Merge branch 'main' of gitlab.cryptoworkshop.com:root/bc-java

Author: dghgit

tls/docs/GnuTLSSetup.html

@@ -8,7 +8,7 @@ <h3>Instructions for setting up a GnuTLS server for use with DTLSClientTest, Tls
 
 <li> Unpack to folder and add ${GNUTLS_HOME}/bin to PATH
 
-<li> Make a working folder somewhere and copy the x509-*.pem from this package (in src/test/resources) to there.
+<li> Make a working folder somewhere and copy the x509-*.pem from the bc-test-data repository (in tls/credentials) to there.
 
 <li> Go to working folder and start GnuTLS server (defaults to port 5556):
 <ul>

tls/docs/OpenSSLSetup.html

@@ -7,7 +7,7 @@ <h3>Instructions for setting up an OpenSSL server for use with DTLSClientTest, D
 <ul>
 <li> Download and Install OpenSSL (exercise for the reader)
 
-<li> Make a working folder somewhere and copy the x509-*.pem from this package (in src/test/resources) to there.
+<li> Make a working folder somewhere and copy the x509-*.pem from the bc-test-data repository (in tls/credentials) to there.
 
 <li> Go to working folder and start OpenSSL client or server:
 <ul>

tls/src/main/java/org/bouncycastle/jsse/provider/AbstractAlgorithmConstraints.java

@@ -14,31 +14,12 @@ abstract class AbstractAlgorithmConstraints implements BCAlgorithmConstraints
 
     AbstractAlgorithmConstraints(AlgorithmDecomposer decomposer)
     {
-        this.decomposer = decomposer;
-    }
-
-    protected void checkAlgorithmName(String algorithm)
-    {
-        if (!JsseUtils.isNameSpecified(algorithm))
-        {
-            throw new IllegalArgumentException("No algorithm name specified");
-        }
-    }
-
-    protected void checkKey(Key key)
-    {
-        if (null == key)
+        if (decomposer == null)
         {
-            throw new NullPointerException("'key' cannot be null");
+            throw new NullPointerException("'decomposer' cannot be null");
         }
-    }
 
-    protected void checkPrimitives(Set<BCCryptoPrimitive> primitives)
-    {
-        if (!isPrimitivesSpecified(primitives))
-        {
-            throw new IllegalArgumentException("No cryptographic primitive specified");
-        }
+        this.decomposer = decomposer;
     }
 
     protected boolean containsAnyPartIgnoreCase(Set<String> elements, String algorithm)
@@ -53,21 +34,42 @@ protected boolean containsAnyPartIgnoreCase(Set<String> elements, String algorit
             return true;
         }
 
-        if (null != decomposer)
+        for (String part : decomposer.decompose(algorithm))
         {
-            for (String part : decomposer.decompose(algorithm))
+            if (containsIgnoreCase(elements, part))
             {
-                if (containsIgnoreCase(elements, part))
-                {
-                    return true;
-                }
+                return true;
             }
         }
 
         return false;
     }
 
-    protected boolean containsIgnoreCase(Set<String> elements, String s)
+    static void checkAlgorithmName(String algorithm)
+    {
+        if (!JsseUtils.isNameSpecified(algorithm))
+        {
+            throw new IllegalArgumentException("No algorithm name specified");
+        }
+    }
+
+    static void checkKey(Key key)
+    {
+        if (null == key)
+        {
+            throw new NullPointerException("'key' cannot be null");
+        }
+    }
+
+    static void checkPrimitives(Set<BCCryptoPrimitive> primitives)
+    {
+        if (!isPrimitivesSpecified(primitives))
+        {
+            throw new IllegalArgumentException("No cryptographic primitive specified");
+        }
+    }
+
+    static boolean containsIgnoreCase(Set<String> elements, String s)
     {
         for (String element : elements)
         {
@@ -79,12 +81,12 @@ protected boolean containsIgnoreCase(Set<String> elements, String s)
         return false;
     }
 
-    protected boolean isPrimitivesSpecified(Set<BCCryptoPrimitive> primitives)
+    static boolean isPrimitivesSpecified(Set<BCCryptoPrimitive> primitives)
     {
         return null != primitives && !primitives.isEmpty();
     }
 
