-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/SignatureUtils.java | 23 | ||||
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java | 11 |
2 files changed, 26 insertions, 8 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java b/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java
index 7560fbbd40d..13bc140d797 100644
--- a/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java
@@ -2,6 +2,7 @@
 package com.yahoo.security;
 
 import java.security.GeneralSecurityException;
+import java.security.Key;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.Signature;
@@ -24,6 +25,11 @@ public class SignatureUtils {
 }
 }
 
+ /** Returns a signature instance which computes a hash of its content, before signing with the given private key. */
+ public static Signature createSigner(PrivateKey key) {
+ return createSigner(key, getSignatureAlgorithm(key));
+ }
+
 /** Returns a signature instance which computes a hash of its content, before verifying with the given public key. */
 public static Signature createVerifier(PublicKey key, SignatureAlgorithm algorithm) {
 try {
@@ -34,4 +40,21 @@ public class SignatureUtils {
 throw new IllegalStateException(e);
 }
 }
+
+ /** Returns a signature instance which computes a hash of its content, before verifying with the given public key. */
+ public static Signature createVerifier(PublicKey key) {
+ return createVerifier(key, getSignatureAlgorithm(key));
+ }
+
+ /* Returns a signature algorithm supported by the key based on SHA512 */
+ private static SignatureAlgorithm getSignatureAlgorithm(Key key) {
+ switch (key.getAlgorithm()) {
+ case "EC":
+ return SignatureAlgorithm.SHA512_WITH_ECDSA;
+ case "RSA":
+ return SignatureAlgorithm.SHA512_WITH_RSA;
+ default:
+ throw new RuntimeException("Unknown Key algorithm " + key.getAlgorithm());
+ }
+ }
 }
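Review bot: The Javadoc on the new `createSigner(PrivateKey)` does not say which algorithm the caller gets, or that the call can throw for a key type it does not recognise. Because the choice is now implicit, I would spell it out: `/** Returns a signer using the SHA-512 based algorithm matching the key type (EC or RSA); throws if the key type is not supported. */`. The same gap is in the Javadoc of `createVerifier(PublicKey)` in the next hunk.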
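Review bot: The `default:` branch of `getSignatureAlgorithm` throws a bare `RuntimeException`, while the surrounding factories report failures as `IllegalStateException`; an unsupported key is an argument problem, so `throw new IllegalArgumentException("Unknown Key algorithm " + key.getAlgorithm());` gives callers something specific to handle. The switch also matches the provider-reported name exactly, and JCA providers do not all report `EC` for elliptic-curve keys (BouncyCastle can report `ECDSA`), so if such keys can reach this method a `case "ECDSA":` falling through to the EC branch may be needed; the provider in use is not visible in this diff. The helper's comment opens with `/*`, so it is not picked up as Javadoc.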
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
index e63cd9750fb..a28ab788fc1 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
@@ -1,15 +1,14 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.client;
 
+import com.yahoo.security.SignatureUtils;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
-import com.yahoo.security.SignatureAlgorithm;
 
 import java.nio.ByteBuffer;
 import java.security.GeneralSecurityException;
-import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.Signature;
@@ -37,7 +36,7 @@ public class IdentityDocumentSigner {
 IdentityType identityType,
 PrivateKey privateKey) {
 try {
- Signature signer = createSigner();
+ Signature signer = SignatureUtils.createSigner(privateKey);
 signer.initSign(privateKey);
 writeToSigner(signer, providerUniqueId, providerService, configServerHostname, instanceHostname, createdAt, ipAddresses, identityType);
 byte[] signature = signer.sign();
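Review bot: The `signer.initSign(privateKey);` call that follows `SignatureUtils.createSigner(privateKey)` looks redundant now. The two-argument factories in SignatureUtils wrap `GeneralSecurityException`, which suggests they already initialise the instance with the key, though their bodies are not visible in this diff, so please confirm. If they do, drop the explicit init here and the matching `signer.initVerify(publicKey);` in `hasValidSignature`, so the key is bound to the `Signature` in one place only. The enclosing method starts and ends outside the hunk.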
@@ -49,7 +48,7 @@ public class IdentityDocumentSigner {
 
 public boolean hasValidSignature(SignedIdentityDocument doc, PublicKey publicKey) {
 try {
- Signature signer = createSigner();
+ Signature signer = SignatureUtils.createVerifier(publicKey);
 signer.initVerify(publicKey);
 writeToSigner(signer, doc.providerUniqueId(), doc.providerService(), doc.configServerHostname(), doc.instanceHostname(), doc.createdAt(), doc.ipAddresses(), doc.identityType());
 return signer.verify(Base64.getDecoder().decode(doc.signature()));
@@ -58,10 +57,6 @@ public class IdentityDocumentSigner {
 }
 }
 
- private static Signature createSigner() throws NoSuchAlgorithmException {
- return Signature.getInstance(SignatureAlgorithm.SHA512_WITH_RSA.getAlgorithmName());
- }
-
 private static void writeToSigner(Signature signer,
 VespaUniqueInstanceId providerUniqueId,
 AthenzService providerService, |
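Review bot: With `SignatureUtils.createVerifier(publicKey)` the accepted signature algorithm now follows the type of `publicKey`, where the removed `createSigner()` allowed only SHA512withRSA. That is sound only while `publicKey` comes from trusted configuration and never from the document being checked, so I would record it next to the call: `// algorithm is derived from the trusted publicKey, never from doc`. An unsupported key type now leaves the factory as a plain `RuntimeException` instead of a `GeneralSecurityException`; the catch clause is outside the hunk, so check that the failure still ends up where callers of `hasValidSignature` expect it. The local is still named `signer` although it now holds a verifier.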