Fix certificate creation with cross-keys (#31866)

fixes #31864

Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
Pascal Knüppel 2024-08-07 12:41:12 +02:00 committed by GitHub
parent 35c8c09b8d
commit bf951a5554
3 changed files with 34 additions and 7 deletions


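--- a/<path-not-on-page>/JWKTest.java
+++ b/<path-not-on-page>/JWKTest.java
@@ -183,6 +183,36 @@ public abstract class JWKTest {
 verify(data, sign, JavaAlgorithm.ES256, publicKeyFromJwk);
 }
+@Test
+public void testCertificateGenerationWithRsaAndEc() throws Exception {
+KeyPairGenerator keyGenRsa = CryptoIntegration.getProvider().getKeyPairGen(KeyType.RSA);
+KeyPairGenerator keyGenEc = CryptoIntegration.getProvider().getKeyPairGen(KeyType.EC);
+SecureRandom randomGen = new SecureRandom();
+ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1");
+keyGenEc.initialize(ecSpec, randomGen);
+KeyPair keyPairRsa = keyGenRsa.generateKeyPair();
+KeyPair keyPairEc = keyGenEc.generateKeyPair();
+X509Certificate certificateRsa = generateV1SelfSignedCertificate(keyPairRsa, "root");
+X509Certificate certificateEc = generateV3Certificate(keyPairEc, keyPairRsa.getPrivate(), certificateRsa, "child");
+certificateRsa.verify(keyPairRsa.getPublic());
+certificateEc.verify(keyPairRsa.getPublic());
+}
+@Test
+public void testCertificateGenerationWithEcAndRsa() throws Exception {
+KeyPairGenerator keyGenRsa = CryptoIntegration.getProvider().getKeyPairGen(KeyType.RSA);
+KeyPairGenerator keyGenEc = CryptoIntegration.getProvider().getKeyPairGen(KeyType.EC);
+SecureRandom randomGen = new SecureRandom();
+ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1");
+keyGenEc.initialize(ecSpec, randomGen);
+KeyPair keyPairRsa = keyGenRsa.generateKeyPair();
+KeyPair keyPairEc = keyGenEc.generateKeyPair();
+X509Certificate certificateEc = generateV1SelfSignedCertificate(keyPairEc, "root");
+X509Certificate certificateRsa = generateV3Certificate(keyPairRsa, keyPairEc.getPrivate(), certificateEc, "child");
+certificateRsa.verify(keyPairEc.getPublic());
+certificateEc.verify(keyPairEc.getPublic());
+}
 @Test
 public void publicEs256P256() throws Exception {
 testPublicEs256("secp256r1");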
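Review bot: Both new tests only check that the child certificate verifies under the CA public key; neither pins that the certificate carries the subject key it was generated for, so a regression that signs correctly but embeds the wrong public key (for example the CA's) would still pass. After `certificateEc.verify(keyPairRsa.getPublic());` add `assertEquals(keyPairEc.getPublic(), certificateEc.getPublicKey());` in testCertificateGenerationWithRsaAndEc, and the mirror `assertEquals(keyPairRsa.getPublic(), certificateRsa.getPublicKey());` in testCertificateGenerationWithEcAndRsa, using whichever assertEquals the class already imports since it is not visible in the hunk. The key-generation preamble is duplicated verbatim between the two methods; a small private helper that returns the RSA and EC key pairs would keep each test focused on the cross-algorithm assertion it exists for.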


@ -84,10 +84,9 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
* @param caCert the CA certificate * @param caCert the CA certificate
* @param subject the subject name * @param subject the subject name
* @return the x509 certificate * @return the x509 certificate
* @throws Exception the exception
*/ */
public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert, public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
String subject) throws Exception { String subject) {
try { try {
X500Name subjectDN = new X500Name("CN=" + subject); X500Name subjectDN = new X500Name("CN=" + subject);
@ -131,7 +130,7 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
// Content Signer // Content Signer
ContentSigner sigGen; ContentSigner sigGen;
switch (keyPair.getPublic().getAlgorithm()) switch (caCert.getPublicKey().getAlgorithm())
{ {
case "EC": case "EC":
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER) sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
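Review bot: The signer algorithm is now chosen from `caCert.getPublicKey().getAlgorithm()` while the signature is produced with `caPrivateKey`, so a caller passing a CA certificate and CA private key of different types (or a certificate that does not belong to that private key) gets either a failure deep inside the content-signer build or a certificate that never verifies against caCert, neither of which is a clear error. Before the switch, add `if (!caCert.getPublicKey().getAlgorithm().equals(caPrivateKey.getAlgorithm())) { throw new IllegalArgumentException("caPrivateKey algorithm does not match caCert public key algorithm"); }`. The same applies to the BCFIPSCertificateUtilsProvider hunk below, where the switch was moved from `caPrivateKey.getAlgorithm()` to the certificate key; if that move was made because the FIPS provider reports a different algorithm name on private keys, the comparison there needs to normalize the names rather than compare them verbatim. The `@throws Exception` Javadoc was dropped together with the checked exception, but the body still opens a `try` whose catch is outside the hunk; if it rethrows an unchecked exception, document that with a `@throws` tag. The generateV3Certificate bodies continue past the end of the hunk.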


@ -86,11 +86,9 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
* @param subject the subject name * @param subject the subject name
* *
* @return the x509 certificate * @return the x509 certificate
*
* @throws Exception the exception
*/ */
public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert, public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
String subject) throws Exception { String subject) {
try { try {
X500Name subjectDN = new X500Name("CN=" + subject); X500Name subjectDN = new X500Name("CN=" + subject);
@ -134,7 +132,7 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
// Content Signer // Content Signer
ContentSigner sigGen; ContentSigner sigGen;
switch (caPrivateKey.getAlgorithm()){ switch (caCert.getPublicKey().getAlgorithm()){
case "EC": case "EC":
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER) sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
.build(caPrivateKey); .build(caPrivateKey);