make signature of encryptContractCertPrivateKey more specific
This commit is contained in:
Christoph Zwirello
parent
cc26d2a239
commit
ebccfa5a06
|
|
@ -18,3 +18,5 @@ RISE-V2G-SECC/cpsCertChain.p12
|
||||||
RISE-V2G-SECC/moCertChain.p12
|
RISE-V2G-SECC/moCertChain.p12
|
||||||
/.metadata/
|
/.metadata/
|
||||||
/.recommenders/
|
/.recommenders/
|
||||||
|
.idea
|
||||||
|
*.iml
|
||||||
|
|
|
||||||
|
|
@ -247,7 +247,7 @@ openssl pkcs8 -topk8 -in privateKeys/moSubCA2.key -inform PEM -passin file:passp
|
||||||
# IMPORTANT: Concatenate in such a way that the chain leads from the leaf certificate to the root (excluding), this means here: first parameter of the cat command is the sub-CA certificate which signs the leaf certificate (in this case cpoSubCA2.pem). Otherwise the Java method getCertificateChain() which is called on the keystore will only return the leaf certificate!
|
# IMPORTANT: Concatenate in such a way that the chain leads from the leaf certificate to the root (excluding), this means here: first parameter of the cat command is the sub-CA certificate which signs the leaf certificate (in this case cpoSubCA2.pem). Otherwise the Java method getCertificateChain() which is called on the keystore will only return the leaf certificate!
|
||||||
cat certs/cpoSubCA2Cert.pem certs/cpoSubCA1Cert.pem > certs/intermediateCPOCACerts.pem
|
cat certs/cpoSubCA2Cert.pem certs/cpoSubCA1Cert.pem > certs/intermediateCPOCACerts.pem
|
||||||
# Put the seccCertificate, the private key associated with the seccCertificate as well as the intermediate sub-CA certificates in a PKCS12 container with the -certfile switch.
|
# Put the seccCertificate, the private key associated with the seccCertificate as well as the intermediate sub-CA certificates in a PKCS12 container with the -certfile switch.
|
||||||
openssl pkcs12 -export -inkey privateKeys/secc.key -in certs/seccCert.pem -name secc_cert -certfile certs/intermediateCPOCACerts.pem -caname mo_subca_2 -caname mo_subca_1 -aes128 -passin file:passphrase.txt -passout file:passphrase.txt -out keystores/cpoCertChain.p12
|
openssl pkcs12 -export -inkey privateKeys/secc.key -in certs/seccCert.pem -name secc_cert -certfile certs/intermediateCPOCACerts.pem -caname mo_subca_2 -caname mo_subca_1 -aes128 -passin file:passphrase.txt -passout file:passphrase.txt -out keystores/cpoCertChain.p12
|
||||||
keytool -importkeystore -srckeystore keystores/cpoCertChain.p12 -srcstoretype pkcs12 -srcstorepass:file passphrase.txt -srcalias secc_cert -destalias secc_cert -destkeystore keystores/seccKeystore.jks -storepass:file passphrase.txt -noprompt
|
keytool -importkeystore -srckeystore keystores/cpoCertChain.p12 -srcstoretype pkcs12 -srcstorepass:file passphrase.txt -srcalias secc_cert -destalias secc_cert -destkeystore keystores/seccKeystore.jks -storepass:file passphrase.txt -noprompt
|
||||||
#
|
#
|
||||||
# 18.2) EVCC keystore needs to initally hold the OEM provisioning certificate (contract certificate will be installed with ISO 15118 message exchange)
|
# 18.2) EVCC keystore needs to initally hold the OEM provisioning certificate (contract certificate will be installed with ISO 15118 message exchange)
|
||||||
|
|
|
||||||
|
|
@ -25,6 +25,7 @@ package com.v2gclarity.risev2g.secc.states;
|
||||||
|
|
||||||
import java.security.KeyPair;
|
import java.security.KeyPair;
|
||||||
import java.security.cert.X509Certificate;
|
import java.security.cert.X509Certificate;
|
||||||
|
import java.security.interfaces.ECPrivateKey;
|
||||||
import java.security.interfaces.ECPublicKey;
|
import java.security.interfaces.ECPublicKey;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
|
|
||||||
|
|
@ -76,7 +77,7 @@ public class WaitForCertificateInstallationReq extends ServerState {
|
||||||
ContractSignatureEncryptedPrivateKeyType encryptedContractCertPrivateKey =
|
ContractSignatureEncryptedPrivateKeyType encryptedContractCertPrivateKey =
|
||||||
SecurityUtils.encryptContractCertPrivateKey(
|
SecurityUtils.encryptContractCertPrivateKey(
|
||||||
