sshd-core/src/main/java/org/apache/sshd/certificate/OpenSshCertificateBuilder.java - mina-sshd - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements. See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership. The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License. You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 package org.apache.sshd.certificate;

 import java.security.KeyPair;
 import java.security.PublicKey;
 import java.security.SecureRandom;
 import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;

 import org.apache.sshd.common.BaseBuilder;
 import org.apache.sshd.common.NamedFactory;
 import org.apache.sshd.common.config.keys.KeyUtils;
 import org.apache.sshd.common.config.keys.OpenSshCertificate;
 import org.apache.sshd.common.config.keys.OpenSshCertificate.Type;
 import org.apache.sshd.common.config.keys.OpenSshCertificateImpl;
 import org.apache.sshd.common.keyprovider.KeyPairProvider;
 import org.apache.sshd.common.signature.BuiltinSignatures;
 import org.apache.sshd.common.signature.Signature;
 import org.apache.sshd.common.signature.SignatureFactory;
 import org.apache.sshd.common.util.MapEntryUtils;
 import org.apache.sshd.common.util.ValidateUtils;
 import org.apache.sshd.common.util.buffer.ByteArrayBuffer;

 /**
  * Holds all the data necessary to create a signed OpenSSH Certificate
  */
 public class OpenSshCertificateBuilder {

     // given a supported key type, map to the concrete OpenSSH Certificate type
     protected static final Map<String, String> SIGNATURE_ALGORITHM_MAP
             = MapEntryUtils.MapBuilder.<String, String> builder()
                     .put(KeyPairProvider.SSH_RSA, KeyPairProvider.SSH_RSA_CERT)
                     .put(KeyPairProvider.SSH_ED25519, KeyPairProvider.SSH_ED25519_CERT)
                     .put(KeyPairProvider.ECDSA_SHA2_NISTP256, KeyPairProvider.SSH_ECDSA_SHA2_NISTP256_CERT)
                     .put(KeyPairProvider.ECDSA_SHA2_NISTP384, KeyPairProvider.SSH_ECDSA_SHA2_NISTP384_CERT)
                     .put(KeyPairProvider.ECDSA_SHA2_NISTP521, KeyPairProvider.SSH_ECDSA_SHA2_NISTP521_CERT)
                     .build();

     protected final Type type;
     protected PublicKey publicKey;
     protected long serial;
     protected String id;
     protected Collection<String> principals;
     protected List<OpenSshCertificate.CertificateOption> criticalOptions;
     protected List<OpenSshCertificate.CertificateOption> extensions;
     // match ssh-keygen behavior where the default would be forever
     protected long validAfter = OpenSshCertificate.MIN_EPOCH;
     // match ssh-keygen behavior where the default would be forever
     protected long validBefore = OpenSshCertificate.INFINITY;
     protected byte[] nonce;

     protected OpenSshCertificateBuilder(Type type) {
         super();
         this.type = type;
     }

     public static OpenSshCertificateBuilder userCertificate() {
         return new OpenSshCertificateBuilder(Type.USER);
     }

     public static OpenSshCertificateBuilder hostCertificate() {
         return new OpenSshCertificateBuilder(Type.HOST);
     }

     public OpenSshCertificateBuilder publicKey(PublicKey publicKey) {
         this.publicKey = publicKey;
         return this;
     }

     public OpenSshCertificateBuilder serial(long serial) {
         this.serial = serial;
         return this;
     }

     public OpenSshCertificateBuilder id(String id) {
         this.id = id;
         return this;
     }

     public OpenSshCertificateBuilder principals(Collection<String> principals) {
         this.principals = principals;
         return this;
     }

     public OpenSshCertificateBuilder criticalOptions(List<OpenSshCertificate.CertificateOption> criticalOptions) {
         this.criticalOptions = criticalOptions;
         return this;
     }

     public OpenSshCertificateBuilder extensions(List<OpenSshCertificate.CertificateOption> extensions) {
         this.extensions = extensions;
         return this;
     }

     public OpenSshCertificateBuilder validAfter(long validAfter) {
         this.validAfter = validAfter;
         return this;
     }

     public OpenSshCertificateBuilder nonce(byte[] nonce) {
         this.nonce = nonce;
         return this;
     }

