WolfSSL
/
wolfssljni
mirror of https://github.com/wolfSSL/wolfssljni.git
1
0
Fork 0
Code Issues Releases Wiki Activity

add rsa_pss support in wolfJSSE

pull/218/head
Sage Stefonic 2024-08-08 15:18:08 -07:00
parent 74101dd4b1
commit bde37eec21
13 changed files with 171 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
examples/provider/ca-client.jks
View File

Binary file not shown.

BIN
examples/provider/ca-server.jks
View File

Binary file not shown.

BIN
examples/provider/client-rsapss.jks 100644
View File

Binary file not shown.

BIN
examples/provider/server-rsapss.jks 100644
View File

Binary file not shown.

16
examples/provider/update-jks.sh
View File

@ -107,6 +107,12 @@ rm client-ecc.jks &> /dev/null
add_cert_key "client-ecc.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfSSL test"
printf "done\n"
# Client cert: RSAPSS only
printf "\tCreating client-rsapss.jks ..."
rm client-rsapss.jks &> /dev/null
add_cert_key "client-rsapss.jks" "/rsapss/client-rsapss.pem" "/rsapss/client-rsapss-priv.pem" "client-rsapss" "wolfSSL test"
printf "done\n"
#################### SERVER KEYSTORES ####################
# Server cert: both RSA 2048-bit and ECC
@ -134,6 +140,12 @@ rm server-ecc.jks &> /dev/null
add_cert_key "server-ecc.jks" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfSSL test"
printf "done\n"
# Server cert: RSAPSS only
printf "\tCreating server-rsapss.jks ..."
rm server-rsapss.jks &> /dev/null
add_cert_key "server-rsapss.jks" "/rsapss/server-rsapss.pem" "/rsapss/server-rsapss-priv.pem" "server-rsapss" "wolfSSL test"
printf "done\n"
#################### CA CERT KEYSTORES ###################
# Contains all CA certs (RSA and ECC), verifies both client and server certs
@ -150,18 +162,22 @@ printf "done\n"
# Contains CA certs used to verify client certs:
# client-cert.pem verifies itself (self signed)
# client-ecc-cert.pem verifies itself (self signed)
# client-rsapss.pem verifies itself (self signed)
printf "\tCreating ca-client.jks ..."
rm ca-client.jks &> /dev/null
add_cert_key "ca-client.jks" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfSSL test"
add_cert_key "ca-client.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfSSL test"
add_cert_key "ca-client.jks" "/rsapss/client-rsapss.pem" "/rsapss/client-rsapss-priv.pem" "client-rsapss" "wolfSSL test"
printf "done\n"
# Contains CA certs used to verify server certs:
# ca-cert.pem verifies server-cert.pem
# ca-ecc-cert.pem verifies server-ecc.pem
# ca-rsapss.pem verifies server-rsapss.pem
printf "\tCreating ca-server.jks ..."
rm ca-server.jks &> /dev/null
add_cert_key "ca-server.jks" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfSSL test"
add_cert_key "ca-server.jks" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfSSL test"
add_cert_key "ca-server.jks" "/rsapss/ca-rsapss.pem" "/rsapss/ca-rsapss-priv.pem" "ca-rsapss" "wolfSSL test"
printf "done\n"

13
native/com_wolfssl_WolfSSL.c
View File

@ -532,6 +532,19 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_RsaEnabled
#endif
}
JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_RsaPssEnabled
(JNIEnv* jenv, jclass jcl)
{
(void)jenv;
(void)jcl;
#if !defined(NO_RSA) && defined(WC_RSA_PSS)
return JNI_TRUE;
#else
return JNI_FALSE;
#endif
}
JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_Curve25519Enabled
(JNIEnv* jenv, jclass jcl)
{

8
native/com_wolfssl_WolfSSL.h
View File

@ -621,6 +621,14 @@ JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_EccEnabled
JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_RsaEnabled
(JNIEnv *, jclass);
/*
* Class: com_wolfssl_WolfSSL
* Method: RsaPssEnabled
* Signature: ()Z
*/
JNIEXPORT jboolean JNICALL Java_com_wolfssl_WolfSSL_RsaPssEnabled
(JNIEnv *, jclass);
/*
* Class: com_wolfssl_WolfSSL
* Method: Curve25519Enabled

