Begin to add support for encrypted pkcs8 keys to file credential resolver.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 8 Dec 2003 04:03:16 +0000 (04:03 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 8 Dec 2003 04:03:16 +0000 (04:03 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@804 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

data/credentials11.xml [new file with mode: 0644]
src/edu/internet2/middleware/shibboleth/common/Credentials.java
tests/edu/internet2/middleware/shibboleth/common/CredentialsTests.java

diff --git a/data/credentials11.xml b/data/credentials11.xml
new file mode 100644 (file)
index 0000000..b8e7656
--- /dev/null
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Credentials xmlns="urn:mace:shibboleth:credentials:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+       xsi:schemaLocation="urn:mace:shibboleth:credentials:1.0 credentials.xsd">
+       
+       <FileResolver Id="test">
+               <Certificate format="PEM">
+                       <Path>/conf/test.pemcrt</Path>
+               </Certificate>
+               <Key format="DER">
+                       <Path>/conf/test.pkcs8.enc.derkey</Path>
+               </Key>
+       </FileResolver>
+</Credentials>
\ No newline at end of file
index a1eb7b8..4ef840e 100644 (file)
 
 package edu.internet2.middleware.shibboleth.common;
 
+
 import java.io.BufferedReader;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
+import java.security.AlgorithmParameters;
 import java.security.GeneralSecurityException;
 import java.security.KeyFactory;
 import java.security.KeyStore;
@@ -62,11 +64,20 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Hashtable;
 
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.interfaces.PBEKey;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
+
 import org.apache.log4j.Logger;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
+import edu.internet2.middleware.shibboleth.common.EncryptedPrivateKeyInfo;
+
 import sun.misc.BASE64Decoder;
 import sun.security.util.DerValue;
 
@@ -194,6 +205,7 @@ class FileCredentialResolver implements CredentialResolver {
                log.debug("Key Path: (" + keyPath + ").");
 
                //TODO encrypted keys
+               //TODO maybe more info statements
 
                PrivateKey key = null;
 
@@ -376,8 +388,10 @@ class FileCredentialResolver implements CredentialResolver {
                                }
 
                                System.err.println("OID: " + grandChild.getOID().toString());
-                               log.error("Credential load cannot yet read encrypted keys.");
-                               throw new CredentialFactoryException("Unable to load private key.");
+                               log.debug("Key appears to be formatted as encrypted PKCS8. Loading...");
+                               return getEncryptedPkcs8Key(inputBytes.toByteArray());
+                               //log.error("Credential loader cannot yet read encrypted private keys.");
+                               //throw new CredentialFactoryException("Unable to load private key.");
 
                        } else if (childValues[0].tag == DerValue.tag_Integer) {
 
@@ -409,7 +423,7 @@ class FileCredentialResolver implements CredentialResolver {
                                                throw new CredentialFactoryException("Unable to load private key.");
                                        }
 
-                                       log.debug("Key appears to be PKCS8. Loading...");
+                                       log.debug("Key appears to be formatted as PKCS8. Loading...");
                                        return getRSAPkcs8DerKey(inputBytes.toByteArray());
 
                                } else if (childValues[1].tag == DerValue.tag_Integer) {
@@ -698,6 +712,41 @@ class FileCredentialResolver implements CredentialResolver {
                        throw new CredentialFactoryException("Unable to load private key.");
                }
        }
+       
+       private PrivateKey getEncryptedPkcs8Key(byte[] bytes) throws CredentialFactoryException {
+
+               try {
+                       String password = "test123";
+                       EncryptedPrivateKeyInfo encryptedKeyInfo = new EncryptedPrivateKeyInfo(bytes);
+                       AlgorithmParameters params = encryptedKeyInfo.getAlgParameters();
+                       System.err.println(params);
+                       System.err.println(encryptedKeyInfo.getAlgName());
+                       //PBEParameterSpec pbeParamSpec = new PBEParameterSpec(salt, count); 
+                       SecretKeyFactory keyFactory =
+                                               SecretKeyFactory.getInstance("pbeWithMD5AndDES");
+                       PBEKeySpec passwordSpec = new PBEKeySpec("test123".toCharArray());
+                       //PBEParameterSpec paramSpec = new PBEParameterSpec();
+                       SecretKey key = keyFactory.generateSecret(passwordSpec);
+                       System.err.println(key.getClass().getName());
+                       Cipher cipher = Cipher.getInstance("pbeWithMD5AndDES");
+                       cipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(new byte[0], 0));
+                       
+                       return null;
+                       
+                       /*
+                       
+                       KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+                       PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(bytes);
+                       return keyFactory.generatePrivate(keySpec);
+*/
+               } catch (Exception e) {
+                       e.printStackTrace();
+                       log.error("Unable to load private key: " + e);
+                       throw new CredentialFactoryException("Unable to load private key.");
+               }
+       }
+       
+       
 
        private byte[] singleDerFromPEM(byte[] bytes, String beginToken, String endToken) throws IOException {
 
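Review bot: getEncryptedPkcs8Key, the new method at the end of this section, initializes the cipher and then executes `return null;`, so no key is ever produced and the `assertNotNull("Private key was not loaded correctly.", credential.getPrivateKey())` in the CredentialsTests hunk cannot pass as committed. The passphrase is the literal `"test123"` (once as a local, once inline in the PBEKeySpec), the PBE algorithm is hard-wired to `pbeWithMD5AndDES` while `encryptedKeyInfo.getAlgName()` is only printed, and `new PBEParameterSpec(new byte[0], 0)` discards the salt and iteration count that `getAlgParameters()` already returned, so decryption would fail for any real key even once the return is fixed. The System.err.println calls and e.printStackTrace() are debugging output that should not ship, the commented-out alternatives kept here and at the call site (`//log.error(...)` / `//throw new ...`) should be deleted rather than preserved, and the catch can be narrowed to IOException / GeneralSecurityException once the throws clause of the project's own EncryptedPrivateKeyInfo (imported from this package, not javax.crypto) is confirmed. The rewrite below assumes that class mirrors javax.crypto.EncryptedPrivateKeyInfo's getKeySpec(Cipher); if it only exposes the encrypted bytes, decrypt them with cipher.doFinal and wrap the result in a PKCS8EncodedKeySpec instead, and pass the passphrase in from the resolver configuration rather than the placeholder shown.
```java
private PrivateKey getEncryptedPkcs8Key(byte[] bytes) throws CredentialFactoryException {

	try {
		// TODO(review): passphrase must come from the resolver configuration, never a literal
		char[] password = CONFIGURED_PASSPHRASE_PLACEHOLDER;
		EncryptedPrivateKeyInfo encryptedKeyInfo = new EncryptedPrivateKeyInfo(bytes);
		// Algorithm name and parameters (salt, iteration count) are carried in the PKCS#8 blob itself
		String algName = encryptedKeyInfo.getAlgName();
		AlgorithmParameters params = encryptedKeyInfo.getAlgParameters();
		SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(algName);
		PBEKeySpec passwordSpec = new PBEKeySpec(password);
		SecretKey key = keyFactory.generateSecret(passwordSpec);
		Cipher cipher = Cipher.getInstance(algName);
		cipher.init(Cipher.DECRYPT_MODE, key, params);
		// presumes the local EncryptedPrivateKeyInfo offers getKeySpec(Cipher) like javax.crypto's — confirm
		PKCS8EncodedKeySpec keySpec = encryptedKeyInfo.getKeySpec(cipher);
		passwordSpec.clearPassword();
		return KeyFactory.getInstance("RSA").generatePrivate(keySpec);
	} catch (IOException e) {
		log.error("Unable to load private key: " + e);
		throw new CredentialFactoryException("Unable to load private key.");
	} catch (GeneralSecurityException e) {
		log.error("Unable to load private key: " + e);
		throw new CredentialFactoryException("Unable to load private key.");
	}
}
```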
index 00e4e82..7e09454 100644 (file)
@@ -432,5 +432,36 @@ public class CredentialsTests extends TestCase {
                        fail("Failed to load credentials: " + e);
                }
        }
+       
+       public void testKeyStoreX509_PEM_PKCS8_Encrypted_RSA_Key() {
+
+               try {
+                       InputStream inStream = new FileInputStream("data/credentials11.xml");
+                       parser.parse(new InputSource(inStream));
+                       Credentials credentials = new Credentials(parser.getDocument().getDocumentElement());
+
+                       assertTrue("Credential could not be found.", credentials.containsCredential("test"));
+                       Credential credential = credentials.getCredential("test");
+
+                       assertTrue(
+                               "Credential was loaded with an incorrect type.",
+                               credential.getCredentialType() == Credential.X509);
+                       assertNotNull("Private key was not loaded correctly.", credential.getPrivateKey());
+                       assertEquals(
+                               "Unexpected X509 certificate found.",
+                               credential.getX509Certificate().getSubjectDN().getName(),
+                               "CN=shib2.internet2.edu, OU=Unknown, O=Unknown, ST=Unknown, C=Unknown");
+                       assertEquals(
+                               "Unexpected certificate chain length.",
+                               new Integer(credential.getX509CertificateChain().length),
+                               new Integer(3));
+                       assertEquals(
+                               "Unexpected X509 certificate found.",
+                               credential.getX509CertificateChain()[2].getSubjectDN().getName(),
+                               "CN=HEPKI Master CA -- 20020701A, OU=Division of Information Technology, O=University of Wisconsin, L=Madison, ST=Wisconsin, C=US");
+               } catch (Exception e) {
+                       fail("Failed to load credentials: " + e);
+               }
+       }
 
 }
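Review bot: The FileInputStream opened in testKeyStoreX509_PEM_PKCS8_Encrypted_RSA_Key is never closed; declare `inStream` before the try and add `finally { inStream.close(); }` so the handle is released whether or not parsing succeeds. The test reads data/credentials11.xml, whose Key element points at `/conf/test.pkcs8.enc.derkey`, and that file is not among the three this commit touches, so the test presumably also depends on a resource that still has to be added.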