-rw-r--r--hosted-api/src/main/java/ai/vespa/hosted/api/RequestSigner.java4
-rw-r--r--hosted-api/src/main/java/ai/vespa/hosted/api/RequestVerifier.java5
-rw-r--r--security-utils/src/main/java/com/yahoo/security/KeyUtils.java37
-rw-r--r--security-utils/src/main/java/com/yahoo/security/SignatureUtils.java37
4 files changed, 44 insertions, 39 deletions
diff --git a/hosted-api/src/main/java/ai/vespa/hosted/api/RequestSigner.java b/hosted-api/src/main/java/ai/vespa/hosted/api/RequestSigner.java
index 48ff10695d3..cd72c589713 100644
--- a/hosted-api/src/main/java/ai/vespa/hosted/api/RequestSigner.java
+++ b/hosted-api/src/main/java/ai/vespa/hosted/api/RequestSigner.java
@@ -1,6 +1,7 @@
package ai.vespa.hosted.api;
import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SignatureUtils;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
@@ -12,6 +13,7 @@ import java.util.Base64;
import java.util.function.Supplier;
import static ai.vespa.hosted.api.Signatures.sha256Digest;
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
/**
* Signs HTTP request headers using a private key, for verification by the indicated public key.
@@ -31,7 +33,7 @@ public class RequestSigner {
/** Creates a new request signer with a custom clock. */
public RequestSigner(String pemPrivateKey, String keyId, Clock clock) {
- this.signer = KeyUtils.createSigner(KeyUtils.fromPemEncodedPrivateKey(pemPrivateKey));
+ this.signer = SignatureUtils.createSigner(KeyUtils.fromPemEncodedPrivateKey(pemPrivateKey), SHA256_WITH_ECDSA);
this.keyId = keyId;
this.clock = clock;
}
diff --git a/hosted-api/src/main/java/ai/vespa/hosted/api/RequestVerifier.java b/hosted-api/src/main/java/ai/vespa/hosted/api/RequestVerifier.java
index 1d672a56dcb..96a0196bf04 100644
--- a/hosted-api/src/main/java/ai/vespa/hosted/api/RequestVerifier.java
+++ b/hosted-api/src/main/java/ai/vespa/hosted/api/RequestVerifier.java
@@ -1,6 +1,7 @@
package ai.vespa.hosted.api;
import com.yahoo.security.KeyUtils;
+import com.yahoo.security.SignatureUtils;
import java.net.URI;
import java.security.Signature;
@@ -10,6 +11,8 @@ import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
+import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
+
/**
* Verifies that signed HTTP requests match the indicated public key.
*
@@ -26,7 +29,7 @@ public class RequestVerifier {
}
public RequestVerifier(String pemPublicKey, Clock clock) {
- this.verifier = KeyUtils.createVerifier(KeyUtils.fromPemEncodedPublicKey(pemPublicKey));
+ this.verifier = SignatureUtils.createVerifier(KeyUtils.fromPemEncodedPublicKey(pemPublicKey), SHA256_WITH_ECDSA);
this.clock = clock;
}
diff --git a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
index 7d39c0d54e0..fa999ee521a 100644
--- a/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
+++ b/security-utils/src/main/java/com/yahoo/security/KeyUtils.java
@@ -3,11 +3,9 @@ package com.yahoo.security;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Primitive;
-import org.bouncycastle.asn1.eac.ECDSAPublicKey;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPrivateKey;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.spec.ECParameterSpec;
import org.bouncycastle.jce.spec.ECPublicKeySpec;
import org.bouncycastle.math.ec.ECPoint;
@@ -23,18 +21,14 @@ import java.io.StringReader;
import java.io.StringWriter;
import java.io.UncheckedIOException;
import java.security.GeneralSecurityException;
-import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
-import java.security.Signature;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPublicKeySpec;
-import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.List;
@@ -168,35 +162,4 @@ public class KeyUtils {
return primitive.getEncoded();
}
- /** Returns a signature instance which computes a SHA-256 hash of its content, before signing with the given private key. */
- public static Signature createSigner(PrivateKey key) {
- try {
- Signature signer = Signature.getInstance(SignatureAlgorithm.SHA256_WITH_ECDSA.getAlgorithmName(),
- BouncyCastleProviderHolder.getInstance());
- signer.initSign(key);
- return signer;
- }
- catch (NoSuchAlgorithmException e) {
- throw new IllegalStateException(e);
- }
- catch (InvalidKeyException e) {
- throw new IllegalArgumentException(e);
- }
- }
-
- /** Returns a signature instance which computes a SHA-256 hash of its content, before verifying with the given public key. */
- public static Signature createVerifier(PublicKey key) {
- try {
- Signature signer = Signature.getInstance(SignatureAlgorithm.SHA256_WITH_ECDSA.getAlgorithmName(),
- BouncyCastleProviderHolder.getInstance());
- signer.initVerify(key);
- return signer;
- }
- catch (NoSuchAlgorithmException e) {
- throw new IllegalStateException(e);
- }
- catch (InvalidKeyException e) {
- throw new IllegalArgumentException(e);
- }
- }
}
diff --git a/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java b/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java
new file mode 100644
index 00000000000..7560fbbd40d
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/SignatureUtils.java
@@ -0,0 +1,37 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security;
+
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+
+/**
+ * Misc signature utils
+ *
+ * @author bjorncs
+ */
+public class SignatureUtils {
+
+ /** Returns a signature instance which computes a hash of its content, before signing with the given private key. */
+ public static Signature createSigner(PrivateKey key, SignatureAlgorithm algorithm) {
+ try {
+ Signature signer = Signature.getInstance(algorithm.getAlgorithmName(), BouncyCastleProviderHolder.getInstance());
+ signer.initSign(key);
+ return signer;
+ } catch (GeneralSecurityException e) {
+ throw new IllegalStateException(e);
+ }
+ }
+
+ /** Returns a signature instance which computes a hash of its content, before verifying with the given public key. */
+ public static Signature createVerifier(PublicKey key, SignatureAlgorithm algorithm) {
+ try {
+ Signature signer = Signature.getInstance(algorithm.getAlgorithmName(), BouncyCastleProviderHolder.getInstance());
+ signer.initVerify(key);
+ return signer;
+ } catch (GeneralSecurityException e) {
+ throw new IllegalStateException(e);
+ }
+ }
+}
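Review bot: The single `catch (GeneralSecurityException e)` in `createSigner` and `createVerifier` turns an `InvalidKeyException` into `IllegalStateException`, whereas the `KeyUtils` versions removed in this commit mapped it to `IllegalArgumentException`; a key that cannot be used with the requested algorithm (a caller error, now more likely since `algorithm` is a parameter) is reported the same way as a missing provider algorithm, and callers of `RequestSigner`/`RequestVerifier` that catch `IllegalArgumentException` stop matching. Keeping the two catch clauses preserves the distinction; the `NoSuchAlgorithmException` and `InvalidKeyException` imports dropped from `KeyUtils` would move into this file. The class is also a utility with no private constructor, so `private SignatureUtils() {}` is worth adding, and the method Javadoc could document the contract as `@throws IllegalArgumentException if {@code key} cannot be used with {@code algorithm}`.
```java
public static Signature createSigner(PrivateKey key, SignatureAlgorithm algorithm) {
    try {
        // … unchanged: Signature.getInstance, initSign, return …
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException(e);    // provider/algorithm misconfiguration
    } catch (InvalidKeyException e) {
        throw new IllegalArgumentException(e); // key unusable with the requested algorithm
    }
}
// … createVerifier: same two catch clauses around initVerify …
```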