(ECPublicKey) SecurityUtils.getCertificate(certificateInstallationReq.getOEMProvisioningCert()).getPublicKey(),
|
(ECPublicKey) SecurityUtils.getCertificate(certificateInstallationReq.getOEMProvisioningCert()).getPublicKey(),
|
||||||
ecKeyPair,
|
(ECPrivateKey) ecKeyPair.getPrivate(),
|
||||||
getCommSessionContext().getBackendInterface().getContractCertificatePrivateKey());
|
getCommSessionContext().getBackendInterface().getContractCertificatePrivateKey());
|
||||||
|
|
||||||
certificateInstallationRes.setContractSignatureCertChain(saContractCertificateChain);
|
certificateInstallationRes.setContractSignatureCertChain(saContractCertificateChain);
|
||||||
|
|
|
||||||
|
|
@ -24,6 +24,7 @@
|
||||||
package com.v2gclarity.risev2g.secc.states;
|
package com.v2gclarity.risev2g.secc.states;
|
||||||
|
|
||||||
import java.security.KeyPair;
|
import java.security.KeyPair;
|
||||||
|
import java.security.interfaces.ECPrivateKey;
|
||||||
import java.security.interfaces.ECPublicKey;
|
import java.security.interfaces.ECPublicKey;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
|
|
||||||
|
|
@ -72,7 +73,7 @@ public class WaitForCertificateUpdateReq extends ServerState {
|
||||||
ContractSignatureEncryptedPrivateKeyType encryptedContractCertPrivateKey =
|
ContractSignatureEncryptedPrivateKeyType encryptedContractCertPrivateKey =
|
||||||
SecurityUtils.encryptContractCertPrivateKey(
|
SecurityUtils.encryptContractCertPrivateKey(
|
||||||
(ECPublicKey) SecurityUtils.getCertificate(certificateUpdateReq.getContractSignatureCertChain().getCertificate()).getPublicKey(),
|
(ECPublicKey) SecurityUtils.getCertificate(certificateUpdateReq.getContractSignatureCertChain().getCertificate()).getPublicKey(),
|
||||||
ecdhKeyPair,
|
(ECPrivateKey) ecdhKeyPair.getPrivate(),
|
||||||
getCommSessionContext().getBackendInterface().getContractCertificatePrivateKey());
|
getCommSessionContext().getBackendInterface().getContractCertificatePrivateKey());
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
|
||||||
|
|
@ -1381,16 +1381,16 @@ public final class SecurityUtils {
|
||||||
* @param certificateECPublicKey The public key of either the OEM provisioning certificate (in case of
|
* @param certificateECPublicKey The public key of either the OEM provisioning certificate (in case of
|
||||||
* CertificateInstallation) or the to be updated contract certificate
|
* CertificateInstallation) or the to be updated contract certificate
|
||||||
* (in case of CertificateUpdate)
|
* (in case of CertificateUpdate)
|
||||||
* @param ecKeyPair The EC keypair
|
* @param dhPrivateKey The DH private key
|
||||||
* @param contractCertPrivateKey The private key of the contract certificate
|
* @param contractCertPrivateKey The private key of the contract certificate
|
||||||
* @return The encrypted private key of the to be installed contract certificate
|
* @return The encrypted private key of the to be installed contract certificate
|
||||||
*/
|
*/
|
||||||
public static ContractSignatureEncryptedPrivateKeyType encryptContractCertPrivateKey(
|
public static ContractSignatureEncryptedPrivateKeyType encryptContractCertPrivateKey(
|
||||||
ECPublicKey certificateECPublicKey,
|
ECPublicKey certificateECPublicKey,
|
||||||
KeyPair ecKeyPair,
|
ECPrivateKey dhPrivateKey,
|
||||||
ECPrivateKey contractCertPrivateKey) {
|
ECPrivateKey contractCertPrivateKey) {
|
||||||
// Generate the shared secret by using the public key of either OEMProvCert or ContractCert
|
// Generate the shared secret by using the public key of either OEMProvCert or ContractCert
|
||||||
byte[] sharedSecret = generateSharedSecret((ECPrivateKey) ecKeyPair.getPrivate(), certificateECPublicKey);
|
byte[] sharedSecret = generateSharedSecret(dhPrivateKey, certificateECPublicKey);
|
||||||
|
|
||||||
if (sharedSecret == null) {
|
if (sharedSecret == null) {
|
||||||
getLogger().error("Shared secret could not be generated");
|
getLogger().error("Shared secret could not be generated");
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue