Search in sources :

Example 1 with TlsCryptoParameters

use of org.openecard.bouncycastle.tls.crypto.TlsCryptoParameters in project open-ecard by ecsec.

the class SmartCardCredentialFactory method getClientCredentials.

@Override
public List<TlsCredentialedSigner> getClientCredentials(CertificateRequest cr) {
    ArrayList<TlsCredentialedSigner> credentials = new ArrayList<>();
    TlsCryptoParameters tlsCrypto = new TlsCryptoParameters(context);
    LOG.debug("Selecting a suitable DID for the following requested algorithms:");
    ArrayList<SignatureAndHashAlgorithm> crSigAlgs = getCrSigAlgs(cr);
    removeUnsupportedAlgs(crSigAlgs);
    for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
        String reqAlgStr = String.format("%s-%s", SignatureAlgorithm.getText(reqAlg.getSignature()), HashAlgorithm.getText(reqAlg.getHash()));
        LOG.debug("  {}", reqAlgStr);
    }
    try {
        DidInfos didInfos = tokenCache.getInfo(null, handle);
        List<DidInfo> infos = didInfos.getCryptoDidInfos();
        printCerts(infos);
        // remove unsuitable DIDs
        LOG.info("Sorting out DIDs not able to handle the TLS request.");
        infos = removeSecretCertDids(infos);
        infos = removeNonAuthDids(infos);
        infos = removeUnsupportedAlgs(infos);
        infos = removeUnsupportedCerts(cr, infos);
        // infos = nonRawFirst(infos);
        LOG.info("Creating signer instances for the TLS Client Certificate signature.");
        // TLS < 1.2
        if (crSigAlgs.isEmpty()) {
            LOG.info("Looking for a raw RSA DID.");
            for (DidInfo info : infos) {
                try {
                    LOG.debug("Checking DID= {}.", info.getDidName());
                    TlsCredentialedSigner cred;
                    List<X509Certificate> chain = info.getRelatedCertificateChain();
                    Certificate clientCert = convertCert(context.getCrypto(), chain);
                    if (isRawRSA(info)) {
                        LOG.debug("Adding raw RSA signer.");
                        TlsSigner signer = new SmartCardSignerCredential(info);
                        cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, null);
                        credentials.add(cred);
                    }
                } catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
                    LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
                } catch (UnsupportedAlgorithmException ex) {
                    LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
                } catch (WSHelper.WSException ex) {
                    LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
                }
            }
        } else {
            // TLS >= 1.2
            LOG.info("Looking for most specific DIDs.");
            // looping over the servers alg list preserves its ordering
            for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
                for (DidInfo info : infos) {
                    LOG.debug("Checking DID={}.", info.getDidName());
                    try {
                        AlgorithmInfoType algInfo = info.getGenericCryptoMarker().getAlgorithmInfo();
                        SignatureAlgorithms alg = SignatureAlgorithms.fromAlgId(algInfo.getAlgorithmIdentifier().getAlgorithm());
                        TlsCredentialedSigner cred;
                        List<X509Certificate> chain = info.getRelatedCertificateChain();
                        Certificate clientCert = convertCert(context.getCrypto(), chain);
                        // find one DID for this problem, then continue with the next algorithm
                        if (matchesAlg(reqAlg, alg) && (alg.getHashAlg() != null || isSafeForNoneDid(reqAlg))) {
                            LOG.debug("Adding {} signer.", alg.getJcaAlg());
                            TlsSigner signer = new SmartCardSignerCredential(info);
                            cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, reqAlg);
                            credentials.add(cred);
                            // break;
                            return credentials;
                        }
                    } catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
                        LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
                    } catch (UnsupportedAlgorithmException ex) {
                        LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
                    } catch (WSHelper.WSException ex) {
                        LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
                    }
                }
            }
        }
    } catch (NoSuchDid | WSHelper.WSException ex) {
        LOG.error("Failed to access DIDs of smartcard. Proceeding without client authentication.", ex);
    }
    return credentials;
}
Also used : ArrayList(java.util.ArrayList) SecurityConditionUnsatisfiable(org.openecard.common.SecurityConditionUnsatisfiable) CertificateException(java.security.cert.CertificateException) SignatureAndHashAlgorithm(org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm) DidInfo(org.openecard.crypto.common.sal.did.DidInfo) AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType) DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner) TlsCryptoParameters(org.openecard.bouncycastle.tls.crypto.TlsCryptoParameters) TlsSigner(org.openecard.bouncycastle.tls.crypto.TlsSigner) WSHelper(org.openecard.common.WSHelper) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException) SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms) DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner) TlsCredentialedSigner(org.openecard.bouncycastle.tls.TlsCredentialedSigner) NoSuchDid(org.openecard.crypto.common.sal.did.NoSuchDid) DidInfos(org.openecard.crypto.common.sal.did.DidInfos) X509Certificate(java.security.cert.X509Certificate) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) Certificate(org.openecard.bouncycastle.tls.Certificate)

Aggregations

AlgorithmInfoType (iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType)1 IOException (java.io.IOException)1 CertificateException (java.security.cert.CertificateException)1 X509Certificate (java.security.cert.X509Certificate)1 ArrayList (java.util.ArrayList)1 Certificate (org.openecard.bouncycastle.tls.Certificate)1 DefaultTlsCredentialedSigner (org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner)1 SignatureAndHashAlgorithm (org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm)1 TlsCredentialedSigner (org.openecard.bouncycastle.tls.TlsCredentialedSigner)1 TlsCertificate (org.openecard.bouncycastle.tls.crypto.TlsCertificate)1 TlsCryptoParameters (org.openecard.bouncycastle.tls.crypto.TlsCryptoParameters)1 TlsSigner (org.openecard.bouncycastle.tls.crypto.TlsSigner)1 SecurityConditionUnsatisfiable (org.openecard.common.SecurityConditionUnsatisfiable)1 WSHelper (org.openecard.common.WSHelper)1 SignatureAlgorithms (org.openecard.crypto.common.SignatureAlgorithms)1 UnsupportedAlgorithmException (org.openecard.crypto.common.UnsupportedAlgorithmException)1 DidInfo (org.openecard.crypto.common.sal.did.DidInfo)1 DidInfos (org.openecard.crypto.common.sal.did.DidInfos)1 NoSuchDid (org.openecard.crypto.common.sal.did.NoSuchDid)1