WIP

jsign-crypto/src/main/java/net/jsign/AbstractKeyStoreType.java

@@ -0,0 +1,85 @@
+/*
+ * Copyright 2024 Emmanuel Bourg
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jsign;
+
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.Provider;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.util.Objects;
+import java.util.function.Function;
+
+abstract class AbstractKeyStoreType implements KeyStoreType {
+
+    public KeyStore getKeystore(KeyStoreBuilder params, Provider provider) throws KeyStoreException {
+        KeyStore ks;
+        try {
+            if (provider != null) {
+                ks = KeyStore.getInstance(name(), provider);
+            } else {
+                ks = KeyStore.getInstance(name());
+            }
+        } catch (KeyStoreException e) {
+            throw new KeyStoreException("keystore type '" + name() + "' is not supported" + (provider != null ? " with security provider " + provider.getName() : ""), e);
+        }
+
+        try {
+            boolean fileBased = this instanceof FileBasedKeyStoreType;
+            try (FileInputStream in = fileBased ? new FileInputStream(params.createFile(params.keystore())) : null) {
+                ks.load(in, params.storepass() != null ? params.storepass().toCharArray() : null);
+            }
+        } catch (Exception e) {
+            throw new KeyStoreException("Unable to load the keystore " + params.keystore(), e);
+        }
+
+        return ks;
+    }
+
+    Function<String, Certificate[]> getCertificateStore(KeyStoreBuilder params) {
+        return alias -> {
+            if (alias == null || alias.isEmpty()) {
+                return null;
+            }
+
+            try {
+                return CertificateUtils.loadCertificateChain(params.certfile());
+            } catch (IOException | CertificateException e) {
+                throw new RuntimeException("Failed to load the certificate from " + params.certfile(), e);
+            }
+        };
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof KeyStoreType)) {
+            return false;
+        }
+        KeyStoreType that = (KeyStoreType) o;
+        return Objects.equals(name(), that.name());
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hashCode(name());
+    }
+}

jsign-crypto/src/main/java/net/jsign/AmazonKeyStoreType.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2024 Emmanuel Bourg
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jsign;
+
+import java.io.IOException;
+import java.net.UnknownServiceException;
+import java.security.Provider;
+
+import org.kohsuke.MetaInfServices;
+
+import net.jsign.jca.AmazonCredentials;
+import net.jsign.jca.AmazonSigningService;
+import net.jsign.jca.SigningServiceJcaProvider;
+
+@MetaInfServices(KeyStoreType.class)
+public class AmazonKeyStoreType extends AbstractKeyStoreType {
+
+    @Override
+    public String name() {
+        return "AWS";
+    }
+
+    @Override
+    public void validate(KeyStoreBuilder params) {
+        if (params.keystore() == null) {
+            throw new IllegalArgumentException("keystore " + params.parameterName() + " must specify the AWS region");
+        }
+        if (params.certfile() == null) {
+            throw new IllegalArgumentException("certfile " + params.parameterName() + " must be set");
+        }
+    }
+
+    @Override
+    public Provider getProvider(KeyStoreBuilder params) {
+        AmazonCredentials credentials;
+        if (params.storepass() != null) {
+            credentials = AmazonCredentials.parse(params.storepass());
+        } else {
+            try {
+                credentials = AmazonCredentials.getDefault();
+            } catch (UnknownServiceException e) {
+                throw new IllegalArgumentException("storepass " + params.parameterName()
+                        + " must specify the AWS credentials: <accessKey>|<secretKey>[|<sessionToken>]"
+                        + ", when not running from an EC2 instance (" + e.getMessage() + ")", e);
+            } catch (IOException e) {
+                throw new RuntimeException("An error occurred while fetching temporary credentials from IMDSv2 service", e);
+            }
+        }
+
+        return new SigningServiceJcaProvider(new AmazonSigningService(params.keystore(), credentials, getCertificateStore(params)));
+    }
+}

jsign-crypto/src/main/java/net/jsign/AzureKeyVaultKeyStoreType.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2024 Emmanuel Bourg
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jsign;
+
+import java.security.Provider;
+
+import org.kohsuke.MetaInfServices;
+
+import net.jsign.jca.AzureKeyVaultSigningService;
+import net.jsign.jca.SigningServiceJcaProvider;
+
+@MetaInfServices(KeyStoreType.class)
+public class AzureKeyVaultKeyStoreType extends AbstractKeyStoreType {
+
+    @Override
+    public String name() {
+        return "AZUREKEYVAULT";
+    }
+
+    @Override
+    public void validate(KeyStoreBuilder params) {
+        if (params.keystore() == null) {
+            throw new IllegalArgumentException("keystore " + params.parameterName() + " must specify the Azure vault name");
+        }
+        if (params.storepass() == null) {
+            throw new IllegalArgumentException("storepass " + params.parameterName() + " must specify the Azure API access token");
+        }
+    }
+
+    @Override
+    public Provider getProvider(KeyStoreBuilder params) {
+        return new SigningServiceJcaProvider(new AzureKeyVaultSigningService(params.keystore(), params.storepass()));
+    }
+}

