-
-
Notifications
You must be signed in to change notification settings - Fork 113
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New JCA security provider to be used with other signing tools
- Loading branch information
Showing
7 changed files
with
342 additions
and
76 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
105 changes: 105 additions & 0 deletions
105
jsign-core/src/main/java/net/jsign/jca/AbstractKeyStoreSpi.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| /** | ||
| * Copyright 2023 Emmanuel Bourg | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package net.jsign.jca; | ||
|
|
||
| import java.io.InputStream; | ||
| import java.io.OutputStream; | ||
| import java.security.Key; | ||
| import java.security.KeyStoreSpi; | ||
| import java.security.cert.Certificate; | ||
| import java.util.Collections; | ||
| import java.util.Date; | ||
| import java.util.Enumeration; | ||
|
|
||
| /** | ||
| * Base class for JCA keystore implementations. | ||
| * | ||
| * @since 5.1 | ||
| */ | ||
| abstract class AbstractKeyStoreSpi extends KeyStoreSpi { | ||
|
|
||
| @Override | ||
| public Certificate engineGetCertificate(String alias) { | ||
| Certificate[] chain = engineGetCertificateChain(alias); | ||
| return chain != null && chain.length > 0 ? chain[0] : null; | ||
| } | ||
|
|
||
| @Override | ||
| public Date engineGetCreationDate(String alias) { | ||
| throw new UnsupportedOperationException(); | ||
| } | ||
|
|
||
| @Override | ||
| public void engineSetKeyEntry(String alias, Key key, char[] password, Certificate[] chain) { | ||
| throw new UnsupportedOperationException(); | ||
| } | ||
|
|
||
| @Override | ||
| public void engineSetKeyEntry(String alias, byte[] key, Certificate[] chain) { | ||
| throw new UnsupportedOperationException(); | ||
| } | ||
|
|
||
| @Override | ||
| public void engineSetCertificateEntry(String alias, Certificate cert) { | ||
| throw new UnsupportedOperationException(); | ||
| } | ||
|
|
||
| @Override | ||
| public void engineDeleteEntry(String alias) { | ||
| throw new UnsupportedOperationException(); | ||
| } | ||
|
|
||
| @Override | ||
| public boolean engineContainsAlias(String alias) { | ||
| Enumeration<String> aliases = engineAliases(); | ||
| while (aliases.hasMoreElements()) { | ||
| if (aliases.nextElement().equals(alias)) { | ||
| return true; | ||
| } | ||
| } | ||
| return false; | ||
| } | ||
|
|
||
| @Override | ||
| public int engineSize() { | ||
| return Collections.list(engineAliases()).size(); | ||
| } | ||
|
|
||
| @Override | ||
| public boolean engineIsKeyEntry(String alias) { | ||
| throw new UnsupportedOperationException(); | ||
| } | ||
|
|
||
| @Override | ||
| public boolean engineIsCertificateEntry(String alias) { | ||
| throw new UnsupportedOperationException(); | ||
| } | ||
|
|
||
| @Override | ||
| public String engineGetCertificateAlias(Certificate cert) { | ||
| throw new UnsupportedOperationException(); | ||
| } | ||
|
|
||
| @Override | ||
| public void engineStore(OutputStream stream, char[] password) { | ||
| throw new UnsupportedOperationException(); | ||
| } | ||
|
|
||
| @Override | ||
| public void engineLoad(InputStream stream, char[] password) { | ||
| } | ||
| } |
140 changes: 140 additions & 0 deletions
140
jsign-core/src/main/java/net/jsign/jca/JsignJcaProvider.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,140 @@ | ||
| /** | ||
| * Copyright 2023 Emmanuel Bourg | ||
| * | ||
| * Licensed under the Apache License, Version 2.0 (the "License"); | ||
| * you may not use this file except in compliance with the License. | ||
| * You may obtain a copy of the License at | ||
| * | ||
| * http://www.apache.org/licenses/LICENSE-2.0 | ||
| * | ||
| * Unless required by applicable law or agreed to in writing, software | ||
| * distributed under the License is distributed on an "AS IS" BASIS, | ||
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| * See the License for the specific language governing permissions and | ||
| * limitations under the License. | ||
| */ | ||
|
|
||
| package net.jsign.jca; | ||
|
|
||
| import java.io.InputStream; | ||
