Fix certificate creation with cross-keys (#31866)
fixes #31864 Signed-off-by: Pascal Knüppel <pascal.knueppel@governikus.de>
This commit is contained in:
parent
35c8c09b8d
commit
bf951a5554
3 changed files with 34 additions and 7 deletions
|
@ -183,6 +183,36 @@ public abstract class JWKTest {
|
||||||
verify(data, sign, JavaAlgorithm.ES256, publicKeyFromJwk);
|
verify(data, sign, JavaAlgorithm.ES256, publicKeyFromJwk);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCertificateGenerationWithRsaAndEc() throws Exception {
|
||||||
|
KeyPairGenerator keyGenRsa = CryptoIntegration.getProvider().getKeyPairGen(KeyType.RSA);
|
||||||
|
KeyPairGenerator keyGenEc = CryptoIntegration.getProvider().getKeyPairGen(KeyType.EC);
|
||||||
|
SecureRandom randomGen = new SecureRandom();
|
||||||
|
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1");
|
||||||
|
keyGenEc.initialize(ecSpec, randomGen);
|
||||||
|
KeyPair keyPairRsa = keyGenRsa.generateKeyPair();
|
||||||
|
KeyPair keyPairEc = keyGenEc.generateKeyPair();
|
||||||
|
X509Certificate certificateRsa = generateV1SelfSignedCertificate(keyPairRsa, "root");
|
||||||
|
X509Certificate certificateEc = generateV3Certificate(keyPairEc, keyPairRsa.getPrivate(), certificateRsa, "child");
|
||||||
|
certificateRsa.verify(keyPairRsa.getPublic());
|
||||||
|
certificateEc.verify(keyPairRsa.getPublic());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCertificateGenerationWithEcAndRsa() throws Exception {
|
||||||
|
KeyPairGenerator keyGenRsa = CryptoIntegration.getProvider().getKeyPairGen(KeyType.RSA);
|
||||||
|
KeyPairGenerator keyGenEc = CryptoIntegration.getProvider().getKeyPairGen(KeyType.EC);
|
||||||
|
SecureRandom randomGen = new SecureRandom();
|
||||||
|
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp256r1");
|
||||||
|
keyGenEc.initialize(ecSpec, randomGen);
|
||||||
|
KeyPair keyPairRsa = keyGenRsa.generateKeyPair();
|
||||||
|
KeyPair keyPairEc = keyGenEc.generateKeyPair();
|
||||||
|
X509Certificate certificateEc = generateV1SelfSignedCertificate(keyPairEc, "root");
|
||||||
|
X509Certificate certificateRsa = generateV3Certificate(keyPairRsa, keyPairEc.getPrivate(), certificateEc, "child");
|
||||||
|
certificateRsa.verify(keyPairEc.getPublic());
|
||||||
|
certificateEc.verify(keyPairEc.getPublic());
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void publicEs256P256() throws Exception {
|
public void publicEs256P256() throws Exception {
|
||||||
testPublicEs256("secp256r1");
|
testPublicEs256("secp256r1");
|
||||||
|
|
|
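Review bot: Neither new test pins the property the cross-key fix is about: that the child certificate carries the subject key pair's public key while being signed with the CA key's algorithm. `certificateEc.verify(keyPairRsa.getPublic())` in testCertificateGenerationWithRsaAndEc only proves the signature was made with the RSA key; a regression that signed with and embedded the CA key would still pass, since nothing inspects `certificateEc.getPublicKey()`. I would add, after the verify calls, `assertEquals(keyPairEc.getPublic(), certificateEc.getPublicKey());` and a check that `certificateEc.getSigAlgName()` names an RSA algorithm (the exact string is provider-dependent, so a case-insensitive contains check is safer than equality), with the mirrored assertions on `certificateRsa` in testCertificateGenerationWithEcAndRsa. The assertion helper in use is not visible in this hunk, so the exact call may need adjusting to the test class's conventions.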
@ -84,10 +84,9 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
|
||||||
* @param caCert the CA certificate
|
* @param caCert the CA certificate
|
||||||
* @param subject the subject name
|
* @param subject the subject name
|
||||||
* @return the x509 certificate
|
* @return the x509 certificate
|
||||||
* @throws Exception the exception
|
|
||||||
*/
|
*/
|
||||||
public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
|
public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
|
||||||
String subject) throws Exception {
|
String subject) {
|
||||||
try {
|
try {
|
||||||
X500Name subjectDN = new X500Name("CN=" + subject);
|
X500Name subjectDN = new X500Name("CN=" + subject);
|
||||||
|
|
||||||
|
@ -131,7 +130,7 @@ public class BCCertificateUtilsProvider implements CertificateUtilsProvider {
|
||||||
|
|
||||||
// Content Signer
|
// Content Signer
|
||||||
ContentSigner sigGen;
|
ContentSigner sigGen;
|
||||||
switch (keyPair.getPublic().getAlgorithm())
|
switch (caCert.getPublicKey().getAlgorithm())
|
||||||
{
|
{
|
||||||
case "EC":
|
case "EC":
|
||||||
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
|
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
|
||||||
|
|
|
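Review bot: The new `switch (caCert.getPublicKey().getAlgorithm())` in the second hunk picks the signature algorithm from the CA certificate, but the signer is still built from `caPrivateKey`, so a mismatched pair of arguments is no longer rejected anywhere and would surface only as an opaque provider error from `JcaContentSignerBuilder.build`, or as a certificate that does not verify against the CA certificate. A precondition before the switch makes the contract explicit: `if (!caCert.getPublicKey().getAlgorithm().equals(caPrivateKey.getAlgorithm())) { throw new IllegalArgumentException("caPrivateKey algorithm " + caPrivateKey.getAlgorithm() + " does not match the CA certificate key algorithm " + caCert.getPublicKey().getAlgorithm()); }`. The same applies to the corresponding hunk in BCFIPSCertificateUtilsProvider (`@ -134,7 +132,7`), where the `.build(caPrivateKey)` call is visible. generateV3Certificate begins and ends outside both hunks and the switch's default branch is not shown, so I cannot tell how an unsupported algorithm is handled.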
@ -86,11 +86,9 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
|
||||||
* @param subject the subject name
|
* @param subject the subject name
|
||||||
*
|
*
|
||||||
* @return the x509 certificate
|
* @return the x509 certificate
|
||||||
*
|
|
||||||
* @throws Exception the exception
|
|
||||||
*/
|
*/
|
||||||
public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
|
public X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert,
|
||||||
String subject) throws Exception {
|
String subject) {
|
||||||
try {
|
try {
|
||||||
X500Name subjectDN = new X500Name("CN=" + subject);
|
X500Name subjectDN = new X500Name("CN=" + subject);
|
||||||
|
|
||||||
|
@ -134,7 +132,7 @@ public class BCFIPSCertificateUtilsProvider implements CertificateUtilsProvider{
|
||||||
|
|
||||||
// Content Signer
|
// Content Signer
|
||||||
ContentSigner sigGen;
|
ContentSigner sigGen;
|
||||||
switch (caPrivateKey.getAlgorithm()){
|
switch (caCert.getPublicKey().getAlgorithm()){
|
||||||
case "EC":
|
case "EC":
|
||||||
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
|
sigGen = new JcaContentSignerBuilder("SHA256WithECDSA").setProvider(BouncyIntegration.PROVIDER)
|
||||||
.build(caPrivateKey);
|
.build(caPrivateKey);
|
||||||
|
|