     /**
      * If null, uses {@link OpenSshCertificate#MIN_EPOCH}
      *
      * @param  validAfter {@link Instant} to use for validBefore
      * @return            Self reference
      */
     public OpenSshCertificateBuilder validAfter(Instant validAfter) {
         if (validAfter == null) {
             return validAfter(OpenSshCertificate.MIN_EPOCH);
         } else if (Instant.EPOCH.compareTo(validAfter) <= 0) {
             return validAfter(validAfter.getEpochSecond());
         }
         throw new IllegalArgumentException("Valid-after cannot be < epoch");
     }

     public OpenSshCertificateBuilder validBefore(long validBefore) {
         this.validBefore = validBefore;
         return this;
     }

     /**
      * If null, uses {@link OpenSshCertificate#INFINITY}
      *
      * @param  validBefore {@link Instant} to use for validBefore
      * @return             Self reference
      */
     public OpenSshCertificateBuilder validBefore(Instant validBefore) {
         if (validBefore == null) {
             return validBefore(OpenSshCertificate.INFINITY);
         } else if (Instant.EPOCH.compareTo(validBefore) <= 0) {
             return validBefore(validBefore.getEpochSecond());
         }
         throw new IllegalArgumentException("Valid-before cannot be < epoch");
     }

     protected void validate() {
         // nonce should be 16 or 32 bytes according to
         // https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys#L151-L153
         if (nonce != null && (nonce.length != 16 && nonce.length != 32)) {
             throw new IllegalStateException("'nonce' must be 16 or 32 bytes");
         }
         if (type == null) {
             throw new IllegalStateException("'type' is required");
         }
         if (id == null) {
             throw new IllegalStateException("'id' is required");
         }
         if (publicKey == null) {
             throw new IllegalStateException("'publicKey' is required");
         }
     }

     /**
      * Creates a certificate signed with the given CA key. For RSA keys "rsa-sha2-512" is used for the signature.
      *
      * @param  caKeypair CA key used to sign
      * @return           the signed certificate
      * @throws Exception if an error occurred
      */
     public OpenSshCertificate sign(KeyPair caKeypair) throws Exception {
         return sign(caKeypair, null);
     }

     /**
      * Creates a certificate signed with the given CA key using the specified signature algorithm. If a signature
      * algorithm is given, it must be appropriate for the CA key type, otherwise an exception is thrown. If
      * {@code signatureAlgorithm == null}, an appropriate signature algorithm is chosen automatically, for RSA keys
      * "rsa-sha2-512" is used then.
      *
      * @param  caKeypair          CA key used to sign
      * @param  signatureAlgorithm to use; if {@code null} automatically chosen based on the CA key type
      * @return                    the signed certificate
      * @throws Exception          if an error occurred
      */
     public OpenSshCertificate sign(KeyPair caKeypair, String signatureAlgorithm) throws Exception {
         validate();

         final String publicKeyType = KeyUtils.getKeyType(publicKey);
         final String certType = SIGNATURE_ALGORITHM_MAP.get(publicKeyType);

         // only certain kind of keys can be OpenSSH Certificates
         if (certType == null) {
             throw new UnsupportedOperationException(
                     "unsupported public key type '" + publicKeyType + "' for OpenSSH Certificate");
         }

         final OpenSshCertificateImpl cert = new OpenSshCertificateImpl();
         cert.setKeyType(certType);
         cert.setType(type);
         cert.setCertPubKey(publicKey);
         cert.setSerial(serial);
         cert.setId(id);
         if (principals != null && !principals.isEmpty()) {
             cert.setPrincipals(new ArrayList<>(principals));
         }
         if (criticalOptions != null && !criticalOptions.isEmpty()) {
             cert.setCriticalOptions(new ArrayList<>(criticalOptions));
         }
         if (extensions != null && !extensions.isEmpty()) {
             cert.setExtensions(new ArrayList<>(extensions));
         }
         cert.setValidAfter(validAfter);
         cert.setValidBefore(validBefore);

         cert.setCaPubKey(caKeypair.getPublic());

         if (nonce != null) {
             cert.setNonce(nonce);
         } else {
             SecureRandom rand = new SecureRandom();
             byte[] tempNonce = new byte[32];
             rand.nextBytes(tempNonce);
             cert.setNonce(tempNonce);
         }