-    protected static Set<String> asUnmodifiableSet(String[] algorithms)
+    static Set<String> asUnmodifiableSet(String[] algorithms)
     {
         if (null != algorithms && algorithms.length > 0)
         {
@@ -97,7 +99,7 @@ protected static Set<String> asUnmodifiableSet(String[] algorithms)
         return Collections.<String> emptySet();
     }
 
-    protected static Set<String> asSet(String[] algorithms)
+    static Set<String> asSet(String[] algorithms)
     {
         Set<String> result = new HashSet<String>();
         if (null != algorithms)

tls/src/main/java/org/bouncycastle/jsse/provider/JcaAlgorithmDecomposer.java

@@ -1,26 +1,85 @@
 package org.bouncycastle.jsse.provider;
 
-import java.util.Collections;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 import java.util.regex.Pattern;
 
 class JcaAlgorithmDecomposer
     implements AlgorithmDecomposer
 {
+    private static final Map<String, String> SHA_DIGEST_MAP = createSHADigestMap();
+
     private static final Pattern PATTERN = Pattern.compile("with|and|(?<!padd)in", Pattern.CASE_INSENSITIVE);
 
     static final JcaAlgorithmDecomposer INSTANCE_JCA = new JcaAlgorithmDecomposer();
 
     public Set<String> decompose(String algorithm)
     {
-        if (algorithm.indexOf('/') < 0)
+        HashSet<String> result = new HashSet<String>();
+
+        if (JsseUtils.isNameSpecified(algorithm))
         {
-            return Collections.emptySet();
+            implDecompose(result, algorithm);
+
+            if (algorithm.contains("SHA"))
+            {
+                for (Map.Entry<String, String> entry : SHA_DIGEST_MAP.entrySet())
+                {
+                    includeBothIfEither(result, entry.getKey(), entry.getValue());
+                }
+            }
         }
 
-        Set<String> result = new HashSet<String>();
+        return result;
+    }
 
+    static String decomposeDigestName(String algorithm)
+    {
+        String result = SHA_DIGEST_MAP.get(algorithm);
+        if (result == null)
+        {
+            result = algorithm;
+        }
+        return result;
+    }
+
+    static Set<String> decomposeName(String algorithm)
+    {
+        HashSet<String> result = new HashSet<String>();
+
+        if (JsseUtils.isNameSpecified(algorithm))
+        {
+            implDecompose(result, algorithm);
+
+            if (algorithm.contains("SHA"))
+            {
+                for (Map.Entry<String, String> entry : SHA_DIGEST_MAP.entrySet())
+                {
+                    replaceFirstWithSecond(result, entry.getKey(), entry.getValue());
+                }
+            }
+        }
+
+        return result;
+    }
+
+    private static Map<String, String> createSHADigestMap()
+    {
+        HashMap<String, String> result = new HashMap<String, String>();
+        result.put("SHA-1", "SHA1");
+        result.put("SHA-224", "SHA224");
+        result.put("SHA-256", "SHA256");
+        result.put("SHA-384", "SHA384");
+        result.put("SHA-512", "SHA512");
+        result.put("SHA-512/224", "SHA512/224");
+        result.put("SHA-512/256", "SHA512/256");
+        return result;
+    }
+
+    private static void implDecompose(HashSet<String> result, String algorithm)
+    {
         for (String section : algorithm.split("/"))
         {
             if (section.length() > 0)
@@ -34,22 +93,25 @@ public Set<String> decompose(String algorithm)
                 }
             }
         }
+    }
 
-        ensureBothIfEither(result, "SHA1", "SHA-1");
-        ensureBothIfEither(result, "SHA224", "SHA-224");
-        ensureBothIfEither(result, "SHA256", "SHA-256");
-        ensureBothIfEither(result, "SHA384", "SHA-384");
-        ensureBothIfEither(result, "SHA512", "SHA-512");
-
-        return result;
+    private static void includeBothIfEither(HashSet<String> elements, String a, String b)
+    {
+        if (elements.contains(a))
+        {
+            elements.add(b);
+        }
+        else if (elements.contains(b))
+        {
+            elements.add(a);
+        }
     }
 
