diff options
| author | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-09-12 12:04:41 +0700 |
|---|---|---|
| committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-09-12 12:04:41 +0700 |
| commit | 611e75935efc4266b9a66b25cff68c66f46a2bd2 (patch) | |
| tree | a1b1b901bde0ac62ce0c6ba820cadc1707af53c0 /crypto/src | |
| parent | Improve span-based GCM code (diff) | |
| download | BouncyCastle.NET-ed25519-611e75935efc4266b9a66b25cff68c66f46a2bd2.tar.xz | |
Add basic support for JKS keystores
Diffstat (limited to 'crypto/src')
| -rw-r--r-- | crypto/src/security/JksStore.cs | 610 |
1 files changed, 610 insertions, 0 deletions
diff --git a/crypto/src/security/JksStore.cs b/crypto/src/security/JksStore.cs new file mode 100644 index 000000000..9b4269278 --- /dev/null +++ b/crypto/src/security/JksStore.cs @@ -0,0 +1,610 @@ +using System; +using System.Collections.Generic; +using System.IO; +using System.Text; + +using Org.BouncyCastle.Asn1; +using Org.BouncyCastle.Asn1.Pkcs; +using Org.BouncyCastle.Asn1.X509; +using Org.BouncyCastle.Crypto; +using Org.BouncyCastle.Crypto.IO; +using Org.BouncyCastle.Pkcs; +using Org.BouncyCastle.Utilities; +using Org.BouncyCastle.Utilities.Date; +using Org.BouncyCastle.Utilities.IO; +using Org.BouncyCastle.X509; + +namespace Org.BouncyCastle.Security +{ + public class JksStore + { + private static readonly int Magic = unchecked((int)0xFEEDFEED); + + private static readonly AlgorithmIdentifier JksObfuscationAlg = new AlgorithmIdentifier( + new DerObjectIdentifier("1.3.6.1.4.1.42.2.17.1.1"), DerNull.Instance); + + private readonly Dictionary<string, JksTrustedCertEntry> m_certificateEntries = + new Dictionary<string, JksTrustedCertEntry>(StringComparer.OrdinalIgnoreCase); + private readonly Dictionary<string, JksKeyEntry> m_keyEntries = + new Dictionary<string, JksKeyEntry>(StringComparer.OrdinalIgnoreCase); + + public JksStore() + { + } + + /// <exception cref="IOException"/> + public bool Probe(Stream stream) + { + using (var br = new BinaryReader(stream)) + try + { + return Magic == ReadInt32(br); + } + catch (EndOfStreamException) + { + return false; + } + } + + /// <exception cref="IOException"/> + public AsymmetricKeyParameter GetKey(string alias, char[] password) + { + if (alias == null) + throw new ArgumentNullException(nameof(alias)); + if (password == null) + throw new ArgumentNullException(nameof(password)); + + if (!m_keyEntries.TryGetValue(alias, out JksKeyEntry keyEntry)) + return null; + + if (!JksObfuscationAlg.Equals(keyEntry.keyData.EncryptionAlgorithm)) + throw new IOException("unknown encryption algorithm"); + + byte[] encryptedData = keyEntry.keyData.GetEncryptedData(); + + // key length is encryptedData - salt - checksum + int pkcs8Len = encryptedData.Length - 40; + + IDigest digest = DigestUtilities.GetDigest("SHA-1"); + + // key decryption + byte[] keyStream = CalculateKeyStream(digest, password, encryptedData, pkcs8Len); + byte[] pkcs8Key = new byte[pkcs8Len]; + for (int i = 0; i < pkcs8Len; ++i) + { + pkcs8Key[i] = (byte)(encryptedData[20 + i] ^ keyStream[i]); + } + Array.Clear(keyStream, 0, keyStream.Length); + + // integrity check + byte[] checksum = GetKeyChecksum(digest, password, pkcs8Key); + + if (!Arrays.ConstantTimeAreEqual(20, encryptedData, pkcs8Len + 20, checksum, 0)) + throw new IOException("cannot recover key"); + + return PrivateKeyFactory.CreateKey(pkcs8Key); + } + + private