forked from bcgit/bc-java
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
added DSASigner to the constraint set.
refactored CryptoService to CryptoServiceProperties. added Purpose test and legacy algorithm support to constraints.
- Loading branch information
Showing
14 changed files
with
442 additions
and
52 deletions.
There are no files selected for viewing
8 changes: 0 additions & 8 deletions
8
core/src/main/java/org/bouncycastle/crypto/CryptoService.java
This file was deleted.
Oops, something went wrong.
19 changes: 19 additions & 0 deletions
19
core/src/main/java/org/bouncycastle/crypto/CryptoServiceProperties.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| package org.bouncycastle.crypto; | ||
|
|
||
| public interface CryptoServiceProperties | ||
| { | ||
| enum Purpose | ||
| { | ||
| ENCRYPTION, | ||
| DECRYPTION, | ||
| SIGNING, | ||
| VERIFYING, | ||
| BOTH | ||
| } | ||
|
|
||
| int bitsOfSecurity(); | ||
|
|
||
| String getServiceName(); | ||
|
|
||
| Purpose getPurpose(); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
28 changes: 24 additions & 4 deletions
28
core/src/main/java/org/bouncycastle/crypto/constraints/BitsOfSecurityConstraint.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
105 changes: 105 additions & 0 deletions
105
core/src/main/java/org/bouncycastle/crypto/constraints/LegacyBitsOfSecurityConstraint.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| package org.bouncycastle.crypto.constraints; | ||
|
|
||
| import java.util.Collections; | ||
| import java.util.Set; | ||
| import java.util.logging.Level; | ||
|
|
||
| import org.bouncycastle.crypto.CryptoServiceConstraintsException; | ||
| import org.bouncycastle.crypto.CryptoServiceProperties; | ||
|
|
||
| import static org.bouncycastle.crypto.CryptoServiceProperties.Purpose.BOTH; | ||
|
|
||
| /** | ||
| * Legacy bits of security constraint. By default, legacy algorithms are all acceptable but can only | ||
| * be used for decryption and verification tasks. Algorithms with the required bits of security can be | ||
| * used for anything. If a minimum level of security is given for legacy algorithms, then anything below | ||
| * that will be treated as an error unless it appears in the exception list. | ||
| */ | ||
| public class LegacyBitsOfSecurityConstraint | ||
| extends ServicesConstraint | ||
| { | ||
| private final int requiredBitsOfSecurity; | ||
| private final int legacyRequiredBitsOfSecurity; | ||
|
|
||
| /** | ||
| * Base constructor, legacy level is set to 0. | ||
| * | ||
| * @param requiredBitsOfSecurity required bits of security for encryption and signing operations. | ||
| */ | ||
| public LegacyBitsOfSecurityConstraint(int requiredBitsOfSecurity) | ||
| { | ||
| this(requiredBitsOfSecurity, 0); | ||
| } | ||
|
|
||
| /** | ||
| * Provide required bits of security and legacy requirements. | ||
| * | ||
| * @param requiredBitsOfSecurity required bits of security for encryption and signing operations. | ||
| * @param legacyRequiredBitsOfSecurity acceptable bits of security for decryption and verification operations. | ||
| */ | ||
| public LegacyBitsOfSecurityConstraint(int requiredBitsOfSecurity, int legacyRequiredBitsOfSecurity) | ||
| { | ||
| super(Collections.EMPTY_SET); | ||
|
|
||
| this.requiredBitsOfSecurity = requiredBitsOfSecurity; | ||
| this.legacyRequiredBitsOfSecurity = legacyRequiredBitsOfSecurity; | ||
| } | ||
|
|
||
| /** | ||
| * Provide required bits of security, and a set of exceptions. Legacy requirement will default to 0. | ||
| * | ||
| * @param requiredBitsOfSecurity required bits of security for encryption and signing operations. | ||
| * @param exceptions set service names which are exceptions to the above rules. | ||
| */ | ||
| public LegacyBitsOfSecurityConstraint(int requiredBitsOfSecurity, Set<String> exceptions) | ||
| { | ||
| this(requiredBitsOfSecurity, 0, exceptions); | ||
| } | ||
|
|
||
| /** | ||
| * Provide required bits of security, legacy requirements, and a set of exceptions. | ||
| * | ||
| * @param requiredBitsOfSecurity required bits of security for encryption and signing operations. | ||
