diff --git a/README.MD b/README.MD index d9826b8..0428c35 100644 --- a/README.MD +++ b/README.MD @@ -5,9 +5,10 @@ Scala wrappers for JCA/BouncyCastle classes Add to `build.sbt`: ```scala libraryDependencies ++= Seq( - "org.bouncycastle" % "bcprov-jdk15on" % "1.58", - "org.bouncycastle" % "bcpkix-jdk15on" % "1.58", - "com.github.karasiq" %% "cryptoutils" % "1.4.3" + "org.bouncycastle" % "bcprov-jdk15on" % "1.67", + "org.bouncycastle" % "bcpkix-jdk15on" % "1.67", + "org.bouncycastle" % "bctls-jdk15on" % "1.67", + "com.github.karasiq" %% "cryptoutils" % "2.0.0" ) ``` @@ -105,4 +106,4 @@ serverSocket.bind(new InetSocketAddress("0.0.0.0", 443)) val socket = serverWrapper(serverSocket.accept()) // ... Do read/write, etc ... socket.close() -``` \ No newline at end of file +``` diff --git a/build.sbt b/build.sbt index 3f0900f..3805fd2 100644 --- a/build.sbt +++ b/build.sbt @@ -2,7 +2,7 @@ name := "cryptoutils" organization := "com.github.karasiq" -version := "1.4.3" +version := "2.0.0-SNAPSHOT" isSnapshot := version.value.endsWith("SNAPSHOT") @@ -14,8 +14,9 @@ resolvers += "softprops-maven" at "http://dl.bintray.com/content/softprops/maven libraryDependencies ++= Seq( "commons-io" % "commons-io" % "2.5", - "org.bouncycastle" % "bcprov-jdk15on" % "1.58" % "provided", - "org.bouncycastle" % "bcpkix-jdk15on" % "1.58" % "provided", + "org.bouncycastle" % "bcprov-jdk15on" % "1.67" % "provided", + "org.bouncycastle" % "bcpkix-jdk15on" % "1.67" % "provided", + "org.bouncycastle" % "bctls-jdk15on" % "1.67" % "provided", "com.typesafe" % "config" % "1.3.1", "org.scalatest" %% "scalatest" % "3.0.4" % "test" ) diff --git a/src/main/scala/com/karasiq/tls/TLS.scala b/src/main/scala/com/karasiq/tls/TLS.scala index b6c1de3..3eeb7ac 100644 --- a/src/main/scala/com/karasiq/tls/TLS.scala +++ b/src/main/scala/com/karasiq/tls/TLS.scala 
@@ -1,14 +1,14 @@ package com.karasiq.tls object TLS { - type CertificateChain = org.bouncycastle.crypto.tls.Certificate + type CertificateChain = org.bouncycastle.tls.Certificate type Certificate = org.bouncycastle.asn1.x509.Certificate type CertificateKeyPair = org.bouncycastle.crypto.AsymmetricCipherKeyPair case class CertificateKey(certificateChain: CertificateChain, key: CertificateKeyPair) { def certificate: TLS.Certificate = { import com.karasiq.tls.internal.BCConversions._ - certificateChain.toTlsCertificate + certificateChain.toCertificate } } diff --git a/src/main/scala/com/karasiq/tls/TLSClientWrapper.scala b/src/main/scala/com/karasiq/tls/TLSClientWrapper.scala index 6b0270c..93f02d4 100644 --- a/src/main/scala/com/karasiq/tls/TLSClientWrapper.scala +++ b/src/main/scala/com/karasiq/tls/TLSClientWrapper.scala @@ -4,10 +4,12 @@ import java.net.InetSocketAddress import java.nio.channels.SocketChannel import java.security.SecureRandom -import com.karasiq.tls.internal.BCConversions.CipherSuiteId +import com.karasiq.tls.internal.BCConversions._ import com.karasiq.tls.internal.{SocketChannelWrapper, TLSUtils} import com.karasiq.tls.x509.CertificateVerifier -import org.bouncycastle.crypto.tls._ +import org.bouncycastle.tls._ +import org.bouncycastle.tls.crypto.TlsCryptoParameters +import org.bouncycastle.tls.crypto.impl.bc.{BcDefaultTlsCredentialedSigner, BcTlsCrypto} import scala.concurrent.Await import scala.concurrent.duration._ 
@@ -20,30 +22,39 @@ class TLSClientWrapper(verifier: CertificateVerifier, address: InetSocketAddress } override def apply(connection: SocketChannel): SocketChannel = { - val protocol = new TlsClientProtocol(SocketChannelWrapper.inputStream(connection), SocketChannelWrapper.outputStream(connection), SecureRandom.getInstanceStrong) - val client = new DefaultTlsClient() { - override def getMinimumVersion: ProtocolVersion = { - TLSUtils.minVersion() + val protocol = new TlsClientProtocol(SocketChannelWrapper.inputStream(connection), SocketChannelWrapper.outputStream(connection)) + val crypto = new BcTlsCrypto(SecureRandom.getInstanceStrong) + val client = new DefaultTlsClient(crypto) { + @volatile + protected var selectedCipherSuite = 0 + + override def getSupportedVersions: Array[ProtocolVersion] = { + TLSUtils.maxVersion().downTo(TLSUtils.minVersion()) } override def getCipherSuites: Array[Int] = { TLSUtils.defaultCipherSuites() } + override def notifySelectedCipherSuite(selectedCipherSuite: Int): Unit = { + this.selectedCipherSuite = selectedCipherSuite + } + override def notifyHandshakeComplete(): Unit = { handshake.trySuccess(true) + this.cipherSuites onInfo(s"Selected cipher suite: ${CipherSuiteId.asString(selectedCipherSuite)}") } override def getAuthentication: TlsAuthentication = new TlsAuthentication { override def getClientCredentials(certificateRequest: CertificateRequest): TlsCredentials = wrapException("Could not provide client credentials") { getClientCertificate(certificateRequest) - .map(ck ⇒ new DefaultTlsSignerCredentials(context, ck.certificateChain, ck.key.getPrivate, TLSUtils.signatureAlgorithm(ck.key.getPrivate))) // Ignores certificateRequest data + .map(ck ⇒ new BcDefaultTlsCredentialedSigner(new TlsCryptoParameters(context), crypto, ck.key.getPrivate, ck.certificateChain, TLSUtils.signatureAlgorithm(ck.key.getPrivate))) // Ignores certificateRequest data .orNull } - override def notifyServerCertificate(serverCertificate: TLS.CertificateChain): 
Unit = wrapException("Server certificate error") { - val chain: List[TLS.Certificate] = serverCertificate.getCertificateList.toList + override def notifyServerCertificate(serverCertificate: TlsServerCertificate): Unit = wrapException("Server certificate error") { + val chain: List[TLS.Certificate] = serverCertificate.getCertificate.getCertificateList.toList.map(_.toCertificate) if (chain.nonEmpty) { onInfo(s"Server certificate chain: ${chain.map(_.getSubject).mkString("; ")}") diff --git a/src/main/scala/com/karasiq/tls/TLSConnectionWrapper.scala b/src/main/scala/com/karasiq/tls/TLSConnectionWrapper.scala index 7f1eb7c..479659b 100644 --- a/src/main/scala/com/karasiq/tls/TLSConnectionWrapper.scala +++ b/src/main/scala/com/karasiq/tls/TLSConnectionWrapper.scala @@ -2,7 +2,7 @@ package com.karasiq.tls import java.nio.channels.SocketChannel -import org.bouncycastle.crypto.tls.{AlertDescription, TlsFatalAlert} +import org.bouncycastle.tls.{AlertDescription, TlsFatalAlert} import scala.concurrent.Promise import scala.util.control.Exception diff --git a/src/main/scala/com/karasiq/tls/TLSKeyStore.scala b/src/main/scala/com/karasiq/tls/TLSKeyStore.scala index d55d013..4391a96 100644 --- a/src/main/scala/com/karasiq/tls/TLSKeyStore.scala +++ b/src/main/scala/com/karasiq/tls/TLSKeyStore.scala @@ -113,7 +113,7 @@ class TLSKeyStore(val keyStore: KeyStore = TLSKeyStore.defaultKeyStore(), val pa } def getCertificate(alias: String): TLS.Certificate = { - keyStore.getCertificate(alias).toTlsCertificate + keyStore.getCertificate(alias).toCertificate } def getKeySet(alias: String, password: String = password): TLS.KeySet = { diff --git a/src/main/scala/com/karasiq/tls/TLSServerWrapper.scala b/src/main/scala/com/karasiq/tls/TLSServerWrapper.scala index 83c1868..0d18740 100644 --- a/src/main/scala/com/karasiq/tls/TLSServerWrapper.scala +++ b/src/main/scala/com/karasiq/tls/TLSServerWrapper.scala 
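Review bot: `notifyHandshakeComplete` in the client now contains a bare `this.cipherSuites` expression between `handshake.trySuccess(true)` and the `onInfo` call; it evaluates an accessor and discards the result, so it is a no-op that reads like a leftover debugging line and should be removed. The new `@volatile protected var selectedCipherSuite = 0` plus the `notifySelectedCipherSuite` override is the right way to capture the negotiated suite with the new API, but `0` is `TLS_NULL_WITH_NULL_NULL`, so the log line would report that if the callback were ever skipped; a comment such as `// 0 (TLS_NULL_WITH_NULL_NULL) until notifySelectedCipherSuite runs` makes the sentinel explicit. The body of `apply` continues past the end of the hunk.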
@@ -4,11 +4,13 @@ import java.nio.channels.SocketChannel import java.security.SecureRandom import com.karasiq.tls.TLS.CertificateChain -import com.karasiq.tls.internal.BCConversions.CipherSuiteId +import com.karasiq.tls.internal.BCConversions._ import com.karasiq.tls.internal.{SocketChannelWrapper, TLSUtils} import com.karasiq.tls.x509.{CertificateVerifier, X509Utils} import org.bouncycastle.asn1.x509.KeyUsage -import org.bouncycastle.crypto.tls._ +import org.bouncycastle.tls._ +import org.bouncycastle.tls.crypto.TlsCryptoParameters +import org.bouncycastle.tls.crypto.impl.bc.{BcDefaultTlsCredentialedDecryptor, BcDefaultTlsCredentialedSigner, BcTlsCrypto} import scala.concurrent.Await import scala.concurrent.duration._ @@ -19,7 +21,7 @@ class TLSServerWrapper(keySet: TLS.KeySet, clientAuth: Boolean = false, verifier @throws(classOf[TlsFatalAlert]) protected def onClientAuth(clientCertificate: CertificateChain): Unit = { - val chain: List[TLS.Certificate] = clientCertificate.getCertificateList.toList + val chain: List[TLS.Certificate] = clientCertificate.getCertificateList.toList.map(_.toCertificate) if (chain.nonEmpty) { onInfo(s"Client certificate chain: ${chain.map(_.getSubject).mkString("; ")}") } 
@@ -33,14 +35,11 @@ class TLSServerWrapper(keySet: TLS.KeySet, clientAuth: Boolean = false, verifier } def apply(connection: SocketChannel): SocketChannel = { - val protocol = new TlsServerProtocol(SocketChannelWrapper.inputStream(connection), SocketChannelWrapper.outputStream(connection), SecureRandom.getInstanceStrong) - val server = new DefaultTlsServer() { - override def getMinimumVersion: ProtocolVersion = { - TLSUtils.minVersion() - } - - override def getMaximumVersion: ProtocolVersion = { - TLSUtils.maxVersion() + val protocol = new TlsServerProtocol(SocketChannelWrapper.inputStream(connection), SocketChannelWrapper.outputStream(connection)) + val crypto = new BcTlsCrypto(SecureRandom.getInstanceStrong) + val server = new DefaultTlsServer(crypto) { + override def getSupportedVersions: Array[ProtocolVersion] = { + TLSUtils.maxVersion().downTo(TLSUtils.minVersion()) } override def getCipherSuites: Array[Int] = { 
@@ -52,33 +51,33 @@ class TLSServerWrapper(keySet: TLS.KeySet, clientAuth: Boolean = false, verifier onInfo(s"Selected cipher suite: ${CipherSuiteId.asString(selectedCipherSuite)}") } - private def signerCredentials(certOption: Option[TLS.CertificateKey]): TlsSignerCredentials = { + private def signerCredentials(certOption: Option[TLS.CertificateKey]): TlsCredentialedSigner = { certOption.filter(c ⇒ X509Utils.isKeyUsageAllowed(c.certificate, KeyUsage.digitalSignature)).fold(throw new TLSException("No suitable signer credentials found")) { cert ⇒ - new DefaultTlsSignerCredentials(context, cert.certificateChain, cert.key.getPrivate, TLSUtils.signatureAlgorithm(cert.key.getPrivate)) + new BcDefaultTlsCredentialedSigner(new TlsCryptoParameters(context), crypto, cert.key.getPrivate, cert.certificateChain, TLSUtils.signatureAlgorithm(cert.key.getPrivate)) } } - override def getRSASignerCredentials: TlsSignerCredentials = wrapException("Could not provide server RSA credentials") { + override def getRSASignerCredentials: TlsCredentialedSigner = wrapException("Could not provide server RSA credentials") { signerCredentials(keySet.rsa) } - override def getECDSASignerCredentials: TlsSignerCredentials = wrapException("Could not provide server ECDSA credentials") { + override def getECDSASignerCredentials: TlsCredentialedSigner = wrapException("Could not provide server ECDSA credentials") { signerCredentials(keySet.ecdsa) } - override def getDSASignerCredentials: TlsSignerCredentials = wrapException("Could not provide server DSA credentials") { + override def getDSASignerCredentials: TlsCredentialedSigner = wrapException("Could not provide server DSA credentials") { signerCredentials(keySet.dsa) } - override def getRSAEncryptionCredentials: TlsEncryptionCredentials = wrapException("Could not provide server RSA encryption credentials") { + override def getRSAEncryptionCredentials: TlsCredentialedDecryptor = wrapException("Could not provide server RSA encryption credentials") { 
keySet.rsa.filter(c ⇒ X509Utils.isKeyUsageAllowed(c.certificate, KeyUsage.keyEncipherment)).fold(super.getRSAEncryptionCredentials) { cert ⇒ - new DefaultTlsEncryptionCredentials(context, cert.certificateChain, cert.key.getPrivate) + new BcDefaultTlsCredentialedDecryptor(crypto, cert.certificateChain, cert.key.getPrivate) } } override def getCertificateRequest: CertificateRequest = { if (clientAuth) { - TLSUtils.certificateRequest(this.getServerVersion, verifier) + TLSUtils.certificateRequest(this.getServerVersion, verifier, context) } else { null } diff --git a/src/main/scala/com/karasiq/tls/internal/BCConversions.scala b/src/main/scala/com/karasiq/tls/internal/BCConversions.scala index 5c11160..d07782e 100644 --- a/src/main/scala/com/karasiq/tls/internal/BCConversions.scala +++ b/src/main/scala/com/karasiq/tls/internal/BCConversions.scala @@ -3,7 +3,7 @@ package com.karasiq.tls.internal import java.io.ByteArrayInputStream import java.security.cert.CertificateFactory import java.security.spec.{PKCS8EncodedKeySpec, X509EncodedKeySpec} -import java.security.{KeyFactory, PrivateKey, PublicKey} +import java.security.{KeyFactory, PrivateKey, PublicKey, SecureRandom} import com.karasiq.tls.TLS import org.apache.commons.io.IOUtils @@ -11,9 +11,11 @@ import org.bouncycastle.asn1.pkcs.PrivateKeyInfo import org.bouncycastle.asn1.x509.{AlgorithmIdentifier, SubjectPublicKeyInfo} import org.bouncycastle.crypto.AsymmetricCipherKeyPair import org.bouncycastle.crypto.params.{AsymmetricKeyParameter, DSAKeyParameters, ECKeyParameters, RSAKeyParameters} -import org.bouncycastle.crypto.tls.CipherSuite +import org.bouncycastle.tls.CipherSuite import org.bouncycastle.crypto.util.{PrivateKeyFactory, PrivateKeyInfoFactory, PublicKeyFactory, SubjectPublicKeyInfoFactory} import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder +import org.bouncycastle.tls.crypto.TlsCertificate +import org.bouncycastle.tls.crypto.impl.bc.{BcTlsCertificate, BcTlsCrypto} import scala.util.Try 
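Review bot: `signerCredentials` still derives the `SignatureAndHashAlgorithm` from the key type alone via `TLSUtils.signatureAlgorithm(cert.key.getPrivate)`; the `new TlsCryptoParameters(context)` argument added here only hands the context to `BcDefaultTlsCredentialedSigner`, so a client whose `signature_algorithms` extension does not include that hash fails the handshake instead of negotiating a supported one. With `context` now in hand, the algorithm could be chosen against the peer's advertised list (the `org.bouncycastle.tls.TlsUtils` helpers take the context for this — confirm the exact method available in 1.67). The same key-type-only selection is used in `getClientCredentials` in TLSClientWrapper. The enclosing `apply` begins and ends outside this hunk.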
@@ -21,6 +23,9 @@ import scala.util.Try * Provides conversions between JCA and BouncyCastle classes */ object BCConversions { + + private val crypto = new BcTlsCrypto(SecureRandom.getInstanceStrong) + implicit class JavaKeyOps(private val key: java.security.Key) extends AnyVal { private def convertPKCS8Key(data: Array[Byte], public: SubjectPublicKeyInfo): AsymmetricCipherKeyPair = { new AsymmetricCipherKeyPair(PublicKeyFactory.createKey(public), PrivateKeyFactory.createKey(data)) @@ -123,16 +128,24 @@ object BCConversions { } implicit class JavaCertificateOps(private val cert: java.security.cert.Certificate) extends AnyVal { - def toTlsCertificate: TLS.Certificate = { + def toCertificate: TLS.Certificate = { org.bouncycastle.asn1.x509.Certificate.getInstance(cert.getEncoded) } + def toTlsCertificate: TlsCertificate = { + new BcTlsCertificate(crypto, cert.getEncoded) + } + def toTlsCertificateChain: TLS.CertificateChain = { - toTlsCertificate.toTlsCertificateChain + toCertificate.toTlsCertificateChain } } - implicit class CertificateOps(private val cert: TLS.Certificate) extends AnyVal { + implicit class TlsCertificateOps(private val cert: TlsCertificate) extends AnyVal { + def toCertificate: TLS.Certificate = { + org.bouncycastle.asn1.x509.Certificate.getInstance(cert.getEncoded) + } + def toTlsCertificateChain: TLS.CertificateChain = { new TLS.CertificateChain(Array(cert)) } 
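Review bot: `private val crypto = new BcTlsCrypto(SecureRandom.getInstanceStrong)` is evaluated when the `BCConversions` object is first touched, which happens for any implicit defined in it, including pure key and certificate conversions that never need randomness. `SecureRandom.getInstanceStrong` can block waiting for entropy on some platforms and throws `NoSuchAlgorithmException` when no strong algorithm is configured; inside an object initializer that surfaces as an `ExceptionInInitializerError` and poisons every later use of the object. Declaring it `private lazy val crypto = new BcTlsCrypto(SecureRandom.getInstanceStrong)` defers the cost to the first `toTlsCertificate` call, which is the only use of the instance here and in `CertificateOps` in the next hunk. A comment such as `// only used to wrap certificate encodings as BcTlsCertificate` would also record why a crypto instance lives in a conversion module.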
@@ -148,8 +161,32 @@ object BCConversions { } } + implicit class CertificateOps(private val cert: TLS.Certificate) extends AnyVal { + def toTlsCertificate: TlsCertificate = { + new BcTlsCertificate(crypto, cert.getEncoded) + } + + def toTlsCertificateChain: TLS.CertificateChain = { + new TLS.CertificateChain(Array(cert.toTlsCertificate)) + } + + def toJavaCertificate: java.security.cert.Certificate = { + val certificateFactory = CertificateFactory.getInstance("X.509") + val inputStream = new ByteArrayInputStream(cert.getEncoded) + try { + certificateFactory.generateCertificate(inputStream) + } finally { + IOUtils.closeQuietly(inputStream) + } + } + } + implicit class CertificateChainOps(private val chain: TLS.CertificateChain) extends AnyVal { - def toTlsCertificate: TLS.Certificate = { + def toCertificate: TLS.Certificate = { + toTlsCertificate.toCertificate + } + + def toTlsCertificate: TlsCertificate = { chain.getCertificateList.headOption .getOrElse(throw new NoSuchElementException("Empty certificate chain")) } diff --git a/src/main/scala/com/karasiq/tls/internal/SocketChannelWrapper.scala b/src/main/scala/com/karasiq/tls/internal/SocketChannelWrapper.scala index 5aaad9d..df6ffa9 100644 --- a/src/main/scala/com/karasiq/tls/internal/SocketChannelWrapper.scala +++ b/src/main/scala/com/karasiq/tls/internal/SocketChannelWrapper.scala @@ -6,7 +6,7 @@ import java.nio.ByteBuffer import java.nio.channels.SocketChannel import java.util -import org.bouncycastle.crypto.tls.TlsProtocol +import org.bouncycastle.tls.TlsProtocol import sun.nio.ch.{SelChImpl, SelectionKeyImpl} private[tls] object SocketChannelWrapper { diff --git a/src/main/scala/com/karasiq/tls/internal/SocketWrapper.scala b/src/main/scala/com/karasiq/tls/internal/SocketWrapper.scala index 2242801..bcd5f57 100644 --- a/src/main/scala/com/karasiq/tls/internal/SocketWrapper.scala +++ b/src/main/scala/com/karasiq/tls/internal/SocketWrapper.scala 
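Review bot: `CertificateChainOps.toTlsCertificate` returns only the first entry of the chain via `headOption`, and the new `toCertificate` decodes that same entry, but neither name says so; add Scaladoc such as `/** First (end-entity) certificate of the chain; throws NoSuchElementException on an empty chain. */` and the equivalent on `toCertificate`. `CertificateOps.toTlsCertificate` repeats the `new BcTlsCertificate(crypto, cert.getEncoded)` construction from `JavaCertificateOps.toTlsCertificate` in the previous hunk; `JavaCertificateOps` could delegate with `toCertificate.toTlsCertificate` so the wrapping happens in one place.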
@@ -4,7 +4,7 @@ import java.io.{InputStream, OutputStream} import java.net.{InetAddress, Socket, SocketAddress} import java.nio.channels.SocketChannel -import org.bouncycastle.crypto.tls.TlsProtocol +import org.bouncycastle.tls.TlsProtocol final private[tls] class SocketWrapper(connection: Socket, protocol: TlsProtocol) extends Socket { override def shutdownInput(): Unit = connection.shutdownInput() diff --git a/src/main/scala/com/karasiq/tls/internal/TLSUtils.scala b/src/main/scala/com/karasiq/tls/internal/TLSUtils.scala index 4773fa2..64d9e03 100644 --- a/src/main/scala/com/karasiq/tls/internal/TLSUtils.scala +++ b/src/main/scala/com/karasiq/tls/internal/TLSUtils.scala @@ -3,11 +3,11 @@ package com.karasiq.tls.internal import java.security.Provider import com.karasiq.tls.TLS -import com.karasiq.tls.internal.BCConversions.CipherSuiteId +import com.karasiq.tls.internal.BCConversions._ import com.karasiq.tls.x509.CertificateVerifier import com.typesafe.config.ConfigFactory import org.bouncycastle.crypto.params._ -import org.bouncycastle.crypto.tls._ +import org.bouncycastle.tls._ import org.bouncycastle.jce.ECNamedCurveTable import org.bouncycastle.jce.provider.BouncyCastleProvider import org.bouncycastle.jce.spec.ECParameterSpec 
@@ -55,9 +55,9 @@ object TLSUtils { asJavaVector(trustStore.trustedRootCertificates.map(_.getSubject)) } - def certificateRequest(protocolVersion: ProtocolVersion, verifier: CertificateVerifier): CertificateRequest = { + def certificateRequest(protocolVersion: ProtocolVersion, verifier: CertificateVerifier, context: TlsContext): CertificateRequest = { val certificateTypes = Array(ClientCertificateType.rsa_sign, ClientCertificateType.ecdsa_sign, ClientCertificateType.dss_sign) - new CertificateRequest(certificateTypes, defaultSignatureAlgorithms(protocolVersion), authoritiesOf(verifier)) + new CertificateRequest(certificateTypes, defaultSignatureAlgorithms(protocolVersion, context), authoritiesOf(verifier)) } def certificateFor(keySet: TLS.KeySet, certificateRequest: CertificateRequest): Option[TLS.CertificateKey] = { @@ -76,7 +76,8 @@ object TLSUtils { } def isInAuthorities(chain: TLS.CertificateChain, certificateRequest: CertificateRequest): Boolean = { - chain.getCertificateList.exists { cert ⇒ + chain.getCertificateList.exists { tlsCert ⇒ + val cert = tlsCert.toCertificate certificateRequest.getCertificateAuthorities.contains(cert.getSubject) || certificateRequest.getCertificateAuthorities.contains(cert.getIssuer) } } @@ -119,9 +120,9 @@ object TLSUtils { config.getString("hash-algorithm") } - def defaultSignatureAlgorithms(protocolVersion: ProtocolVersion): java.util.Vector[_] = { + def defaultSignatureAlgorithms(protocolVersion: ProtocolVersion, context: TlsContext): java.util.Vector[_] = { if (TlsUtils.isSignatureAlgorithmsExtensionAllowed(protocolVersion)) { - TlsUtils.getDefaultSupportedSignatureAlgorithms + TlsUtils.getDefaultSupportedSignatureAlgorithms(context) } else { null } diff --git a/src/main/scala/com/karasiq/tls/x509/CertificateGenerator.scala b/src/main/scala/com/karasiq/tls/x509/CertificateGenerator.scala index 5f2435c..8ff62c0 100644 --- a/src/main/scala/com/karasiq/tls/x509/CertificateGenerator.scala 
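Review bot: `certificateRequest` still builds the legacy message form (`certificateTypes`, signature algorithms, authorities) now that both wrappers negotiate `TLSUtils.maxVersion().downTo(TLSUtils.minVersion())`; if `maxVersion()` can be configured to TLS 1.3, the CertificateRequest there has a different shape (a request context and `signature_algorithms_cert`, no certificate types), so this helper needs a version branch or an explicit check that `protocolVersion` is at most TLS 1.2 before using this constructor. The `context` parameter is only threaded through to `TlsUtils.getDefaultSupportedSignatureAlgorithms(context)`; a Scaladoc line stating that, e.g. `@param context handshake context used to derive the default signature_algorithms list`, would help callers that now have to supply it. The `null` return in `defaultSignatureAlgorithms` for pre-1.2 versions is the value the BC constructor expects, but a short comment saying so would prevent a future "fix" to an empty vector.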
+++ b/src/main/scala/com/karasiq/tls/x509/CertificateGenerator.scala @@ -23,7 +23,7 @@ class CertificateGenerator { protected val secureRandom: SecureRandom = SecureRandom.getInstanceStrong private def makeChain(issuer: TLS.CertificateChain, certificate: TLS.Certificate): TLS.CertificateChain = { - new TLS.CertificateChain(Array(certificate) ++ issuer.getCertificateList) + new TLS.CertificateChain(Array(certificate.toTlsCertificate) ++ issuer.getCertificateList) } /** @@ -55,7 +55,7 @@ class CertificateGenerator { val certificateBuilder = new X509v3CertificateBuilder(issuer.certificate.getSubject, serial.underlying(), new Date(), Date.from(notAfter), request.getSubject, request.getSubjectPublicKeyInfo) - + (extensions ++ CertExtension.identifiers(request.getSubjectPublicKeyInfo, Some(issuer.certificate)) ++ CSRUtils.extensionsOf(request)).foreach { ext ⇒ certificateBuilder.addExtension(ext.id, ext.critical, ext.value) } diff --git a/src/main/scala/com/karasiq/tls/x509/ocsp/OCSP.scala b/src/main/scala/com/karasiq/tls/x509/ocsp/OCSP.scala index b6af158..9a00ffd 100644 --- a/src/main/scala/com/karasiq/tls/x509/ocsp/OCSP.scala +++ b/src/main/scala/com/karasiq/tls/x509/ocsp/OCSP.scala @@ -93,7 +93,9 @@ object OCSP { extGen.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, nonce) builder.setRequestExtensions(extGen.generate()) - builder.build(X509Utils.contentSigner(signer.key.getPrivate.toPrivateKey), signer.certificateChain.getCertificateList.map(new X509CertificateHolder(_))) + builder.build( + X509Utils.contentSigner(signer.key.getPrivate.toPrivateKey), + signer.certificateChain.getCertificateList.map(tlsCert => new X509CertificateHolder(tlsCert.toCertificate))) } /** 
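Review bot: The lambda added to `builder.build(...)` uses `=>` while the rest of this file uses the Unicode arrow `⇒` (visible in `case (b, Status(id, status)) ⇒` in the next hunk); keep one form per file. The `signer.certificateChain.getCertificateList.map(tlsCert => new X509CertificateHolder(tlsCert.toCertificate))` expression is repeated verbatim in the response-building hunk on the next line; a private helper such as `private def holderChain(chain: TLS.CertificateChain): Array[X509CertificateHolder] = chain.getCertificateList.map(c ⇒ new X509CertificateHolder(c.toCertificate))` (assuming `TLS` is in scope here as it is in the other files) would remove the duplication. Both enclosing methods start outside their hunks.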
@@ -117,7 +119,10 @@ object OCSP { case (b, Status(id, status)) ⇒ b.addResponse(id, status) } - builder.build(X509Utils.contentSigner(signer.key.getPrivate.toPrivateKey), signer.certificateChain.getCertificateList.map(new X509CertificateHolder(_)), new Date()) + builder.build( + X509Utils.contentSigner(signer.key.getPrivate.toPrivateKey), + signer.certificateChain.getCertificateList.map(tlsCert => new X509CertificateHolder(tlsCert.toCertificate)), + new Date()) } private def loadUrl(url: String, request: OCSPReq): OCSPResp = concurrent.blocking { diff --git a/src/test/scala/X509Test.scala b/src/test/scala/X509Test.scala index 896381f..08c8693 100644 --- a/src/test/scala/X509Test.scala +++ b/src/test/scala/X509Test.scala @@ -51,10 +51,10 @@ class X509Test extends FreeSpec with Matchers { PEM.certificationRequest.fromString(encoded).getSubject shouldBe request.getSubject val cert = keyGenerator.signRequest(request, certificationAuthority) val verifier = CertificateVerifier(CertificateStatusProvider.AlwaysValid, certificationAuthority.certificate) - assert(verifier.isChainValid(cert.getCertificateList.toList)) - X509Utils.verifyAuthorityIdentifier(cert.toTlsCertificate, certificationAuthority.certificate) shouldBe Some(true) - X509Utils.verifyPublicKeyIdentifier(cert.toTlsCertificate, serverKeySet.ecdsa.get.key.getPublic.toSubjectPublicKeyInfo) shouldBe Some(true) - println("CSR signed: " + cert.toTlsCertificate.getSubject) + assert(verifier.isChainValid(cert.getCertificateList.toList.map(_.toCertificate))) + X509Utils.verifyAuthorityIdentifier(cert.toCertificate, certificationAuthority.certificate) shouldBe Some(true) + X509Utils.verifyPublicKeyIdentifier(cert.toCertificate, serverKeySet.ecdsa.get.key.getPublic.toSubjectPublicKeyInfo) shouldBe Some(true) + println("CSR signed: " + cert.toCertificate.getSubject) } "should read CRL" in {