byte[] GetKeyChecksum(IDigest digest, char[] password, byte[] pkcs8Key) + { + AddPassword(digest, password); + + return DigestUtilities.DoFinal(digest, pkcs8Key); + } + + private byte[] CalculateKeyStream(IDigest digest, char[] password, byte[] salt, int count) + { + byte[] keyStream = new byte[count]; + byte[] hash = Arrays.CopyOf(salt, 20); + + int index = 0; + while (index < count) + { + AddPassword(digest, password); + + digest.BlockUpdate(hash, 0, hash.Length); + digest.DoFinal(hash, 0); + + int length = System.Math.Min(hash.Length, keyStream.Length - index); + Array.Copy(hash, 0, keyStream, index, length); + index += length; + } + + return keyStream; + } + + public X509Certificate[] GetCertificateChain(string alias) + { + if (m_keyEntries.TryGetValue(alias, out var keyEntry)) + return CloneChain(keyEntry.chain); + + return null; + } + + public X509Certificate GetCertificate(string alias) + { + if (m_certificateEntries.TryGetValue(alias, out var certEntry)) + return certEntry.cert; + + if (m_keyEntries.TryGetValue(alias, out var keyEntry)) + return keyEntry.chain?[0]; + + return null; + } + + public DateTime? GetCreationDate(string alias) + { + if (m_certificateEntries.TryGetValue(alias, out var certEntry)) + return certEntry.date; + + if (m_keyEntries.TryGetValue(alias, out var keyEntry)) + return keyEntry.date; + + return null; + } + + /// <exception cref="IOException"/> + public void SetKeyEntry(string alias, AsymmetricKeyParameter key, char[] password, X509Certificate[] chain) + { + alias = ConvertAlias(alias); + + if (ContainsAlias(alias)) + throw new IOException("alias [" + alias + "] already in use"); + + byte[] pkcs8Key = PrivateKeyInfoFactory.CreatePrivateKeyInfo(key).GetEncoded(); + byte[] protectedKey = new byte[pkcs8Key.Length + 40]; + + SecureRandom rnd = new SecureRandom(); + rnd.NextBytes(protectedKey, 0, 20); + + IDigest digest = DigestUtilities.GetDigest("SHA-1"); + + byte[] checksum = GetKeyChecksum(digest, password, pkcs8Key); + Array.Copy(checksum, 0, protectedKey, 20 + pkcs8Key.Length, 20); + + byte[] keyStream = CalculateKeyStream(digest, password, protectedKey, pkcs8Key.Length); + for (int i = 0; i != keyStream.Length; i++) + { + protectedKey[20 + i] = (byte)(pkcs8Key[i] ^ keyStream[i]); + } + Array.Clear(keyStream, 0, keyStream.Length); + + try + { + var epki = new EncryptedPrivateKeyInfo(JksObfuscationAlg, protectedKey); + m_keyEntries.Add(alias, new JksKeyEntry(DateTime.UtcNow, epki.GetEncoded(), CloneChain(chain))); + } + catch (Exception e) + { + throw new IOException("unable to encode encrypted private key", e); + } + } + + /// <exception cref="IOException"/> + public void SetKeyEntry(string alias, byte[] key, X509Certificate[] chain) + { + alias = ConvertAlias(alias); + + if (ContainsAlias(alias)) + throw new IOException("alias [" + alias + "] already in use"); + + m_keyEntries.Add(alias, new JksKeyEntry(DateTime.UtcNow, key, CloneChain(chain))); + } + + /// <exception cref="IOException"/> + public void SetCertificateEntry(string alias, X509Certificate cert) + { + alias = ConvertAlias(alias); + + if (ContainsAlias(alias)) + throw new IOException("alias [" + alias + "] already in use"); + + m_certificateEntries.Add(alias, new JksTrustedCertEntry(DateTime.UtcNow, cert)); + } + + public void DeleteEntry(string alias) + { + if (!m_keyEntries.Remove(alias)) + { + m_certificateEntries.Remove(alias); + } + } + + public