feat(SS): EC key support for signing/authentication

make it work Refs: XRDDEV-2694
nordic-institute · Oct 28, 2024 · de4db72 · de4db72
1 parent 4824261
commit de4db72
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 10 deletions.
diff --git a/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java b/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java
@@ -448,6 +448,7 @@ private SystemProperties() {
     public static final String SOFT_TOKEN_EC_SIGN_MECHANISM = SIGNER_PREFIX + "soft-token-ec-sign-mechanism";
     public static final String SOFT_TOKEN_PIN_KEYSTORE_ALGORITHM = SIGNER_PREFIX + "soft-token-pin-keystore-algorithm";
     public static final String SIGNER_DEFAULT_KEY_ALGORITHM = SIGNER_PREFIX + "default-key-algorithm";
+    public static final String SIGNER_SELF_SIGNED_CERT_DIGEST_ALGORITHM = SIGNER_PREFIX + "selfsigned-cert-digest-algorithm";
 
     public static final String DEFAULT_SIGNER_MODULE_MANAGER_UPDATE_INTERVAL = "60";
     public static final KeyAlgorithm DEFAULT_SIGNER_DEFAULT_KEY_ALGORITHM = KeyAlgorithm.RSA;
@@ -1194,6 +1195,15 @@ public static KeyAlgorithm getSignerDefaultKeyAlgorithm() {
                 .orElse(DEFAULT_SIGNER_DEFAULT_KEY_ALGORITHM);
     }
 
+    /**
+     * @return software token keystore PIN file algorithm, RSA by default
+     */
+    public static DigestAlgorithm getSelfSignedCertDigestAlgorithm() {
+        return Optional.ofNullable(System.getProperty(SIGNER_SELF_SIGNED_CERT_DIGEST_ALGORITHM))
+                .map(DigestAlgorithm::ofName)
+                .orElse(DigestAlgorithm.SHA512);
+    }
+
     /**
      * @return the ACME certificate renewal toggle
      */

diff --git a/.../src/main/java/org/niis/xroad/common/managementrequest/ManagementRequestSoapExecutor.java b/.../src/main/java/org/niis/xroad/common/managementrequest/ManagementRequestSoapExecutor.java
@@ -52,7 +52,7 @@ public class ManagementRequestSoapExecutor {
 
     public ResponseEntity<String> process(String contentType, InputStream body,
                                           ToIntFunction<ManagementRequestVerifier.Result> onSuccess) {
-        try (var bos = new BoundedInputStream(body, MAX_REQUEST_SIZE)) {
+        try (var bos = BoundedInputStream.builder().setInputStream(body).setMaxCount(MAX_REQUEST_SIZE).get()) {
             var verificationResult = managementRequestVerifier.readRequest(contentType, bos);
 
             var createdRequestId = onSuccess.applyAsInt(verificationResult);

diff --git a/...quest/src/main/java/org/niis/xroad/common/managementrequest/model/AuthCertRegRequest.java b/...quest/src/main/java/org/niis/xroad/common/managementrequest/model/AuthCertRegRequest.java
@@ -27,6 +27,7 @@
 
 import ee.ria.xroad.common.CodedException;
 import ee.ria.xroad.common.SystemProperties;
+import ee.ria.xroad.common.crypto.Signatures;
 import ee.ria.xroad.common.crypto.identifier.DigestAlgorithm;
 import ee.ria.xroad.common.crypto.identifier.SignAlgorithm;
 import ee.ria.xroad.common.identifier.ClientId;
@@ -176,7 +177,7 @@ private MemberSigningInfoDto getMemberSigningInfo() {
 
     private static byte[] createSignature(String keyId, SignAlgorithm signAlgoId, byte[] digest) {
         try {
-            return SignerProxy.sign(keyId, signAlgoId, digest);
+            return Signatures.useAsn1DerFormat(signAlgoId, SignerProxy.sign(keyId, signAlgoId, digest));
         } catch (Exception e) {
             throw translateWithPrefix(X_CANNOT_CREATE_SIGNATURE, e);
         }

