enable PQ keys, algorithms and certs for enrollment and protection

CHANGELOG.md

@@ -128,7 +128,7 @@ feat: implement configurable recipient
 
 fix: extension processing in CMP client
 
-### 4.1.0 (Dec 14 2023)
+### 4.1.0 (Dec 14 2024)
 
 feat: revocation checking via inventory interface
 

pom.xml

@@ -8,7 +8,7 @@
 	<groupId>com.siemens.pki</groupId>
 	<artifactId>CmpRaComponent</artifactId>
 	<packaging>jar</packaging>
-	<version>4.2.0</version>
+	<version>4.3.0</version>
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<parent.basedir>.</parent.basedir>
@@ -93,7 +93,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>3.10.0</version>
+				<version>3.10.1</version>
 				<executions>
 					<execution>
 						<id>javadoc-jar</id>
@@ -118,7 +118,7 @@
 							<include>src/test/java/**/*.java</include>
 						</includes>
 						<palantirJavaFormat>
-							<version>2.38.0</version>
+							<version>2.39.0</version>
 						</palantirJavaFormat>
 						<importOrder />
 						<removeUnusedImports />
@@ -177,7 +177,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-gpg-plugin</artifactId>
-				<version>3.2.5</version>
+				<version>3.2.7</version>
 				<executions>
 					<execution>
 						<id>sign-artifacts</id>
@@ -204,7 +204,7 @@
 			<plugin>
 				<groupId>org.cyclonedx</groupId>
 				<artifactId>cyclonedx-maven-plugin</artifactId>
-				<version>2.8.1</version>
+				<version>2.8.2</version>
 				<executions>
 					<execution>
 						<phase>package</phase>
@@ -225,12 +225,17 @@
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcprov-jdk18on</artifactId>
-			<version>1.78.1</version>
+			<version>1.79</version>
 		</dependency>
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
 			<artifactId>bcpkix-jdk18on</artifactId>
-			<version>1.78.1</version>
+			<version>1.79</version>
+		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcutil-jdk18on</artifactId>
+			<version>1.79</version>
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
@@ -240,12 +245,12 @@
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>
-			<version>2.17.2</version>
+			<version>2.18.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.dataformat</groupId>
 			<artifactId>jackson-dataformat-yaml</artifactId>
-			<version>2.17.2</version>
+			<version>2.18.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.jacoco</groupId>

src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java

@@ -76,7 +76,7 @@ class ValidatorAndProtector {
 
         private final MessageHeaderValidator headerValidator;
 
-        private final ValidatorIF<String> bodyValidator;
+        private final ValidatorIF<Boolean> bodyValidator;
 
         private final VerificationContext inputVerification;
 

src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java

@@ -40,12 +40,10 @@
 import com.siemens.pki.cmpracomponent.protection.ProtectionProvider;
 import com.siemens.pki.cmpracomponent.protection.SignatureBasedProtection;
 import com.siemens.pki.cmpracomponent.util.MessageDumper;
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -63,6 +61,7 @@
 import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers;
 import org.bouncycastle.asn1.cmp.CRLSource;
 import org.bouncycastle.asn1.cmp.CRLStatus;
+import org.bouncycastle.asn1.cmp.CertOrEncCert;
 import org.bouncycastle.asn1.cmp.CertRepMessage;
 import org.bouncycastle.asn1.cmp.CertReqTemplateContent;
 import org.bouncycastle.asn1.cmp.CertResponse;
@@ -76,6 +75,7 @@
 import org.bouncycastle.asn1.cmp.PKIStatus;
 import org.bouncycastle.asn1.cmp.RevRepContent;
 import org.bouncycastle.asn1.cmp.RootCaKeyUpdateContent;
+import org.bouncycastle.asn1.cms.ContentInfo;
 import org.bouncycastle.asn1.cms.EnvelopedData;
 import org.bouncycastle.asn1.crmf.AttributeTypeAndValue;
 import org.bouncycastle.asn1.crmf.CertId;
@@ -89,6 +89,11 @@
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.asn1.x509.Time;
+import org.bouncycastle.cms.CMSEnvelopedData;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.RecipientInformation;
+import org.bouncycastle.cms.RecipientInformationStore;
+import org.bouncycastle.cms.jcajce.JceKEMEnvelopedRecipient;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -140,6 +145,7 @@ public interface EnrollmentResult {
 