jsign-crypto/src/main/java/net/jsign/AzureTrustedSigningKeyStoreType.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2024 Emmanuel Bourg
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jsign;
+
+import java.security.Provider;
+
+import org.kohsuke.MetaInfServices;
+
+import net.jsign.jca.AzureTrustedSigningService;
+import net.jsign.jca.SigningServiceJcaProvider;
+
+@MetaInfServices(KeyStoreType.class)
+public class AzureTrustedSigningKeyStoreType extends AbstractKeyStoreType {
+
+    @Override
+    public String name() {
+        return "TRUSTEDSIGNING";
+    }
+
+    @Override
+    public void validate(KeyStoreBuilder params) {
+        if (params.keystore() == null) {
+            throw new IllegalArgumentException("keystore " + params.parameterName() + " must specify the Azure endpoint (<region>.codesigning.azure.net)");
+        }
+        if (params.storepass() == null) {
+            throw new IllegalArgumentException("storepass " + params.parameterName() + " must specify the Azure API access token");
+        }
+    }
+
+    @Override
+    public Provider getProvider(KeyStoreBuilder params) {
+        return new SigningServiceJcaProvider(new AzureTrustedSigningService(params.keystore(), params.storepass()));
+    }
+}

jsign-crypto/src/main/java/net/jsign/DigiCertOneKeyStoreType.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2024 Emmanuel Bourg
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jsign;
+
+import java.security.Provider;
+
+import org.kohsuke.MetaInfServices;
+
+import net.jsign.jca.DigiCertOneSigningService;
+import net.jsign.jca.SigningServiceJcaProvider;
+
+@MetaInfServices(KeyStoreType.class)
+public class DigiCertOneKeyStoreType extends AbstractKeyStoreType {
+
+    @Override
+    public String name() {
+        return "DIGICERTONE";
+    }
+
+    @Override
+    public void validate(KeyStoreBuilder params) {
+        if (params.storepass() == null || params.storepass().split("\\|").length != 3) {
+            throw new IllegalArgumentException("storepass " + params.parameterName() + " must specify the DigiCert ONE API key and the client certificate: <apikey>|<keystore>|<password>");
+        }
+    }
+
+    @Override
+    public Provider getProvider(KeyStoreBuilder params) {
+        String[] elements = params.storepass().split("\\|");
+        return new SigningServiceJcaProvider(new DigiCertOneSigningService(params.keystore(), elements[0], params.createFile(elements[1]), elements[2]));
+    }
+}

jsign-crypto/src/main/java/net/jsign/ESignerKeyStoreType.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2024 Emmanuel Bourg
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jsign;
+
+import java.io.IOException;
+import java.security.Provider;
+
+import org.kohsuke.MetaInfServices;
+
+import net.jsign.jca.ESignerSigningService;
+import net.jsign.jca.SigningServiceJcaProvider;
+
+@MetaInfServices(KeyStoreType.class)
+public class ESignerKeyStoreType extends AbstractKeyStoreType {
+
+    @Override
+    public String name() {
+        return "ESIGNER";
+    }
+
+    @Override
+    public void validate(KeyStoreBuilder params) {
+        if (params.storepass() == null || !params.storepass().contains("|")) {
+            throw new IllegalArgumentException("storepass " + params.parameterName() + " must specify the SSL.com username and password: <username>|<password>");
+        }
+    }
+
+    @Override
+    public Provider getProvider(KeyStoreBuilder params) {
+        String[] elements = params.storepass().split("\\|", 2);
+        String endpoint = params.keystore() != null ? params.keystore() : "https://cs.ssl.com";
+        try {
+            return new SigningServiceJcaProvider(new ESignerSigningService(endpoint, elements[0], elements[1]));
+        } catch (IOException e) {
+            throw new IllegalStateException("Authentication failed with SSL.com", e);
+        }
+    }
+}
+

jsign-crypto/src/main/java/net/jsign/ETokenKeyStoreType.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2024 Emmanuel Bourg
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.jsign;
+
+import java.security.Provider;
+
+import org.kohsuke.MetaInfServices;
+
+@MetaInfServices(KeyStoreType.class)
+public class ETokenKeyStoreType extends AbstractKeyStoreType {
+
+    @Override
+    public String name() {
+        return "ETOKEN";
+    }
+
+    @Override
+    public Provider getProvider(KeyStoreBuilder params) {
+        return SafeNetEToken.getProvider();
+    }
+}