
Example 1 with AsymmetricKeyParameter

use of org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter in project open-ecard by ecsec.

the class KeyLengthVerifier method isValid.

/**
 * Enforces the minimum public-key length on the certificates of a TLS server chain.
 * <p>
 * Each entry of the chain is re-parsed as an X.509 structure, its public key is extracted and handed to
 * {@code KeyTools.assertKeyLength}; the accepted sizes per key type are defined there, not in this method.
 * A certificate whose issuer equals its subject is treated as a root and skipped, unless it is the first
 * entry, so a self-signed server certificate is still checked.
 * <p>
 * NOTE(review): "self-signed" is decided by comparing issuer and subject names only; no signature is verified
 * here. The skip therefore presumes that path validation and trust-anchor checks happen in another verifier
 * - confirm that this check is never the only one applied to a chain.
 *
 * @param chain Certificate chain presented by the TLS server.
 * @param hostname Name of the host the chain was received from; not evaluated by this verifier.
 * @throws CertificateVerificationException In case a public key could not be extracted or a key does not
 *   satisfy the length requirements.
 */
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    // stays true until the first chain entry (the server certificate) has passed the length check
    boolean atLeaf = true;
    try {
        for (TlsCertificate entry : chain.getCertificate().getCertificateList()) {
            Certificate cert = Certificate.getInstance(entry.getEncoded());
            boolean issuerIsSubject = cert.getIssuer().equals(cert.getSubject());
            // roots are exempt from the key comparison; a self-signed leaf is not
            if (issuerIsSubject && !atLeaf) {
                continue;
            }
            // rebuild the key from its SubjectPublicKeyInfo so the size check sees the real key type
            AsymmetricKeyParameter publicKey = PublicKeyFactory.createKey(cert.getSubjectPublicKeyInfo());
            KeyTools.assertKeyLength(publicKey);
            atLeaf = false;
        }
    } catch (IOException ex) {
        throw new CertificateVerificationException("Failed to extract public key from certificate.", ex);
    } catch (KeyLengthException ex) {
        throw new CertificateVerificationException("The key in the certificate does not satisfy the length requirements.", ex);
    }
}
Also used : AsymmetricKeyParameter(org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter) CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException) IOException(java.io.IOException) SubjectPublicKeyInfo(org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo) KeyLengthException(org.openecard.crypto.common.keystore.KeyLengthException) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate) Certificate(org.openecard.bouncycastle.asn1.x509.Certificate) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)

Example 2 with AsymmetricKeyParameter

use of org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter in project open-ecard by ecsec.

the class KeyStoreSigner method sign.

// /**
// * Gets the certificate for this KeyStore entry converted to a BouncyCastle TLS certificate.
// *
// * @return The certificate chain in BouncyCastle format.
// * @throws CertificateException Thrown in case the certificate could not be found or converted.
// * @throws IllegalStateException Thrown in case the keystore is not initialized.
// */
// @Nonnull
// public synchronized Certificate getCertificateChain() throws CertificateException {
// if (bcCert == null) {
// try {
// java.security.cert.Certificate[] jcaCerts = getJCACertificateChain();
// bcCert = KeyTools.convertCertificates(jcaCerts);
// } catch (KeyStoreException ex) {
// throw new IllegalStateException("Uninitialized keystore supplied.");
// }
// }
// return bcCert;
// }
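/**
 * Signs the given hash with the entry represented by this instance.
 * <p>
 * The input is signed as supplied: both signer configurations use a {@code NullDigest}, so this method does
 * not hash anything itself. The caller must pass a digest that was already computed with the algorithm named
 * in {@code sigHashAlg}.
 * NOTE(review): no check of {@code hash.length} against the selected hash algorithm is visible here - confirm
 * that callers guarantee a digest of the right size.
 *
 * @param sigHashAlg Signature and hash algorithm. If {@code null}, the hash is PKCS#1 v1.5 padded and signed
 *   without a DigestInfo wrapper; otherwise it is wrapped in a DigestInfo carrying the OID of the hash
 *   algorithm.
 * @param hash The hash that should be signed.
 * @return Signature of the given hash.
 * @throws SignatureException In case the signature could not be created, the entry is not an RSA private key
 *   or the key cannot be exported in encoded form.
 * @throws CredentialPermissionDenied In case the signature could not be performed by the token due to missing
 *   permissions.
 * @throws IllegalStateException In case the keystore has not been initialized.
 */
public byte[] sign(@Nullable SignatureAndHashAlgorithm sigHashAlg, @Nonnull byte[] hash) throws SignatureException, CredentialPermissionDenied {
    try {
        Key key = keyStore.getKey(alias, password);
        // instanceof is also false for null, i.e. when the alias has no key entry
        if (!(key instanceof RSAPrivateKey)) {
            throw new SignatureException("No private key available for the sign operation.");
        }

        // Key.getEncoded() returns null for keys that do not support encoding (e.g. non-exportable keys);
        // fail with the declared exception type instead of an unchecked error from the key factory
        byte[] encodedKey = key.getEncoded();
        if (encodedKey == null) {
            throw new SignatureException("Private key does not provide an encoded form.");
        }
        AsymmetricKeyParameter bcKey = PrivateKeyFactory.createKey(encodedKey);

        Signer signer;
        if (sigHashAlg == null) {
            // raw PKCS#1 v1.5 padding over the supplied bytes, no DigestInfo
            signer = new GenericSigner(new PKCS1Encoding(new RSABlindedEngine()), new NullDigest());
        } else {
            // DigestInfo with the hash OID is built around the supplied bytes
            ASN1ObjectIdentifier hashOid = TlsUtils.getOIDForHashAlgorithm(sigHashAlg.getHash());
            signer = new RSADigestSigner(new NullDigest(), hashOid);
        }
        // the random source is used by the blinded RSA engine
        signer.init(true, new ParametersWithRandom(bcKey, ReusableSecureRandom.getInstance()));
        signer.update(hash, 0, hash.length);
        return signer.generateSignature();
    } catch (KeyStoreException ex) {
        // keep the cause so the failing keystore operation stays visible in logs
        throw new IllegalStateException("Keystore is not initialized.", ex);
    } catch (UnrecoverableKeyException ex) {
        throw new CredentialPermissionDenied("No usable key could be retrieved from the keystore.", ex);
    } catch (NoSuchAlgorithmException ex) {
        throw new SignatureException("Requested algorithm is not available.", ex);
    } catch (IOException ex) {
        // keep the cause; the message alone does not say why the key could not be parsed
        throw new SignatureException("Failed to convert private key to BC class.", ex);
    } catch (CryptoException ex) {
        throw new SignatureException("Failed to compute signature.", ex);
    }
}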
Also used : GenericSigner(org.openecard.bouncycastle.crypto.signers.GenericSigner) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) PrivateKey(java.security.PrivateKey) PKCS1Encoding(org.openecard.bouncycastle.crypto.encodings.PKCS1Encoding) NullDigest(org.openecard.bouncycastle.crypto.digests.NullDigest) ParametersWithRandom(org.openecard.bouncycastle.crypto.params.ParametersWithRandom) SignatureException(java.security.SignatureException) KeyStoreException(java.security.KeyStoreException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) IOException(java.io.IOException) Signer(org.openecard.bouncycastle.crypto.Signer) RSADigestSigner(org.openecard.bouncycastle.crypto.signers.RSADigestSigner) GenericSigner(org.openecard.bouncycastle.crypto.signers.GenericSigner) AsymmetricKeyParameter(org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter) UnrecoverableKeyException(java.security.UnrecoverableKeyException) RSABlindedEngine(org.openecard.bouncycastle.crypto.engines.RSABlindedEngine) RSADigestSigner(org.openecard.bouncycastle.crypto.signers.RSADigestSigner) CryptoException(org.openecard.bouncycastle.crypto.CryptoException) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) CredentialPermissionDenied(org.openecard.crypto.common.sal.did.CredentialPermissionDenied) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) Key(java.security.Key) PrivateKey(java.security.PrivateKey) ASN1ObjectIdentifier(org.openecard.bouncycastle.asn1.ASN1ObjectIdentifier)

Aggregations

IOException (java.io.IOException)2 AsymmetricKeyParameter (org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter)2 Key (java.security.Key)1 KeyStoreException (java.security.KeyStoreException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 PrivateKey (java.security.PrivateKey)1 SignatureException (java.security.SignatureException)1 UnrecoverableKeyException (java.security.UnrecoverableKeyException)1 RSAPrivateKey (java.security.interfaces.RSAPrivateKey)1 ASN1ObjectIdentifier (org.openecard.bouncycastle.asn1.ASN1ObjectIdentifier)1 Certificate (org.openecard.bouncycastle.asn1.x509.Certificate)1 SubjectPublicKeyInfo (org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo)1 CryptoException (org.openecard.bouncycastle.crypto.CryptoException)1 Signer (org.openecard.bouncycastle.crypto.Signer)1 NullDigest (org.openecard.bouncycastle.crypto.digests.NullDigest)1 PKCS1Encoding (org.openecard.bouncycastle.crypto.encodings.PKCS1Encoding)1 RSABlindedEngine (org.openecard.bouncycastle.crypto.engines.RSABlindedEngine)1 ParametersWithRandom (org.openecard.bouncycastle.crypto.params.ParametersWithRandom)1 GenericSigner (org.openecard.bouncycastle.crypto.signers.GenericSigner)1 RSADigestSigner (org.openecard.bouncycastle.crypto.signers.RSADigestSigner)1