enable PQ certs for enrollment and protection

Adapt to NIST 203..205 align to BC 1.79
siemens · Nov 5, 2024 · 5abfe81 · 5abfe81
1 parent 552d765
commit 5abfe81
Show file tree

Hide file tree

Showing 44 changed files with 1,904 additions and 333 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -128,7 +128,7 @@ feat: implement configurable recipient
 
 fix: extension processing in CMP client
 
-### 4.1.0 (Dec 14 2023)
+### 4.1.0 (Dec 14 2024)
 
 feat: revocation checking via inventory interface
 

diff --git a/pom.xml b/pom.xml
@@ -8,7 +8,7 @@
 	<groupId>com.siemens.pki</groupId>
 	<artifactId>CmpRaComponent</artifactId>
 	<packaging>jar</packaging>
-	<version>4.2.0</version>
+	<version>4.3.0</version>
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<parent.basedir>.</parent.basedir>
@@ -93,7 +93,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>3.10.0</version>
+				<version>3.10.1</version>
 				<executions>
 					<execution>
 						<id>javadoc-jar</id>
@@ -118,7 +118,7 @@
 							<include>src/test/java/**/*.java</include>
 						</includes>
 						<palantirJavaFormat>
-							<version>2.38.0</version>
+							<version>2.39.0</version>
 						</palantirJavaFormat>
 						<importOrder />
 						<removeUnusedImports />
@@ -177,7 +177,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-gpg-plugin</artifactId>
-				<version>3.2.5</version>
+				<version>3.2.7</version>
 				<executions>
 					<execution>
 						<id>sign-artifacts</id>
@@ -204,7 +204,7 @@
 			<plugin>
 				<groupId>org.cyclonedx</groupId>
 				<artifactId>cyclonedx-maven-plugin</artifactId>
-				<version>2.8.1</version>
+				<version>2.8.2</version>
 				<executions>
 					<execution>
 						<phase>package</phase>
@@ -225,12 +225,17 @@
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcprov-jdk18on</artifactId>
-			<version>1.78.1</version>
+			<version>1.79</version>
 		</dependency>
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcpkix-jdk18on</artifactId>
-			<version>1.78.1</version>
+			<version>1.79</version>
+		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcutil-jdk18on</artifactId>
+			<version>1.79</version>
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
@@ -240,12 +245,12 @@
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>
-			<version>2.17.2</version>
+			<version>2.18.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.dataformat</groupId>
 			<artifactId>jackson-dataformat-yaml</artifactId>
-			<version>2.17.2</version>
+			<version>2.18.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.jacoco</groupId>

diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java b/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java
@@ -76,7 +76,7 @@ class ValidatorAndProtector {
 
         private final MessageHeaderValidator headerValidator;
 
-        private final ValidatorIF<String> bodyValidator;
+        private final ValidatorIF<Boolean> bodyValidator;
 
         private final VerificationContext inputVerification;
 

diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java b/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java
@@ -40,12 +40,10 @@
 import com.siemens.pki.cmpracomponent.protection.ProtectionProvider;
 import com.siemens.pki.cmpracomponent.protection.SignatureBasedProtection;
 import com.siemens.pki.cmpracomponent.util.MessageDumper;
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -63,6 +61,7 @@
 import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers;
 import org.bouncycastle.asn1.cmp.CRLSource;
 import org.bouncycastle.asn1.cmp.CRLStatus;
+import org.bouncycastle.asn1.cmp.CertOrEncCert;
 import org.bouncycastle.asn1.cmp.CertRepMessage;
 import org.bouncycastle.asn1.cmp.CertReqTemplateContent;
 import org.bouncycastle.asn1.cmp.CertResponse;
@@ -76,6 +75,7 @@
 import org.bouncycastle.asn1.cmp.PKIStatus;
 import org.bouncycastle.asn1.cmp.RevRepContent;
 import org.bouncycastle.asn1.cmp.RootCaKeyUpdateContent;
+import org.bouncycastle.asn1.cms.ContentInfo;
 import org.bouncycastle.asn1.cms.EnvelopedData;
 import org.bouncycastle.asn1.crmf.AttributeTypeAndValue;
 import org.bouncycastle.asn1.crmf.CertId;
@@ -89,6 +89,10 @@
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.asn1.x509.Time;
+import org.bouncycastle.cms.CMSEnvelopedData;
+import org.bouncycastle.cms.RecipientInformation;
+import org.bouncycastle.cms.RecipientInformationStore;
+import org.bouncycastle.cms.jcajce.JceKEMEnvelopedRecipient;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -140,6 +144,7 @@ public interface EnrollmentResult {
 
