlgorithmException ex) {
            LOG.error("Unsupported algorithm used in CIF. Skipping DID " + next.getDidName() + ".", ex);
        } catch (WSHelper.WSException ex) {
            LOG.error("Unknown error accessing DID " + next.getDidName() + ".", ex);
        }
    }
    return result;
}
Also used : WSHelper(org.openecard.common.WSHelper) DidInfo(org.openecard.crypto.common.sal.did.DidInfo) AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType) SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms) UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException) ArrayList(java.util.ArrayList)

Example 10 with AlgorithmInfoType

use of iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType in project open-ecard by ecsec.

the class SmartCardSignerCredential method getDidAlgorithm.

public SignatureAlgorithms getDidAlgorithm() {
    try {
        AlgorithmInfoType algInfo = did.getGenericCryptoMarker().getAlgorithmInfo();
        SignatureAlgorithms alg = SignatureAlgorithms.fromAlgId(algInfo.getAlgorithmIdentifier().getAlgorithm());
        return alg;
    } catch (UnsupportedAlgorithmException | WSHelper.WSException ex) {
        throw new RuntimeException("Error evaluating algorithm", ex);
    }
}
Also used : AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType) SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms) UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException)

Aggregations

AlgorithmInfoType (iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType)11 UnsupportedAlgorithmException (org.openecard.crypto.common.UnsupportedAlgorithmException)5 ArrayList (java.util.ArrayList)4 SignatureAlgorithms (org.openecard.crypto.common.SignatureAlgorithms)4 DidInfo (org.openecard.crypto.common.sal.did.DidInfo)4 AlgorithmIdentifierType (iso.std.iso_iec._24727.tech.schema.AlgorithmIdentifierType)3 CertificateRefType (iso.std.iso_iec._24727.tech.schema.CertificateRefType)3 X509Certificate (java.security.cert.X509Certificate)3 SecurityConditionUnsatisfiable (org.openecard.common.SecurityConditionUnsatisfiable)3 WSHelper (org.openecard.common.WSHelper)3 ConnectionHandleType (iso.std.iso_iec._24727.tech.schema.ConnectionHandleType)2 CryptoKeyInfoType (iso.std.iso_iec._24727.tech.schema.CryptoKeyInfoType)2 CryptoMarkerType (iso.std.iso_iec._24727.tech.schema.CryptoMarkerType)2 DIDInfoType (iso.std.iso_iec._24727.tech.schema.DIDInfoType)2 JAXBElement (javax.xml.bind.JAXBElement)2 QName (javax.xml.namespace.QName)2 ThreadTerminateException (org.openecard.common.ThreadTerminateException)2 CryptoMarkerType (org.openecard.crypto.common.sal.did.CryptoMarkerType)2 DidInfos (org.openecard.crypto.common.sal.did.DidInfos)2 AccessControlListType (iso.std.iso_iec._24727.tech.schema.AccessControlListType)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial