Example 1 with AsymmetricKeyParameter
use of org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter in project open-ecard by ecsec.
the class KeyLengthVerifier method isValid.
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
try {
boolean firstCert = true;
for (TlsCertificate next : chain.getCertificate().getCertificateList()) {
Certificate x509 = Certificate.getInstance(next.getEncoded());
boolean selfSigned = x509.getIssuer().equals(x509.getSubject());
// skip key comparison step if this is a root certificate, but still check self signed server certs
boolean isRootCert = selfSigned && !firstCert;
if (!isRootCert) {
// get public key and determine minimum size for the actual type
SubjectPublicKeyInfo pkInfo = x509.getSubjectPublicKeyInfo();
AsymmetricKeyParameter key = PublicKeyFactory.createKey(pkInfo);
KeyTools.assertKeyLength(key);
firstCert = false;
}
}
} catch (IOException ex) {
String msg = "Failed to extract public key from certificate.";
throw new CertificateVerificationException(msg, ex);
} catch (KeyLengthException ex) {
String msg = "The key in the certificate does not satisfy the length requirements.";
throw new CertificateVerificationException(msg, ex);
}
}
Also used :
AsymmetricKeyParameter(org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter)
CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException)
IOException(java.io.IOException)
SubjectPublicKeyInfo(org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
KeyLengthException(org.openecard.crypto.common.keystore.KeyLengthException)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate)
Certificate(org.openecard.bouncycastle.asn1.x509.Certificate)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
Example 2 with AsymmetricKeyParameter
use of org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter in project open-ecard by ecsec.
the class KeyStoreSigner method sign.
// /**
// * Gets the certificate for this KeyStore entry converted to a BouncyCastle TLS certificate.
// *
// * @return The certificate chain in BouncyCastle format.
// * @throws CertificateException Thrown in case the certificate could not be found or converted.
// * @throws IllegalStateException Thrown in case the keystore is not initialized.
// */
// @Nonnull
// public synchronized Certificate getCertificateChain() throws CertificateException {
// if (bcCert == null) {
// try {
// java.security.cert.Certificate[] jcaCerts = getJCACertificateChain();
// bcCert = KeyTools.convertCertificates(jcaCerts);
// } catch (KeyStoreException ex) {
// throw new IllegalStateException("Uninitialized keystore supplied.");
// }
// }
// return bcCert;
// }
/**
* Signs the given hash with the entry represented by this instance.
*
* @param sigHashAlg Signature and hash algorithm. If {@code null}, then use PKCS1 v1.5.
* @param hash The hash that should be signed.
* @return Signature of the given hash.
* @throws SignatureException In case the signature could not be created.
* @throws CredentialPermissionDenied In case the signature could not be performed by the token due to missing
* permissions.
*/
public byte[] sign(@Nullable SignatureAndHashAlgorithm sigHashAlg, @Nonnull byte[] hash) throws SignatureException, CredentialPermissionDenied {
try {
Key key = keyStore.getKey(alias, password);
if (!(key instanceof RSAPrivateKey)) {
throw new SignatureException("No private key available for the sign operation.");
} else {
PrivateKey pKey = (PrivateKey) key;
AsymmetricKeyParameter bcKey = PrivateKeyFactory.createKey(pKey.getEncoded());
Signer signer;
if (sigHashAlg == null) {
signer = new GenericSigner(new PKCS1Encoding(new RSABlindedEngine()), new NullDigest());
} else {
ASN1ObjectIdentifier hashOid = TlsUtils.getOIDForHashAlgorithm(sigHashAlg.getHash());
signer = new RSADigestSigner(new NullDigest(), hashOid);
}
signer.init(true, new ParametersWithRandom(bcKey, ReusableSecureRandom.getInstance()));
signer.update(hash, 0, hash.length);
byte[] signature = signer.generateSignature();
return signature;
}
} catch (KeyStoreException ex) {
throw new IllegalStateException("Keystore is not initialized.");
} catch (UnrecoverableKeyException ex) {
throw new CredentialPermissionDenied("No usable key could be retrieved from the keystore.", ex);
} catch (NoSuchAlgorithmException ex) {
throw new SignatureException("Requested algorithm is not available.", ex);
} catch (IOException ex) {
throw new SignatureException("Failed to convert private key to BC class.");
} catch (CryptoException ex) {
throw new SignatureException("Failed to compute signature.", ex);
}
}
Also used :
GenericSigner(org.openecard.bouncycastle.crypto.signers.GenericSigner)
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
PrivateKey(java.security.PrivateKey)
PKCS1Encoding(org.openecard.bouncycastle.crypto.encodings.PKCS1Encoding)
NullDigest(org.openecard.bouncycastle.crypto.digests.NullDigest)
ParametersWithRandom(org.openecard.bouncycastle.crypto.params.ParametersWithRandom)
SignatureException(java.security.SignatureException)
KeyStoreException(java.security.KeyStoreException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
IOException(java.io.IOException)
Signer(org.openecard.bouncycastle.crypto.Signer)
RSADigestSigner(org.openecard.bouncycastle.crypto.signers.RSADigestSigner)
GenericSigner(org.openecard.bouncycastle.crypto.signers.GenericSigner)
AsymmetricKeyParameter(org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
RSABlindedEngine(org.openecard.bouncycastle.crypto.engines.RSABlindedEngine)
RSADigestSigner(org.openecard.bouncycastle.crypto.signers.RSADigestSigner)
CryptoException(org.openecard.bouncycastle.crypto.CryptoException)
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
CredentialPermissionDenied(org.openecard.crypto.common.sal.did.CredentialPermissionDenied)
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
Key(java.security.Key)
PrivateKey(java.security.PrivateKey)
ASN1ObjectIdentifier(org.openecard.bouncycastle.asn1.ASN1ObjectIdentifier)
Aggregations
IOException (java.io.IOException)2
AsymmetricKeyParameter (org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter)2
Key (java.security.Key)1
KeyStoreException (java.security.KeyStoreException)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
PrivateKey (java.security.PrivateKey)1
SignatureException (java.security.SignatureException)1
UnrecoverableKeyException (java.security.UnrecoverableKeyException)1
RSAPrivateKey (java.security.interfaces.RSAPrivateKey)1
ASN1ObjectIdentifier (org.openecard.bouncycastle.asn1.ASN1ObjectIdentifier)1
Certificate (org.openecard.bouncycastle.asn1.x509.Certificate)1
SubjectPublicKeyInfo (org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo)1
CryptoException (org.openecard.bouncycastle.crypto.CryptoException)1
Signer (org.openecard.bouncycastle.crypto.Signer)1
NullDigest (org.openecard.bouncycastle.crypto.digests.NullDigest)1
PKCS1Encoding (org.openecard.bouncycastle.crypto.encodings.PKCS1Encoding)1
RSABlindedEngine (org.openecard.bouncycastle.crypto.engines.RSABlindedEngine)1
ParametersWithRandom (org.openecard.bouncycastle.crypto.params.ParametersWithRandom)1
GenericSigner (org.openecard.bouncycastle.crypto.signers.GenericSigner)1
RSADigestSigner (org.openecard.bouncycastle.crypto.signers.RSADigestSigner)1
