Search in sources :

Example 6 with UnsupportedAlgorithmException

use of org.openecard.crypto.common.UnsupportedAlgorithmException in project open-ecard by ecsec.

the class ChipGateway method createGetCommandRequest.

private GetCommandType createGetCommandRequest() {
    GetCommandType cmd = new GetCommandType();
    cmd.setSessionIdentifier(sessionId);
    // add token info
    try {
        ListTokens helper = new ListTokens(Collections.EMPTY_LIST, addonCtx);
        List<TokenInfoType> matchedTokens = helper.findTokens();
        cmd.getTokenInfo().addAll(matchedTokens);
    } catch (UnsupportedAlgorithmException ex) {
        throw new RuntimeException("Unexpected error in empty token filter.", ex);
    } catch (WSHelper.WSException ex) {
        LOG.error("Error requesting initial list of tokens.");
    }
    return cmd;
}
Also used : WSHelper(org.openecard.common.WSHelper) TokenInfoType(org.openecard.ws.chipgateway.TokenInfoType) UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException) GetCommandType(org.openecard.ws.chipgateway.GetCommandType)

Example 7 with UnsupportedAlgorithmException

use of org.openecard.crypto.common.UnsupportedAlgorithmException in project open-ecard by ecsec.

the class CardSpecType method getMappedSignatureAlgorithms.

@Nonnull
public EnumSet<SignatureAlgorithms> getMappedSignatureAlgorithms() {
    if (getSignatureAlgorithms().isEmpty()) {
        return EnumSet.allOf(SignatureAlgorithms.class);
    } else {
        EnumSet result = EnumSet.noneOf(SignatureAlgorithms.class);
        for (String next : getSignatureAlgorithms()) {
            try {
                SignatureAlgorithms alg = SignatureAlgorithms.fromJcaName(next);
                result.add(alg);
            } catch (UnsupportedAlgorithmException ex) {
                LOG.warn("Unknown JCA name specified as allowed signature algorithm: {}", next);
            }
        }
        return result;
    }
}
Also used : EnumSet(java.util.EnumSet) SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms) UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException) Nonnull(javax.annotation.Nonnull)

Example 8 with UnsupportedAlgorithmException

use of org.openecard.crypto.common.UnsupportedAlgorithmException in project open-ecard by ecsec.

the class CIFCreator method getSigAlgs.

private List<SignatureAlgorithms> getSigAlgs(MwPublicKey pubKey) throws CryptokiException {
    ArrayList<SignatureAlgorithms> sigAlgs = new ArrayList<>();
    long[] mechanisms = pubKey.getAllowedMechanisms();
    if (mechanisms.length == 0) {
        try {
            MwPrivateKey privKey = null;
            List<MwPrivateKey> privKeys = session.getPrivateKeys();
            for (MwPrivateKey next : privKeys) {
                if (next.getKeyLabel().equals(pubKey.getKeyLabel())) {
                    privKey = next;
                    break;
                }
            }
            if (privKey != null) {
                mechanisms = privKey.getAllowedMechanisms();
            }
        } catch (CryptokiException ex) {
            LOG.info("Could not access private key objetcs.");
        }
    }
    if (mechanisms.length == 0) {
        // no mechanisms available, ask what the card has to offer and assume this is also what the key offers
        try {
            List<MwMechanism> allMechanisms = session.getSlot().getMechanismList();
            for (MwMechanism mechanism : allMechanisms) {
                if (!mechanism.isSignatureAlgorithm()) {
                    // skipping non signature mechanism
                    continue;
                }
                if (!mechanism.hasFlags(CryptokiLibrary.CKF_SIGN)) {
                    // sign function does not work with that
                    continue;
                }
                addMechanism(pubKey, mechanism, sigAlgs);
            }
            // this is usually supported despite the middleware doesn't claim it
            if (sigAlgs.isEmpty()) {
                LOG.info("Trying to add raw RSA algorithm.");
                for (MwMechanism mechanism : allMechanisms) {
                    if (mechanism.getType() == CryptokiLibrary.CKM_RSA_PKCS) {
                        addMechanism(pubKey, mechanism, sigAlgs);
                        // no need to search longer if we have found it
                        break;
                    }
                }
            }
        } catch (CryptokiException ex) {
            LOG.error("Failed to read mechanisms from card.", ex);
        }
        // too bad we have nothing
        if (sigAlgs.isEmpty()) {
            LOG.error("Could not find any suitable algorithms for DID.");
        }
    } else {
        // convert each of the mechanisms
        for (long m : mechanisms) {
            try {
                SignatureAlgorithms sigAlg = SignatureAlgorithms.fromMechanismId(m);
                LOG.debug("Key signature algorithm: {}", sigAlg);
                sigAlgs.add(sigAlg);
            } catch (UnsupportedAlgorithmException ex) {
                String mStr = String.format("%#010x", m);
                LOG.error("Skipping unknown signature algorithm ({}).", mStr);
            }
        }
    }
    return sigAlgs;
}
Also used : CryptokiException(org.openecard.mdlw.sal.exceptions.CryptokiException) SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms) UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException) ArrayList(java.util.ArrayList)

Example 9 with UnsupportedAlgorithmException

use of org.openecard.crypto.common.UnsupportedAlgorithmException in project open-ecard by ecsec.

the class SmartCardCredentialFactory method getClientCredentials.

