
Example 16 with ObjectCreationException

use of org.xipki.common.ObjectCreationException in project xipki by xipki.

the class SecurityFactoryImpl method validateSigner.

/**
 * Sanity-checks a freshly built signer by signing a fixed probe and verifying the
 * result under the signer's own public key.
 *
 * The purpose is to catch a private key that does not belong to the public key /
 * certificate the signer was configured with at construction time, instead of on
 * the first real signing request. Signers without a public key (MAC-based ones)
 * are accepted without any check.
 *
 * @param signer     the signer to probe
 * @param signerType the configured signer type, echoed into the error message
 * @param signerConf the signer configuration, echoed (password masked) into the error message
 * @throws ObjectCreationException if the keys do not match or the sign/verify round trip fails
 */
private static void validateSigner(ConcurrentContentSigner signer, String signerType, SignerConf signerConf) throws ObjectCreationException {
    // No public key means nothing to cross-check (e.g. a MAC signer).
    if (signer.getPublicKey() == null) {
        return;
    }

    final String algoName = signer.getAlgorithmName();
    // Arbitrary fixed probe; only the key pairing is being tested, not the content.
    final byte[] probe = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
    final boolean matches;
    try {
        // Verification deliberately goes through the BC provider rather than the signer itself.
        Signature verifier = Signature.getInstance(algoName, "BC");
        byte[] probeSignature = signer.sign(probe);
        verifier.initVerify(signer.getPublicKey());
        verifier.update(probe);
        matches = verifier.verify(probeSignature);
    } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException | NoSuchProviderException | NoIdleSignerException ex) {
        // Any failure of the round trip is reported with its cause attached.
        throw new ObjectCreationException(ex.getMessage(), ex);
    }

    if (!matches) {
        throw new ObjectCreationException(describeKeyMismatch(signer, signerType, signerConf, algoName));
    }
}

/**
 * Builds the error text for a private/public key mismatch, including the signer
 * type, the configuration (with the "password" entry masked) and, if the signer
 * carries a certificate, its subject.
 *
 * NOTE(review): the masking is done by rewriting the caller's SignerConf in place
 * (and an "algo" entry is added to it as a side effect). Only the "password" key
 * is redacted: any other secret-bearing entry the configuration may carry (for
 * example an inline "keystore" value) is presumably echoed verbatim into the
 * exception text and from there into logs. When no certificate is attached, the
 * quoted conf is left without a closing quote.
 */
private static String describeKeyMismatch(ConcurrentContentSigner signer, String signerType, SignerConf signerConf, String algoName) {
    if (signerConf.getConfValue("password") != null) {
        signerConf.putConfEntry("password", "****");
    }
    signerConf.putConfEntry("algo", algoName);

    StringBuilder message = new StringBuilder("private key and public key does not match, ");
    message.append("key type='").append(signerType).append("'; ");
    message.append("conf='").append(signerConf.getConf());

    X509Certificate cert = signer.getCertificate();
    if (cert != null) {
        String subject = X509Util.getRfc4519Name(cert.getSubjectX500Principal());
        message.append("', certificate subject='").append(subject).append("'");
    }
    return message.toString();
}

Example 17 with ObjectCreationException

use of org.xipki.common.ObjectCreationException in project xipki by xipki.

the class SignerFactoryRegisterImpl method newKeystoreSigner.

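/**
 * Creates a signer backed by a software-token keystore (org.xipki.security.pkcs12 builders).
 *
 * Configuration entries read from {@code conf}:
 * <ul>
 *   <li>{@code parallelism} (optional): positive integer, otherwise the security factory's default;</li>
 *   <li>{@code password} (optional): either a literal password or, when a PasswordResolver is
 *       configured, a hint the resolver turns into the password;</li>
 *   <li>{@code keystore}: {@code base64:<data>} for an inline keystore or {@code file:<path>};</li>
 *   <li>{@code key-label}: the key entry to use;</li>
 *   <li>{@code algo} (optional): tried as a MAC algorithm first; if it is one, a MAC signer is
 *       built and the key entry is used as a MAC key, otherwise it is treated as a signature
 *       algorithm.</li>
 * </ul>
 *
 * The keystore stream is closed on every path (previously a {@code file:} keystore leaked
 * its FileInputStream), and wrapped exceptions keep their cause, matching newPkcs11Signer.
 *
 * @param securityFactory supplies defaults, the password resolver and the signing RNG
 * @param type            the signer type passed through to the builder
 * @param conf            the signer configuration
 * @param certificateChain certificate chain for signature signers (unused for MAC signers)
 * @return the created signer
 * @throws ObjectCreationException on any configuration or construction error
 */
private ConcurrentContentSigner newKeystoreSigner(SecurityFactory securityFactory, String type, SignerConf conf, X509Certificate[] certificateChain) throws ObjectCreationException {
    // "parallelism": presumably the number of signing contexts the ConcurrentContentSigner keeps.
    String str = conf.getConfValue("parallelism");
    int parallelism = securityFactory.getDefaultSignerParallelism();
    if (str != null) {
        try {
            parallelism = Integer.parseInt(str);
        } catch (NumberFormatException ex) {
            throw new ObjectCreationException("invalid parallelism " + str);
        }
        if (parallelism < 1) {
            throw new ObjectCreationException("invalid parallelism " + str);
        }
    }

    char[] password = resolveKeystorePassword(securityFactory, conf);
    str = conf.getConfValue("keystore");
    String keyLabel = conf.getConfValue("key-label");
    InputStream keystoreStream = openKeystoreStream(str);

    try {
        AlgorithmIdentifier macAlgId = null;
        String algoName = conf.getConfValue("algo");
        if (algoName != null) {
            try {
                macAlgId = AlgorithmUtil.getMacAlgId(algoName);
            } catch (NoSuchAlgorithmException ex) {
                // Not a MAC algorithm name: "algo" is handled as a signature algorithm below.
            }
        }

        // The same password array is handed to the builder for both of its password parameters.
        if (macAlgId != null) {
            SoftTokenMacContentSignerBuilder macBuilder = new SoftTokenMacContentSignerBuilder(type, keystoreStream, password, keyLabel, password);
            return macBuilder.createSigner(macAlgId, parallelism, securityFactory.getRandom4Sign());
        }

        SoftTokenContentSignerBuilder signerBuilder = new SoftTokenContentSignerBuilder(type, keystoreStream, password, keyLabel, password, certificateChain);
        AlgorithmIdentifier signatureAlgId;
        if (conf.getHashAlgo() == null) {
            signatureAlgId = AlgorithmUtil.getSigAlgId(null, conf);
        } else {
            // With a hash algorithm configured, the signature algorithm is derived from the key in the keystore.
            PublicKey pubKey = signerBuilder.getCertificate().getPublicKey();
            signatureAlgId = AlgorithmUtil.getSigAlgId(pubKey, conf);
        }
        return signerBuilder.createSigner(signatureAlgId, parallelism, securityFactory.getRandom4Sign());
    } catch (NoSuchAlgorithmException | NoSuchPaddingException | XiSecurityException ex) {
        // Keep the cause so the underlying failure is not lost when this is logged.
        throw new ObjectCreationException(String.format("%s: %s", ex.getClass().getName(), ex.getMessage()), ex);
    } finally {
        try {
            keystoreStream.close();
        } catch (java.io.IOException ignored) {
            // Best effort: the builder is expected to have read the keystore by now, and a
            // failed close must not mask the real outcome. Closing the inline
            // ByteArrayInputStream is a no-op.
        }
    }
}

/**
 * Resolves the optional "password" entry: null when absent, the literal value when no
 * PasswordResolver is configured, otherwise whatever the resolver returns for the hint.
 *
 * @throws ObjectCreationException if the resolver rejects the hint (cause attached)
 */
private static char[] resolveKeystorePassword(SecurityFactory securityFactory, SignerConf conf) throws ObjectCreationException {
    String passwordHint = conf.getConfValue("password");
    if (passwordHint == null) {
        return null;
    }
    PasswordResolver passwordResolver = securityFactory.getPasswordResolver();
    if (passwordResolver == null) {
        // No resolver configured: the raw configuration value is the password.
        return passwordHint.toCharArray();
    }
    try {
        return passwordResolver.resolvePassword(passwordHint);
    } catch (PasswordResolverException ex) {
        throw new ObjectCreationException("could not resolve password. Message: " + ex.getMessage(), ex);
    }
}

/**
 * Opens the keystore named by the "keystore" entry: "base64:" inline content or a
 * "file:" path (expanded via IoUtil). The caller owns and must close the stream.
 *
 * @throws ObjectCreationException for an unknown prefix or a missing file (cause attached)
 */
private static InputStream openKeystoreStream(String keystoreSpec) throws ObjectCreationException {
    if (StringUtil.startsWithIgnoreCase(keystoreSpec, "base64:")) {
        return new ByteArrayInputStream(Base64.decode(keystoreSpec.substring("base64:".length())));
    }
    if (StringUtil.startsWithIgnoreCase(keystoreSpec, "file:")) {
        String fn = keystoreSpec.substring("file:".length());
        try {
            return new FileInputStream(IoUtil.expandFilepath(fn));
        } catch (FileNotFoundException ex) {
            throw new ObjectCreationException("file not found: " + fn, ex);
        }
    }
    throw new ObjectCreationException("unknown keystore content format");
}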

Example 18 with ObjectCreationException

use of org.xipki.common.ObjectCreationException in project xipki by xipki.

the class SignerFactoryRegisterImpl method newPkcs11Signer.

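/**
 * Creates a signer backed by a key held on a PKCS#11 token, reached through the
 * configured P11CryptServiceFactory.
 *
 * Configuration entries read from {@code conf}:
 * <ul>
 *   <li>{@code parallelism} (optional): positive integer, otherwise the security factory's default;</li>
 *   <li>{@code module}: the PKCS#11 module name;</li>
 *   <li>exactly one of {@code slot} (index) and {@code slot-id};</li>
 *   <li>exactly one of {@code key-id} (hex) and {@code key-label};</li>
 *   <li>{@code algo} (optional): tried as a MAC algorithm first; if it is one, a MAC signer is
 *       built and the token key is used as a MAC key, otherwise it is treated as a signature
 *       algorithm.</li>
 * </ul>
 *
 * A malformed {@code slot} / {@code slot-id} is now reported as an ObjectCreationException
 * like every other configuration error, instead of escaping as a NumberFormatException.
 *
 * @param securityFactory supplies defaults and is passed to the signature signer builder
 * @param type            the configured signer type (not used by the PKCS#11 builders here)
 * @param conf            the signer configuration
 * @param certificateChain certificate chain for signature signers (unused for MAC signers)
 * @return the created signer
 * @throws ObjectCreationException on any configuration, token or construction error
 */
private ConcurrentContentSigner newPkcs11Signer(SecurityFactory securityFactory, String type, SignerConf conf, X509Certificate[] certificateChain) throws ObjectCreationException {
    if (p11CryptServiceFactory == null) {
        throw new ObjectCreationException("p11CryptServiceFactory is not set");
    }

    // "parallelism": presumably the number of signing contexts the ConcurrentContentSigner keeps.
    String str = conf.getConfValue("parallelism");
    int parallelism = securityFactory.getDefaultSignerParallelism();
    if (str != null) {
        try {
            parallelism = Integer.parseInt(str);
        } catch (NumberFormatException ex) {
            throw new ObjectCreationException("invalid parallelism " + str);
        }
        if (parallelism < 1) {
            throw new ObjectCreationException("invalid parallelism " + str);
        }
    }

    String moduleName = conf.getConfValue("module");

    // The slot is addressed either by index ("slot") or by id ("slot-id"), never both.
    str = conf.getConfValue("slot");
    Integer slotIndex = null;
    if (str != null) {
        try {
            slotIndex = Integer.valueOf(str);
        } catch (NumberFormatException ex) {
            throw new ObjectCreationException("invalid slot " + str, ex);
        }
    }
    str = conf.getConfValue("slot-id");
    Long slotId = null;
    if (str != null) {
        try {
            slotId = Long.valueOf(str);
        } catch (NumberFormatException ex) {
            throw new ObjectCreationException("invalid slot-id " + str, ex);
        }
    }
    if ((slotIndex == null) == (slotId == null)) {
        throw new ObjectCreationException("exactly one of slot (index) and slot-id must be specified");
    }

    // The key is addressed either by id (hex) or by label, never both.
    String keyLabel = conf.getConfValue("key-label");
    str = conf.getConfValue("key-id");
    // NOTE(review): Hex.decode's behaviour on malformed input is not visible here; a bad
    // "key-id" may surface as an unchecked exception rather than an ObjectCreationException.
    byte[] keyId = (str == null) ? null : Hex.decode(str);
    if ((keyId == null) == (keyLabel == null)) {
        throw new ObjectCreationException("exactly one of key-id and key-label must be specified");
    }

    // Resolve the slot through the module; token failures keep their cause.
    P11CryptService p11Service;
    P11Slot slot;
    try {
        p11Service = p11CryptServiceFactory.getP11CryptService(moduleName);
        P11Module module = p11Service.getModule();
        // Exactly one of slotId / slotIndex is set (checked above).
        P11SlotIdentifier p11SlotId = (slotId != null) ? module.getSlotIdForId(slotId) : module.getSlotIdForIndex(slotIndex);
        slot = module.getSlot(p11SlotId);
    } catch (P11TokenException | XiSecurityException ex) {
        throw new ObjectCreationException(ex.getMessage(), ex);
    }

    P11ObjectIdentifier p11ObjId = (keyId != null) ? slot.getObjectIdForId(keyId) : slot.getObjectIdForLabel(keyLabel);
    if (p11ObjId == null) {
        String keyRef = (keyId != null) ? "id " + Hex.encode(keyId) : "label " + keyLabel;
        throw new ObjectCreationException("cound not find identity with " + keyRef);
    }
    P11EntityIdentifier entityId = new P11EntityIdentifier(slot.getSlotId(), p11ObjId);

    try {
        AlgorithmIdentifier macAlgId = null;
        String algoName = conf.getConfValue("algo");
        if (algoName != null) {
            try {
                macAlgId = AlgorithmUtil.getMacAlgId(algoName);
            } catch (NoSuchAlgorithmException ex) {
                // Not a MAC algorithm name: "algo" is handled as a signature algorithm below.
            }
        }

        if (macAlgId != null) {
            P11MacContentSignerBuilder macBuilder = new P11MacContentSignerBuilder(p11Service, entityId);
            return macBuilder.createSigner(macAlgId, parallelism);
        }

        AlgorithmIdentifier signatureAlgId;
        if (conf.getHashAlgo() == null) {
            signatureAlgId = AlgorithmUtil.getSigAlgId(null, conf);
        } else {
            // With a hash algorithm configured, the signature algorithm is derived from the
            // public key the token reports for this identity.
            PublicKey pubKey = slot.getIdentity(p11ObjId).getPublicKey();
            signatureAlgId = AlgorithmUtil.getSigAlgId(pubKey, conf);
        }
        P11ContentSignerBuilder signerBuilder = new P11ContentSignerBuilder(p11Service, securityFactory, entityId, certificateChain);
        return signerBuilder.createSigner(signatureAlgId, parallelism);
    } catch (P11TokenException | NoSuchAlgorithmException | XiSecurityException ex) {
        throw new ObjectCreationException(ex.getMessage(), ex);
    }
}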
