From 8b100b2da7abd4d471d9f9d9decd3357f2d70cbd Mon Sep 17 00:00:00 2001 
From: Andreas Kretschmer Date: Wed, 28 Feb 2024 13:59:40 +0100 Subject: [PATCH] feat: add logging while accessing configuration data --- CHANGELOG.md | 6 +- pom.xml | 2 +- .../main/ClientRequestHandler.java | 19 ++- .../cmpclientcomponent/main/CmpClient.java | 24 ++- .../cryptoservices/BaseCredentialService.java | 19 ++- .../cryptoservices/CmsEncryptorBase.java | 25 ++- .../cryptoservices/DataSignVerifier.java | 5 +- .../cryptoservices/DataSigner.java | 25 +-- .../cryptoservices/KeyAgreementEncryptor.java | 31 +++- .../cryptoservices/KeyTransportEncryptor.java | 11 +- .../cryptoservices/PasswordEncryptor.java | 32 +++- .../TrustCredentialAdapter.java | 42 +++-- .../msggeneration/MsgOutputProtector.java | 31 +++- .../msgprocessing/CmpRaUpstream.java | 18 ++- .../msgprocessing/RaDownstream.java | 152 ++++++++++++------ .../msgprocessing/ServiceImplementation.java | 59 +++++-- .../msgvalidation/InputValidator.java | 9 +- .../msgvalidation/MacValidator.java | 11 +- .../msgvalidation/MessageBodyValidator.java | 6 +- .../PBMAC1ProtectionValidator.java | 2 +- .../SignatureProtectionValidator.java | 99 ++++++------ .../protection/MacProtection.java | 11 +- .../protection/PBMAC1Protection.java | 31 +++- .../PasswordBasedMacProtection.java | 22 ++- .../protection/ProtectionProviderFactory.java | 24 +-- .../protection/SignatureBasedProtection.java | 5 +- .../pki/cmpracomponent/util/ConfigLogger.java | 113 +++++++++++++ .../test/EnrollmentTestcaseBase.java | 2 + ...tCentralKeyGenerationWithKeyAgreement.java | 4 +- ...tCentralKeyGenerationWithKeyTransport.java | 2 +- .../TestCentralKeyGenerationWithPassword.java | 55 ++++--- .../test/CkgOnlineEnrollmentTestcaseBase.java | 28 +++- ...tCentralKeyGenerationWithKeyAgreement.java | 69 ++++---- ...tCentralKeyGenerationWithKeyTransport.java | 3 +- .../TestCentralKeyGenerationWithPassword.java | 39 +++-- .../test/framework/CmpCaMock.java | 3 +- .../test/framework/ConfigurationFactory.java | 11 +- 37 files changed, 728 insertions(+), 
322 deletions(-) create mode 100644 src/main/java/com/siemens/pki/cmpracomponent/util/ConfigLogger.java diff --git a/CHANGELOG.md b/CHANGELOG.md index a886ad5e..e7f953b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -128,6 +128,10 @@ feat: implement configurable recipient fix: extension processing in CMP client -### 4.1.0 (Dec 14 2024) +### 4.1.0 (Dec 14 2023) feat: revocation checking via inventory interface + +### 4.1.2 (Feb 28 2024) + +feat: add logging while accessing configuration data diff --git a/pom.xml b/pom.xml index 71ef8b8e..f5816533 100644 --- a/pom.xml +++ b/pom.xml @@ -8,7 +8,7 @@ com.siemens.pki CmpRaComponent jar - 4.1.1 + 4.1.2 UTF-8 . diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java b/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java index 05db0f48..5b8775dd 100644 --- a/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java +++ b/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java @@ -35,6 +35,7 @@ import com.siemens.pki.cmpracomponent.msgvalidation.MessageHeaderValidator; import com.siemens.pki.cmpracomponent.msgvalidation.ProtectionValidator; import com.siemens.pki.cmpracomponent.msgvalidation.ValidatorIF; +import com.siemens.pki.cmpracomponent.util.ConfigLogger; import com.siemens.pki.cmpracomponent.util.FileTracer; import com.siemens.pki.cmpracomponent.util.MessageDumper; import java.security.GeneralSecurityException; 
@@ -81,7 +82,10 @@ class ValidatorAndProtector { public ValidatorAndProtector(NestedEndpointContext nestedEndpoint) throws GeneralSecurityException, CmpProcessingException { - final VerificationContext inputVerification = nestedEndpoint.getInputVerification(); + final VerificationContext inputVerification = ConfigLogger.logOptional( + NESTED_INTERFACE_NAME, + "NestedEndpointContext.getInputVerification()", + () -> nestedEndpoint.getInputVerification()); headerValidator = new MessageHeaderValidator(NESTED_INTERFACE_NAME); outputProtection = new MsgOutputProtector(nestedEndpoint, NESTED_INTERFACE_NAME); this.inputVerification = inputVerification; @@ -91,7 +95,10 @@ public ValidatorAndProtector(NestedEndpointContext nestedEndpoint) private ValidatorAndProtector(String certProfile, final CmpMessageInterface upstreamConfiguration) throws GeneralSecurityException, CmpProcessingException { - this.inputVerification = upstreamConfiguration.getInputVerification(); + this.inputVerification = ConfigLogger.logOptional( + INTERFACE_NAME, + "CmpMessageInterface.getInputVerification()", + () -> upstreamConfiguration.getInputVerification()); headerValidator = new MessageHeaderValidator(INTERFACE_NAME); outputProtection = new MsgOutputProtector(upstreamConfiguration, INTERFACE_NAME, null); protectionValidator = new ProtectionValidator(INTERFACE_NAME, inputVerification); 
@@ -155,8 +162,12 @@ private void validateResponse(final PKIMessage response) throws BaseCmpException this.upstreamExchange = upstreamExchange; this.certProfile = certProfile; validatorAndProtector = new ValidatorAndProtector(certProfile, upstreamConfiguration); - nestedValidatorAndProtector = - ifNotNull(upstreamConfiguration.getNestedEndpointContext(), ValidatorAndProtector::new); + nestedValidatorAndProtector = ifNotNull( + ConfigLogger.logOptional( + INTERFACE_NAME, + "CmpMessageInterface.getNestedEndpointContext()", + () -> upstreamConfiguration.getNestedEndpointContext()), + ValidatorAndProtector::new); } PKIMessage buildFurtherRequest(final PKIMessage formerResponse, final PKIBody requestBody) throws Exception { diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java b/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java index 6bc37114..87ea3e6f 100644 --- a/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java +++ b/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java @@ -28,6 +28,7 @@ import com.siemens.pki.cmpracomponent.configuration.GetCaCertificatesHandler; import com.siemens.pki.cmpracomponent.configuration.GetCertificateRequestTemplateHandler; import com.siemens.pki.cmpracomponent.configuration.GetRootCaCertificateUpdateHandler; +import com.siemens.pki.cmpracomponent.configuration.VerificationContext; import com.siemens.pki.cmpracomponent.cryptoservices.AlgorithmHelper; import com.siemens.pki.cmpracomponent.cryptoservices.CertUtility; import com.siemens.pki.cmpracomponent.cryptoservices.CmsDecryptor; @@ -131,6 +132,8 @@ public interface EnrollmentResult { private static final Logger LOGGER = LoggerFactory.getLogger(CmpClient.class); + private static final String INTERFACE_NAME = "cmpclient"; + private final ClientRequestHandler requestHandler; private final ClientContext clientContext; 
@@ -451,14 +454,16 @@ public EnrollmentResult invokeEnrollment() { case PKIBody.TYPE_CERT_REQ: case PKIBody.TYPE_INIT_REQ: { final String subject = enrollmentContext.getSubject(); - final Extension[] extensions = ifNotNull(enrollmentContext.getExtensions(), exts -> exts.stream() - .map(ext -> new Extension( - new ASN1ObjectIdentifier(ext.getId()), ext.isCritical(), ext.getValue())) - .toArray(Extension[]::new)); + final Extension[] arrayOfExtensions = + ifNotNull(enrollmentContext.getExtensions(), exts -> exts.stream() + .map(ext -> new Extension( + new ASN1ObjectIdentifier(ext.getId()), ext.isCritical(), ext.getValue())) + .toArray(Extension[]::new)); + final Extensions extensions = ifNotNull(arrayOfExtensions, Extensions::new); final CertTemplateBuilder ctb = new CertTemplateBuilder() .setSubject(ifNotNull(subject, X500Name::new)) .setPublicKey(enrolledPublicKeyInfo) - .setExtensions((Extensions) ifNotNull(extensions, Extensions::new)); + .setExtensions(extensions); requestBody = PkiMessageGenerator.generateIrCrKurBody( enrollmentType, ctb.build(), null, enrolledPrivateKey); pvno = enrolledPrivateKey == null ? PKIHeader.CMP_2021 : PKIHeader.CMP_2000; @@ -511,7 +516,12 @@ public EnrollmentResult invokeEnrollment() { LOGGER.error("wrong or missing local credentials, no key decryption possible"); return null; } - final DataSignVerifier verifier = new DataSignVerifier(requestHandler.getInputVerification()); + final VerificationContext inputVerification = requestHandler.getInputVerification(); + if (inputVerification == null) { + LOGGER.error("wrong or missing local trust, no key verification possible"); + return null; + } + final DataSignVerifier verifier = new DataSignVerifier(inputVerification, INTERFACE_NAME); final byte[] decryptedKey = decryptor.decrypt(EnvelopedData.getInstance( certifiedKeyPair.getPrivateKey().getValue())); enrolledPrivateKey = verifier.verifySignedKey(decryptedKey); 
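Review bot: `CmpClient` introduces its own `INTERFACE_NAME = "cmpclient"` for the `DataSignVerifier` and `TrustCredentialAdapter` it creates, while `ClientRequestHandler`, which handles the same enrollment exchange, logs under a separate `INTERFACE_NAME` constant whose value is not visible in this patch; if the two differ, one client operation will appear under two interface names in the configuration log, which makes correlating entries harder. Consider defining the name once (for example package-private on `ClientRequestHandler`) and reusing it here. The added null check on `inputVerification` before constructing the verifier is welcome, since the previous code presumably failed later inside `DataSignVerifier` when no trust was configured.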
@@ -533,7 +543,7 @@ public EnrollmentResult invokeEnrollment() { if (enrollmentContext.getEnrollmentTrust() != null) { try { final List validationResult = new TrustCredentialAdapter( - enrollmentContext.getEnrollmentTrust()) + enrollmentContext.getEnrollmentTrust(), INTERFACE_NAME) .validateCertAgainstTrust( enrolledCertAsX509, CertUtility.asX509Certificates(responseMessage.getExtraCerts())); diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/BaseCredentialService.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/BaseCredentialService.java index 35ec81b6..173bec14 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/BaseCredentialService.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/BaseCredentialService.java @@ -18,6 +18,7 @@ package com.siemens.pki.cmpracomponent.cryptoservices; import com.siemens.pki.cmpracomponent.configuration.SignatureCredentialContext; +import com.siemens.pki.cmpracomponent.util.ConfigLogger; import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.util.List; @@ -29,17 +30,21 @@ public class BaseCredentialService { private final SignatureCredentialContext config; + final String interfaceName; /** * ctor * @param config related config + * @param interfaceName CMP interface name for logging */ - public BaseCredentialService(final SignatureCredentialContext config) { + public BaseCredentialService(final SignatureCredentialContext config, String interfaceName) { this.config = config; + this.interfaceName = interfaceName; } protected List getCertChain() { - return config.getCertificateChain(); + return ConfigLogger.log( + interfaceName, "SignatureCredentialContext.getCertificateChain()", () -> config.getCertificateChain()); } /** @@ -47,7 +52,7 @@ protected List getCertChain() { * @return end certificate */ public X509Certificate getEndCertificate() { - return config.getCertificateChain().get(0); + return getCertChain().get(0); } /** 
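Review bot: The new `BaseCredentialService` field is declared package-private (`final String interfaceName;`) while the neighbouring `config` field is `private final`, so every class in `cryptoservices` can read it directly; unless a sibling such as `DataSigner` relies on that (its `DataSigner(BaseCredentialService)` constructor is outside this hunk), declare it `private final String interfaceName;` and, if subclasses need it, expose `protected String getInterfaceName()`. For consistency with `final SignatureCredentialContext config`, the constructor parameter could also be marked `final`. The `@param interfaceName` Javadoc is present, which is good.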
@@ -55,7 +60,8 @@ public X509Certificate getEndCertificate() { * @return private key related to end certificate */ public PrivateKey getPrivateKey() { - return config.getPrivateKey(); + return ConfigLogger.log( + interfaceName, "SignatureCredentialContext.getPrivateKey()", () -> config.getPrivateKey()); } protected AlgorithmIdentifier getSignatureAlgorithm() { @@ -63,6 +69,9 @@ protected AlgorithmIdentifier getSignatureAlgorithm() { } protected String getSignatureAlgorithmName() { - return config.getSignatureAlgorithmName(); + return ConfigLogger.log( + interfaceName, + "SignatureCredentialContext.getSignatureAlgorithmName()", + () -> config.getSignatureAlgorithmName()); } } diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CmsEncryptorBase.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CmsEncryptorBase.java index 1f95d6a2..2bc091a4 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CmsEncryptorBase.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CmsEncryptorBase.java @@ -18,11 +18,17 @@ package com.siemens.pki.cmpracomponent.cryptoservices; import com.siemens.pki.cmpracomponent.configuration.CkgContext; +import com.siemens.pki.cmpracomponent.util.ConfigLogger; import java.io.IOException; import java.security.NoSuchAlgorithmException; import org.bouncycastle.asn1.cms.EnvelopedData; import org.bouncycastle.asn1.cms.SignedData; -import org.bouncycastle.cms.*; +import org.bouncycastle.cms.CMSAlgorithm; +import org.bouncycastle.cms.CMSEnvelopedData; +import org.bouncycastle.cms.CMSEnvelopedDataGenerator; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.CMSProcessableByteArray; +import org.bouncycastle.cms.RecipientInfoGenerator; import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder; /** 
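Review bot: `getPrivateKey()` now passes the `PrivateKey` it returns through `ConfigLogger.log(...)`, and this chunk does not show what that helper does with the supplier's result (the new `ConfigLogger` class appears in the diffstat but is not visible here). If it renders the returned object at any log level, the signing key — or at least its `toString()` — ends up in the log, so please confirm that the helper records only the interface name and accessor label, never the value, and state that contract in its Javadoc. A reminder at the call site would help future maintainers, e.g. `// the logger must never emit the returned key material`. The same question applies to `getOwnPrivateKey()` and `getSharedSecret()` wrapped elsewhere in this patch.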
@@ -32,9 +38,15 @@ public class CmsEncryptorBase { private final CMSEnvelopedDataGenerator envGen = new CMSEnvelopedDataGenerator(); private final CkgContext config; + private final String interfaceName; - protected CmsEncryptorBase(final CkgContext config) { + protected CmsEncryptorBase(final CkgContext config, String interfaceName) { this.config = config; + this.interfaceName = interfaceName; + } + + protected void addRecipientInfoGenerator(final RecipientInfoGenerator recipientGenerator) { + envGen.addRecipientInfoGenerator(recipientGenerator); } /** @@ -49,7 +61,10 @@ protected CmsEncryptorBase(final CkgContext config) { public EnvelopedData encrypt(final byte[] msg) throws CMSException, NoSuchAlgorithmException { final CMSEnvelopedData cmsEnvData = envGen.generate( new CMSProcessableByteArray(msg), - new JceCMSContentEncryptorBuilder(AlgorithmHelper.getKeyEncryptionOID(config.getContentEncryptionAlg())) + new JceCMSContentEncryptorBuilder(AlgorithmHelper.getKeyEncryptionOID(ConfigLogger.log( + interfaceName, + "CkgContext.getContentEncryptionAlg()", + () -> config.getContentEncryptionAlg()))) .setProvider(CertUtility.getBouncyCastleProvider()) .build()); return EnvelopedData.getInstance(cmsEnvData.toASN1Structure().getContent()); @@ -71,8 +86,4 @@ public EnvelopedData encrypt(final SignedData data) throws CMSException, IOExcep .build()); return EnvelopedData.getInstance(cmsEnvData.toASN1Structure().getContent()); } - - protected void addRecipientInfoGenerator(final RecipientInfoGenerator recipientGenerator) { - envGen.addRecipientInfoGenerator(recipientGenerator); - } } diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSignVerifier.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSignVerifier.java index 5c918838..05a7e9cd 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSignVerifier.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSignVerifier.java 
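Review bot: In `encrypt(byte[])` the content-encryptor construction now nests `ConfigLogger.log(...)` inside `AlgorithmHelper.getKeyEncryptionOID(...)` inside the `JceCMSContentEncryptorBuilder` constructor, which is hard to read, and if `encrypt(SignedData)` builds its encryptor the same way (only its tail is in view in the last hunk) that second path still reads `config.getContentEncryptionAlg()` without the logger. Pull the logged lookup into a named local first, e.g. `final var contentEncryptionAlg = ConfigLogger.log(interfaceName, "CkgContext.getContentEncryptionAlg()", config::getContentEncryptionAlg);` (or the explicit type if the project does not use `var`), or better, factor the whole builder into a private helper used by both `encrypt` overloads so the configuration access is logged exactly once per call path. Moving `addRecipientInfoGenerator` above `encrypt` is fine but unrelated to the logging change and inflates the hunk.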
@@ -100,9 +100,10 @@ private static byte[] verifySignature( /** * ctor * @param config context used for verification + * @param interfaceName CMP interface name for logging */ - public DataSignVerifier(final VerificationContext config) { - super(config); + public DataSignVerifier(final VerificationContext config, String interfaceName) { + super(config, interfaceName); } private boolean validate(final X509CertificateHolder cert, final List allCerts) diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSigner.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSigner.java index 6f87b511..0ada2a5b 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSigner.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSigner.java 
@@ -81,25 +81,28 @@ public DataSigner(final BaseCredentialService credentialService) * ctor * @param privateKey private key used for signing * @param endCertificate certificate used for signing + * @param interfaceName CMP interface name for logging * @throws CertificateEncodingException in case of error * @throws OperatorCreationException in case of error * @throws IOException in case of error * @throws CMSException in case of error */ - public DataSigner(final PrivateKey privateKey, final X509Certificate endCertificate) + public DataSigner(final PrivateKey privateKey, final X509Certificate endCertificate, String interfaceName) throws CertificateEncodingException, OperatorCreationException, IOException, CMSException { - this(new BaseCredentialService(new SignatureCredentialContext() { + this(new BaseCredentialService( + new SignatureCredentialContext() { - @Override - public List getCertificateChain() { - return Collections.singletonList(endCertificate); - } + @Override + public List getCertificateChain() { + return Collections.singletonList(endCertificate); + } - @Override - public PrivateKey getPrivateKey() { - return privateKey; - } - })); + @Override + public PrivateKey getPrivateKey() { + return privateKey; + } + }, + interfaceName)); } /** diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyAgreementEncryptor.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyAgreementEncryptor.java index 3e3c3b4b..06fcbff0 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyAgreementEncryptor.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyAgreementEncryptor.java 
@@ -20,6 +20,7 @@ import com.siemens.pki.cmpracomponent.configuration.CkgContext; import com.siemens.pki.cmpracomponent.configuration.CkgKeyAgreementContext; import com.siemens.pki.cmpracomponent.msgvalidation.CmpEnrollmentException; +import com.siemens.pki.cmpracomponent.util.ConfigLogger; import java.security.GeneralSecurityException; import java.security.NoSuchAlgorithmException; import java.security.cert.X509Certificate; @@ -49,8 +50,9 @@ public KeyAgreementEncryptor( final int initialRequestType, final String interfaceName) throws GeneralSecurityException, CmpEnrollmentException { - super(config); - final CkgKeyAgreementContext keyAgreementContext = config.getKeyAgreementContext(); + super(config, interfaceName); + final CkgKeyAgreementContext keyAgreementContext = ConfigLogger.log( + interfaceName, "CkgContext.getKeyAgreementContext()", () -> config.getKeyAgreementContext()); if (keyAgreementContext == null) { throw new CmpEnrollmentException( initialRequestType, 
@@ -59,12 +61,27 @@ public KeyAgreementEncryptor( "support for key management technique Key Agreement is not configured for central key generation"); } final JceKeyAgreeRecipientInfoGenerator infGen = new JceKeyAgreeRecipientInfoGenerator( - AlgorithmHelper.getKeyAgreementOID(keyAgreementContext.getKeyAgreementAlg()), - keyAgreementContext.getOwnPrivateKey(), - keyAgreementContext.getOwnPublicKey(), - AlgorithmHelper.getKekOID(keyAgreementContext.getKeyEncryptionAlg())); + AlgorithmHelper.getKeyAgreementOID(ConfigLogger.log( + interfaceName, + "CkgKeyAgreementContext.getKeyAgreementAlg()", + () -> keyAgreementContext.getKeyAgreementAlg())), + ConfigLogger.log( + interfaceName, + "CkgKeyAgreementContext.getOwnPrivateKey()", + () -> keyAgreementContext.getOwnPrivateKey()), + ConfigLogger.log( + interfaceName, + "CkgKeyAgreementContext.getOwnPublicKey()", + () -> keyAgreementContext.getOwnPublicKey()), + AlgorithmHelper.getKekOID(ConfigLogger.log( + interfaceName, + "CkgKeyAgreementContext.getKeyEncryptionAlg()", + () -> keyAgreementContext.getKeyEncryptionAlg()))); - infGen.addRecipient(keyAgreementContext.getRecipient(protectingCert)); + infGen.addRecipient(ConfigLogger.log( + interfaceName, + "CkgKeyAgreementContext.getRecipient(X509Certificate)", + () -> keyAgreementContext.getRecipient(protectingCert))); addRecipientInfoGenerator(infGen.setProvider(CertUtility.getBouncyCastleProvider())); } } diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyTransportEncryptor.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyTransportEncryptor.java index a7628386..eacc1d74 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyTransportEncryptor.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyTransportEncryptor.java 
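Review bot: The `JceKeyAgreeRecipientInfoGenerator` constructor call now contains four nested `ConfigLogger.log(...)` invocations, one of which returns the agreement private key, which makes the argument list hard to read and the key-material flow easy to overlook. Assign each logged value to a named local before the constructor (`keyAgreementAlg`, `ownPrivateKey`, `ownPublicKey`, `keyEncryptionAlg`) and use method references such as `keyAgreementContext::getOwnPrivateKey` instead of `() -> ...` lambdas; the constructor call then reads as before the patch. As with the other key accessors in this change, the `ConfigLogger` implementation is not visible here, so please double-check that it logs only the accessor label for `getOwnPrivateKey()` and never the key itself.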
@@ -20,6 +20,7 @@ import com.siemens.pki.cmpracomponent.configuration.CkgContext; import com.siemens.pki.cmpracomponent.configuration.CkgKeyTransportContext; import com.siemens.pki.cmpracomponent.msgvalidation.CmpEnrollmentException; +import com.siemens.pki.cmpracomponent.util.ConfigLogger; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; import java.security.cert.X509Certificate; @@ -49,8 +50,9 @@ public KeyTransportEncryptor( final int initialRequestType, final String interfaceName) throws NoSuchAlgorithmException, CmpEnrollmentException { - super(config); - final CkgKeyTransportContext transportContext = config.getKeyTransportContext(); + super(config, interfaceName); + final CkgKeyTransportContext transportContext = ConfigLogger.log( + interfaceName, "CkgContext.getKeyTransportContext()", () -> config.getKeyTransportContext()); if (transportContext == null) { throw new CmpEnrollmentException( initialRequestType, @@ -59,7 +61,10 @@ public KeyTransportEncryptor( "support for key management technique Key Transport is not configured for central key generation"); } final JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils(); - final X509Certificate encryptionCert = transportContext.getRecipient(protectingCert); + final X509Certificate encryptionCert = ConfigLogger.log( + interfaceName, + "CkgKeyTransportContext.getRecipient(X509Certificate)", + () -> transportContext.getRecipient(protectingCert)); final PublicKey publicKey = encryptionCert.getPublicKey(); addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator( jcaX509ExtensionUtils diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/PasswordEncryptor.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/PasswordEncryptor.java index 9d515e4a..f2812726 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/PasswordEncryptor.java 
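Review bot: `encryptionCert`, returned by the logged `getRecipient(protectingCert)` call, is dereferenced on the next line (`encryptionCert.getPublicKey()`) without a null check, so a configuration that yields no recipient fails with a `NullPointerException` rather than the `CmpEnrollmentException`/`notAuthorized` the missing-context branch above produces; this predates the patch, but the line is being rewritten now. Add `if (encryptionCert == null) { throw new CmpEnrollmentException(initialRequestType, interfaceName, PKIFailureInfo.notAuthorized, "no recipient certificate for key transport configured"); }`, mirroring the argument list of the existing throw (its middle arguments fall between the two hunks, so copy what is there). Whether `ConfigLogger.log` itself rejects a null result is not visible here; `KeyAgreementEncryptor` null-checks its result, which suggests it does not.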
+++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/PasswordEncryptor.java @@ -21,6 +21,7 @@ import com.siemens.pki.cmpracomponent.configuration.CkgPasswordContext; import com.siemens.pki.cmpracomponent.configuration.SharedSecretCredentialContext; import com.siemens.pki.cmpracomponent.msgvalidation.CmpEnrollmentException; +import com.siemens.pki.cmpracomponent.util.ConfigLogger; import java.security.NoSuchAlgorithmException; import org.bouncycastle.asn1.cmp.PKIFailureInfo; import org.bouncycastle.cms.PasswordRecipient; @@ -42,8 +43,9 @@ public class PasswordEncryptor extends CmsEncryptorBase { */ public PasswordEncryptor(final CkgContext config, final int initialRequestType, final String interfaceName) throws NoSuchAlgorithmException, CmpEnrollmentException { - super(config); - final CkgPasswordContext passwordContext = config.getPasswordContext(); + super(config, interfaceName); + final CkgPasswordContext passwordContext = + ConfigLogger.log(interfaceName, "CkgContext.getPasswordContext()", () -> config.getPasswordContext()); if (passwordContext == null) { throw new CmpEnrollmentException( initialRequestType, 
@@ -51,13 +53,29 @@ public PasswordEncryptor(final CkgContext config, final int initialRequestType, PKIFailureInfo.notAuthorized, "support for key management technique Password-Based is not configured for central key generation"); } - final SharedSecretCredentialContext encryptionCredentials = passwordContext.getEncryptionCredentials(); + final SharedSecretCredentialContext encryptionCredentials = ConfigLogger.log( + interfaceName, + "CkgPasswordContext.getEncryptionCredentials()", + () -> passwordContext.getEncryptionCredentials()); addRecipientInfoGenerator(new JcePasswordRecipientInfoGenerator( - AlgorithmHelper.getKeyEncryptionOID(passwordContext.getKekAlg()), - AlgorithmHelper.convertSharedSecretToPassword(encryptionCredentials.getSharedSecret())) + AlgorithmHelper.getKeyEncryptionOID(ConfigLogger.log( + interfaceName, "CkgPasswordContext.getKekAlg()", () -> passwordContext.getKekAlg())), + AlgorithmHelper.convertSharedSecretToPassword(ConfigLogger.log( + interfaceName, + "SharedSecretCredentialContext.getSharedSecret()", + () -> encryptionCredentials.getSharedSecret()))) .setProvider(CertUtility.getBouncyCastleProvider()) .setPasswordConversionScheme(PasswordRecipient.PKCS5_SCHEME2_UTF8) - .setPRF(AlgorithmHelper.getPrf(encryptionCredentials.getPrf())) - .setSaltAndIterationCount(encryptionCredentials.getSalt(), encryptionCredentials.getIterationCount())); + .setPRF(AlgorithmHelper.getPrf(ConfigLogger.log( + interfaceName, "SharedSecretCredentialContext.getPrf()", () -> encryptionCredentials.getPrf()))) + .setSaltAndIterationCount( + ConfigLogger.log( + interfaceName, + "SharedSecretCredentialContext.getSalt()", + () -> encryptionCredentials.getSalt()), + ConfigLogger.log( + interfaceName, + "SharedSecretCredentialContext.getIterationCount()", + () -> encryptionCredentials.getIterationCount()))); } } 
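Review bot: `SharedSecretCredentialContext.getSharedSecret()` is now evaluated through `ConfigLogger.log(...)` alongside the salt, PRF and iteration count; the helper's implementation is not in this chunk, but if it logs the returned value at any level, the password protecting centrally generated private keys is written to the log. Either leave the shared-secret access unlogged, or make sure `ConfigLogger.log` never prints results and record that contract in its Javadoc; a call-site comment such as `// secret material: the logger must only record the accessor name` would make the intent explicit. Salt and iteration count are fine to log, though `getSalt()` presumably returns a `byte[]` whose default `toString()` is useless in a log anyway. The eight nested `ConfigLogger.log` calls inside the builder chain would also read better as named locals.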
diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/TrustCredentialAdapter.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/TrustCredentialAdapter.java index af797847..665eacef 100644 --- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/TrustCredentialAdapter.java +++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/TrustCredentialAdapter.java @@ -18,6 +18,7 @@ package com.siemens.pki.cmpracomponent.cryptoservices; import com.siemens.pki.cmpracomponent.configuration.VerificationContext; +import com.siemens.pki.cmpracomponent.util.ConfigLogger; import java.net.URI; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; @@ -62,12 +63,23 @@ public class TrustCredentialAdapter { private final VerificationContext config; + private final String interfaceName; + /** * ctor * @param config specific configuration + * @param interfaceName CMP interface name for logging */ - public TrustCredentialAdapter(final VerificationContext config) { + public TrustCredentialAdapter(final VerificationContext config, String interfaceName) { this.config = config; + this.interfaceName = interfaceName; + } + + public boolean isIntermediateCertAcceptable(X509Certificate cert) { + return ConfigLogger.log( + interfaceName, + "VerificationContext.isIntermediateCertAcceptable(X509Certificate)", + () -> config.isIntermediateCertAcceptable(cert)); } /** @@ -87,7 +99,8 @@ public TrustCredentialAdapter(final VerificationContext config) { public synchronized List validateCertAgainstTrust( final X509Certificate cert, final List additionalIntermediateCerts) throws NoSuchProviderException { - final Collection trustedCertificates = config.getTrustedCertificates(); + final Collection trustedCertificates = ConfigLogger.logOptional( + interfaceName, "VerificationContext.getTrustedCertificates()", () -> config.getTrustedCertificates()); if (trustedCertificates == null) { return null; } 
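Review bot: The new public method `isIntermediateCertAcceptable(X509Certificate)` has no Javadoc, while the constructor and `validateCertAgainstTrust` next to it are documented. Suggest `/** Asks the configured {@link VerificationContext} whether {@code cert} may be used as an intermediate certificate during path building; the access is logged under this adapter's interface name. */` above it, and `final` on the parameter for consistency with the rest of the class. The split between `logOptional` (used for `getTrustedCertificates()`, whose null result is handled) and `log` is presumably that `logOptional` tolerates null; a one-line comment at the first use would save readers a trip to `ConfigLogger`.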
@@ -107,7 +120,10 @@ public synchronized List validateCertAgainstTrust( try { final boolean[] leafKeyUsage = cert.getKeyUsage(); if (leafKeyUsage != null && !leafKeyUsage[0] // digitalSignature - || !config.isLeafCertAcceptable(cert)) { + || !ConfigLogger.log( + interfaceName, + "VerificationContext.isLeafCertAcceptable(X509Certificate)", + () -> config.isLeafCertAcceptable(cert))) { return null; } // initial state @@ -123,7 +139,7 @@ public synchronized List validateCertAgainstTrust( final PKIXBuilderParameters params = new PKIXBuilderParameters(trust, targetConstraints); - if (config.isAIAsEnabled()) { + if (ConfigLogger.log(interfaceName, "VerificationContext.isAIAsEnabled()", () -> config.isAIAsEnabled())) { revocationEnabled = true; java.security.Security.setProperty(OCSP_ENABLE_PROP, "true"); System.setProperty("com.sun.security.enableAIAcaIssuers", "true"); @@ -131,7 +147,7 @@ public synchronized List validateCertAgainstTrust( System.setProperty("com.sun.security.enableAIAcaIssuers", FALSE_STRING); } - if (config.isCDPsEnabled()) { + if (ConfigLogger.log(interfaceName, "VerificationContext.isCDPsEnabled()", () -> config.isCDPsEnabled())) { revocationEnabled = true; System.setProperty("com.sun.security.enableCRLDP", "true"); } else { @@ -142,12 +158,13 @@ public synchronized List validateCertAgainstTrust( if (additionalIntermediateCerts != null) { additionalIntermediateCerts.stream() - .filter(config::isIntermediateCertAcceptable) + .filter(this::isIntermediateCertAcceptable) .filter(CertUtility::isIntermediateCertificate) .forEach(lstCertCrlStores::add); } - final Collection additionalCertsFromConfig = config.getAdditionalCerts(); + final Collection additionalCertsFromConfig = + ConfigLogger.logOptional(interfaceName, "xx", () -> config.getAdditionalCerts()); if (additionalCertsFromConfig != null) { lstCertCrlStores.addAll(additionalCertsFromConfig); } 
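Review bot: The label passed to `ConfigLogger.logOptional` for the `getAdditionalCerts()` access is the placeholder `"xx"`, so the log line for that configuration lookup will not identify what was read; every other call in this patch uses the `Type.method()` form. Change it to `ConfigLogger.logOptional(interfaceName, "VerificationContext.getAdditionalCerts()", () -> config.getAdditionalCerts())`. Because these labels are free-form strings repeated across many files, a slip like this is easy to make — deriving them from constants, or a test that checks the expected labels appear in the log, would guard against it. The enclosing `validateCertAgainstTrust` continues past this hunk.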
@@ -156,7 +173,8 @@ public synchronized List validateCertAgainstTrust( CertStore.getInstance("Collection", new CollectionCertStoreParameters(lstCertCrlStores), PROVIDER); params.addCertStore(certStore); - final Collection crlsFromConfig = config.getCRLs(); + final Collection crlsFromConfig = + ConfigLogger.logOptional(interfaceName, "VerificationContext.getCRLs()", () -> config.getCRLs()); if (crlsFromConfig != null) { if (!crlsFromConfig.isEmpty()) { revocationEnabled = true; @@ -170,12 +188,16 @@ public synchronized List validateCertAgainstTrust( final PKIXRevocationChecker revChecker = (PKIXRevocationChecker) cpb.getRevocationChecker(); - final EnumSet