-    private static void ensureBothIfEither(Set<String> elements, String a, String b)
+    private static void replaceFirstWithSecond(HashSet<String> elements, String a, String b)
     {
-        boolean hasA = elements.contains(a), hasB = elements.contains(b);
-        if (hasA ^ hasB)
+        if (elements.remove(a))
         {
-            elements.add(hasA ? b : a);
+            elements.add(b);
         }
     }
 }

tls/src/main/java/org/bouncycastle/jsse/provider/ProvAlgorithmConstraints.java

@@ -10,7 +10,7 @@
 import org.bouncycastle.jsse.java.security.BCCryptoPrimitive;
 
 class ProvAlgorithmConstraints
-    extends AbstractAlgorithmConstraints
+    implements BCAlgorithmConstraints
 {
     private static final Logger LOG = Logger.getLogger(ProvAlgorithmConstraints.class.getName());
 
@@ -43,8 +43,6 @@ class ProvAlgorithmConstraints
 
     ProvAlgorithmConstraints(BCAlgorithmConstraints configAlgorithmConstraints, boolean enableX509Constraints)
     {
-        super(null);
-
         this.configAlgorithmConstraints = configAlgorithmConstraints;
         this.supportedSignatureAlgorithms = null;
         this.enableX509Constraints = enableX509Constraints;
@@ -53,17 +51,15 @@ class ProvAlgorithmConstraints
     ProvAlgorithmConstraints(BCAlgorithmConstraints configAlgorithmConstraints,
         String[] supportedSignatureAlgorithms, boolean enableX509Constraints)
     {
-        super(null);
-
         this.configAlgorithmConstraints = configAlgorithmConstraints;
-        this.supportedSignatureAlgorithms = asUnmodifiableSet(supportedSignatureAlgorithms);
+        this.supportedSignatureAlgorithms = AbstractAlgorithmConstraints.asUnmodifiableSet(supportedSignatureAlgorithms);
         this.enableX509Constraints = enableX509Constraints;
     }
 
     public boolean permits(Set<BCCryptoPrimitive> primitives, String algorithm, AlgorithmParameters parameters)
     {
-        checkPrimitives(primitives);
-        checkAlgorithmName(algorithm);
+        AbstractAlgorithmConstraints.checkPrimitives(primitives);
+        AbstractAlgorithmConstraints.checkAlgorithmName(algorithm);
 
         if (null != supportedSignatureAlgorithms)
         {
@@ -105,8 +101,8 @@ public boolean permits(Set<BCCryptoPrimitive> primitives, String algorithm, Algo
 
     public boolean permits(Set<BCCryptoPrimitive> primitives, Key key)
     {
-        checkPrimitives(primitives);
-        checkKey(key);
+        AbstractAlgorithmConstraints.checkPrimitives(primitives);
+        AbstractAlgorithmConstraints.checkKey(key);
 
         if (null != configAlgorithmConstraints && !configAlgorithmConstraints.permits(primitives, key))
         {
@@ -129,9 +125,9 @@ public boolean permits(Set<BCCryptoPrimitive> primitives, Key key)
 
     public boolean permits(Set<BCCryptoPrimitive> primitives, String algorithm, Key key, AlgorithmParameters parameters)
     {
-        checkPrimitives(primitives);
-        checkAlgorithmName(algorithm);
-        checkKey(key);
+        AbstractAlgorithmConstraints.checkPrimitives(primitives);
+        AbstractAlgorithmConstraints.checkAlgorithmName(algorithm);
+        AbstractAlgorithmConstraints.checkKey(key);
 
         if (null != supportedSignatureAlgorithms)
         {
@@ -175,6 +171,6 @@ private String getAlgorithm(String algorithmBC)
 
     private boolean isSupportedSignatureAlgorithm(String algorithmBC)
     {
-        return containsIgnoreCase(supportedSignatureAlgorithms, algorithmBC);
+        return AbstractAlgorithmConstraints.containsIgnoreCase(supportedSignatureAlgorithms, algorithmBC);
     }
 }