Search in sources :

Example 1 with SignatureAndHashAlgorithm

use of org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm in project open-ecard by ecsec.

the class ClientCertDefaultTlsClient method getSupportedSignatureAlgorithms.

@Override
protected Vector getSupportedSignatureAlgorithms() {
    boolean weakCrypto = Boolean.valueOf(OpenecardProperties.getProperty("legacy.weak_crypto"));
    TlsCrypto crypto = context.getCrypto();
    short[] hashAlgorithms;
    if (!weakCrypto) {
        hashAlgorithms = new short[] { HashAlgorithm.sha512, HashAlgorithm.sha384, HashAlgorithm.sha256, HashAlgorithm.sha224 };
    } else {
        hashAlgorithms = new short[] { HashAlgorithm.sha512, HashAlgorithm.sha384, HashAlgorithm.sha256, HashAlgorithm.sha224, HashAlgorithm.sha1 };
    }
    short[] signatureAlgorithms = new short[] { SignatureAlgorithm.rsa, SignatureAlgorithm.ecdsa };
    Vector result = new Vector();
    for (int i = 0; i < signatureAlgorithms.length; ++i) {
        for (int j = 0; j < hashAlgorithms.length; ++j) {
            SignatureAndHashAlgorithm alg = new SignatureAndHashAlgorithm(hashAlgorithms[j], signatureAlgorithms[i]);
            if (crypto.hasSignatureAndHashAlgorithm(alg)) {
                result.addElement(alg);
            }
        }
    }
    return result;
}
Also used : Vector(java.util.Vector) TlsCrypto(org.openecard.bouncycastle.tls.crypto.TlsCrypto) SignatureAndHashAlgorithm(org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm)

Example 2 with SignatureAndHashAlgorithm

use of org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm in project open-ecard by ecsec.

the class ClientCertPSKTlsClient method getSupportedSignatureAlgorithms.

@Override
protected Vector getSupportedSignatureAlgorithms() {
    boolean weakCrypto = Boolean.valueOf(OpenecardProperties.getProperty("legacy.weak_crypto"));
    TlsCrypto crypto = context.getCrypto();
    short[] hashAlgorithms;
    if (!weakCrypto) {
        hashAlgorithms = new short[] { HashAlgorithm.sha512, HashAlgorithm.sha384, HashAlgorithm.sha256, HashAlgorithm.sha224 };
    } else {
        hashAlgorithms = new short[] { HashAlgorithm.sha512, HashAlgorithm.sha384, HashAlgorithm.sha256, HashAlgorithm.sha224, HashAlgorithm.sha1 };
    }
    short[] signatureAlgorithms = new short[] { SignatureAlgorithm.rsa, SignatureAlgorithm.ecdsa };
    Vector result = new Vector();
    for (int i = 0; i < signatureAlgorithms.length; ++i) {
        for (int j = 0; j < hashAlgorithms.length; ++j) {
            SignatureAndHashAlgorithm alg = new SignatureAndHashAlgorithm(hashAlgorithms[j], signatureAlgorithms[i]);
            if (crypto.hasSignatureAndHashAlgorithm(alg)) {
                result.addElement(alg);
            }
        }
    }
    return result;
}
Also used : Vector(java.util.Vector) TlsCrypto(org.openecard.bouncycastle.tls.crypto.TlsCrypto) SignatureAndHashAlgorithm(org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm)

Example 3 with SignatureAndHashAlgorithm

use of org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm in project open-ecard by ecsec.

the class SmartCardCredentialFactory method convertSignatureAlgorithm.

@Nullable
private static SignatureAndHashAlgorithm convertSignatureAlgorithm(SignatureAlgorithms alg) {
    HashAlgorithms hashAlg = alg.getHashAlg();
    KeyTypes keyType = alg.getKeyType();
    short hash;
    if (hashAlg != null) {
        switch(hashAlg) {
            case CKM_SHA_1:
                hash = HashAlgorithm.sha1;
                break;
            case CKM_SHA224:
                hash = HashAlgorithm.sha224;
                break;
            case CKM_SHA256:
                hash = HashAlgorithm.sha256;
                break;
            case CKM_SHA384:
                hash = HashAlgorithm.sha384;
                break;
            case CKM_SHA512:
                hash = HashAlgorithm.sha512;
                break;
            default:
                throw new IllegalArgumentException("Unsupported hash algorithm selected.");
        }
    } else {
        return null;
    }
    short sig;
    switch(keyType) {
        case CKK_RSA:
            sig = SignatureAlgorithm.rsa;
            break;
        case CKK_EC:
            sig = SignatureAlgorithm.ecdsa;
            break;
        default:
            throw new IllegalArgumentException("Unsupported signature algorithm selected.");
    }
    return new SignatureAndHashAlgorithm(hash, sig);
}
Also used : HashAlgorithms(org.openecard.crypto.common.HashAlgorithms) KeyTypes(org.openecard.crypto.common.KeyTypes) SignatureAndHashAlgorithm(org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm) Nullable(javax.annotation.Nullable)

Example 4 with SignatureAndHashAlgorithm

use of org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm in project open-ecard by ecsec.

the class SmartCardCredentialFactory method getClientCredentials.

