PR feedback

goekay · goekay · commit 44dd2ab27c67 · 2026-05-22T13:48:01.000+02:00
diff --git a/src/main/java/de/rwth/idsg/steve/service/CertificateSigningServiceLocal.java b/src/main/java/de/rwth/idsg/steve/service/CertificateSigningServiceLocal.java
@@ -54,7 +54,6 @@
 
 import java.io.InputStreamReader;
 import java.math.BigInteger;
-import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
@@ -66,6 +65,7 @@
 import java.util.List;
 
 import static de.rwth.idsg.steve.utils.CertificateUtils.certificatesToPEM;
+import static de.rwth.idsg.steve.utils.CertificateUtils.isSameKeyFamily;
 import static de.rwth.idsg.steve.utils.CertificateUtils.resolveSignatureAlgorithm;
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static jooq.steve.db.enums.CertificateSignatureAlgorithm.ECDSA;
@@ -295,6 +295,7 @@ private void loadIssuer(ResourceLoader resourceLoader,
             certificateSignatureAlgorithm
         );
 
+        issuer.validateFamily();
         issuer.validateCaCertificate();
         issuer.validateCertificateChain();
 
@@ -335,11 +336,6 @@ private CertificateIssuerMaterial selectIssuer(PKCS10CertificationRequest csr, S
         );
     }
 
-    private static boolean isSameKeyFamily(PublicKey publicKey, PrivateKey privateKey) {
-        return (publicKey instanceof RSAPublicKey && "RSA".equalsIgnoreCase(privateKey.getAlgorithm()))
-            || (publicKey instanceof ECPublicKey && ("EC".equalsIgnoreCase(privateKey.getAlgorithm()) || "ECDSA".equalsIgnoreCase(privateKey.getAlgorithm())));
-    }
-
     private List<X509Certificate> loadIssuerCertificateChain(ResourceLoader resourceLoader,
                                                             X509Certificate caCertificate,
                                                             String caChainPem) throws Exception {
diff --git a/src/main/java/de/rwth/idsg/steve/utils/CertificateIssuerMaterial.java b/src/main/java/de/rwth/idsg/steve/utils/CertificateIssuerMaterial.java
@@ -27,7 +27,10 @@
 import java.util.Arrays;
 import java.util.List;
 
+import static de.rwth.idsg.steve.utils.CertificateUtils.isECDSAFamily;
+import static de.rwth.idsg.steve.utils.CertificateUtils.isRSAFamily;
 import static de.rwth.idsg.steve.utils.CertificateUtils.resolveSignatureAlgorithm;
+import static org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME;
 
 /**
  * @author Sevket Goekay <sevketgokay@gmail.com>
@@ -41,6 +44,21 @@ public record CertificateIssuerMaterial(
     String certificateSignatureAlgorithm
 ) {
 
+    public void validateFamily() {
+        switch (name) {
+            case RSA -> {
+                if (!isRSAFamily(caCertificate.getPublicKey(), caPrivateKey)) {
+                    throw new IllegalArgumentException("Configured '" + name + "' entry does not contain '" + name + "' CA certificate and/or private-key");
+                }
+            }
+            case ECDSA -> {
+                if (!isECDSAFamily(caCertificate.getPublicKey(), caPrivateKey)) {
+                    throw new IllegalArgumentException("Configured '" + name + "' entry does not contain '" + name + "' CA certificate and/or private-key");
+                }
+            }
+        }
+    }
+
     public void validateCaCertificate() throws Exception {
         if (caCertificate.getBasicConstraints() < 0) {
             throw new IllegalArgumentException("Configured CA certificate for issuer '" + name + "' is not a CA certificate (basicConstraints CA=true required)");
@@ -54,12 +72,12 @@ public void validateCaCertificate() throws Exception {
         String checkAlgorithm = resolveSignatureAlgorithm(caPrivateKey);
         byte[] dummyProbeData = "certificate-key-pair-check".getBytes(StandardCharsets.UTF_8);
 
-        Signature signer = Signature.getInstance(checkAlgorithm);
+        Signature signer = Signature.getInstance(checkAlgorithm, PROVIDER_NAME);
         signer.initSign(caPrivateKey);
         signer.update(dummyProbeData);
         byte[] signature = signer.sign();
 
-        Signature verifier = Signature.getInstance(checkAlgorithm);
+        Signature verifier = Signature.getInstance(checkAlgorithm, PROVIDER_NAME);
         verifier.initVerify(caCertificate.getPublicKey());
         verifier.update(dummyProbeData);
 
diff --git a/src/main/java/de/rwth/idsg/steve/utils/CertificateUtils.java b/src/main/java/de/rwth/idsg/steve/utils/CertificateUtils.java
@@ -42,6 +42,7 @@
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.security.PrivateKey;
+import java.security.PublicKey;
 import java.security.Security;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateFactory;
@@ -148,6 +149,18 @@ public static String resolveSignatureAlgorithm(PrivateKey privateKey) {
         throw new IllegalArgumentException("Unsupported signing private key algorithm: " + keyAlgorithm);
     }
 
+    public static boolean isRSAFamily(PublicKey publicKey, PrivateKey privateKey) {
+        return publicKey instanceof RSAPublicKey && "RSA".equalsIgnoreCase(privateKey.getAlgorithm());
+    }
+
+    public static boolean isECDSAFamily(PublicKey publicKey, PrivateKey privateKey) {
+        return publicKey instanceof ECPublicKey && ("EC".equalsIgnoreCase(privateKey.getAlgorithm()) || "ECDSA".equalsIgnoreCase(privateKey.getAlgorithm()));
+    }
+
+    public static boolean isSameKeyFamily(PublicKey publicKey, PrivateKey privateKey) {
+        return isRSAFamily(publicKey, privateKey) || isECDSAFamily(publicKey, privateKey);
+    }
+
     public static String certificatesToPEM(List<X509Certificate> chain) throws Exception {
         var sw = new StringWriter();
         try (var pemWriter = new JcaPEMWriter(sw)) {