         String algo = KeyUtils.getKeyType(caKeypair.getPublic());
         NamedFactory<? extends Signature> factory;
         if (signatureAlgorithm != null) {
             ValidateUtils.checkTrue(KeyUtils.getAllEquivalentKeyTypes(algo).contains(signatureAlgorithm),
                     "Invalid CA signature algorithm %s for CA key type %s", signatureAlgorithm, algo);
             algo = signatureAlgorithm;
             factory = BuiltinSignatures.fromFactoryName(algo);
         } else {
             factory = SignatureFactory.resolveSignatureFactory(algo, BaseBuilder.DEFAULT_SIGNATURE_PREFERENCE);
         }
         Signature signer = factory == null ? null : factory.create();
         ValidateUtils.checkNotNull(signer, "No signer could be located for signature algorithm=%s", algo);

         final ByteArrayBuffer toBeSignedBuf = new ByteArrayBuffer();
         toBeSignedBuf.putRawPublicKey(cert);

         final byte[] toSign = toBeSignedBuf.getCompactData();
         signer.initSigner(null, caKeypair.getPrivate());
         signer.update(null, toSign);

         final ByteArrayBuffer tmpBuffer = new ByteArrayBuffer();
         tmpBuffer.putString(factory.getName());
         tmpBuffer.putBytes(signer.sign(null));

         cert.setMessage(toSign);
         cert.setSignature(tmpBuffer.getCompactData());

         return cert;
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	package org.apache.sshd.certificate;

	import java.security.KeyPair;
	import java.security.PublicKey;
	import java.security.SecureRandom;
	import java.time.Instant;
	import java.util.ArrayList;
	import java.util.Collection;
	import java.util.List;
	import java.util.Map;

	import org.apache.sshd.common.BaseBuilder;
	import org.apache.sshd.common.NamedFactory;
	import org.apache.sshd.common.config.keys.KeyUtils;
	import org.apache.sshd.common.config.keys.OpenSshCertificate;
	import org.apache.sshd.common.config.keys.OpenSshCertificate.Type;
	import org.apache.sshd.common.config.keys.OpenSshCertificateImpl;
	import org.apache.sshd.common.keyprovider.KeyPairProvider;
	import org.apache.sshd.common.signature.BuiltinSignatures;
	import org.apache.sshd.common.signature.Signature;
	import org.apache.sshd.common.signature.SignatureFactory;
	import org.apache.sshd.common.util.MapEntryUtils;
	import org.apache.sshd.common.util.ValidateUtils;
	import org.apache.sshd.common.util.buffer.ByteArrayBuffer;

	/**
	* Holds all the data necessary to create a signed OpenSSH Certificate
	*/
	public class OpenSshCertificateBuilder {

	// given a supported key type, map to the concrete OpenSSH Certificate type
	protected static final Map<String, String> SIGNATURE_ALGORITHM_MAP
	= MapEntryUtils.MapBuilder.<String, String> builder()
	.put(KeyPairProvider.SSH_RSA, KeyPairProvider.SSH_RSA_CERT)
	.put(KeyPairProvider.SSH_ED25519, KeyPairProvider.SSH_ED25519_CERT)
	.put(KeyPairProvider.ECDSA_SHA2_NISTP256, KeyPairProvider.SSH_ECDSA_SHA2_NISTP256_CERT)
	.put(KeyPairProvider.ECDSA_SHA2_NISTP384, KeyPairProvider.SSH_ECDSA_SHA2_NISTP384_CERT)
	.put(KeyPairProvider.ECDSA_SHA2_NISTP521, KeyPairProvider.SSH_ECDSA_SHA2_NISTP521_CERT)
	.build();