2
native/com_wolfssl_WolfSSLCertificate.c
View File

@ -1174,6 +1174,8 @@ JNIEXPORT jstring JNICALL Java_com_wolfssl_WolfSSLCertificate_X509_1get_1signatu
return (*jenv)->NewStringUTF(jenv, "SHA512withECDSA");
case CTC_ED25519:
return (*jenv)->NewStringUTF(jenv, "ED25519");
case CTC_RSASSAPSS:
return (*jenv)->NewStringUTF(jenv, "RSASSA-PSS");
default:
(*jenv)->ThrowNew(jenv, jcl, "Unknown signature type");

8
src/java/com/wolfssl/WolfSSL.java
View File

@ -843,6 +843,14 @@ public class WolfSSL {
*/
public static native boolean RsaEnabled();
/**
* Tests if RSA_PSS support has been compiled into the native wolfSSL
* library.
*
* @return true if enabled, otherwise false if not compiled in.
*/
public static native boolean RsaPssEnabled();
/**
* Tests if Curve25519/X25519 support has been compiled into the native
* wolfSSL library.

3
src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java
View File

@ -222,6 +222,9 @@ public class WolfSSLEngineHelper {
}
if (WolfSSL.RsaEnabled()) {
keyAlgos.add("RSA");
if (WolfSSL.RsaPssEnabled()) {
keyAlgos.add("RSASSA-PSS");
}
}
String[] keyTypes = new String[keyAlgos.size()];

4
src/java/com/wolfssl/provider/jsse/WolfSSLKeyX509.java
View File

@ -293,7 +293,9 @@ public class WolfSSLKeyX509 extends X509ExtendedKeyManager
try {
key = (PrivateKey)store.getKey(alias, password);
} catch (Exception e) {
/* @TODO unable to get key */
/* @TODO unable to get key */
WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
"failed to load private key: " + e);
}
return key;
}

8
src/test/com/wolfssl/provider/jsse/test/WolfSSLTestFactory.java
View File

@ -67,10 +67,12 @@ class WolfSSLTestFactory {
protected String clientRSA1024JKS;
protected String clientRSAJKS;
protected String clientECCJKS;
protected String clientRSAPSSJKS;
protected static String serverJKS;
protected String serverRSA1024JKS;
protected String serverRSAJKS;
protected String serverECCJKS;
protected String serverRSAPSSJKS;
protected String caJKS;
protected static String caClientJKS;
protected String caServerJKS;
@ -91,10 +93,12 @@ class WolfSSLTestFactory {
* client-rsa-1024.jks RSA 1024-bit only client cert
* client-rsa.jks RSA 2048-bit only client cert
* client-ecc.jks ECC only client cert
* client-rsapss.jks RSA_PSS only client cert
* server.jks RSA 2048-bit and ECC server certs
* server-rsa-1024.jks RSA 1024-bit only server cert
* server-rsa.jks RSA 2048-bit only server cert
* server-ecc.jks ECC only server cert
* server-rsapss.jks RSA_PSS only server cert
* cacerts.jks All CA certs (RSA, ECC, 1024, 2048, etc)
* ca-client.jks CA certs used to verify client certs
* ca-server.jks CA certs used to verify server certs */
@ -104,10 +108,12 @@ class WolfSSLTestFactory {
clientRSA1024JKS = "examples/provider/client-rsa-1024.jks";
clientRSAJKS = "examples/provider/client-rsa.jks";
clientECCJKS = "examples/provider/client-ecc.jks";
clientRSAPSSJKS = "examples/provider/client-rsapss.jks";
serverJKS = "examples/provider/server.jks";
serverRSA1024JKS = "examples/provider/server-rsa-1024.jks";
serverRSAJKS = "examples/provider/server-rsa.jks";
serverECCJKS = "examples/provider/server-ecc.jks";
serverRSAPSSJKS = "examples/provider/server-rsapss.jks";
caJKS = "examples/provider/cacerts.jks";
caClientJKS = "examples/provider/ca-client.jks";
caServerJKS = "examples/provider/ca-server.jks";
@ -141,10 +147,12 @@ class WolfSSLTestFactory {
clientRSA1024JKS = in.concat(clientRSA1024JKS);
clientRSAJKS = in.concat(clientRSAJKS);
clientECCJKS = in.concat(clientECCJKS);
clientRSAPSSJKS = in.concat(clientRSAPSSJKS);
serverJKS = in.concat(serverJKS);
serverRSA1024JKS = in.concat(serverRSA1024JKS);
serverRSAJKS = in.concat(serverRSAJKS);
serverECCJKS = in.concat(serverECCJKS);
serverRSAPSSJKS = in.concat(serverRSAPSSJKS);
caJKS = in.concat(caJKS);
caClientJKS = in.concat(caClientJKS);
caServerJKS = in.concat(caServerJKS);