| import java.security.AccessController; | ||
| import java.security.InvalidParameterException; | ||
| import java.security.Key; | ||
| import java.security.KeyStore; | ||
| import java.security.KeyStoreException; | ||
| import java.security.NoSuchAlgorithmException; | ||
| import java.security.PrivilegedAction; | ||
| import java.security.Provider; | ||
| import java.security.UnrecoverableKeyException; | ||
| import java.security.cert.Certificate; | ||
| import java.util.Enumeration; | ||
|
|
||
| import net.jsign.DigestAlgorithm; | ||
| import net.jsign.KeyStoreBuilder; | ||
| import net.jsign.KeyStoreType; | ||
|
|
||
| /** | ||
| * JCA provider using a Jsign keystore and compatible with jarsigner. | ||
| * | ||
| * <p>The provider must be configured with the keystore parameter (the value depends on the keystore type). | ||
| * The type of the keystore is one of the names from the {@link KeyStoreType} enum.</p> | ||
| * | ||
| * <p>Example:</p> | ||
| * <pre> | ||
| * Provider provider = new JsignJcaProvider(); | ||
| * provider.configure(vaultname) | ||
| * KeyStore keystore = KeyStore.getInstance(AZUREKEYVAULT.name(), provider); | ||
| * keystore.load(null, accessToken); | ||
| * </pre> | ||
| * | ||
| * @since 5.1 | ||
| */ | ||
| public class JsignJcaProvider extends Provider { | ||
|
|
||
| private String keystore; | ||
|
|
||
| public JsignJcaProvider() { | ||
| super("Jsign", 1.0, "Jsign security provider"); | ||
|
|
||
| AccessController.doPrivileged((PrivilegedAction<Object>) () -> { | ||
| for (KeyStoreType type : KeyStoreType.values()) { | ||
| putService(new ProviderService(this, "KeyStore", type.name(), JsignJcaKeyStore.class.getName(), () -> new JsignJcaKeyStore(type, keystore))); | ||
| } | ||
| for (String alg : new String[]{"RSA", "ECDSA"}) { | ||
| for (DigestAlgorithm digest : DigestAlgorithm.values()) { | ||
| if (digest != DigestAlgorithm.MD5) { | ||
| String algorithm = digest.name() + "with" + alg; | ||
| putService(new ProviderService(this, "Signature", algorithm, SigningServiceSignature.class.getName(), () -> new SigningServiceSignature(algorithm))); | ||
| } | ||
| } | ||
| } | ||
| return null; | ||
| }); | ||
| } | ||
|
|
||
| public Provider configure(String configArg) throws InvalidParameterException { | ||
| this.keystore = configArg; | ||
|
|
||
| return this; | ||
| } | ||
|
|
||
| static class JsignJcaKeyStore extends AbstractKeyStoreSpi { | ||
|
|
||
| private KeyStoreBuilder builder = new KeyStoreBuilder(); | ||
| private KeyStore keystore; | ||
|
|
||
| public JsignJcaKeyStore(KeyStoreType type, String keystore) { | ||
| builder.storetype(type); | ||
| builder.keystore(keystore); | ||
| builder.certfile(""); | ||
| } | ||
|
|
||
| private KeyStore getKeyStore() throws KeyStoreException { | ||
| if (keystore == null) { | ||
| keystore = builder.build(); | ||
| } | ||
|
|
||
| return keystore; | ||
| } | ||
|
|
||
| @Override | ||
| public Key engineGetKey(String alias, char[] password) throws UnrecoverableKeyException { | ||
| if (password != null) { | ||
| builder.keypass(new String(password)); | ||
| } | ||
| try { | ||
| return getKeyStore().getKey(alias, password); | ||
| } catch (UnrecoverableKeyException e) { | ||
| e.printStackTrace(); // because jarsigner swallows the root cause and hides what's going on | ||
| throw e; | ||
| } catch (KeyStoreException | NoSuchAlgorithmException e) { | ||
| throw new RuntimeException(e); | ||
| } | ||
| } | ||
|
|
||
| @Override | ||
| public Certificate[] engineGetCertificateChain(String alias) { | ||
| try { | ||
| return getKeyStore().getCertificateChain(alias); | ||
| } catch (KeyStoreException e) { | ||
| return null; | ||
| } | ||
| } | ||
|
|
||
| @Override | ||
| public Enumeration<String> engineAliases() { | ||
| try { | ||
| return getKeyStore().aliases(); | ||
| } catch (KeyStoreException e) { | ||
| throw new RuntimeException(e); | ||
| } | ||
| } | ||
|
|
||
| @Override | ||
| public void engineLoad(InputStream stream, char[] password) { | ||
| if (password != null) { | ||
| builder.storepass(new String(password)); | ||
| } | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.