@Override
public List<TlsCredentialedSigner> getClientCredentials(CertificateRequest cr) {
    ArrayList<TlsCredentialedSigner> credentials = new ArrayList<>();
    TlsCryptoParameters tlsCrypto = new TlsCryptoParameters(context);
    LOG.debug("Selecting a suitable DID for the following requested algorithms:");
    ArrayList<SignatureAndHashAlgorithm> crSigAlgs = getCrSigAlgs(cr);
    removeUnsupportedAlgs(crSigAlgs);
    for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
        String reqAlgStr = String.format("%s-%s", SignatureAlgorithm.getText(reqAlg.getSignature()), HashAlgorithm.getText(reqAlg.getHash()));
        LOG.debug("  {}", reqAlgStr);
    }
    try {
        DidInfos didInfos = tokenCache.getInfo(null, handle);
        List<DidInfo> infos = didInfos.getCryptoDidInfos();
        printCerts(infos);
        // remove unsuitable DIDs
        LOG.info("Sorting out DIDs not able to handle the TLS request.");
        infos = removeSecretCertDids(infos);
        infos = removeNonAuthDids(infos);
        infos = removeUnsupportedAlgs(infos);
        infos = removeUnsupportedCerts(cr, infos);
        // infos = nonRawFirst(infos);
        LOG.info("Creating signer instances for the TLS Client Certificate signature.");
        // TLS < 1.2
        if (crSigAlgs.isEmpty()) {
            LOG.info("Looking for a raw RSA DID.");
            for (DidInfo info : infos) {
                try {
                    LOG.debug("Checking DID= {}.", info.getDidName());
                    TlsCredentialedSigner cred;
                    List<X509Certificate> chain = info.getRelatedCertificateChain();
                    Certificate clientCert = convertCert(context.getCrypto(), chain);
                    if (isRawRSA(info)) {
                        LOG.debug("Adding raw RSA signer.");
                        TlsSigner signer = new SmartCardSignerCredential(info);
                        cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, null);
                        credentials.add(cred);
                    }
                } catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
                    LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
                } catch (UnsupportedAlgorithmException ex) {
                    LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
                } catch (WSHelper.WSException ex) {
                    LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
                }
            }
        } else {
            // TLS >= 1.2
            LOG.info("Looking for most specific DIDs.");
            // looping over the servers alg list preserves its ordering
            for (SignatureAndHashAlgorithm reqAlg : crSigAlgs) {
                for (DidInfo info : infos) {
                    LOG.debug("Checking DID={}.", info.getDidName());
                    try {
                        AlgorithmInfoType algInfo = info.getGenericCryptoMarker().getAlgorithmInfo();
                        SignatureAlgorithms alg = SignatureAlgorithms.fromAlgId(algInfo.getAlgorithmIdentifier().getAlgorithm());
                        TlsCredentialedSigner cred;
                        List<X509Certificate> chain = info.getRelatedCertificateChain();
                        Certificate clientCert = convertCert(context.getCrypto(), chain);
                        // find one DID for this problem, then continue with the next algorithm
                        if (matchesAlg(reqAlg, alg) && (alg.getHashAlg() != null || isSafeForNoneDid(reqAlg))) {
                            LOG.debug("Adding {} signer.", alg.getJcaAlg());
                            TlsSigner signer = new SmartCardSignerCredential(info);
                            cred = new DefaultTlsCredentialedSigner(tlsCrypto, signer, clientCert, reqAlg);
                            credentials.add(cred);
                            // break;
                            return credentials;
                        }
                    } catch (SecurityConditionUnsatisfiable | NoSuchDid | CertificateException | IOException ex) {
                        LOG.error("Failed to read certificates from card. Skipping DID " + info.getDidName() + ".", ex);
                    } catch (UnsupportedAlgorithmException ex) {
                        LOG.error("Unsupported algorithm used in CIF. Skipping DID " + info.getDidName() + ".", ex);
                    } catch (WSHelper.WSException ex) {
                        LOG.error("Unknown error accessing DID " + info.getDidName() + ".", ex);
                    }
                }
            }
        }
    } catch (NoSuchDid | WSHelper.WSException ex) {
        LOG.error("Failed to access DIDs of smartcard. Proceeding without client authentication.", ex);
    }
    return credentials;
}
Also used : ArrayList(java.util.ArrayList) SecurityConditionUnsatisfiable(org.openecard.common.SecurityConditionUnsatisfiable) CertificateException(java.security.cert.CertificateException) SignatureAndHashAlgorithm(org.openecard.bouncycastle.tls.SignatureAndHashAlgorithm) DidInfo(org.openecard.crypto.common.sal.did.DidInfo) AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType) DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner) TlsCryptoParameters(org.openecard.bouncycastle.tls.crypto.TlsCryptoParameters) TlsSigner(org.openecard.bouncycastle.tls.crypto.TlsSigner) WSHelper(org.openecard.common.WSHelper) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException) SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms) DefaultTlsCredentialedSigner(org.openecard.bouncycastle.tls.DefaultTlsCredentialedSigner) TlsCredentialedSigner(org.openecard.bouncycastle.tls.TlsCredentialedSigner) NoSuchDid(org.openecard.crypto.common.sal.did.NoSuchDid) DidInfos(org.openecard.crypto.common.sal.did.DidInfos) X509Certificate(java.security.cert.X509Certificate) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) Certificate(org.openecard.bouncycastle.tls.Certificate)