diff --git a/...est/src/main/java/org/niis/xroad/common/managementrequest/model/GenericClientRequest.java b/...est/src/main/java/org/niis/xroad/common/managementrequest/model/GenericClientRequest.java
@@ -26,6 +26,7 @@
 package org.niis.xroad.common.managementrequest.model;
 
 import ee.ria.xroad.common.SystemProperties;
+import ee.ria.xroad.common.crypto.Signatures;
 import ee.ria.xroad.common.crypto.identifier.DigestAlgorithm;
 import ee.ria.xroad.common.crypto.identifier.SignAlgorithm;
 import ee.ria.xroad.common.identifier.ClientId;
@@ -140,7 +141,7 @@ private MemberSigningInfoDto getMemberSigningInfo() {
 
     private static byte[] createSignature(String keyId, SignAlgorithm signAlgoId, byte[] digest) {
         try {
-            return SignerProxy.sign(keyId, signAlgoId, digest);
+            return Signatures.useAsn1DerFormat(signAlgoId, SignerProxy.sign(keyId, signAlgoId, digest));
         } catch (Exception e) {
             throw translateWithPrefix(X_CANNOT_CREATE_SIGNATURE, e);
         }

diff --git a/src/proxy/core/src/main/java/ee/ria/xroad/common/signature/SignatureCtx.java b/src/proxy/core/src/main/java/ee/ria/xroad/common/signature/SignatureCtx.java
@@ -26,6 +26,7 @@
 package ee.ria.xroad.common.signature;
 
 import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.common.crypto.Signatures;
 import ee.ria.xroad.common.crypto.identifier.SignAlgorithm;
 import ee.ria.xroad.common.hashchain.HashChainBuilder;
 import ee.ria.xroad.common.util.MessageFileNames;
@@ -87,7 +88,7 @@ synchronized void add(SigningRequest request) {
      * Produces the XML signature from the given signed data.
      */
     synchronized String createSignatureXml(byte[] signatureValue) throws Exception {
-        return builder.createSignatureXml(signatureValue);
+        return builder.createSignatureXml(Signatures.useRawFormat(signatureAlgorithmId, signatureValue));
     }
 
     /**

diff --git a/.../src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java b/.../src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java
@@ -26,8 +26,8 @@
 package ee.ria.xroad.signer.protocol.handler;
 
 import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.common.SystemProperties;
 import ee.ria.xroad.common.crypto.KeyManagers;
-import ee.ria.xroad.common.crypto.identifier.DigestAlgorithm;
 import ee.ria.xroad.common.crypto.identifier.SignAlgorithm;
 import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
 import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
@@ -79,9 +79,6 @@ public class GenerateSelfSignedCertReqHandler extends AbstractRpcHandler<Generat
     private final SignReqHandler signReqHandler;
     private final ImportCertReqHandler importCertReqHandler;
 
-    // TODO make configurable
-    private static final DigestAlgorithm SIGNATURE_DIGEST_ALGORITHM = DigestAlgorithm.SHA512;
-
     @Override
     protected GenerateSelfSignedCertResp handle(GenerateSelfSignedCertReq request) throws Exception {
         TokenAndKey tokenAndKey = TokenManager.findTokenAndKey(request.getKeyId());
@@ -96,8 +93,10 @@ protected GenerateSelfSignedCertResp handle(GenerateSelfSignedCertReq request) t
 
         PublicKey pk = KeyManagers.getFor(tokenAndKey.getSignMechanism()).readX509PublicKey(tokenAndKey.key().getPublicKey());
 
-        SignAlgorithm signAlgoId = SignAlgorithm.ofDigestAndMechanism(SIGNATURE_DIGEST_ALGORITHM,
-                tokenAndKey.getSignMechanism());
+        SignAlgorithm signAlgoId = SignAlgorithm.ofDigestAndMechanism(
+                SystemProperties.getSelfSignedCertDigestAlgorithm(),
+                tokenAndKey.getSignMechanism()
+        );
 
         X509Certificate cert = new DummyCertBuilder().build(tokenAndKey, request, pk, signAlgoId);