Skip to content

Commit

Permalink
fix(jans-auth-server): corrected signature algorithm identification w…
Browse files Browse the repository at this point in the history 
…ith java 11 and later

GluuFederation/oxAuth#1661
  • Loading branch information
@yuriyz
yuriyz committed Apr 12, 2022
1 parent 2ad0e23 commit 3e203f2
Show file tree
Hide file tree
Showing 2 changed files with 51 additions and 10 deletions.
12 changes: 2 additions & 10 deletions jans-auth-server/model/src/main/java/io/jans/as/model/crypto/AuthCryptoProvider.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import io.jans.as.model.jwk.KeySelectionStrategy;
import io.jans.as.model.jwk.Use;
import io.jans.as.model.util.Base64Util;
import io.jans.as.model.util.CertUtils;
import io.jans.as.model.util.Util;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
Expand Down Expand Up @@ -412,16 +413,7 @@ public SignatureAlgorithm getSignatureAlgorithm(String alias) throws KeyStoreExc
}

X509Certificate cert = (X509Certificate) chain[0];

String sighAlgName = cert.getSigAlgName();

for (SignatureAlgorithm sa : SignatureAlgorithm.values()) {
if (sighAlgName.equalsIgnoreCase(sa.getAlgorithm())) {
return sa;
}
}

return null;
return CertUtils.getSignatureAlgorithm(cert);
}

private void checkKeyExpiration(String alias) {
Expand Down
49 changes: 49 additions & 0 deletions jans-auth-server/model/src/main/java/io/jans/as/model/util/CertUtils.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@

package io.jans.as.model.util;

import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.StringUtils;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
Expand All @@ -23,6 +24,7 @@
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URLDecoder;
import java.security.AlgorithmParameters;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
Expand All @@ -37,6 +39,53 @@ public class CertUtils {
private CertUtils() {
}

public static SignatureAlgorithm getSignatureAlgorithm(X509Certificate cert) {
String signAlgName = cert.getSigAlgName();

for (SignatureAlgorithm sa : SignatureAlgorithm.values()) {
if (signAlgName.equalsIgnoreCase(sa.getAlgorithm())) {
return sa;
}
}

/*
Ensures that SignatureAlgorithms `PS256`, `PS384`, and `PS512` work properly on JDK 11 and later without the need
for BouncyCastle. Previous releases referenced a BouncyCastle-specific
algorithm name instead of the Java Security Standard Algorithm Name of
[`RSASSA-PSS`](https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#signature-algorithms).
This release ensures the standard name is used moving forward.
*/
if ("RSASSA-PSS".equals(signAlgName)) {
AlgorithmParameters algorithmParameters = CertUtils.getAlgorithmParameters(cert);
if (algorithmParameters == null) {
return null;
}

String algParamString = algorithmParameters.toString();
if (algParamString.contains("SHA-256")) {
return SignatureAlgorithm.PS256;
}
if (algParamString.contains("SHA-384")) {
return SignatureAlgorithm.PS384;
}
if (algParamString.contains("SHA-512")) {
return SignatureAlgorithm.PS512;
}
}
return null;
}

public static AlgorithmParameters getAlgorithmParameters(X509Certificate cert) {
try {
AlgorithmParameters result = AlgorithmParameters.getInstance(cert.getSigAlgName());
result.init(cert.getSigAlgParams());
return result;
} catch (Exception e) {
log.error(e.getMessage(), e);
}
return null;
}

public static X509Certificate x509CertificateFromBytes(byte[] cert) {
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
Expand Down

0 comments on commit 3e203f2

Please sign in to comment.