feat: BCFIPS support (sub-part 02) (#5779)

* feat (jans_bom): bc-fips modules have been added; * feat (jans-auth-server): KeyGenerator has been updated; * feat (jans-auth-server): bc-fips support has been added;
JanssenProject · Aug 4, 2023 · bdc2dc5 · bdc2dc5
1 parent 632e00e
commit bdc2dc5
Show file tree

Hide file tree

Showing 6 changed files with 268 additions and 205 deletions.
diff --git a/jans-auth-server/client/src/main/java/io/jans/as/client/util/KeyGenerator.java b/jans-auth-server/client/src/main/java/io/jans/as/client/util/KeyGenerator.java
@@ -16,7 +16,13 @@
 import io.jans.util.StringHelper;
 import io.jans.util.security.SecurityProviderUtility;
 
-import org.apache.commons.cli.*;
+import org.apache.commons.cli.BasicParser;
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
 import org.apache.log4j.Logger;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.status.StatusLogger;
@@ -94,12 +100,12 @@ public Cli(String[] args) {
             options.addOption(KEY_STORE_FILE, true, "Key Store file.");
             options.addOption(KEY_STORE_PASSWORD, true, "Key Store password.");
             options.addOption(DN_NAME, true, "DN of certificate issuer.");
-            options.addOption(OXELEVEN_ACCESS_TOKEN, true, "oxEleven Access Token");
+            options.addOption(OXELEVEN_ACCESS_TOKEN, true, "oxEleven Access Token.");
             options.addOption(OXELEVEN_GENERATE_KEY_ENDPOINT, true, "oxEleven Generate Key Endpoint.");
             options.addOption(EXPIRATION, true, "Expiration in days.");
             options.addOption(EXPIRATION_HOURS, true, "Expiration in hours.");
-            options.addOption(KEY_LENGTH, true, "Key length");
-            options.addOption(KEY_OPS_TYPE, true, "Key Operations Type");
+            options.addOption(KEY_LENGTH, true, "Key length.");
+            options.addOption(KEY_OPS_TYPE, true, "Key Operations Type.");
             options.addOption(TEST_PROP_FILE, true, "Tests property file.");
             options.addOption(HELP, false, "Show help.");
         }

diff --git a/...uth-server/common/src/main/java/io/jans/as/common/cert/fingerprint/FingerprintHelper.java b/...uth-server/common/src/main/java/io/jans/as/common/cert/fingerprint/FingerprintHelper.java
@@ -18,6 +18,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
 import java.security.interfaces.RSAPublicKey;
+import java.security.interfaces.ECPublicKey;
 
 /**
  * Utility which help to calculate SSH RSA public key fingerprint
@@ -33,10 +34,18 @@ public class FingerprintHelper {
      * Return SSH RSA public key fingerprint
      */
     public static String getPublicKeySshFingerprint(PublicKey publicKey) throws NoSuchAlgorithmException, IOException {
-        if (publicKey instanceof RSAPublicKey) {
-            return getPublicKeySshFingerprint((RSAPublicKey) publicKey);
+        if (publicKey instanceof RSAPublicKey || publicKey instanceof ECPublicKey) {
+            MessageDigest digest = MessageDigest.getInstance("MD5");
+            byte[] derEncoded = null;
+            if(publicKey instanceof RSAPublicKey) {
+                derEncoded = getDerEncoding((RSAPublicKey)publicKey);
+            }
+            else if (publicKey instanceof ECPublicKey) {
+                derEncoded = getDerEncoding((ECPublicKey)publicKey);
+            }
+            byte[] fingerprint = digest.digest(derEncoded);
+            return Hex.encodeHexString(fingerprint);
         }
-
         throw new NoSuchAlgorithmException("Unsopported PublicKey type");
     }
 
@@ -59,6 +68,21 @@ private static byte[] getDerEncoding(RSAPublicKey key) throws IOException {
         return buffer.toByteArray();
     }
 
+    /* 
+     * here is a pseudo SSH encoding (start string is 'ssh-ecdsa'), as format of SSH for EC something like that:
+     *    ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCzhFSVzzMlfUih30HB8k7Dpmn95NWQMQRcYpHWhIcMsXQL7TFD8izlr0bRA9XTmBDyKhgA80XMr33r4jeiP+MI=
+     * or for EDDSA (ed25519) 
+     *    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFPZ6PEne43qIHzRihLo4wbo9+E7IFgPp7HLYLFoDiXz
+     * but current encoding is enough for generating a unique fingerprint.
+     */
+    private static byte[] getDerEncoding(ECPublicKey key) throws IOException {
+        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
+        DataOutputStream dataOutput = new DataOutputStream(buffer);
+        writeDataWithLength("ssh-ecdsa".getBytes(), dataOutput);
+        writeDataWithLength(key.getEncoded(), dataOutput);
+        return buffer.toByteArray();
+    }
+
     private static void writeDataWithLength(byte[] data, DataOutput byteBuffer) throws IOException {
         byteBuffer.writeInt(data.length);
         byteBuffer.write(data);

diff --git a/...server/common/src/main/java/io/jans/as/common/cert/validation/CRLCertificateVerifier.java b/...server/common/src/main/java/io/jans/as/common/cert/validation/CRLCertificateVerifier.java
@@ -27,9 +27,7 @@
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
-import org.bouncycastle.asn1.x509.X509Extensions;
-import org.bouncycastle.x509.NoSuchParserException;
-import org.bouncycastle.x509.util.StreamParsingException;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -72,7 +70,7 @@ public CRLCertificateVerifier(final int maxCrlSize) {
         this.maxCrlSize = maxCrlSize;
 
         CacheLoader<String, X509CRL> checkedLoader = new CacheLoader<String, X509CRL>() {
-            public X509CRL load(String crlURL) throws CertificateException, CRLException, NoSuchProviderException, NoSuchParserException, StreamParsingException, IOException, ExecutionException {
+            public X509CRL load(String crlURL) throws CertificateException, CRLException, NoSuchProviderException, IOException, ExecutionException {
                 X509CRL result = requestCRL(crlURL);
                 Preconditions.checkNotNull(result);
 
@@ -234,7 +232,7 @@ public X509CRL requestCRL(String url) throws IOException, CertificateException,
 
     @SuppressWarnings({"deprecation", "resource"})
     private BigInteger getCrlNumber(X509CRL crl) throws IOException {
-        byte[] crlNumberExtensionValue = crl.getExtensionValue(X509Extensions.CRLNumber.getId());
+        byte[] crlNumberExtensionValue = crl.getExtensionValue(Extension.cRLNumber.getId());
         if (crlNumberExtensionValue == null) {
             return null;
         }