     /**
      * ctor
+     *
      * @param certProfile           certificate profile to be used for enrollment.
      *                              <code>null</code> if no certificate profile
      *                              should be used.
@@ -299,12 +304,11 @@ public List<X509CRL> getCrls(
                             if (infoValue == null) {
                                 return null;
                             }
-                            final CertificateFactory certificateFactory = CertUtility.getCertificateFactory();
                             final ASN1Sequence crls = ASN1Sequence.getInstance(infoValue);
                             final List<X509CRL> ret = new ArrayList<>(crls.size());
                             for (final ASN1Encodable aktCrl : crls) {
-                                ret.add((X509CRL) certificateFactory.generateCRL(new ByteArrayInputStream(
-                                        aktCrl.toASN1Primitive().getEncoded())));
+                                ret.add(CertUtility.parseCrl(
+                                        aktCrl.toASN1Primitive().getEncoded()));
                             }
                             return ret;
                         }
@@ -497,8 +501,23 @@ public EnrollmentResult invokeEnrollment() {
                 return null;
             }
             final CertifiedKeyPair certifiedKeyPair = certResponse.getCertifiedKeyPair();
-            final CMPCertificate enrolledCertificate =
-                    certifiedKeyPair.getCertOrEncCert().getCertificate();
+            CertOrEncCert certOrEncCert = certifiedKeyPair.getCertOrEncCert();
+            CMPCertificate enrolledCertificate = null;
+            if (certOrEncCert.hasEncryptedCertificate()) {
+                JceKEMEnvelopedRecipient jkr = new JceKEMEnvelopedRecipient(certificateKeypair.getPrivate());
+                EnvelopedData envelopedData =
+                        (EnvelopedData) certOrEncCert.getEncryptedCert().getValue();
+                final CMSEnvelopedData cmsEnvelopedData = new CMSEnvelopedData(
+                        new ContentInfo(envelopedData.getEncryptedContentInfo().getContentType(), envelopedData));
+                final RecipientInformationStore recipients = cmsEnvelopedData.getRecipientInfos();
+                for (RecipientInformation recipient : recipients.getRecipients()) {
+                    byte[] content = recipient.getContent(jkr);
+                    enrolledCertificate = CMPCertificate.getInstance(content);
+                    break;
+                }
+            } else {
+                enrolledCertificate = certOrEncCert.getCertificate();
+            }
 
             if (enrollmentType != PKIBody.TYPE_P10_CERT_REQ && enrolledPrivateKey == null) {
                 // central key generation in place, decrypt private key

diff --git a/src/main/java/com/siemens/pki/cmpracomponent/configuration/SignatureCredentialContext.java b/src/main/java/com/siemens/pki/cmpracomponent/configuration/SignatureCredentialContext.java
@@ -47,6 +47,18 @@ public interface SignatureCredentialContext extends CredentialContext {
      */
     PrivateKey getPrivateKey();
 
+    /**
+     * provide the alternative private key for the end certificate, see X.509 (2019)
+     * section 9.8
+     *
+     * @return private key for first certificate returned by
+     *         {@link #getCertificateChain()}
+     */
+    default PrivateKey getAlternativePrivateKey() {
+        return null;
+    }
+    ;
+
     /**
      * provide name or OID of signature algorithm, see <a
      * href=https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#signature-algorithms>Signature