diff --git a/IDE/Android/app/src/main/java/com/example/wolfssl/MainActivity.java b/IDE/Android/app/src/main/java/com/example/wolfssl/MainActivity.java
index 41403f4..ddf16dc 100644
--- a/IDE/Android/app/src/main/java/com/example/wolfssl/MainActivity.java
+++ b/IDE/Android/app/src/main/java/com/example/wolfssl/MainActivity.java
@@ -80,7 +80,7 @@ protected void onCreate(Bundle savedInstanceState) {
 public void testFindProvider(TextView tv)
 throws NoSuchProviderException, NoSuchAlgorithmException {
- Security.addProvider(new WolfCryptProvider());
+ Security.insertProviderAt(new WolfCryptProvider(), 1);
 Provider p = Security.getProvider("wolfJCE");
 if (p == null) {
diff --git a/README_JCE.md b/README_JCE.md
index 3dc0ecb..503c2e6 100644
--- a/README_JCE.md
+++ b/README_JCE.md
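Review bot: The return value of `Security.insertProviderAt` on the new line is discarded; it returns -1 when a provider named wolfJCE is already installed, in which case the existing registration keeps its old position and the following `p == null` check still passes. If position 1 matters here, capture it: `int pos = Security.insertProviderAt(new WolfCryptProvider(), 1);` and report `pos != 1` to the TextView next to the existing null check. The identical one-line hunks in WolfCryptKeyAgreementTest, WolfCryptMacTest, the WolfCryptMessageDigest*Test files, WolfCryptSecretKeyFactoryTest and WolfCryptSignatureTest have the same gap, since `assertNotNull(p)` does not establish the position either. A short comment at the call, such as `/* position 1: wolfJCE must precede the JDK providers for the JKS/PKCS12 KeyStore mapping to take effect */`, would record why the preference changed, which appears to be the reason given the KeyStore mapping added in this commit. testFindProvider continues outside the hunk.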
@@ -36,6 +36,40 @@ file for JCE provider customization:
 | --- | --- | --- | --- |
 | wolfjce.wks.iterationCount | 210,000 | Numeric | PBKDF2 iteration count (10,000 minimum) |
 | wolfjce.wks.maxCertChainLength | 100 | Integer | Max cert chain length |
+| wolfjce.mapJKStoWKS | UNSET | true | Register fake JKS KeyStore service mapped to WKS |
+| wolfjce.mapPKCS12toWKS | UNSET | true | Register fake PKCS12 KeyStore service mapped to WKS |
+
+**wolfjce.mapJKStoWKS** - this Security property should be used with caution.
+When enabled, this will register a "JKS" KeyStore type in wolfJCE, which means
+calling applications using `KeyStore.getInstance("JKS")` will get a KeyStore
+implementation from wolfJCE. BUT, this KeyStore type will actually be a
+WolfSSLKeyStore (WKS) type internally. Loading actual JKS files will fail.
+This can be helpful when FIPS compliance is required, but existing code gets
+a JKS KeyStore instance - and this assumes the caller has the flexibility to
+actually load a real WKS KeyStore file into this KeyStore object. If this
+property is being set at runtime programatically, the wolfJCE provider services
+will need to be refreshed / reloaded, by doing:
+
+```
+WolfCryptProvider prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+prov.refreshServices();
+```
+
+**wolfjce.mapPKCS12toWKS** - this Security property should be used with caution.
+When enabled, this will register a "PKCS12" KeyStore type in wolfJCE, which
+means calling applications using `KeyStore.getInstance("PKCS12")` will get a
+KeyStore implementation from wolfJCE. BUT, this KeyStore type will actually be a
+WolfSSLKeyStore (WKS) type internally. Loading actual PKCS12 files will fail.
+This can be helpful when FIPS compliance is required, but existing code gets
+a PKCS12 KeyStore instance - and this assumes the caller has the flexibility to
+actually load a real WKS KeyStore file into this KeyStore object. If this
+property is being set at runtime programatically, the wolfJCE provider services
+will need to be refreshed / reloaded, by doing:
+
+```
+WolfCryptProvider prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+prov.refreshServices();
+```
 #### System Property Support
diff --git a/examples/certs/client.p12 b/examples/certs/client.p12
new file mode 100644
index 0000000..5110fd9
Binary files /dev/null and b/examples/certs/client.p12 differ
diff --git a/examples/certs/update-jks-wks.sh b/examples/certs/update-jks-wks.sh
index 959d083..785f704 100755
--- a/examples/certs/update-jks-wks.sh
+++ b/examples/certs/update-jks-wks.sh
@@ -50,19 +50,19 @@ CERT_LOCATION=$1
 export LD_LIBRARY_PATH=../../lib:$LD_LIBRARY_PATH
 export DYLD_LIBRARY_PATH=../../lib:$DYLD_LIBRARY_PATH
-# ARGS:
+# ARGS:
 add_cert() {
- keytool -import -keystore "$1" -file "$CERT_LOCATION/$2" -alias "$3" -noprompt -trustcacerts -deststoretype JKS -storepass "$4" &> /dev/null
+ keytool -import -keystore "$1" -file "$CERT_LOCATION/$3" -alias "$4" -noprompt -trustcacerts -deststoretype "$2" -storepass "$5" &> /dev/null
 if [ $? -ne 0 ]; then
 printf "fail"
 exit 1
 fi
 }
-# ARGS:
+# ARGS:
 add_cert_key() {
- openssl pkcs12 -export -in "$CERT_LOCATION/$2" -inkey "$CERT_LOCATION/$3" -out tmp.p12 -passin pass:"$5" -passout pass:"$5" -name "$4" &> /dev/null
- keytool -importkeystore -deststorepass "$5" -destkeystore "$1" -deststoretype JKS -srckeystore tmp.p12 -srcstoretype PKCS12 -srcstorepass "$5" -alias "$4" &> /dev/null
+ openssl pkcs12 -export -in "$CERT_LOCATION/$3" -inkey "$CERT_LOCATION/$4" -out tmp.p12 -passin pass:"$6" -passout pass:"$6" -name "$5" &> /dev/null
+ keytool -importkeystore -deststorepass "$6" -destkeystore "$1" -deststoretype "$2" -srckeystore tmp.p12 -srcstoretype PKCS12 -srcstorepass "$6" -alias "$5" &> /dev/null
 if [ $? -ne 0 ]; then
 printf "fail"
 exit 1
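Review bot: In the rewritten `add_cert_key` body the `$?` test only sees the exit status of the second command, `keytool -importkeystore`; if `openssl pkcs12 -export` fails, its diagnostics are discarded by `&> /dev/null` and keytool may go on to import whatever `tmp.p12` a previous call left behind, so a bad key path can silently produce a keystore holding the wrong key. Fail on the first command too, e.g. `openssl pkcs12 -export ... &> /dev/null || { printf "fail"; exit 1; }`. The `# ARGS:` comments above both functions are empty as rendered here (possibly stripped on extraction); since the new `$2` store-type argument shifts every later position, spell the order out, e.g. `# ARGS: keystore storetype cert alias storepass` for add_cert and `# ARGS: keystore storetype cert key alias storepass` for add_cert_key. The `-deststoretype "$2"` value is passed through unvalidated, which is fine for this script only because a bad value makes keytool fail and the existing check catches it.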
@@ -85,26 +85,32 @@ jks_to_wks() {
 # Client cert: both RSA 2048-bit and ECC
 printf "\tCreating client.jks ..."
 rm client.jks &> /dev/null
-add_cert_key "client.jks" "/client-cert.pem" "/client-key.pem" "client" "wolfsslpassword"
-add_cert_key "client.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+add_cert_key "client.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client" "wolfsslpassword"
+add_cert_key "client.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+printf "done\n"
+
+printf "\tCreating client.p12 ..."
+rm client.p12 &> /dev/null
+add_cert_key "client.p12" "PKCS12" "/client-cert.pem" "/client-key.pem" "client" "wolfsslpassword"
+add_cert_key "client.p12" "PKCS12" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
 printf "done\n"
 # Client cert: RSA, 1024-bit only
 printf "\tCreating client-rsa-1024.jks ..."
 rm client-rsa-1024.jks &> /dev/null
-add_cert_key "client-rsa-1024.jks" "/1024/client-cert.pem" "/1024/client-key.pem" "client-rsa-1024" "wolfsslpassword"
+add_cert_key "client-rsa-1024.jks" "JKS" "/1024/client-cert.pem" "/1024/client-key.pem" "client-rsa-1024" "wolfsslpassword"
 printf "done\n"
 # Client cert: RSA 2048-bit only
 printf "\tCreating client-rsa.jks ..."
 rm client-rsa.jks &> /dev/null
-add_cert_key "client-rsa.jks" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
+add_cert_key "client-rsa.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
 printf "done\n"
 # Client cert: ECC only
 printf "\tCreating client-ecc.jks ..."
 rm client-ecc.jks &> /dev/null
-add_cert_key "client-ecc.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+add_cert_key "client-ecc.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
 printf "done\n"
 #################### SERVER KEYSTORES ####################
@@ -112,26 +118,26 @@ printf "done\n"
 # Server cert: both RSA 2048-bit and ECC
 printf "\tCreating server.jks ..."
 rm server.jks &> /dev/null
-add_cert_key "server.jks" "/server-cert.pem" "/server-key.pem" "server" "wolfsslpassword"
-add_cert_key "server.jks" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfsslpassword"
+add_cert_key "server.jks" "JKS" "/server-cert.pem" "/server-key.pem" "server" "wolfsslpassword"
+add_cert_key "server.jks" "JKS" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfsslpassword"
 printf "done\n"
 # Server cert: RSA, 1024-bit only
 printf "\tCreating server-rsa-1024.jks ..."
 rm server-rsa-1024.jks &> /dev/null
-add_cert_key "server-rsa-1024.jks" "/1024/server-cert.pem" "/1024/server-key.pem" "server-1024" "wolfsslpassword"
+add_cert_key "server-rsa-1024.jks" "JKS" "/1024/server-cert.pem" "/1024/server-key.pem" "server-1024" "wolfsslpassword"
 printf "done\n"
 # Server cert: RSA, 2048-bit only
 printf "\tCreating server-rsa.jks ..."
 rm server-rsa.jks &> /dev/null
-add_cert_key "server-rsa.jks" "/server-cert.pem" "/server-key.pem" "server-rsa" "wolfsslpassword"
+add_cert_key "server-rsa.jks" "JKS" "/server-cert.pem" "/server-key.pem" "server-rsa" "wolfsslpassword"
 printf "done\n"
 # Server cert: ECC only
 printf "\tCreating server-ecc.jks ..."
 rm server-ecc.jks &> /dev/null
-add_cert_key "server-ecc.jks" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfsslpassword"
+add_cert_key "server-ecc.jks" "JKS" "/server-ecc.pem" "/ecc-key.pem" "server-ecc" "wolfsslpassword"
 printf "done\n"
 #################### CA CERT KEYSTORES ###################
@@ -139,12 +145,12 @@ printf "done\n"
 # Contains all CA certs (RSA and ECC), verifies both client and server certs
 printf "\tCreating cacerts.jks ..."
 rm cacerts.jks &> /dev/null
-add_cert_key "cacerts.jks" "/ca-cert.pem" "/ca-key.pem" "cacert" "wolfsslpassword"
-add_cert_key "cacerts.jks" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
-add_cert_key "cacerts.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
-add_cert_key "cacerts.jks" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
-add_cert_key "cacerts.jks" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
-add_cert_key "cacerts.jks" "/1024/ca-cert.pem" "/1024/ca-key.pem" "ca-1024" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/ca-cert.pem" "/ca-key.pem" "cacert" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
+add_cert_key "cacerts.jks" "JKS" "/1024/ca-cert.pem" "/1024/ca-key.pem" "ca-1024" "wolfsslpassword"
 printf "done\n"
 # Contains CA certs used to verify client certs:
@@ -152,8 +158,8 @@ printf "done\n"
 # client-ecc-cert.pem verifies itself (self signed)
 printf "\tCreating ca-client.jks ..."
 rm ca-client.jks &> /dev/null
-add_cert_key "ca-client.jks" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
-add_cert_key "ca-client.jks" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
+add_cert_key "ca-client.jks" "JKS" "/client-cert.pem" "/client-key.pem" "client-rsa" "wolfsslpassword"
+add_cert_key "ca-client.jks" "JKS" "/client-ecc-cert.pem" "/ecc-client-key.pem" "client-ecc" "wolfsslpassword"
 printf "done\n"
 # Contains CA certs used to verify server certs:
@@ -161,24 +167,22 @@ printf "done\n"
 # ca-ecc-cert.pem verifies server-ecc.pem
 printf "\tCreating ca-server.jks ..."
 rm ca-server.jks &> /dev/null
-add_cert_key "ca-server.jks" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
-add_cert_key "ca-server.jks" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
+add_cert_key "ca-server.jks" "JKS" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
+add_cert_key "ca-server.jks" "JKS" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
 printf "done\n"
 # Contains CA cert used to verify RSA 2048-bit server cert:
 # ca-cert.pem verifies server-cert.pem
 printf "\tCreating ca-server-rsa-2048.jks ..."
 rm ca-server-rsa-2048.jks &> /dev/null
-#add_cert_key "ca-server-rsa-2048.jks" "/ca-cert.pem" "/ca-key.pem" "ca-rsa" "wolfsslpassword"
-add_cert "ca-server-rsa-2048.jks" "/ca-cert.pem" "ca-rsa" "wolfsslpassword"
+add_cert "ca-server-rsa-2048.jks" "JKS" "/ca-cert.pem" "ca-rsa" "wolfsslpassword"
 printf "done\n"
 # Contains CA cert used to verify ECC P-256 server cert:
 # ca-ecc-cert.pem verifies server-ecc.pem
 printf "\tCreating ca-server-ecc-256.jks ..."
 rm ca-server-ecc-256.jks &> /dev/null
-#add_cert_key "ca-server-ecc-256.jks" "/ca-ecc-cert.pem" "/ca-ecc-key.pem" "ca-ecc" "wolfsslpassword"
-add_cert "ca-server-ecc-256.jks" "/ca-ecc-cert.pem" "ca-ecc" "wolfsslpassword"
+add_cert "ca-server-ecc-256.jks" "JKS" "/ca-ecc-cert.pem" "ca-ecc" "wolfsslpassword"
 printf "done\n"
 ################### CONVERT JKS TO WKS ###################
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java
index 7dca8e1..c2e53c8 100644
--- a/src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java
+++ b/src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java
@@ -22,6 +22,7 @@ package com.wolfssl.provider.jce;
 import java.security.Provider;
+import java.security.Security;
 import com.wolfssl.wolfcrypt.FeatureDetect;
 import com.wolfssl.wolfcrypt.Fips;
@@ -37,6 +38,27 @@ public final class WolfCryptProvider extends Provider {
 */
 public WolfCryptProvider() {
 super("wolfJCE", 1.7, "wolfCrypt JCE Provider");
+ registerServices();
+ }
+
+ /**
+ * Refresh the services provided by this JCE provider.
+ *
+ * This is required when one of the Security properties has been changed
+ * that affect the services offered by this provider. For example:
+ * wolfjce.mapJKStoWKS
+ * wolfjce.mapPKCS12toWKS
+ */
+ public void refreshServices() {
+ registerServices();
+ }
+
+ /**
+ * Register services provided by wolfJCE, called by class constructor.
+ */
+ private void registerServices() {
+ String mapJksToWks = null;
+ String mapPkcs12ToWks = null;
 /* MessageDigest */
 if (FeatureDetect.Md5Enabled()) {
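Review bot: The Javadoc on `refreshServices()` should say that re-registering the services only changes what `KeyStore.getInstance("JKS")` or `("PKCS12")` returns when wolfJCE sits ahead of the JDK's own providers in the provider list; the tests in this commit switch to `Security.insertProviderAt(..., 1)`, presumably for that reason, and a caller who installed the provider with `addProvider` will keep getting the SUN implementation even with the property set. Suggested addition to the Javadoc: `* Affects KeyStore.getInstance(...) only when this provider precedes the JDK providers; see Security.insertProviderAt(Provider, int).` Since `registerServices()` runs `remove(...)` and `put(...)` as separate operations on a live provider (see the following hunk), a concurrent lookup issued between them may briefly resolve to the next provider, so the Javadoc should also note that a runtime refresh is not atomic. The `= null` initialisers on `mapJksToWks` and `mapPkcs12ToWks` are redundant, as both are assigned before use in the next hunk. registerServices continues outside the hunk.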
@@ -222,6 +244,32 @@ public WolfCryptProvider() {
 put("KeyStore.WKS",
 "com.wolfssl.provider.jce.WolfSSLKeyStore");
+ /* Fake mapping of JKS to WKS type. Use with caution! This is
+ * usually used when FIPS compliance is needed but code cannot be
+ * changed that creates a JKS KeyStore object type. Any files loaded
+ * into this fake JKS KeyStore MUST be of actual type WKS or failures
+ * will happen. Remove service first here in case of refresh. */
+ remove("KeyStore.JKS");
+ mapJksToWks = Security.getProperty("wolfjce.mapJKStoWKS");
+ if (mapJksToWks != null && !mapJksToWks.isEmpty() &&
+ mapJksToWks.equalsIgnoreCase("true")) {
+ put("KeyStore.JKS",
+ "com.wolfssl.provider.jce.WolfSSLKeyStore");
+ }
+
+ /* Fake mapping of PKCS12 to WKS type. Use with caution! This is
+ * usually used when FIPS compliance is needed but code cannot be
+ * changed that creates a JKS KeyStore object type. Any files loaded
+ * into this fake JKS KeyStore MUST be of actual type WKS or failures
+ * will happen. Remove service first here in case of refresh. */
+ remove("KeyStore.PKCS12");
+ mapPkcs12ToWks = Security.getProperty("wolfjce.mapPKCS12toWKS");
+ if (mapPkcs12ToWks != null && !mapPkcs12ToWks.isEmpty() &&
+ mapPkcs12ToWks.equalsIgnoreCase("true")) {
+ put("KeyStore.PKCS12",
+ "com.wolfssl.provider.jce.WolfSSLKeyStore");
+ }
+
 /* If using a FIPS version of wolfCrypt, allow private key to be
 * exported for use. Only applicable to FIPS 140-3 */
 if (Fips.enabled) {
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyAgreementTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyAgreementTest.java
index 8b83351..9799a3a 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyAgreementTest.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyAgreementTest.java
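Review bot: The comment above `remove("KeyStore.PKCS12")` is a copy of the JKS one and still says `creates a JKS KeyStore object type` and `into this fake JKS KeyStore`; both should read PKCS12 so the warning matches the service actually being registered. The property checks can drop the null and empty guards, since `if ("true".equalsIgnoreCase(mapJksToWks)) {` and `if ("true".equalsIgnoreCase(mapPkcs12ToWks)) {` are null-safe and false for an empty string. A one-line comment that the `remove(...)` calls run unconditionally, so a later `refreshServices()` with the property cleared actually unregisters the mapping, would make that ordering deliberate rather than incidental. registerServices continues outside the hunk.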
@@ -140,7 +140,7 @@ public static void testProviderInstallationAtRuntime() {
 System.out.println("JCE WolfCryptKeyAgreementTest Class");
 /* install wolfJCE provider at runtime */
- Security.addProvider(new WolfCryptProvider());
+ Security.insertProviderAt(new WolfCryptProvider(), 1);
 Provider p = Security.getProvider("wolfJCE");
 assertNotNull(p);
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMacTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMacTest.java
index 765591c..cfb23a7 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMacTest.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMacTest.java
@@ -92,7 +92,7 @@ public static void testProviderInstallationAtRuntime()
 System.out.println("JCE WolfCryptMac Class");
 /* install wolfJCE provider at runtime */
- Security.addProvider(new WolfCryptProvider());
+ Security.insertProviderAt(new WolfCryptProvider(), 1);
 Provider p = Security.getProvider("wolfJCE");
 assertNotNull(p);
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestMd5Test.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestMd5Test.java
index be870f4..e54fa98 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestMd5Test.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestMd5Test.java
@@ -64,7 +64,7 @@ public static void testProviderInstallationAtRuntime()
 System.out.println("JCE WolfCryptMessageDigestMd5Test");
 /* install wolfJCE provider at runtime */
- Security.addProvider(new WolfCryptProvider());
+ Security.insertProviderAt(new WolfCryptProvider(), 1);
 Provider p = Security.getProvider("wolfJCE");
 assertNotNull(p);
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha256Test.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha256Test.java
index 90b9a3d..b7f0e8e 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha256Test.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha256Test.java
@@ -64,7 +64,7 @@ public static void testProviderInstallationAtRuntime()
 System.out.println("JCE WolfCryptMessageDigestSha256 Class");
 /* install wolfJCE provider at runtime */
- Security.addProvider(new WolfCryptProvider());
+ Security.insertProviderAt(new WolfCryptProvider(), 1);
 Provider p = Security.getProvider("wolfJCE");
 assertNotNull(p);
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha384Test.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha384Test.java
index 232bfdc..1472bbc 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha384Test.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha384Test.java
@@ -64,7 +64,7 @@ public static void testProviderInstallationAtRuntime()
 System.out.println("JCE WolfCryptMessageDigestSha384 Class");
 /* install wolfJCE provider at runtime */
- Security.addProvider(new WolfCryptProvider());
+ Security.insertProviderAt(new WolfCryptProvider(), 1);
 Provider p = Security.getProvider("wolfJCE");
 assertNotNull(p);
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha512Test.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha512Test.java
index a48be4b..7088e79 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha512Test.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestSha512Test.java
@@ -64,7 +64,7 @@ public static void testProviderInstallationAtRuntime()
 System.out.println("JCE WolfCryptMessageDigestSha512 Class");
 /* install wolfJCE provider at runtime */
- Security.addProvider(new WolfCryptProvider());
+ Security.insertProviderAt(new WolfCryptProvider(), 1);
 Provider p = Security.getProvider("wolfJCE");
 assertNotNull(p);
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestShaTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestShaTest.java
index 4b015a3..98af96d 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestShaTest.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptMessageDigestShaTest.java
@@ -65,7 +65,7 @@ public static void testProviderInstallationAtRuntime()
 System.out.println("JCE WolfCryptMessageDigestSha Class");
 /* install wolfJCE provider at runtime */
- Security.addProvider(new WolfCryptProvider());
+ Security.insertProviderAt(new WolfCryptProvider(), 1);
 Provider p = Security.getProvider("wolfJCE");
 assertNotNull(p);
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptSecretKeyFactoryTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptSecretKeyFactoryTest.java
index f1d22ff..7e6a0a2 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptSecretKeyFactoryTest.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptSecretKeyFactoryTest.java
@@ -95,7 +95,7 @@ public static void testProviderInstallationAtRuntime()
 /* Install wolfJCE provider at runtime. Not registering as top priority
 * provider so we can still likely get SunJCE or platform provider
 * when not specifying wolfJCE explicitly. */
- Security.addProvider(new WolfCryptProvider());
+ Security.insertProviderAt(new WolfCryptProvider(), 1);
 Provider p = Security.getProvider(provider);
 assertNotNull(p);
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptSignatureTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptSignatureTest.java
index eea083a..21be32e 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptSignatureTest.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptSignatureTest.java
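Review bot: In WolfCryptSecretKeyFactoryTest the context comment directly above the changed line still says `Not registering as top priority provider so we can still likely get SunJCE or platform provider when not specifying wolfJCE explicitly`, but the new `Security.insertProviderAt(new WolfCryptProvider(), 1)` does the opposite, so any test in this class that calls a JCE API without naming a provider will now be served by wolfJCE. Rewrite the comment to match, e.g. `/* Install wolfJCE at top priority; tests that need SunJCE or the platform provider must request it explicitly. */`, and check the tests that relied on the old fallback. testProviderInstallationAtRuntime continues outside the hunk.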
@@ -93,7 +93,7 @@ public static void testProviderInstallationAtRuntime()
 System.out.println("JCE WolfCryptSignature Class");
 /* install wolfJCE provider at runtime */
- Security.addProvider(new WolfCryptProvider());
+ Security.insertProviderAt(new WolfCryptProvider(), 1);
 Provider p = Security.getProvider("wolfJCE");
 assertNotNull(p);
diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfSSLKeyStoreTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfSSLKeyStoreTest.java
index c70fc40..41673a8 100644
--- a/src/test/java/com/wolfssl/provider/jce/test/WolfSSLKeyStoreTest.java
+++ b/src/test/java/com/wolfssl/provider/jce/test/WolfSSLKeyStoreTest.java
@@ -136,6 +136,12 @@ public class WolfSSLKeyStoreTest {
 private static Certificate[] eccServerChain = null; /* ECC chain */
 private static Certificate[] invalidChain = null;
+ /* Example .jks KeyStore file paths */
+ private static String clientJKS = null; /* client.jks */
+
+ /* Examnple .p12 KeyStore file paths */
+ private static String clientP12 = null; /* client.p12 */
+
 /* Example .wks KeyStore file paths */
 private static String clientWKS = null; /* client.wks */
 private static String clientRsa1024WKS = null; /* client-rsa-1024.wks */
@@ -381,6 +387,14 @@ public static void testSetupAndProviderInstallation()
 intEccInt2CertDer =
 certPre.concat("examples/certs/intermediate/ca-int2-ecc-cert.der");
+ /* Set paths to example JKS KeyStore files */
+ clientJKS =
+ certPre.concat("examples/certs/client.jks");
+
+ /* Set paths to example PKCS12 KeyStore files */
+ clientP12 =
+ certPre.concat("examples/certs/client.p12");
+
 /* Set paths to example WKS KeyStore files */
 clientWKS =
 certPre.concat("examples/certs/client.wks");
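Review bot: The new field comment in WolfSSLKeyStoreTest reads `/* Examnple .p12 KeyStore file paths */`; change it to `/* Example .p12 KeyStore file paths */`. `clientJKS` and `clientP12` follow the file's existing pattern of mutable static path strings filled in by `testSetupAndProviderInstallation`, so nothing else needs to change in these two hunks; that method continues outside the second hunk.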
@@ -1426,6 +1440,139 @@ public void testLoadWKSFromFile()
 assertEquals(1, store.size());
 }
+ //CHRIS
+ @Test
+ public void testLoadWKSasJKSFromFile()
+ throws KeyStoreException, IOException, FileNotFoundException,
+ NoSuchProviderException, NoSuchAlgorithmException,
+ CertificateException, InvalidKeySpecException,
+ UnrecoverableKeyException {
+
+ WolfCryptProvider prov = null;
+ KeyStore store = null;
+
+ /* Use client.wks (clientWKS) to test. Any WKS KeyStore could be used,
+ * this was just picked since was first used/tested in test above. */
+
+ /* If Security property "wolfjce.mapJKStoWKS=true" has been set,
+ * WolfSSLKeyStore should be able to load a WKS file when using a
+ * "JKS" KeyStore type. */
+ String origProperty = Security.getProperty("wolfjce.mapJKStoWKS");
+
+ /* The wolfJCE service list needs to be refreshed after changing
+ * Security properties that will adjust the services we register */
+ Security.setProperty("wolfjce.mapJKStoWKS", "true");
+ prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+ prov.refreshServices();
+
+ /* Load WKS as JKS, should work w/o exception */
+ store = KeyStore.getInstance("JKS");
+ assertNotNull(store);
+ assertNotNull(store.getProvider());
+ assertTrue(store.getProvider().contains("wolfJCE"));
+ store.load(new FileInputStream(clientWKS), storePass.toCharArray());
+ assertEquals(2, store.size());
+
+ /* Load JKS as JKS when this is set should fail, since using WKS
+ * implementation underneath fake JKS mapping */
+ try {
+ store.load(new FileInputStream(clientJKS), storePass.toCharArray());
+ fail("Loaded JKS as JKS, but shouldn't with fake mapping set");
+ } catch (IOException e) {
+ /* expected */
+ }
+
+ /* Set mapping to false, loading a WKS as JKS should throw exception */
+ Security.setProperty("wolfjce.mapJKStoWKS", "false");
+ prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+ prov.refreshServices();
+ store = KeyStore.getInstance("JKS");
+ assertTrue(!store.getProvider().contains("wolfJCE"));
+ try {
+ store.load(new FileInputStream(clientWKS), storePass.toCharArray());
+ fail("Loaded WKS as JKS, but shouldn't have been able to");
+ } catch (IOException e) {
+ /* expected */
+ }
+
+ /* Loading JKS as JKS should work when mapping not set */
+ store.load(new FileInputStream(clientJKS), storePass.toCharArray());
+
+ /* Restore Security property */
+ if (origProperty == null) {
+ Security.setProperty("wolfjce.mapJKStoWKS", "");
+ }
+ else {
+ Security.setProperty("wolfjce.mapJKStoWKS", origProperty);
+ }
+ }
+
+ @Test
+ public void testLoadWKSasPKCS12FromFile()
+ throws KeyStoreException, IOException, FileNotFoundException,
+ NoSuchProviderException, NoSuchAlgorithmException,
+ CertificateException, InvalidKeySpecException,
+ UnrecoverableKeyException {
+
+ WolfCryptProvider prov = null;
+ KeyStore store = null;
+
+ /* Use client.wks (clientWKS) to test. Any WKS KeyStore could be used,
+ * this was just picked since was first used/tested in test above. */
+
+ /* If Security property "wolfjce.mapPKCS12toWKS=true" has been set,
+ * WolfSSLKeyStore should be able to load a WKS file when using a
+ * "PKCS12" KeyStore type. */
+ String origProperty = Security.getProperty("wolfjce.mapPKCS12toWKS");
+
+ /* The wolfJCE service list needs to be refreshed after changing
+ * Security properties that will adjust the services we register */
+ Security.setProperty("wolfjce.mapPKCS12toWKS", "true");
+ prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+ prov.refreshServices();
+
+ /* Load WKS as PKCS12, should work w/o exception */
+ store = KeyStore.getInstance("PKCS12");
+ assertNotNull(store);
+ assertNotNull(store.getProvider());
+ assertTrue(store.getProvider().contains("wolfJCE"));
+ store.load(new FileInputStream(clientWKS), storePass.toCharArray());
+ assertEquals(2, store.size());
+
+ /* Load PKCS12 as PKCS12 when this is set should fail, since using WKS
+ * implementation underneath fake PKCS12 mapping */
+ try {
+ store.load(new FileInputStream(clientP12), storePass.toCharArray());
+ fail("Loaded PKCS12 as PKCS12, but shouldn't with fake mapping set");
+ } catch (IOException e) {
+ /* expected */
+ }
+
+ /* Set mapping to false, loading WKS as PKCS12 should throw exception */
+ Security.setProperty("wolfjce.mapPKCS12toWKS", "false");
+ prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
+ prov.refreshServices();
+ store = KeyStore.getInstance("PKCS12");
+ assertTrue(!store.getProvider().contains("wolfJCE"));
+ try {
+ store.load(new FileInputStream(clientWKS), storePass.toCharArray());
+ fail("Loaded WKS as PKCS12, but shouldn't have been able to");
+ } catch (IOException e) {
+ /* expected */
+ }
+
+ /* Loading PKCS12 as PKCS12 should work when mapping not set */
+ store.load(new FileInputStream(clientP12), storePass.toCharArray());
+
+ /* Restore Security property */
+ if (origProperty == null) {
+ Security.setProperty("wolfjce.mapPKCS12toWKS", "");
+ }
+ else {
+ Security.setProperty("wolfjce.mapPKCS12toWKS", origProperty);
+ }
+ }
+
 @Test
 public void testLoadSystemCAKeyStore()
 throws KeyStoreException, IOException, FileNotFoundException,
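Review bot: `testLoadWKSasJKSFromFile` restores `wolfjce.mapJKStoWKS` only on the success path, so a failed assertion or an unexpected exception anywhere between `Security.setProperty("wolfjce.mapJKStoWKS", "true")` and the restore leaves the fake JKS mapping active for every later test in the same JVM, and the restore itself never calls `refreshServices()`, so the provider's service table stays in whatever state the last refresh set regardless of `origProperty`. Each `store.load(new FileInputStream(...), ...)` also leaks the stream, and `assertTrue(!store.getProvider().contains("wolfJCE"))` reads better as `assertFalse(store.getProvider().contains("wolfJCE"))`. The stray `//CHRIS` marker above the first `@Test` should be removed before merge. `testLoadWKSasPKCS12FromFile` repeats the same structure with the PKCS12 property and needs the same treatment; the sketch below shows the JKS variant.
```java
        String origProperty = Security.getProperty("wolfjce.mapJKStoWKS");
        try {
            /* The wolfJCE service list needs to be refreshed after changing
             * Security properties that will adjust the services we register */
            Security.setProperty("wolfjce.mapJKStoWKS", "true");
            prov = (WolfCryptProvider)Security.getProvider("wolfJCE");
            prov.refreshServices();

            /* Load WKS as JKS, should work w/o exception */
            store = KeyStore.getInstance("JKS");
            /* … unchanged: provider assertions … */
            try (FileInputStream fis = new FileInputStream(clientWKS)) {
                store.load(fis, storePass.toCharArray());
            }
            assertEquals(2, store.size());

            /* … unchanged: negative JKS load, "false" mapping and re-checks,
             *   each load wrapped in try-with-resources the same way … */
        } finally {
            /* Restore property and service list even if an assertion fails,
             * so later tests in this JVM do not see the fake JKS mapping */
            if (origProperty == null) {
                Security.setProperty("wolfjce.mapJKStoWKS", "");
            }
            else {
                Security.setProperty("wolfjce.mapJKStoWKS", origProperty);
            }
            ((WolfCryptProvider)Security.getProvider("wolfJCE")).refreshServices();
        }
```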