diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/AuthCryptoProvider.java b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/AuthCryptoProvider.java index 9eb30f31a47..446d7e0fa58 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/AuthCryptoProvider.java +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/crypto/AuthCryptoProvider.java @@ -21,6 +21,7 @@ import io.jans.as.model.jwk.KeySelectionStrategy; import io.jans.as.model.jwk.Use; import io.jans.as.model.util.Base64Util; +import io.jans.as.model.util.CertUtils; import io.jans.as.model.util.Util; import org.apache.commons.codec.binary.Base64; import org.apache.commons.lang.StringUtils; @@ -412,16 +413,7 @@ public SignatureAlgorithm getSignatureAlgorithm(String alias) throws KeyStoreExc } X509Certificate cert = (X509Certificate) chain[0]; - - String sighAlgName = cert.getSigAlgName(); - - for (SignatureAlgorithm sa : SignatureAlgorithm.values()) { - if (sighAlgName.equalsIgnoreCase(sa.getAlgorithm())) { - return sa; - } - } - - return null; + return CertUtils.getSignatureAlgorithm(cert); } private void checkKeyExpiration(String alias) { diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/util/CertUtils.java b/jans-auth-server/model/src/main/java/io/jans/as/model/util/CertUtils.java index 80f4b11263a..c9b12ba22a4 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/util/CertUtils.java +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/util/CertUtils.java @@ -6,6 +6,7 @@ package io.jans.as.model.util; +import io.jans.as.model.crypto.signature.SignatureAlgorithm; import org.apache.commons.codec.digest.DigestUtils; import org.apache.commons.lang.StringUtils; import org.bouncycastle.asn1.ASN1ObjectIdentifier; @@ -23,6 +24,7 @@ import java.io.ByteArrayInputStream; import java.io.InputStream; import java.net.URLDecoder; +import java.security.AlgorithmParameters; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; @@ -37,6 +39,53 @@ public class CertUtils { private CertUtils() { } + public static SignatureAlgorithm getSignatureAlgorithm(X509Certificate cert) { + String signAlgName = cert.getSigAlgName(); + + for (SignatureAlgorithm sa : SignatureAlgorithm.values()) { + if (signAlgName.equalsIgnoreCase(sa.getAlgorithm())) { + return sa; + } + } + + /* + Ensures that SignatureAlgorithms `PS256`, `PS384`, and `PS512` work properly on JDK 11 and later without the need + for BouncyCastle. Previous releases referenced a BouncyCastle-specific + algorithm name instead of the Java Security Standard Algorithm Name of + [`RSASSA-PSS`](https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#signature-algorithms). + This release ensures the standard name is used moving forward. + */ + if ("RSASSA-PSS".equals(signAlgName)) { + AlgorithmParameters algorithmParameters = CertUtils.getAlgorithmParameters(cert); + if (algorithmParameters == null) { + return null; + } + + String algParamString = algorithmParameters.toString(); + if (algParamString.contains("SHA-256")) { + return SignatureAlgorithm.PS256; + } + if (algParamString.contains("SHA-384")) { + return SignatureAlgorithm.PS384; + } + if (algParamString.contains("SHA-512")) { + return SignatureAlgorithm.PS512; + } + } + return null; + } + + public static AlgorithmParameters getAlgorithmParameters(X509Certificate cert) { + try { + AlgorithmParameters result = AlgorithmParameters.getInstance(cert.getSigAlgName()); + result.init(cert.getSigAlgParams()); + return result; + } catch (Exception e) { + log.error(e.getMessage(), e); + } + return null; + } + public static X509Certificate x509CertificateFromBytes(byte[] cert) { try { CertificateFactory certFactory = CertificateFactory.getInstance("X.509");