@Override
public List<TlsCredentialedSigner> getClientCredentials(CertificateRequest cr) {
    ArrayList<TlsCredentialedSigner> credentials = new ArrayList<>();
    TlsCryptoParameters tlsCrypto = new TlsCryptoParameters(context);
    LOG.debug("Selecting a suitable DID for the following requested algorithms:");
    ArrayList<SignatureAndHashAlgorithm> crSigAlgs = getCrSigAlgs(cr);
    removeUnsupportedAlgs(crSigAlgs);
    for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
        String reqAlgStr = String.format("%s-%s", SignatureAlgorithm.getText(reqAlg.getSignature()), HashAlgorithm.getText(reqAlg.getHash()));
        LOG.debug("  {}", reqAlgStr);
    }
    try {
        DidInfos didInfos = tokenCache.getInfo(null, handle);
        List<DidInfo> infos = didInfos.getCryptoDidInfos();
        printCerts(infos);
        // remove unsuitable DIDs
        LOG.info("Sorting out DIDs not able to handle the TLS request.");
        infos = removeSecretCertDids(infos);
        infos = removeNonAuthDids(infos);
        infos = removeUnsupportedAlgs(infos);
        infos = removeUnsupportedCerts(cr, infos);
        // infos = nonRawFirst(infos);
        LOG.info("Creating signer instances for the TLS Client Certificate signature.");
        // TLS < 1.2
        if (crSigAlgs.isEmpty()) {
            LOG.info("Looking for a raw RSA DID.");
            for (DidInfo info : infos) {
                try {
                    LOG.debug("Checking DID= {}.", info.getDidName());
                    TlsCredentialedSigner cred;
                    List<X509Certificate> chain = info.getRelatedCertificateChain();
                    Certificate clientCert = convertCert(context.getCrypto(), chain);
                    if (isRawRSA(info)) {
                        LOG.debug("Adding raw RSA signer.");
                        TlsSigner signer = new SmartCardSignerCredential(info);
                        cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, null);
                        credentials.add(cred);
                    }
                } catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
                    LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
                } catch (UnsupportedAlgorithmException ex) {
                    LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
                } catch (WSHelper.WSException ex) {
                    LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
                }
            }
        } else {
            // TLS >= 1.2
            LOG.info("Looking for most specific DIDs.");
            // looping over the servers alg list preserves its ordering
            for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
                for (DidInfo info : infos) {
                    LOG.debug("Checking DID={}.", info.getDidName());
                    try {
                        AlgorithmInfoType algInfo = info.getGenericCryptoMarker().getAlgorithmInfo();
                        SignatureAlgorithms alg = SignatureAlgorithms.fromAlgId(algInfo.getAlgorithmIdentifier().getAlgorithm());
                        TlsCredentialedSigner cred;
                        List<X509Certificate> chain = info.getRelatedCertificateChain();
                        Certificate clientCert = convertCert(context.getCrypto(), chain);
                        // find one DID for this problem, then continue with the next algorithm
                        if (matchesAlg(reqAlg, alg) && (alg.getHashAlg() != null || isSafeForNoneDid(reqAlg))) {
                            LOG.debug("Adding {} signer.", alg.getJcaAlg());
                            TlsSigner signer = new SmartCardSignerCredential(info);
                            cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, reqAlg);
                            credentials.add(cred);
                            // break;
                            return credentials;
                        }
                    } catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
                        LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
                    } catch (UnsupportedAlgorithmException ex) {
                        LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
                    } catch (WSHelper.WSException ex) {
                        LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
                    }
                }
            }
        }
    } catch (NoSuchDid | WSHelper.WSException ex) {
        LOG.error("Failed to access DIDs of smartcard. Proceeding without client authentication.", ex);
    }
    return credentials;
}
Also used : ArrayList(java.util.ArrayList) SecurityConditionUnsatisfiable(org.openecard.common.SecurityConditionUnsatisfiable) CertificateException(java.security.cert.CertificateException) SignatureAndHashAlgorithm(org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm) DidInfo(org.openecard.crypto.common.sal.did.DidInfo) AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType) DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner) TlsCryptoParameters(org.openecard.bouncycastle.tls.crypto.TlsCryptoParameters) TlsSigner(org.openecard.bouncycastle.tls.crypto.TlsSigner) WSHelper(org.openecard.common.WSHelper) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException) SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms) DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner) TlsCredentialedSigner(org.openecard.bouncycastle.tls.TlsCredentialedSigner) NoSuchDid(org.openecard.crypto.common.sal.did.NoSuchDid) DidInfos(org.openecard.crypto.common.sal.did.DidInfos) X509Certificate(java.security.cert.X509Certificate) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) Certificate(org.openecard.bouncycastle.tls.Certificate)

Aggregations

SignatureAndHashAlgorithm (org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm)4 Vector (java.util.Vector)2 TlsCrypto (org.openecard.bouncycastle.tls.crypto.TlsCrypto)2 AlgorithmInfoType (iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType)1 IOException (java.io.IOException)1 CertificateException (java.security.cert.CertificateException)1 X509Certificate (java.security.cert.X509Certificate)1 ArrayList (java.util.ArrayList)1 Nullable (javax.annotation.Nullable)1 Certificate (org.openecard.bouncycastle.tls.Certificate)1 DefaultTlsCredentialedSigner (org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner)1 TlsCredentialedSigner (org.openecard.bouncycastle.tls.TlsCredentialedSigner)1 TlsCertificate (org.openecard.bouncycastle.tls.crypto.TlsCertificate)1 TlsCryptoParameters (org.openecard.bouncycastle.tls.crypto.TlsCryptoParameters)1 TlsSigner (org.openecard.bouncycastle.tls.crypto.TlsSigner)1 SecurityConditionUnsatisfiable (org.openecard.common.SecurityConditionUnsatisfiable)1 WSHelper (org.openecard.common.WSHelper)1 HashAlgorithms (org.openecard.crypto.common.HashAlgorithms)1 KeyTypes (org.openecard.crypto.common.KeyTypes)1 SignatureAlgorithms (org.openecard.crypto.common.SignatureAlgorithms)1