diff --git a/java-spiffe-core/src/main/java/io/spiffe/internal/CertificateUtils.java b/java-spiffe-core/src/main/java/io/spiffe/internal/CertificateUtils.java index b3d032e..3e1eaf9 100644 --- a/java-spiffe-core/src/main/java/io/spiffe/internal/CertificateUtils.java +++ b/java-spiffe-core/src/main/java/io/spiffe/internal/CertificateUtils.java @@ -10,10 +10,6 @@ import java.security.InvalidKeyException; import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.SecureRandom; -import java.security.Signature; -import java.security.SignatureException; import java.security.cert.CertPathValidator; import java.security.cert.CertPathValidatorException; import java.security.cert.Certificate; @@ -44,10 +40,6 @@ import static org.apache.commons.lang3.StringUtils.startsWith; */ public class CertificateUtils { - // Algorithms for verifying private and public keys - private static final String SHA_512_WITH_ECDSA = "SHA512withECDSA"; - private static final String SHA_512_WITH_RSA = "SHA512withRSA"; - private static final String SPIFFE_PREFIX = "spiffe://"; private static final int SAN_VALUE_INDEX = 1; private static final String PUBLIC_KEY_INFRASTRUCTURE_ALGORITHM = "PKIX"; @@ -154,24 +146,6 @@ public class CertificateUtils { return spiffeId.getTrustDomain(); } - /** - * Validates that the private key and the public key in the x509Certificate match by - * creating a signature with the private key and verifying with the public key. - * - * @throws InvalidKeyException if the keys don't match - */ - public static void validatePrivateKey(final PrivateKey privateKey, final X509Certificate x509Certificate) throws InvalidKeyException { - AsymmetricKeyAlgorithm algorithm = AsymmetricKeyAlgorithm.parse(privateKey.getAlgorithm()); - - switch (algorithm) { - case RSA: - verifyKeys(privateKey, x509Certificate.getPublicKey(), SHA_512_WITH_RSA); - break; - case EC: - verifyKeys(privateKey, x509Certificate.getPublicKey(), SHA_512_WITH_ECDSA); - } - } - public static boolean isCA(final X509Certificate cert) { return cert.getBasicConstraints() != -1; } @@ -202,23 +176,6 @@ public class CertificateUtils { return keySpec; } - private static void verifyKeys(final PrivateKey privateKey, final PublicKey publicKey, final String algorithm) throws InvalidKeyException { - final byte[] challenge = new SecureRandom().generateSeed(100); - try { - Signature sig = Signature.getInstance(algorithm); - sig.initSign(privateKey); - sig.update(challenge); - byte[] signature = sig.sign(); - sig.initVerify(publicKey); - sig.update(challenge); - if (!sig.verify(signature)) { - throw new InvalidKeyException("Private Key does not match Certificate Public Key"); - } - } catch (NoSuchAlgorithmException | SignatureException e) { - throw new InvalidKeyException("Private and Public Keys could not be verified", e); - } - } - private static List getSpiffeIds(final X509Certificate certificate) throws CertificateParsingException { if (certificate.getSubjectAlternativeNames() == null) { return Collections.emptyList(); diff --git a/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509Svid.java b/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509Svid.java index 9c6a401..a60e61d 100644 --- a/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509Svid.java +++ b/java-spiffe-core/src/main/java/io/spiffe/svid/x509svid/X509Svid.java @@ -145,7 +145,6 @@ public class X509Svid { val privateKey = generatePrivateKey(privateKeyBytes, keyFileFormat, x509Certificates); val spiffeId = getSpiffeId(x509Certificates); - validatePrivateKey(privateKey, x509Certificates); validateLeafCertificate(x509Certificates.get(0)); // there are intermediate CA certificates @@ -225,13 +224,4 @@ public class X509Svid { throw new X509SvidException("Leaf certificate must not have 'cRLSign' as key usage"); } } - - private static void validatePrivateKey(final PrivateKey privateKey, final List x509Certificates) - throws X509SvidException { - try { - CertificateUtils.validatePrivateKey(privateKey, x509Certificates.get(0)); - } catch (InvalidKeyException e) { - throw new X509SvidException("Private Key does not match Certificate Public Key", e); - } - } } diff --git a/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidTest.java b/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidTest.java index 894c073..70534d8 100644 --- a/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidTest.java +++ b/java-spiffe-core/src/test/java/io/spiffe/svid/x509svid/X509SvidTest.java @@ -24,10 +24,9 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.fail; -public class X509SvidTest { +class X509SvidTest { static String keyRSA = "testdata/x509svid/key-pkcs8-rsa.pem"; - static String keyRSAOther = "testdata/x509svid/key-rsa-other.pem"; static String certSingle = "testdata/x509svid/good-leaf-only.pem"; static String leafNoDigitalSignature = "testdata/x509svid/wrong-leaf-no-digital-signature.pem"; static String leafCRLSign = "testdata/x509svid/wrong-leaf-crl-sign.pem"; @@ -39,7 +38,6 @@ public class X509SvidTest { static String keyECDSA = "testdata/x509svid/key-pkcs8-ecdsa.pem"; static String certMultiple = "testdata/x509svid/good-leaf-and-intermediate.pem"; static String corrupted = "testdata/x509svid/corrupted"; - static String keyECDSAOther = "testdata/x509svid/key-ecdsa-other.pem"; static String keyDER = "testdata/x509svid/keyEC.der"; static String certDER = "testdata/x509svid/cert.der"; @@ -99,23 +97,7 @@ public class X509SvidTest { ), Arguments.of(TestCase .builder() - .name("7. Certificate does not match private key: RSA keys") - .certsPath(certSingle) - .keyPath(keyRSAOther) - .expectedError("Private Key does not match Certificate Public Key") - .build() - ), - Arguments.of(TestCase - .builder() - .name("8. Certificate does not match private key: EC keys") - .certsPath(certMultiple) - .keyPath(keyECDSAOther) - .expectedError("Private Key does not match Certificate Public Key") - .build() - ), - Arguments.of(TestCase - .builder() - .name("9. Certificate without SPIFFE ID") + .name("7. Certificate without SPIFFE ID") .certsPath(leafEmptyID) .keyPath(keyRSA) .expectedError("Certificate does not contain SPIFFE ID in the URI SAN") @@ -123,7 +105,7 @@ public class X509SvidTest { ), Arguments.of(TestCase .builder() - .name("10. Leaf certificate with CA flag set to true") + .name("8. Leaf certificate with CA flag set to true") .certsPath(leafCAtrue) .keyPath(keyRSA) .expectedError("Leaf certificate must not have CA flag set to true") @@ -131,7 +113,7 @@ public class X509SvidTest { ), Arguments.of(TestCase .builder() - .name("11. Leaf certificate without digitalSignature as key usage") + .name("9. Leaf certificate without digitalSignature as key usage") .certsPath(leafNoDigitalSignature) .keyPath(keyRSA) .expectedError("Leaf certificate must have 'digitalSignature' as key usage") @@ -139,7 +121,7 @@ public class X509SvidTest { ), Arguments.of(TestCase .builder() - .name("12. Leaf certificate with certSign as key usage") + .name("10. Leaf certificate with certSign as key usage") .certsPath(leafCertSign) .keyPath(keyRSA) .expectedError("Leaf certificate must not have 'keyCertSign' as key usage") @@ -147,7 +129,7 @@ public class X509SvidTest { ), Arguments.of(TestCase .builder() - .name("13. Leaf certificate with cRLSign as key usage") + .name("11. Leaf certificate with cRLSign as key usage") .certsPath(leafCRLSign) .keyPath(keyRSA) .expectedError("Leaf certificate must not have 'cRLSign' as key usage") @@ -155,7 +137,7 @@ public class X509SvidTest { ), Arguments.of(TestCase .builder() - .name("14. Signing certificate without CA flag") + .name("12. Signing certificate without CA flag") .certsPath(signNoCA) .keyPath(keyRSA) .expectedError("Signing certificate must have CA flag set to true") @@ -163,7 +145,7 @@ public class X509SvidTest { ), Arguments.of(TestCase .builder() - .name("15. Signing certificate without CA flag") + .name("13. Signing certificate without CA flag") .certsPath(signNoKeyCertSign) .keyPath(keyRSA) .expectedError("Signing certificate must have 'keyCertSign' as key usage")