Example 10 with UnsupportedAlgorithmException

use of org.openecard.crypto.common.UnsupportedAlgorithmException in project open-ecard by ecsec.

the class SmartCardCredentialFactory method removeUnsupportedAlgs.

private List<DidInfo> removeUnsupportedAlgs(List<DidInfo> infos) {
    ArrayList<DidInfo> result = new ArrayList<>();
    for (DidInfo next : infos) {
        try {
            AlgorithmInfoType algInfo = next.getGenericCryptoMarker().getAlgorithmInfo();
            String algStr = algInfo.getAlgorithmIdentifier().getAlgorithm();
            SignatureAlgorithms alg = SignatureAlgorithms.fromAlgId(algStr);
            switch(alg) {
                case CKM_ECDSA:
                // case CKM_ECDSA_SHA1: // too weak
                case CKM_ECDSA_SHA256:
                case CKM_ECDSA_SHA384:
                case CKM_ECDSA_SHA512:
                case CKM_RSA_PKCS:
                // case CKM_SHA1_RSA_PKCS: // too weak
                case CKM_SHA256_RSA_PKCS:
                case CKM_SHA384_RSA_PKCS:
                case CKM_SHA512_RSA_PKCS:
                    result.add(next);
            }
        } catch (UnsupportedAlgorithmException ex) {
            LOG.error("Unsupported algorithm used in CIF. Skipping DID " + next.getDidName() + ".", ex);
        } catch (WSHelper.WSException ex) {
            LOG.error("Unknown error accessing DID " + next.getDidName() + ".", ex);
        }
    }
    return result;
}
Also used : WSHelper(org.openecard.common.WSHelper) DidInfo(org.openecard.crypto.common.sal.did.DidInfo) AlgorithmInfoType(iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType) SignatureAlgorithms(org.openecard.crypto.common.SignatureAlgorithms) UnsupportedAlgorithmException(org.openecard.crypto.common.UnsupportedAlgorithmException) ArrayList(java.util.ArrayList)

Aggregations

UnsupportedAlgorithmException (org.openecard.crypto.common.UnsupportedAlgorithmException)12 SignatureAlgorithms (org.openecard.crypto.common.SignatureAlgorithms)8 WSHelper (org.openecard.common.WSHelper)6 AlgorithmInfoType (iso.std.iso_iec._24727.tech.schema.AlgorithmInfoType)5 DidInfo (org.openecard.crypto.common.sal.did.DidInfo)5 ArrayList (java.util.ArrayList)4 SecurityConditionUnsatisfiable (org.openecard.common.SecurityConditionUnsatisfiable)4 DidInfos (org.openecard.crypto.common.sal.did.DidInfos)4 ThreadTerminateException (org.openecard.common.ThreadTerminateException)3 ConnectionHandleType (iso.std.iso_iec._24727.tech.schema.ConnectionHandleType)2 IOException (java.io.IOException)2 X509Certificate (java.security.cert.X509Certificate)2 ParameterInvalid (org.openecard.addons.cg.ex.ParameterInvalid)2 SlotHandleInvalid (org.openecard.addons.cg.ex.SlotHandleInvalid)2 InvocationTargetExceptionUnchecked (org.openecard.common.interfaces.InvocationTargetExceptionUnchecked)2 CryptoMarkerType (org.openecard.crypto.common.sal.did.CryptoMarkerType)2 NoSuchDid (org.openecard.crypto.common.sal.did.NoSuchDid)2 AlgorithmIdentifierType (iso.std.iso_iec._24727.tech.schema.AlgorithmIdentifierType)1 DIDStructureType (iso.std.iso_iec._24727.tech.schema.DIDStructureType)1 HashGenerationInfoType (iso.std.iso_iec._24727.tech.schema.HashGenerationInfoType)1