     /**
      * ctor
+     *
      * @param certProfile           certificate profile to be used for enrollment.
      *                              <code>null</code> if no certificate profile
      *                              should be used.
@@ -299,12 +305,11 @@ public List<X509CRL> getCrls(
                             if (infoValue == null) {
                                 return null;
                             }
-                            final CertificateFactory certificateFactory = CertUtility.getCertificateFactory();
                             final ASN1Sequence crls = ASN1Sequence.getInstance(infoValue);
                             final List<X509CRL> ret = new ArrayList<>(crls.size());
                             for (final ASN1Encodable aktCrl : crls) {
-                                ret.add((X509CRL) certificateFactory.generateCRL(new ByteArrayInputStream(
-                                        aktCrl.toASN1Primitive().getEncoded())));
+                                ret.add(CertUtility.parseCrl(
+                                        aktCrl.toASN1Primitive().getEncoded()));
                             }
                             return ret;
                         }
@@ -497,8 +502,31 @@ public EnrollmentResult invokeEnrollment() {
                 return null;
             }
             final CertifiedKeyPair certifiedKeyPair = certResponse.getCertifiedKeyPair();
-            final CMPCertificate enrolledCertificate =
-                    certifiedKeyPair.getCertOrEncCert().getCertificate();
+            CertOrEncCert certOrEncCert = certifiedKeyPair.getCertOrEncCert();
+            CMPCertificate enrolledCertificate = null;
+            if (certOrEncCert.hasEncryptedCertificate()) {
+                JceKEMEnvelopedRecipient jkr = new JceKEMEnvelopedRecipient(certificateKeypair.getPrivate());
+                EnvelopedData envelopedData =
+                        (EnvelopedData) certOrEncCert.getEncryptedCert().getValue();
+                final CMSEnvelopedData cmsEnvelopedData = new CMSEnvelopedData(
+                        new ContentInfo(envelopedData.getEncryptedContentInfo().getContentType(), envelopedData));
+                final RecipientInformationStore recipients = cmsEnvelopedData.getRecipientInfos();
+                for (RecipientInformation recipient : recipients.getRecipients()) {
+                    try {
+                        byte[] content = recipient.getContent(jkr);
+                        enrolledCertificate = CMPCertificate.getInstance(content);
+                        break;
+                    } catch (CMSException ex) {
+                        // try next recipient
+                    }
+                }
+            } else {
+                enrolledCertificate = certOrEncCert.getCertificate();
+            }
+            if (enrolledCertificate == null) {
+                LOGGER.error("could not extract enrolled certificate from response");
+                return null;
+            }
 
             if (enrollmentType != PKIBody.TYPE_P10_CERT_REQ && enrolledPrivateKey == null) {
                 // central key generation in place, decrypt private key

src/main/java/com/siemens/pki/cmpracomponent/configuration/SignatureCredentialContext.java

@@ -47,6 +47,17 @@ public interface SignatureCredentialContext extends CredentialContext {
      */
     PrivateKey getPrivateKey();
 
+    /**
+     * provide the alternative private key for the end certificate, see X.509 (2019)
+     * section 9.8
+     *
+     * @return private key for first certificate returned by
+     *         {@link #getCertificateChain()}
+     */
+    default PrivateKey getAlternativePrivateKey() {
+        return null;
+    }
+
     /**
      * provide name or OID of signature algorithm, see <a
      * href=https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#signature-algorithms>Signature

src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/AlgorithmHelper.java

@@ -22,6 +22,7 @@
 import java.security.Key;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.Signature;
 import java.util.HashMap;
 import java.util.Map;
 import javax.crypto.Mac;
@@ -245,6 +246,7 @@ String[] extractAliases(final ASN1ObjectIdentifier cmpId) {
 
     /**
      * convert shared secrets from byte[] to char[]
+     *
      * @param sharedSecret sharedSecret as byte[]
      * @return sharedSecret as char[]
      */
@@ -261,6 +263,7 @@ public static char[] convertSharedSecretToPassword(final byte[] sharedSecret) {
 
     /**
      * get AlgorithmIdentifier for MessageDigest
+     *
      * @param dig digest
      * @return AlgorithmIdentifier
      */
@@ -295,6 +298,7 @@ public static AlgorithmIdentifier getAlgOID(final String algorithm) {
 
     /**
      * get OID for name of KEK algorithm
+     *
      * @param id name of KEK algorithm
      * @return KEK OID
      * @throws NoSuchAlgorithmException if id is unknown
@@ -305,6 +309,7 @@ public static ASN1ObjectIdentifier getKekOID(final String id) throws NoSuchAlgor
 
