simplify resolveSignatureAlgorithm

we dont have to retain RSA PKCS#1 support. the spec expresses
"For signing by the certificate authority RSA-PSS, or ECDSA SHOULD be used."

Author: goekay

src/main/java/de/rwth/idsg/steve/config/SteveProperties.java

@@ -103,12 +103,6 @@ public static class LocalCsrSigning {
                     private IssuerConfig rsa = new IssuerConfig();
                     private IssuerConfig ecdsa = new IssuerConfig();
 
-                    public enum SignatureAlgorithmPolicy {
-                        AUTO,
-                        RSA_PSS,
-                        RSA_PKCS1
-                    }
-
                     public boolean isValid() {
                         return certificateValidityYears != null && (IssuerConfig.isValid(rsa) || IssuerConfig.isValid(ecdsa));
                     }
@@ -125,13 +119,6 @@ public static class IssuerConfig {
                          */
                         private String caChainPem;
 
-                        /**
-                         * Signature algorithm policy for locally signed charge point certificates:
-                         * - auto: RSA => RSA-PSS (SHA256withRSAandMGF1), EC => ECDSA (SHA256withECDSA)
-                         * - rsa-pkcs1: RSA => PKCS#1 v1.5 (SHA256WithRSA), EC => ECDSA (SHA256withECDSA)
-                         */
-                        private SignatureAlgorithmPolicy signatureAlgorithmPolicy = SignatureAlgorithmPolicy.AUTO;
-
                         public static boolean isValid(IssuerConfig issuer) {
                             return issuer != null
                                 && !StringUtils.isBlank(issuer.caCertificatePem)

src/main/java/de/rwth/idsg/steve/service/CertificateSigningServiceLocal.java

@@ -285,7 +285,7 @@ private void loadIssuer(ResourceLoader resourceLoader,
         var caCertificate = resolveResource(resourceLoader, issuerConfig.getCaCertificatePem(), CertificateUtils::parseCertificate);
         var caPrivateKey = resolveResource(resourceLoader, issuerConfig.getCaKeyPem(), CertificateUtils::parsePrivateKeyViaBouncyCastle);
         var issuerCertificateChain = loadIssuerCertificateChain(resourceLoader, caCertificate, issuerConfig.getCaChainPem());
-        var certificateSignatureAlgorithm = resolveSignatureAlgorithm(caPrivateKey, issuerConfig.getSignatureAlgorithmPolicy());
+        var certificateSignatureAlgorithm = resolveSignatureAlgorithm(caPrivateKey);
 
         var issuer = new CertificateIssuerMaterial(
             name,

src/main/java/de/rwth/idsg/steve/utils/CertificateIssuerMaterial.java

@@ -18,7 +18,6 @@
  */
 package de.rwth.idsg.steve.utils;
 
-import de.rwth.idsg.steve.config.SteveProperties;
 import jooq.steve.db.enums.CertificateSignatureAlgorithm;
 
 import java.nio.charset.StandardCharsets;
@@ -52,7 +51,7 @@ public void validateCaCertificate() throws Exception {
             throw new IllegalArgumentException("Configured CA certificate for issuer '" + name + "' must allow keyCertSign in keyUsage");
         }
 
-        String checkAlgorithm = resolveSignatureAlgorithm(caPrivateKey, SteveProperties.Ocpp.Security.CsrSigning.LocalCsrSigning.SignatureAlgorithmPolicy.RSA_PKCS1);
+        String checkAlgorithm = resolveSignatureAlgorithm(caPrivateKey);
         byte[] dummyProbeData = "certificate-key-pair-check".getBytes(StandardCharsets.UTF_8);
 
         Signature signer = Signature.getInstance(checkAlgorithm);

src/main/java/de/rwth/idsg/steve/utils/CertificateUtils.java

@@ -18,7 +18,6 @@
  */
 package de.rwth.idsg.steve.utils;
 
-import de.rwth.idsg.steve.config.SteveProperties.Ocpp.Security.CsrSigning.LocalCsrSigning.SignatureAlgorithmPolicy;
 import jooq.steve.db.enums.CertificateSignatureAlgorithm;
 import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
@@ -138,25 +137,14 @@ public static PrivateKey parsePrivateKeyViaBouncyCastle(String privateKeyPem) th
         }
     }
 
-    public static String resolveSignatureAlgorithm(PrivateKey privateKey,
-                                                   SignatureAlgorithmPolicy signatureAlgorithmPolicy) {
-        var policy = (signatureAlgorithmPolicy == null)
-            ? SignatureAlgorithmPolicy.AUTO
-            : signatureAlgorithmPolicy;
-
+    public static String resolveSignatureAlgorithm(PrivateKey privateKey) {
         String keyAlgorithm = privateKey.getAlgorithm();
         if ("RSA".equalsIgnoreCase(keyAlgorithm)) {
-            return switch (policy) {
-                case AUTO, RSA_PSS -> "SHA256withRSAandMGF1";
-                case RSA_PKCS1 -> "SHA256WithRSA";
-            };
+            return "SHA256withRSAandMGF1";
         }
         if ("EC".equalsIgnoreCase(keyAlgorithm) || "ECDSA".equalsIgnoreCase(keyAlgorithm)) {
             return "SHA256withECDSA";
         }
-        if ("DSA".equalsIgnoreCase(keyAlgorithm)) {
-            return "SHA256withDSA";
-        }
         throw new IllegalArgumentException("Unsupported signing private key algorithm: " + keyAlgorithm);
     }
 

src/main/resources/application.yml

@@ -75,9 +75,7 @@ steve:
             ca-certificate-pem:
             ca-key-pem:
             ca-chain-pem:
-            signature-algorithm-policy: auto
           ecdsa:
             ca-certificate-pem:
             ca-key-pem:
             ca-chain-pem:
-            signature-algorithm-policy: auto

src/test/resources/application-test-tls.yml

@@ -27,8 +27,6 @@ steve:
           rsa:
             ca-certificate-pem: src/test/resources/certificates/csr-signing-rsa-ca-cert.pem
             ca-key-pem: src/test/resources/certificates/csr-signing-rsa-ca-key.pem
-            signature-algorithm-policy: auto
           ecdsa:
             ca-certificate-pem: src/test/resources/certificates/csr-signing-ecdsa-ca-cert.pem
             ca-key-pem: src/test/resources/certificates/csr-signing-ecdsa-ca-key.pem
-            signature-algorithm-policy: auto