IEnumerable<string> Aliases + { + get + { + var aliases = new HashSet<string>(m_certificateEntries.Keys); + aliases.UnionWith(m_keyEntries.Keys); + // FIXME + //return CollectionUtilities.Proxy(aliases); + return aliases; + } + } + + public bool ContainsAlias(string alias) + { + return IsCertificateEntry(alias) || IsKeyEntry(alias); + } + + public int Count + { + get { return m_certificateEntries.Count + m_keyEntries.Count; } + } + + public bool IsKeyEntry(string alias) + { + return m_keyEntries.ContainsKey(alias); + } + + public bool IsCertificateEntry(string alias) + { + return m_certificateEntries.ContainsKey(alias); + } + + public string GetCertificateAlias(X509Certificate cert) + { + foreach (var entry in m_certificateEntries) + { + if (entry.Value.cert.Equals(cert)) + return entry.Key; + } + return null; + } + + /// <exception cref="IOException"/> + public void Save(Stream stream, char[] password) + { + if (stream == null) + throw new ArgumentNullException(nameof(stream)); + if (password == null) + throw new ArgumentNullException(nameof(password)); + + IDigest checksumDigest = CreateChecksumDigest(password); + BinaryWriter bw = new BinaryWriter(new DigestStream(stream, null, checksumDigest)); + + WriteInt32(bw, Magic); + WriteInt32(bw, 2); + + WriteInt32(bw, Count); + + foreach (var entry in m_keyEntries) + { + string alias = entry.Key; + JksKeyEntry keyEntry = entry.Value; + + WriteInt32(bw, 1); + WriteUtf(bw, alias); + WriteDateTime(bw, keyEntry.date); + WriteBufferWithLength(bw, keyEntry.keyData.GetEncoded()); + + X509Certificate[] chain = keyEntry.chain; + int chainLength = chain == null ? 0 : chain.Length; + WriteInt32(bw, chainLength); + for (int i = 0; i < chainLength; ++i) + { + WriteTypedCertificate(bw, chain[i]); + } + } + + foreach (var entry in m_certificateEntries) + { + string alias = entry.Key; + JksTrustedCertEntry certEntry = entry.Value; + + WriteInt32(bw, 2); + WriteUtf(bw, alias); + WriteDateTime(bw, certEntry.date); + WriteTypedCertificate(bw, certEntry.cert); + } + + byte[] checksum = DigestUtilities.DoFinal(checksumDigest); + bw.Write(checksum); + bw.Flush(); + } + + /// <exception cref="IOException"/> + public void Load(Stream stream, char[] password) + { + if (stream == null) + throw new ArgumentNullException(nameof(stream)); + + m_certificateEntries.Clear(); + m_keyEntries.Clear(); + + using (var storeStream = ValidateStream(stream, password)) + { + BinaryReader dIn = new BinaryReader(storeStream); + + int magic = ReadInt32(dIn); + int storeVersion = ReadInt32(dIn); + + if (!(magic == Magic && (storeVersion == 1 || storeVersion == 2))) + throw new IOException("Invalid keystore format"); + + int numEntries = ReadInt32(dIn); + + for (int t = 0; t < numEntries; t++) + { + int tag = ReadInt32(dIn); + + switch (tag) + { + case 1: // keys + { + string alias = ReadUtf(dIn); + DateTime date = ReadDateTime(dIn); + + // encrypted key data + byte[] keyData = ReadBufferWithLength(dIn); + + // certificate chain + int chainLength = ReadInt32(dIn); + X509Certificate[] chain = null; + if (chainLength > 0) + { + var certs = new List<X509Certificate>(System.Math.Min(10, chainLength)); + for (int certNo = 0; certNo != chainLength; certNo++) + { + certs.Add(ReadTypedCertificate(dIn, storeVersion)); + } + chain = certs.ToArray(); + } + m_keyEntries.Add(alias, new JksKeyEntry(date, keyData, chain)); + break; + } + case 2: // certificate + { + string alias = ReadUtf(dIn); + DateTime date = ReadDateTime(dIn); + + X509Certificate cert = ReadTypedCertificate(dIn, storeVersion); + + m_certificateEntries.Add(alias, new JksTrustedCertEntry(date, cert)); + break; + } + default: + throw new IOException("unable to discern entry type"); + } + } + + if (storeStream.Position != storeStream.Length) + throw new IOException("password incorrect or store tampered with"); + } + } + + /* + * Validate password takes the checksum of the store and will either. + * 1. If password is null, load the store into memory, return the result. + * 2. If password is not null, load the store into memory, test the checksum, and if successful return + * a new input stream instance of the store. + * 3. Fail if there is a password and an invalid checksum. + * + * @param inputStream The input stream. + * @param password the password. + * @return Either the passed in input stream or a new input stream. + */ + /// <exception cref="IOException"/> + private ErasableByteStream ValidateStream(Stream inputStream, char[] password) + { + byte[] rawStore = Streams.ReadAll(inputStream); + int checksumPos = rawStore.Length - 20; + + if (password != null) + { + byte[] checksum = CalculateChecksum(password, rawStore, 0, checksumPos); + + if (!Arrays.ConstantTimeAreEqual(20, checksum, 0, rawStore, checksumPos)) + { + Array.Clear(rawStore, 0, rawStore.Length); + throw new IOException("password incorrect or store tampered with"); + } + } + + return new ErasableByteStream(rawStore, 0, checksumPos); + } + + private static void AddPassword(IDigest digest, char[] password) + { + // Encoding.BigEndianUnicode + for (int i = 0; i < password.Length; ++i) + { + digest.Update((byte)(password[i] >> 8)); + digest.Update((byte)password[i]); + } + } + + private static byte[] CalculateChecksum(char[] password, byte[] buffer, int offset, int length) + { + IDigest checksumDigest = CreateChecksumDigest(password); + checksumDigest.BlockUpdate(buffer, offset, length); + return DigestUtilities.DoFinal(checksumDigest); + } + + private static X509Certificate[] CloneChain(X509Certificate[] chain) + { + return (X509Certificate[])chain?.Clone(); + } + + private static string ConvertAlias(string alias) + { + return alias.ToLowerInvariant(); + } + + private static IDigest CreateChecksumDigest(char[] password) + { + IDigest digest = DigestUtilities.GetDigest("SHA-1"); + AddPassword(digest, password); + + // + // This "Mighty Aphrodite" string goes all the way back to the + // first java betas in the mid 90's, why who knows? But see + // https://cryptosense.com/mighty-aphrodite-dark-secrets-of-the-java-keystore/ + // + byte[] prefix = Encoding.UTF8.GetBytes("Mighty Aphrodite"); + digest.BlockUpdate(prefix, 0, prefix.Length); + return digest; + } + + private static byte[] ReadBufferWithLength(BinaryReader br) + { + int length = ReadInt32(br); + return br.ReadBytes(length); + } + + private static DateTime ReadDateTime(BinaryReader br) + { + DateTime unixMs = DateTimeUtilities.UnixMsToDateTime(Longs.ReverseBytes(br.ReadInt64())); + DateTime utc = new DateTime(unixMs.Ticks, DateTimeKind.Utc); + return utc; + } + + private static short ReadInt16(BinaryReader br) + { + short n = br.ReadInt16(); + n = (short)(((n & 0xFF) << 8) | ((n >> 8) & 0xFF)); + return n; + } + + private static int ReadInt32(BinaryReader br) + { + return Integers.ReverseBytes(br.ReadInt32()); + } + + private