-rw-r--r--security-utils/src/main/java/com/yahoo/security/SignatureUtils.java23
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java11
2 files changed, 26 insertions, 8 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java b/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java
index 7560fbbd40d..13bc140d797 100644
--- a/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java
@@ -2,6 +2,7 @@
package com.yahoo.security;
import java.security.GeneralSecurityException;
+import java.security.Key;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
@@ -24,6 +25,11 @@ public class SignatureUtils {
}
}
+ /** Returns a signature instance which computes a hash of its content, before signing with the given private key. */
+ public static Signature createSigner(PrivateKey key) {
+ return createSigner(key, getSignatureAlgorithm(key));
+ }
+
/** Returns a signature instance which computes a hash of its content, before verifying with the given public key. */
public static Signature createVerifier(PublicKey key, SignatureAlgorithm algorithm) {
try {
@@ -34,4 +40,21 @@ public class SignatureUtils {
throw new IllegalStateException(e);
}
}
+
+ /** Returns a signature instance which computes a hash of its content, before verifying with the given public key. */
+ public static Signature createVerifier(PublicKey key) {
+ return createVerifier(key, getSignatureAlgorithm(key));
+ }
+
+ /* Returns a signature algorithm supported by the key based on SHA512 */
+ private static SignatureAlgorithm getSignatureAlgorithm(Key key) {
+ switch (key.getAlgorithm()) {
+ case "EC":
+ return SignatureAlgorithm.SHA512_WITH_ECDSA;
+ case "RSA":
+ return SignatureAlgorithm.SHA512_WITH_RSA;
+ default:
+ throw new RuntimeException("Unknown Key algorithm " + key.getAlgorithm());
+ }
+ }
}
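Review bot: The `default` branch of `getSignatureAlgorithm` throws a raw `RuntimeException`; an unsupported key type is a caller-supplied argument problem, so `throw new IllegalArgumentException("Unknown Key algorithm " + key.getAlgorithm());` is the idiomatic type and lets callers catch it deliberately. The comment above the method is a plain `/* … */` block where the rest of the class uses Javadoc; `/** Returns the SHA-512 based signature algorithm matching the key's reported algorithm ("EC" or "RSA"). */` keeps the style consistent. Note that the choice is keyed only on `key.getAlgorithm()`, so every EC key gets SHA512withECDSA regardless of curve, and a verifier built from a key that is not a trusted, caller-controlled public key would accept whichever algorithm that key reports; I would state in the Javadoc of the new `createVerifier(PublicKey)` overload that the algorithm follows the key and that the key must come from trusted configuration.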
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
index e63cd9750fb..a28ab788fc1 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSigner.java
@@ -1,15 +1,14 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.identityprovider.client;
+import com.yahoo.security.SignatureUtils;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
-import com.yahoo.security.SignatureAlgorithm;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
-import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
@@ -37,7 +36,7 @@ public class IdentityDocumentSigner {
IdentityType identityType,
PrivateKey privateKey) {
try {
- Signature signer = createSigner();
+ Signature signer = SignatureUtils.createSigner(privateKey);
signer.initSign(privateKey);
writeToSigner(signer, providerUniqueId, providerService, configServerHostname, instanceHostname, createdAt, ipAddresses, identityType);
byte[] signature = signer.sign();
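Review bot: `signer.initSign(privateKey)` on the line after the new `SignatureUtils.createSigner(privateKey)` call may now be redundant: the two-argument `createSigner(key, algorithm)` it delegates to takes the key and presumably initialises the `Signature` with it (its body is outside this hunk, so this is inferred from the signature-plus-key shape of the helper). If it does, the second `initSign` is harmless but misleading and should be dropped; if it does not, a one-line comment such as `// createSigner only selects the algorithm; the signer still has to be initialised with the key` would save the next reader the same question. The enclosing signing method starts before this hunk.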
@@ -49,7 +48,7 @@ public class IdentityDocumentSigner {
public boolean hasValidSignature(SignedIdentityDocument doc, PublicKey publicKey) {
try {
- Signature signer = createSigner();
+ Signature signer = SignatureUtils.createVerifier(publicKey);
signer.initVerify(publicKey);
writeToSigner(signer, doc.providerUniqueId(), doc.providerService(), doc.configServerHostname(), doc.instanceHostname(), doc.createdAt(), doc.ipAddresses(), doc.identityType());
return signer.verify(Base64.getDecoder().decode(doc.signature()));
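Review bot: `hasValidSignature` now derives the verification algorithm from `publicKey.getAlgorithm()` instead of the former fixed SHA512withRSA, so an EC public key is now accepted where the old `createSigner()` would have failed at `initVerify`; this widening is not reflected in the method's documentation or the commit description. I would add a Javadoc line on `hasValidSignature` stating that the algorithm is chosen from the supplied key (RSA or EC, SHA-512 based) and that `publicKey` must be the trusted provider key, never material taken from `doc` itself. The same applies to the redundant-init question raised on the signing hunk, since `signer.initVerify(publicKey)` follows a helper that already receives the key. The surrounding catch block lies outside this hunk, so I cannot tell whether a malformed Base64 `doc.signature()` (which raises `IllegalArgumentException`, not a `GeneralSecurityException`) returns false or propagates.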
@@ -58,10 +57,6 @@ public class IdentityDocumentSigner {
}
}
- private static Signature createSigner() throws NoSuchAlgorithmException {
- return Signature.getInstance(SignatureAlgorithm.SHA512_WITH_RSA.getAlgorithmName());
- }
-
private static void writeToSigner(Signature signer,
VespaUniqueInstanceId providerUniqueId,
AthenzService providerService,