     /**
      * get OID for key agreement algorithm name
+     *
      * @param id name of key agreement algorithm
      * @return key agreement OID
      * @throws NoSuchAlgorithmException if id is unknown
@@ -315,6 +320,7 @@ public static final ASN1ObjectIdentifier getKeyAgreementOID(final String id) thr
 
     /**
      * get OID for key encryption algorithm name
+     *
      * @param id name of key encryption algorithm
      * @return key encryption OID
      * @throws NoSuchAlgorithmException if id is unknown
@@ -324,7 +330,8 @@ public static ASN1ObjectIdentifier getKeyEncryptionOID(final String id) throws N
     }
 
     /**
-     * get OID for MAC name
+     * get MAC for name or OID
+     *
      * @param macId name of MAC
      * @return mac
      * @throws NoSuchAlgorithmException if macId is unknown
@@ -333,8 +340,20 @@ public static Mac getMac(final String macId) throws NoSuchAlgorithmException {
         return Mac.getInstance(macId, CertUtility.getBouncyCastleProvider());
     }
 
+    /**
+     * get Signature for name or OID
+     *
+     * @param signatureId name of Signature
+     * @return signature
+     * @throws NoSuchAlgorithmException if signatureId is unknown
+     */
+    public static Signature getSignature(String signatureId) throws NoSuchAlgorithmException {
+        return Signature.getInstance(signatureId, CertUtility.getBouncyCastleProvider());
+    }
+
     /**
      * get MessageDigest for MessageDigest name
+     *
      * @param id MessageDigest name
      * @return MessageDigest instance
      * @throws NoSuchAlgorithmException if nothing found
@@ -345,6 +364,7 @@ public static MessageDigest getMessageDigest(final String id) throws NoSuchAlgor
 
     /**
      * get OID for mac algorithm name
+     *
      * @param macAlg mac algorithm
      * @return OID for mac
      */
@@ -358,6 +378,7 @@ public static ASN1ObjectIdentifier getOidForMac(final String macAlg) {
 
     /**
      * get PRF for id of PRF
+     *
      * @param id id of PRF
      * @return PRF
      * @throws NoSuchAlgorithmException if id is unknown
@@ -384,6 +405,7 @@ public static SecretKeyFactory getSecretKeyFactory(final String id) throws NoSuc
 
     /**
      * get AlgorithmIdentifier of preferred signature algorithm for a key
+     *
      * @param key the key
      * @return AlgorithmIdentifier of preferred signature algorithm
      */
@@ -393,14 +415,17 @@ public static AlgorithmIdentifier getSigningAlgIdFromKey(final Key key) {
 
     /**
      * get AlgorithmIdentifier for keyAlgorithm name
+     *
      * @param keyAlgorithm name
      * @return AlgorithmIdentifier
      */
     public static AlgorithmIdentifier getSigningAlgIdFromKeyAlg(final String keyAlgorithm) {
         return DEFAULT_SIGNATURE_ALGORITHM_IDENTIFIER_FINDER.find(getSigningAlgNameFromKeyAlg(keyAlgorithm));
     }
+
     /**
      * get AlgorithmIdentifier for signatureAlgorithmName
+     *
      * @param signatureAlgorithmName the name
      * @return AlgorithmIdentifier
      */
@@ -427,15 +452,15 @@ public static String getSigningAlgNameFromKey(final Key key) {
      *         key uses algorithms beside RSA, EC or EdDSA
      */
     public static String getSigningAlgNameFromKeyAlg(final String keyAlgorithm) {
-        if (keyAlgorithm.startsWith("Ed")) {
-            // EdDSA key
-            return keyAlgorithm;
-        }
-        if ("EC".equals(keyAlgorithm)) {
+        if (keyAlgorithm.startsWith("EC")) {
             // EC key
             return "SHA256withECDSA";
         }
-        return "SHA256with" + keyAlgorithm;
+        if (keyAlgorithm.startsWith("RSA")) {
+            return "SHA256with" + keyAlgorithm;
+        }
+
+        return keyAlgorithm;
     }
 
     /**
@@ -454,6 +479,7 @@ public enum PasswordBasedMacAlg {
 
     /**
      * get an Password-based message authentication code (MAC) algorithms
+     *
      * @param passwordBasedMacAlgorithm id of Password-Based MAC used for protection
      * @return related {@link PasswordBasedMacAlg}
      * @throws NoSuchAlgorithmException if id is unknown