author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2019-10-03 10:34:51 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-10-03 10:34:51 +0200 |
commit | 86f1ba0c9e34978196ebbb8247dcea18a1d6a014 (patch) | |
tree | fa1486520c2cc0580992e7016baff30b16845b14 | |
parent | 42813a5f158973444253db38f006d25e62dd66cd (diff) | |
parent | 7f31c41e3a434033a4ce47a97dd1cc32ccb4d58b (diff) |
Merge pull request #10857 from vespa-engine/mortent/read-sigalg-fromkey
Read signature algorithm from key
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/SignatureUtils.java | 23 | ||||
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java | 11 |
2 files changed, 26 insertions, 8 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java b/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java
index 7560fbbd40d..13bc140d797 100644
--- a/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java
@@ -2,6 +2,7 @@ package com.yahoo.security;
 import java.security.GeneralSecurityException;
+import java.security.Key;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.Signature;
@@ -24,6 +25,11 @@ public class SignatureUtils {
         }
     }
+    /** Returns a signature instance which computes a hash of its content, before signing with the given private key. */
+    public static Signature createSigner(PrivateKey key) {
+        return createSigner(key, getSignatureAlgorithm(key));
+    }
+
     /** Returns a signature instance which computes a hash of its content, before verifying with the given public key. */
     public static Signature createVerifier(PublicKey key, SignatureAlgorithm algorithm) {
         try {
@@ -34,4 +40,21 @@ public class SignatureUtils {
             throw new IllegalStateException(e);
         }
     }
+
+    /** Returns a signature instance which computes a hash of its content, before verifying with the given public key. */
+    public static Signature createVerifier(PublicKey key) {
+        return createVerifier(key, getSignatureAlgorithm(key));
+    }
+
+    /* Returns a signature algorithm supported by the key based on SHA512 */
+    private static SignatureAlgorithm getSignatureAlgorithm(Key key) {
+        switch (key.getAlgorithm()) {
+            case "EC":
+                return SignatureAlgorithm.SHA512_WITH_ECDSA;
+            case "RSA":
+                return SignatureAlgorithm.SHA512_WITH_RSA;
+            default:
+                throw new RuntimeException("Unknown Key algorithm " + key.getAlgorithm());
+        }
+    }
 }
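Review bot: The `default` branch of getSignatureAlgorithm throws a bare `RuntimeException` for an unsupported key type; since the key is a caller-supplied argument, `throw new IllegalArgumentException("Unsupported key algorithm: " + key.getAlgorithm());` is the conventional type and lets callers tell a bad key apart from the internal failures that createVerifier already reports as IllegalStateException. Selecting the algorithm from the key rather than from the signed data is sound: a caller of `createVerifier(PublicKey)` only ever gets the family matching its own trusted key (SHA512withECDSA or SHA512withRSA), so an attacker-controlled document cannot steer verification toward a weaker algorithm. The RSA path stays on PKCS#1 v1.5 padding (SHA512withRSA); if SignatureAlgorithm offers a PSS variant it would be the stronger default for new RSA signatures, but that is a separate change. The `/* Returns ... */` comment on getSignatureAlgorithm should be a `/** ... */` Javadoc like its siblings and should state that unsupported key types throw. The two-argument createSigner that the new overload delegates to is outside this hunk.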
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
index e63cd9750fb..a28ab788fc1 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
@@ -1,15 +1,14 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.client;
+import com.yahoo.security.SignatureUtils;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
-import com.yahoo.security.SignatureAlgorithm;
 import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
-import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.Signature;
@@ -37,7 +36,7 @@ public class IdentityDocumentSigner {
                          IdentityType identityType, PrivateKey privateKey) {
         try {
-            Signature signer = createSigner();
+            Signature signer = SignatureUtils.createSigner(privateKey);
             signer.initSign(privateKey);
             writeToSigner(signer, providerUniqueId, providerService, configServerHostname, instanceHostname, createdAt, ipAddresses, identityType);
             byte[] signature = signer.sign();
@@ -49,7 +48,7 @@ public class IdentityDocumentSigner {
     public boolean hasValidSignature(SignedIdentityDocument doc, PublicKey publicKey) {
         try {
-            Signature signer = createSigner();
+            Signature signer = SignatureUtils.createVerifier(publicKey);
             signer.initVerify(publicKey);
             writeToSigner(signer, doc.providerUniqueId(), doc.providerService(), doc.configServerHostname(), doc.instanceHostname(), doc.createdAt(), doc.ipAddresses(), doc.identityType());
             return signer.verify(Base64.getDecoder().decode(doc.signature()));
@@ -58,10 +57,6 @@ public class IdentityDocumentSigner {
         }
     }
-    private static Signature createSigner() throws NoSuchAlgorithmException {
-        return Signature.getInstance(SignatureAlgorithm.SHA512_WITH_RSA.getAlgorithmName());
-    }
-
     private static void writeToSigner(Signature signer, VespaUniqueInstanceId providerUniqueId, AthenzService providerService, |
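Review bot: `signer.initSign(privateKey)` on the line after the new `SignatureUtils.createSigner(privateKey)` call looks redundant: the utility's Javadoc says the returned instance signs "with the given private key", which suggests it is already initialized with that key, so the second initSign only resets the same state. If that reading is right, drop the initSign line so the key is supplied in one place; if createSigner does not initialize, its Javadoc should say so instead, because a caller relying on it would otherwise get an uninitialized Signature. Also note that createSigner reports an unsupported key type as an unchecked RuntimeException, whereas the removed private createSigner declared the checked NoSuchAlgorithmException, so the surrounding `try` may no longer see that failure; the catch clause of this method is outside the hunk.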
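Review bot: hasValidSignature can now throw where it previously returned a boolean: the removed createSigner declared the checked NoSuchAlgorithmException, which the visible `try` presumably routed to its catch clause, but `SignatureUtils.createVerifier(publicKey)` reports an unsupported key type as an unchecked RuntimeException that escapes this method. If callers treat any exception as a failed verification that is safe, but a caller that catches only GeneralSecurityException and expects a boolean could now fail on an unexpected key; either catch the unchecked exception here and return false, or document it with `@throws`. Separately, `Base64.getDecoder().decode(doc.signature())` on the context line throws IllegalArgumentException on a malformed signature field, which may come from an untrusted source and likewise bypasses a GeneralSecurityException catch; treating that as "not valid" would be consistent. The method's catch clause is outside the hunk.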