	protected final Type type;
	protected PublicKey publicKey;
	protected long serial;
	protected String id;
	protected Collection<String> principals;
	protected List<OpenSshCertificate.CertificateOption> criticalOptions;
	protected List<OpenSshCertificate.CertificateOption> extensions;
	// match ssh-keygen behavior where the default would be forever
	protected long validAfter = OpenSshCertificate.MIN_EPOCH;
	// match ssh-keygen behavior where the default would be forever
	protected long validBefore = OpenSshCertificate.INFINITY;
	protected byte[] nonce;

	protected OpenSshCertificateBuilder(Type type) {
	super();
	this.type = type;
	}

	public static OpenSshCertificateBuilder userCertificate() {
	return new OpenSshCertificateBuilder(Type.USER);
	}

	public static OpenSshCertificateBuilder hostCertificate() {
	return new OpenSshCertificateBuilder(Type.HOST);
	}

	public OpenSshCertificateBuilder publicKey(PublicKey publicKey) {
	this.publicKey = publicKey;
	return this;
	}

	public OpenSshCertificateBuilder serial(long serial) {
	this.serial = serial;
	return this;
	}

	public OpenSshCertificateBuilder id(String id) {
	this.id = id;
	return this;
	}

	public OpenSshCertificateBuilder principals(Collection<String> principals) {
	this.principals = principals;
	return this;
	}

	public OpenSshCertificateBuilder criticalOptions(List<OpenSshCertificate.CertificateOption> criticalOptions) {
	this.criticalOptions = criticalOptions;
	return this;
	}

	public OpenSshCertificateBuilder extensions(List<OpenSshCertificate.CertificateOption> extensions) {
	this.extensions = extensions;
	return this;
	}

	public OpenSshCertificateBuilder validAfter(long validAfter) {
	this.validAfter = validAfter;
	return this;
	}

	public OpenSshCertificateBuilder nonce(byte[] nonce) {
	this.nonce = nonce;
	return this;
	}

	/**
	* If null, uses {@link OpenSshCertificate#MIN_EPOCH}
	*
	* @param validAfter {@link Instant} to use for validBefore
	* @return Self reference
	*/
	public OpenSshCertificateBuilder validAfter(Instant validAfter) {
	if (validAfter == null) {
	return validAfter(OpenSshCertificate.MIN_EPOCH);
	} else if (Instant.EPOCH.compareTo(validAfter) <= 0) {
	return validAfter(validAfter.getEpochSecond());
	}
	throw new IllegalArgumentException("Valid-after cannot be < epoch");
	}

	public OpenSshCertificateBuilder validBefore(long validBefore) {
	this.validBefore = validBefore;
	return this;
	}

	/**
	* If null, uses {@link OpenSshCertificate#INFINITY}
	*
	* @param validBefore {@link Instant} to use for validBefore
	* @return Self reference
	*/
	public OpenSshCertificateBuilder validBefore(Instant validBefore) {
	if (validBefore == null) {
	return validBefore(OpenSshCertificate.INFINITY);
	} else if (Instant.EPOCH.compareTo(validBefore) <= 0) {
	return validBefore(validBefore.getEpochSecond());
	}
	throw new IllegalArgumentException("Valid-before cannot be < epoch");
	}

	protected void validate() {
	// nonce should be 16 or 32 bytes according to
	// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys#L151-L153
	if (nonce != null && (nonce.length != 16 && nonce.length != 32)) {
	throw new IllegalStateException("'nonce' must be 16 or 32 bytes");
	}
	if (type == null) {
	throw new IllegalStateException("'type' is required");
	}
	if (id == null) {
	throw new IllegalStateException("'id' is required");
	}
	if (publicKey == null) {
	throw new IllegalStateException("'publicKey' is required");
	}
	}

