X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms.lib.sshd%2Fsrc%2Forg%2Fargeo%2Fcms%2Fbc%2FBcUtils.java;h=81ab6772768264a5afbf942be6f1b97b93d11f2a;hb=HEAD;hp=d2fc89f795a2e3a872147b0e8ebe78cfcbea56c9;hpb=d2bca81ff63496bf1d879f4cbcd6a531f598e69c;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms.lib.sshd/src/org/argeo/cms/bc/BcUtils.java b/org.argeo.cms.lib.sshd/src/org/argeo/cms/bc/BcUtils.java
index d2fc89f79..81ab67727 100644
--- a/org.argeo.cms.lib.sshd/src/org/argeo/cms/bc/BcUtils.java
+++ b/org.argeo.cms.lib.sshd/src/org/argeo/cms/bc/BcUtils.java
@@ -4,6 +4,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.Reader;
+import java.lang.reflect.InvocationTargetException;
 import java.math.BigInteger;
 import java.net.InetAddress;
 import java.nio.file.Files;
@@ -13,6 +14,7 @@ import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.KeyStore;
 import java.security.PrivateKey;
+import java.security.Provider;
 import java.security.SecureRandom;
 import java.security.Security;
 import java.security.cert.Certificate;
@@ -29,7 +31,6 @@ import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
@@ -44,12 +45,43 @@ import org.bouncycastle.pkcs.PKCSException; public class BcUtils { private final static CmsLog log = CmsLog.getLog(BcUtils.class); - private final static String BC_SECURITY_PROVIDER; + private final static String BC_SECURITY_PROVIDER_FIPS = "BCFIPS"; +// private final static String BC_SECURITY_PROVIDER_NON_FIPS = "BC"; + public final static String BC_SECURITY_PROVIDER; static { - Security.addProvider(new BouncyCastleProvider()); - BC_SECURITY_PROVIDER = "BC"; + Class clss = null; + try { + clss = Class.forName("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider"); + } catch (ClassNotFoundException e) { + log.warn("Bouncy Castle FIPS provider could not be initialised," + + " we assume the non-FIPS provider is configured externally. (" + e + ")"); + try { + clss = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider"); + } catch (ClassNotFoundException e1) { + // silent + } + } + if (clss != null) { + try { + Provider provider = (Provider) clss.getDeclaredConstructor().newInstance(); + Security.addProvider(provider); + BC_SECURITY_PROVIDER = provider.getName(); + } catch (IllegalAccessException | InstantiationException | IllegalArgumentException + | InvocationTargetException | NoSuchMethodException | SecurityException e) { + throw new IllegalStateException("Cannot load Bouncy Castle provider " + clss, e); + } + } else { + throw new IllegalStateException("Cannot load any Bouncy Castle provider"); + } } + public static boolean isFipsProvider() { + return BC_SECURITY_PROVIDER.equals(BC_SECURITY_PROVIDER_FIPS); + } + + /* + * openssl req -x509 -newkey rsa:3072 -keyout node.key -out node.crt -sha256 -days 365 -nodes -subj "/O=UNSECURE/OU=UNSECURE/CN=$(hostname)" + */ public static void createSelfSignedKeyStore(Path keyStorePath, char[] keyStorePassword, String keyStoreType) { // for (Provider provider : Security.getProviders()) // System.out.println(provider.getName()); 
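Review bot: The fallback path in the new static initializer swallows the second `ClassNotFoundException` at `// silent`, so the `"Cannot load any Bouncy Castle provider"` failure surfaces (as an `ExceptionInInitializerError` on first use of `BcUtils`) with no cause saying which class lookups failed; replacing `// silent` with `throw new IllegalStateException("Cannot load any Bouncy Castle provider", e1);` keeps the cause, after which the `else` branch is dead and can be dropped. The warning text also claims the non-FIPS provider is "configured externally" while the code then loads and registers `org.bouncycastle.jce.provider.BouncyCastleProvider` itself, so the message should say it falls back to the non-FIPS provider instead. `Class clss` is a raw type; `Class<?> clss = null;` avoids the unchecked warning without changing behaviour. If `isFipsProvider()` is meant to be read as "running in FIPS-approved mode", its Javadoc should state that the presence of the BCFIPS provider does not by itself enable approved-only mode (as far as I recall that is a separate JVM/system-property configuration), so callers must not treat a `true` result as a compliance guarantee.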
@@ -61,7 +93,7 @@ public class BcUtils { KeyStore keyStore = getKeyStore(keyStorePath, keyStorePassword, keyStoreType); generateSelfSignedCertificate(keyStore, new X500Principal("CN=" + InetAddress.getLocalHost().getHostName() + ",OU=UNSECURE,O=UNSECURE"), - 1024, keyPwd); + 3072, keyPwd); saveKeyStore(keyStorePath, keyStorePassword, keyStore); if (log.isDebugEnabled()) log.debug("Created self-signed unsecure keystore " + keyStorePath); @@ -165,4 +197,8 @@ public class BcUtils { /** singleton */ private BcUtils() { } + +// public static void main(String args[]) { +// createSelfSignedKeyStore(Paths.get("./selfsigned.p12"), "demo".toCharArray(), "PKCS12"); +// } }
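Review bot: The new RSA key size is a bare literal `3072` handed to `generateSelfSignedCertificate`, duplicated by the `rsa:3072` in the openssl comment added above `createSelfSignedKeyStore` in the previous hunk; a named constant such as `private final static int SELF_SIGNED_RSA_KEY_SIZE = 3072;` used at the call site (and referenced from the comment) keeps the two from drifting and gives a place to document why this size was chosen over the old 1024. Whether the signature digest and validity period used by `generateSelfSignedCertificate` match the `-sha256 -days 365` in that comment cannot be checked here, since that method is outside the hunk, and it is worth confirming that RSA generation at this size is accepted by the BCFIPS provider in whatever mode the deployment runs. `createSelfSignedKeyStore` starts before this hunk and its body continues past it.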