static X509Certificate ReadTypedCertificate(BinaryReader br, int storeVersion) + { + if (storeVersion == 2) + { + string certFormat = ReadUtf(br); + if ("X.509" != certFormat) + throw new IOException("Unsupported certificate format: " + certFormat); + } + + byte[] certData = ReadBufferWithLength(br); + try + { + return new X509Certificate(certData); + } + finally + { + Array.Clear(certData, 0, certData.Length); + } + } + + private static string ReadUtf(BinaryReader br) + { + short length = ReadInt16(br); + byte[] utfBytes = br.ReadBytes(length); + + /* + * FIXME JKS actually uses a "modified UTF-8" format. For the moment we will just support single-byte + * encodings that aren't null bytes. + */ + for (int i = 0; i < utfBytes.Length; ++i) + { + byte utfByte = utfBytes[i]; + if (utfByte == 0 || (utfByte & 0x80) != 0) + throw new NotSupportedException("Currently missing support for modified UTF-8 encoding in JKS"); + } + + return Encoding.UTF8.GetString(utfBytes); + } + + private static void WriteBufferWithLength(BinaryWriter bw, byte[] buffer) + { + WriteInt32(bw, buffer.Length); + bw.Write(buffer); + } + + private static void WriteDateTime(BinaryWriter bw, DateTime dateTime) + { + bw.Write(Longs.ReverseBytes(DateTimeUtilities.DateTimeToUnixMs(dateTime.ToUniversalTime()))); + } + + private static void WriteInt16(BinaryWriter bw, short n) + { + n = (short)(((n & 0xFF) << 8) | ((n >> 8) & 0xFF)); + bw.Write(n); + } + + private static void WriteInt32(BinaryWriter bw, int n) + { + bw.Write(Integers.ReverseBytes(n)); + } + + private static void WriteTypedCertificate(BinaryWriter bw, X509Certificate cert) + { + WriteUtf(bw, "X.509"); + WriteBufferWithLength(bw, cert.GetEncoded()); + } + + private static void WriteUtf(BinaryWriter bw, string s) + { + byte[] utfBytes = Encoding.UTF8.GetBytes(s); + + /* + * FIXME JKS actually uses a "modified UTF-8" format. For the moment we will just support single-byte + * encodings that aren't null bytes. + */ + for (int i = 0; i < utfBytes.Length; ++i) + { + byte utfByte = utfBytes[i]; + if (utfByte == 0 || (utfByte & 0x80) != 0) + throw new NotSupportedException("Currently missing support for modified UTF-8 encoding in JKS"); + } + + WriteInt16(bw, Convert.ToInt16(utfBytes.Length)); + bw.Write(utfBytes); + } + + /** + * JksTrustedCertEntry is a internal container for the certificate entry. + */ + private sealed class JksTrustedCertEntry + { + internal readonly DateTime date; + internal readonly X509Certificate cert; + + internal JksTrustedCertEntry(DateTime date, X509Certificate cert) + { + this.date = date; + this.cert = cert; + } + } + + private sealed class JksKeyEntry + { + internal readonly DateTime date; + internal readonly EncryptedPrivateKeyInfo keyData; + internal readonly X509Certificate[] chain; + + internal JksKeyEntry(DateTime date, byte[] keyData, X509Certificate[] chain) + { + this.date = date; + this.keyData = EncryptedPrivateKeyInfo.GetInstance(Asn1Sequence.GetInstance(keyData)); + this.chain = chain; + } + } + + private sealed class ErasableByteStream + : MemoryStream + { + internal ErasableByteStream(byte[] buffer, int index, int count) + : base(buffer, index, count, false, true) + { + } + + protected override void Dispose(bool disposing) + { + if (disposing) + { + Position = 0L; + + byte[] rawStore = GetBuffer(); + Array.Clear(rawStore, 0, rawStore.Length); + } + base.Dispose(disposing); + } + } + } +} |