	/**
	* Creates a certificate signed with the given CA key. For RSA keys "rsa-sha2-512" is used for the signature.
	*
	* @param caKeypair CA key used to sign
	* @return the signed certificate
	* @throws Exception if an error occurred
	*/
	public OpenSshCertificate sign(KeyPair caKeypair) throws Exception {
	return sign(caKeypair, null);
	}

	/**
	* Creates a certificate signed with the given CA key using the specified signature algorithm. If a signature
	* algorithm is given, it must be appropriate for the CA key type, otherwise an exception is thrown. If
	* {@code signatureAlgorithm == null}, an appropriate signature algorithm is chosen automatically, for RSA keys
	* "rsa-sha2-512" is used then.
	*
	* @param caKeypair CA key used to sign
	* @param signatureAlgorithm to use; if {@code null} automatically chosen based on the CA key type
	* @return the signed certificate
	* @throws Exception if an error occurred
	*/
	public OpenSshCertificate sign(KeyPair caKeypair, String signatureAlgorithm) throws Exception {
	validate();

	final String publicKeyType = KeyUtils.getKeyType(publicKey);
	final String certType = SIGNATURE_ALGORITHM_MAP.get(publicKeyType);

	// only certain kind of keys can be OpenSSH Certificates
	if (certType == null) {
	throw new UnsupportedOperationException(
	"unsupported public key type '" + publicKeyType + "' for OpenSSH Certificate");
	}

	final OpenSshCertificateImpl cert = new OpenSshCertificateImpl();
	cert.setKeyType(certType);
	cert.setType(type);
	cert.setCertPubKey(publicKey);
	cert.setSerial(serial);
	cert.setId(id);
	if (principals != null && !principals.isEmpty()) {
	cert.setPrincipals(new ArrayList<>(principals));
	}
	if (criticalOptions != null && !criticalOptions.isEmpty()) {
	cert.setCriticalOptions(new ArrayList<>(criticalOptions));
	}
	if (extensions != null && !extensions.isEmpty()) {
	cert.setExtensions(new ArrayList<>(extensions));
	}
	cert.setValidAfter(validAfter);
	cert.setValidBefore(validBefore);

	cert.setCaPubKey(caKeypair.getPublic());

	if (nonce != null) {
	cert.setNonce(nonce);
	} else {
	SecureRandom rand = new SecureRandom();
	byte[] tempNonce = new byte[32];
	rand.nextBytes(tempNonce);
	cert.setNonce(tempNonce);
	}

	String algo = KeyUtils.getKeyType(caKeypair.getPublic());
	NamedFactory<? extends Signature> factory;
	if (signatureAlgorithm != null) {
	ValidateUtils.checkTrue(KeyUtils.getAllEquivalentKeyTypes(algo).contains(signatureAlgorithm),
	"Invalid CA signature algorithm %s for CA key type %s", signatureAlgorithm, algo);
	algo = signatureAlgorithm;
	factory = BuiltinSignatures.fromFactoryName(algo);
	} else {
	factory = SignatureFactory.resolveSignatureFactory(algo, BaseBuilder.DEFAULT_SIGNATURE_PREFERENCE);
	}
	Signature signer = factory == null ? null : factory.create();
	ValidateUtils.checkNotNull(signer, "No signer could be located for signature algorithm=%s", algo);

	final ByteArrayBuffer toBeSignedBuf = new ByteArrayBuffer();
	toBeSignedBuf.putRawPublicKey(cert);

	final byte[] toSign = toBeSignedBuf.getCompactData();
	signer.initSigner(null, caKeypair.getPrivate());
	signer.update(null, toSign);

	final ByteArrayBuffer tmpBuffer = new ByteArrayBuffer();
	tmpBuffer.putString(factory.getName());
	tmpBuffer.putBytes(signer.sign(null));

	cert.setMessage(toSign);
	cert.setSignature(tmpBuffer.getCompactData());

	return cert;
	}
	}