110
src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java
View File

@ -480,6 +480,57 @@ public class WolfSSLTrustX509Test {
pass("\t\t\t... passed");
}
@Test
public void testVerifyRsaPss()
throws NoSuchProviderException, NoSuchAlgorithmException,
KeyStoreException, FileNotFoundException, IOException,
CertificateException {
/* skip if RSA_PSS is not compiled in at native level */
if (WolfSSL.RsaPssEnabled() == false) {
return;
}
TrustManager[] tm;
X509TrustManager x509tm;
X509Certificate cas[];
InputStream stream;
KeyStore ks;
System.out.print("\tTesting verify rsa_pss");
tm = tf.createTrustManager("SunX509", tf.caServerJKS, provider);
if (tm == null) {
error("\t\t\t... failed");
fail("failed to create trustmanager");
return;
}
x509tm = (X509TrustManager) tm[0];
cas = x509tm.getAcceptedIssuers();
if (cas == null) {
error("\t\t\t... failed");
fail("no CAs where found");
return;
}
ks = KeyStore.getInstance(tf.keyStoreType);
stream = new FileInputStream(tf.serverRSAPSSJKS);
ks.load(stream, "wolfSSL test".toCharArray());
stream.close();
try {
x509tm.checkServerTrusted(new X509Certificate[] {
(X509Certificate)ks.getCertificate("server-rsapss") }, "RSASSA-PSS");
}
catch (Exception e) {
e.printStackTrace();
error("\t\t... failed");
fail("failed to verify");
}
pass("\t\t... passed");
}
@Test
public void testCheckServerTrustedWithChain()
throws NoSuchProviderException, NoSuchAlgorithmException,
@ -1447,6 +1498,65 @@ public class WolfSSLTrustX509Test {
pass("\t... passed");
}
@Test
public void testUsingRsaPssCert()
throws Exception {
/* skip if RSA_PSS is not compiled in at native level */
if (WolfSSL.RsaPssEnabled() == false) {
return;
}
System.out.print("\tTest using rsa_pss certs");
SSLContext srvCtx = tf.createSSLContext("TLSv1.3", provider,
tf.createTrustManager("SunX509", tf.caClientJKS, provider),
tf.createKeyManager("SunX509", tf.serverRSAPSSJKS, provider));
SSLContext cliCtx = tf.createSSLContext("TLSv1.3", provider,
tf.createTrustManager("SunX509", tf.caServerJKS, provider),
tf.createKeyManager("SunX509", tf.clientRSAPSSJKS, provider));
SSLServerSocket ss = (SSLServerSocket)srvCtx.getServerSocketFactory()
.createServerSocket(0);
TestArgs serverArgs = new TestArgs(null, null, true, true, true, null);
TestSSLSocketServer server = new TestSSLSocketServer(
srvCtx, ss, serverArgs, 1);
server.start();
TestArgs clientArgs = new TestArgs(
"HTTPS", "www.wolfssl.com", false, false, true, null);
TestSSLSocketClient client = new TestSSLSocketClient(
cliCtx, ss.getLocalPort(), clientArgs);
client.start();
try {
client.join(1000);
server.join(1000);
} catch (InterruptedException e) {
System.out.println("interrupt happened");
fail("RSA_PSS cert test failed");
}
/* Fail if client or server encountered exception */
Exception srvException = server.getException();
Exception cliException = client.getException();
if (srvException != null || cliException != null) {
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
if (srvException != null) {
srvException.printStackTrace(pw);
}
if (cliException != null) {
cliException.printStackTrace(pw);
}
String traceString = sw.toString();
throw new Exception(traceString);
}
pass("\t... passed");
}
@Test
public void testX509ExtendedTrustManagerInternal()
throws CertificateException, IOException, Exception {