From de4db725f3dd48c177db2509af582ac01ab63b5b Mon Sep 17 00:00:00 2001
From: Ovidijus Narkevicius
Date: Mon, 28 Oct 2024 13:15:55 +0200
Subject: [PATCH] feat(SS): EC key support for signing/authentication make it work
Refs: XRDDEV-2694
---
 .../java/ee/ria/xroad/common/SystemProperties.java | 10 ++++++++++
 .../ManagementRequestSoapExecutor.java | 2 +-
 .../managementrequest/model/AuthCertRegRequest.java | 3 ++-
 .../managementrequest/model/GenericClientRequest.java | 3 ++-
 .../ee/ria/xroad/common/signature/SignatureCtx.java | 3 ++-
 .../handler/GenerateSelfSignedCertReqHandler.java | 11 +++++------
 6 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java b/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java
index bd284c8d31..4014773967 100644
--- a/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java
+++ b/src/common/common-core/src/main/java/ee/ria/xroad/common/SystemProperties.java
@@ -448,6 +448,7 @@ private SystemProperties() {
 public static final String SOFT_TOKEN_EC_SIGN_MECHANISM = SIGNER_PREFIX + "soft-token-ec-sign-mechanism";
 public static final String SOFT_TOKEN_PIN_KEYSTORE_ALGORITHM = SIGNER_PREFIX + "soft-token-pin-keystore-algorithm";
 public static final String SIGNER_DEFAULT_KEY_ALGORITHM = SIGNER_PREFIX + "default-key-algorithm";
+ public static final String SIGNER_SELF_SIGNED_CERT_DIGEST_ALGORITHM = SIGNER_PREFIX + "selfsigned-cert-digest-algorithm";
 
 public static final String DEFAULT_SIGNER_MODULE_MANAGER_UPDATE_INTERVAL = "60";
 public static final KeyAlgorithm DEFAULT_SIGNER_DEFAULT_KEY_ALGORITHM = KeyAlgorithm.RSA;
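Review bot: The new property key `selfsigned-cert-digest-algorithm` spells the term differently from its constant `SIGNER_SELF_SIGNED_CERT_DIGEST_ALGORITHM`, while the neighbouring keys in this hunk hyphenate every word (`soft-token-ec-sign-mechanism`, `default-key-algorithm`); `self-signed-cert-digest-algorithm` would keep the key predictable from the constant name. Nothing in the hunk indicates what the property accepts, so a one-line comment above the constant, e.g. `// name of the digest algorithm used when generating self-signed certificates`, would document the new knob for operators.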
@@ -1194,6 +1195,15 @@ public static KeyAlgorithm getSignerDefaultKeyAlgorithm() {
 .orElse(DEFAULT_SIGNER_DEFAULT_KEY_ALGORITHM);
 }
 
+ /**
+ * @return software token keystore PIN file algorithm, RSA by default
+ */
+ public static DigestAlgorithm getSelfSignedCertDigestAlgorithm() {
+ return Optional.ofNullable(System.getProperty(SIGNER_SELF_SIGNED_CERT_DIGEST_ALGORITHM))
+ .map(DigestAlgorithm::ofName)
+ .orElse(DigestAlgorithm.SHA512);
+ }
+
 /**
 * @return the ACME certificate renewal toggle
 */
diff --git a/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/ManagementRequestSoapExecutor.java b/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/ManagementRequestSoapExecutor.java
index 15e5a493e2..00f4e38c15 100644
--- a/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/ManagementRequestSoapExecutor.java
+++ b/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/ManagementRequestSoapExecutor.java
@@ -52,7 +52,7 @@ public class ManagementRequestSoapExecutor {
 public ResponseEntity process(String contentType, InputStream body, ToIntFunction onSuccess) {
- try (var bos = new BoundedInputStream(body, MAX_REQUEST_SIZE)) {
+ try (var bos = BoundedInputStream.builder().setInputStream(body).setMaxCount(MAX_REQUEST_SIZE).get()) {
 var verificationResult = managementRequestVerifier.readRequest(contentType, bos);
 var createdRequestId = onSuccess.applyAsInt(verificationResult);
diff --git a/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/model/AuthCertRegRequest.java b/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/model/AuthCertRegRequest.java
index b6c6c7c5bb..489a10d8ec 100644
--- a/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/model/AuthCertRegRequest.java
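Review bot: The Javadoc on the added `getSelfSignedCertDigestAlgorithm()` is a copy-paste error: it reads `@return software token keystore PIN file algorithm, RSA by default`, but the method returns the digest algorithm for self-signed certificates and the `.orElse` default is `DigestAlgorithm.SHA512`. Replace it with `@return digest algorithm used when generating self-signed certificates, SHA-512 by default`. The raw property value goes straight into `DigestAlgorithm::ofName`; if that lookup does not reject unknown names with a clear message, a misconfigured value would only surface when a certificate is actually generated, so its failure mode is worth confirming (`ofName` is not visible here).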
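Review bot: With the builder form on the `+` line, a body longer than `MAX_REQUEST_SIZE` is still handed to `managementRequestVerifier.readRequest` as a silently truncated stream rather than being rejected, exactly as with the replaced constructor; since this line is being rewritten anyway, the limit could become an explicit check. One option is to bound the stream at `MAX_REQUEST_SIZE + 1` and, once `readRequest` returns, fail the request when `bos.getCount() > MAX_REQUEST_SIZE` (`getCount()` exists on the commons-io `BoundedInputStream` versions that provide the builder). Whether the verifier itself detects a truncated document cannot be told from this hunk, and the rest of `process` lies outside it.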
+++ b/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/model/AuthCertRegRequest.java
@@ -27,6 +27,7 @@
 
 import ee.ria.xroad.common.CodedException;
 import ee.ria.xroad.common.SystemProperties;
+import ee.ria.xroad.common.crypto.Signatures;
 import ee.ria.xroad.common.crypto.identifier.DigestAlgorithm;
 import ee.ria.xroad.common.crypto.identifier.SignAlgorithm;
 import ee.ria.xroad.common.identifier.ClientId;
@@ -176,7 +177,7 @@ private MemberSigningInfoDto getMemberSigningInfo() {
 
 private static byte[] createSignature(String keyId, SignAlgorithm signAlgoId, byte[] digest) {
 try {
- return SignerProxy.sign(keyId, signAlgoId, digest);
+ return Signatures.useAsn1DerFormat(signAlgoId, SignerProxy.sign(keyId, signAlgoId, digest));
 } catch (Exception e) {
 throw translateWithPrefix(X_CANNOT_CREATE_SIGNATURE, e);
 }
diff --git a/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/model/GenericClientRequest.java b/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/model/GenericClientRequest.java
index 9bdda3bc76..786b2e52bd 100644
--- a/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/model/GenericClientRequest.java
+++ b/src/common/common-management-request/src/main/java/org/niis/xroad/common/managementrequest/model/GenericClientRequest.java
@@ -26,6 +26,7 @@
 package org.niis.xroad.common.managementrequest.model;
 
 import ee.ria.xroad.common.SystemProperties;
+import ee.ria.xroad.common.crypto.Signatures;
 import ee.ria.xroad.common.crypto.identifier.DigestAlgorithm;
 import ee.ria.xroad.common.crypto.identifier.SignAlgorithm;
 import ee.ria.xroad.common.identifier.ClientId;
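Review bot: The reason for wrapping the signer output in `Signatures.useAsn1DerFormat` on the `+` line is not recorded, while `SignatureCtx` in the same commit converts in the opposite direction with `Signatures.useRawFormat`, so a reader meeting either site alone cannot tell why the encodings differ. A one-line comment above the return, e.g. `// management requests carry the signature ASN.1 DER encoded; the signer may return a raw EC signature`, would pin the contract — adjust the wording to what `SignerProxy.sign` actually returns, which this hunk does not show. The same method body, with the same change, is duplicated verbatim in `GenericClientRequest.createSignature` (next file, hunk `@@ -140,7 +141,7 @@`), so both copies now need the same comment and the same future fixes; a shared helper in the management-request module would keep them aligned.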
@@ -140,7 +141,7 @@ private MemberSigningInfoDto getMemberSigningInfo() {
 
 private static byte[] createSignature(String keyId, SignAlgorithm signAlgoId, byte[] digest) {
 try {
- return SignerProxy.sign(keyId, signAlgoId, digest);
+ return Signatures.useAsn1DerFormat(signAlgoId, SignerProxy.sign(keyId, signAlgoId, digest));
 } catch (Exception e) {
 throw translateWithPrefix(X_CANNOT_CREATE_SIGNATURE, e);
 }
diff --git a/src/proxy/core/src/main/java/ee/ria/xroad/common/signature/SignatureCtx.java b/src/proxy/core/src/main/java/ee/ria/xroad/common/signature/SignatureCtx.java
index cdf69384a2..754feb9b30 100644
--- a/src/proxy/core/src/main/java/ee/ria/xroad/common/signature/SignatureCtx.java
+++ b/src/proxy/core/src/main/java/ee/ria/xroad/common/signature/SignatureCtx.java
@@ -26,6 +26,7 @@
 package ee.ria.xroad.common.signature;
 
 import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.common.crypto.Signatures;
 import ee.ria.xroad.common.crypto.identifier.SignAlgorithm;
 import ee.ria.xroad.common.hashchain.HashChainBuilder;
 import ee.ria.xroad.common.util.MessageFileNames;
@@ -87,7 +88,7 @@ synchronized void add(SigningRequest request) {
 * Produces the XML signature from the given signed data.
 */
 synchronized String createSignatureXml(byte[] signatureValue) throws Exception {
- return builder.createSignatureXml(signatureValue);
+ return builder.createSignatureXml(Signatures.useRawFormat(signatureAlgorithmId, signatureValue));
 }
 
 /**
diff --git a/src/signer/core/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java b/src/signer/core/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java
index 7b27abd1b1..db30a2cfa0 100644
--- a/src/signer/core/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java
+++ b/src/signer/core/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertReqHandler.java
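Review bot: `createSignatureXml` now converts with `Signatures.useRawFormat(signatureAlgorithmId, signatureValue)` without saying why; XML Signature represents an ECDSA `SignatureValue` as the concatenation `r || s` rather than an ASN.1 DER sequence (RFC 4050 / XMLDSig 1.1), so this is the place to record it, e.g. `// XML-DSig requires ECDSA SignatureValue as raw r||s, not ASN.1 DER`. The method's Javadoc (`Produces the XML signature from the given signed data.`) could likewise state the expected input encoding of `signatureValue`. `signatureAlgorithmId` is a field assigned outside this hunk; since the conversion now depends on it where the old code did not, it is worth confirming it is always set before `createSignatureXml` can be called.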
@@ -26,8 +26,8 @@
 package ee.ria.xroad.signer.protocol.handler;
 
 import ee.ria.xroad.common.CodedException;
+import ee.ria.xroad.common.SystemProperties;
 import ee.ria.xroad.common.crypto.KeyManagers;
-import ee.ria.xroad.common.crypto.identifier.DigestAlgorithm;
 import ee.ria.xroad.common.crypto.identifier.SignAlgorithm;
 import ee.ria.xroad.signer.protocol.AbstractRpcHandler;
 import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
@@ -79,9 +79,6 @@ public class GenerateSelfSignedCertReqHandler extends AbstractRpcHandler