| * @param legacyRequiredBitsOfSecurity acceptable bits of security for decryption and verification operations. | ||
| * @param exceptions set service names which are exceptions to the above rules. | ||
| */ | ||
| public LegacyBitsOfSecurityConstraint(int requiredBitsOfSecurity, int legacyRequiredBitsOfSecurity, Set<String> exceptions) | ||
| { | ||
| super(exceptions); | ||
|
|
||
| this.requiredBitsOfSecurity = requiredBitsOfSecurity; | ||
| this.legacyRequiredBitsOfSecurity = legacyRequiredBitsOfSecurity; | ||
| } | ||
|
|
||
| public void check(CryptoServiceProperties service) | ||
| { | ||
| if (isException(service.getServiceName())) | ||
| { | ||
| return; | ||
| } | ||
|
|
||
| CryptoServiceProperties.Purpose purpose = service.getPurpose(); | ||
|
|
||
| // BOTH is allowed as we assume verifying/encryption will be blocked later. | ||
| switch (purpose) | ||
| { | ||
| case BOTH: | ||
| case VERIFYING: | ||
| case DECRYPTION: | ||
| if (service.bitsOfSecurity() < legacyRequiredBitsOfSecurity) | ||
| { | ||
| throw new CryptoServiceConstraintsException("service does not provide " + requiredBitsOfSecurity + " bits of security only " + service.bitsOfSecurity()); | ||
| } | ||
| if (purpose != BOTH && LOG.isLoggable(Level.FINE)) | ||
| { | ||
| LOG.fine("usage of legacy cryptography service for algorithm " + service.getServiceName()); | ||
| } | ||
| return; | ||
| } | ||
|
|
||
| if (service.bitsOfSecurity() < requiredBitsOfSecurity) | ||
| { | ||
| throw new CryptoServiceConstraintsException("service does not provide " + requiredBitsOfSecurity + " bits of security only " + service.bitsOfSecurity()); | ||
| } | ||
| } | ||
| } |
49 changes: 49 additions & 0 deletions
49
core/src/main/java/org/bouncycastle/crypto/constraints/ServicesConstraint.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| package org.bouncycastle.crypto.constraints; | ||
|
|
||
| import java.util.Collections; | ||
| import java.util.HashSet; | ||
| import java.util.Iterator; | ||
| import java.util.Set; | ||
| import java.util.logging.Logger; | ||
|
|
||
| import org.bouncycastle.crypto.CryptoServicesConstraints; | ||
| import org.bouncycastle.util.Strings; | ||
|
|
||
| /** | ||
| * Base class for a constraint, serves to provide storage for the set of exceptions (if any). | ||
| */ | ||
| abstract public class ServicesConstraint | ||
| implements CryptoServicesConstraints | ||
| { | ||
| protected static final Logger LOG = Logger.getLogger(ServicesConstraint.class.getName()); | ||
|
|
||
| private final Set<String> exceptions; | ||
|
|
||
| protected ServicesConstraint(Set<String> exceptions) | ||
| { | ||
| if (exceptions.isEmpty()) | ||
| { | ||
| this.exceptions = Collections.EMPTY_SET; | ||
| } | ||
| else | ||
| { | ||
| this.exceptions = new HashSet<>(exceptions.size()); | ||
| for (Iterator it = exceptions.iterator(); it.hasNext();) | ||
| { | ||
| this.exceptions.add(Strings.toUpperCase(it.next().toString())); | ||
| } | ||
|
|
||
| Utils.addAliases(this.exceptions); | ||
| } | ||
| } | ||
|
|
||
| protected boolean isException(String algorithm) | ||
| { | ||
| if (exceptions.isEmpty()) | ||
| { | ||
| return false; | ||
| } | ||
|
|
||
| return exceptions.contains(Strings.toUpperCase(algorithm)); | ||
| } | ||
| } |
24 changes: 24 additions & 0 deletions
24
core/src/main/java/org/bouncycastle/crypto/constraints/Utils.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| package org.bouncycastle.crypto.constraints; | ||
|
|
||
| import java.util.Set; | ||
|
|
||
| class Utils | ||
| { | ||
| /** | ||
| * Depending on usage, in some places algorithms are referred to slightly | ||
| * differently. We try to sort that out here. | ||
| * | ||
| * @param exceptions set of exceptions from constraint checking. | ||
| */ | ||
| static void addAliases(Set<String> exceptions) | ||
| { | ||
| if (exceptions.contains("RC4")) | ||
| { | ||
| exceptions.add("ARC4"); | ||
| } | ||
| else if (exceptions.contains("ARC4")) | ||
| { | ||
| exceptions.add("RC4"); | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.