Refactored to remove duplicated code and cleaned up warnings for unused imports and deprecated methods.

kse/src/main/java/org/kse/crypto/encryption/AES.java

@@ -22,7 +22,6 @@
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
-import java.security.SecureRandom;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
@@ -42,7 +41,7 @@
  */
 public final class AES {
 
-    public static final int GCM_TAG_LEN = 128;
+    private static final int GCM_TAG_LEN = 128;
 
     private AES() {
     }

kse/src/main/java/org/kse/crypto/keypair/KeyPairUtil.java

@@ -138,18 +138,19 @@ public static KeyPair generateECKeyPair(String curveName, Provider provider) thr
             // Get a key pair generator
             KeyPairGenerator keyPairGen;
 
+            if (provider == null) {
+                provider = KSE.BC;
+            }
+
             if (EdDSACurves.ED25519.jce().equals(curveName) || EdDSACurves.ED448.jce().equals(curveName)) {
-                keyPairGen = KeyPairGenerator.getInstance(curveName, KSE.BC);
+                keyPairGen = KeyPairGenerator.getInstance(curveName, provider);
                 keyPairGen.initialize(new ECGenParameterSpec(curveName), RNG.newInstanceForLongLivedSecrets());
             } else if (CurveSet.ECGOST.getAllCurveNames().contains(curveName)) {
                 KeyPairType keyPairType = KeyPairType.getGostTypeFromCurve(curveName);
                 keyPairGen = KeyPairGenerator.getInstance(keyPairType.jce(), KSE.BC);
                 keyPairGen.initialize(new ECGenParameterSpec(curveName), RNG.newInstanceForLongLivedSecrets());
-            } else if (provider != null) {
-                keyPairGen = KeyPairGenerator.getInstance(KeyPairType.EC.jce(), provider);
-                keyPairGen.initialize(new ECGenParameterSpec(curveName), RNG.newInstanceForLongLivedSecrets());
             } else {
-                keyPairGen = KeyPairGenerator.getInstance(KeyPairType.EC.jce(), KSE.BC);
+                keyPairGen = KeyPairGenerator.getInstance(KeyPairType.EC.jce(), provider);
                 keyPairGen.initialize(new ECGenParameterSpec(curveName), RNG.newInstanceForLongLivedSecrets());
             }
 
@@ -173,13 +174,11 @@ public static KeyPair generateECKeyPair(String curveName, Provider provider) thr
     public static KeyPair generateKeyPair(KeyPairType keyPairType, Provider provider)
             throws CryptoException {
         try {
-            KeyPairGenerator keyPairGen;
-
-            if (provider != null) {
-                keyPairGen = KeyPairGenerator.getInstance(keyPairType.jce(), provider);
-            } else {
-                keyPairGen = KeyPairGenerator.getInstance(keyPairType.jce(), KSE.BC);
+            if (provider == null) {
+                provider = KSE.BC;
             }
+
+            KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance(keyPairType.jce(), provider);
             keyPairGen.initialize(new NamedParameterSpec(keyPairType.jce()), RNG.newInstanceForLongLivedSecrets());
 
             return keyPairGen.generateKeyPair();

kse/src/main/java/org/kse/crypto/signing/CmsSigner.java

@@ -29,9 +29,9 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.net.URISyntaxException;
 import java.security.PrivateKey;
 import java.security.Provider;
-import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -45,15 +45,13 @@
 import org.bouncycastle.asn1.cms.AttributeTable;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.cert.jcajce.JcaCertStore;
-import org.bouncycastle.cms.CMSException;
 import org.bouncycastle.cms.CMSProcessableFile;
 import org.bouncycastle.cms.CMSSignedData;
 import org.bouncycastle.cms.CMSSignedDataGenerator;
 import org.bouncycastle.cms.CMSTypedData;
 import org.bouncycastle.cms.SignerInformation;
 import org.bouncycastle.cms.SignerInformationStore;
 import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
-import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
 import org.kse.KSE;
@@ -164,17 +162,16 @@ public static CMSSignedData counterSign(CMSSignedData signedData, PrivateKey pri
 
                 // addCounterSigners does not replace existing counter signers. It creates a new
                 // counter signer vector if it does not already exist, and then it adds the counter signer.
-                signer = SignerInformation.addCounterSigners(signer, counterSigners);
-
-                generator.addCertificates(new JcaCertStore(Arrays.asList(certificateChain)));
-                generator.addSigners(new SignerInformationStore(signer));
+                generator.addSigners(
+                        new SignerInformationStore(SignerInformation.addCounterSigners(signer, counterSigners)));
             }
+            generator.addCertificates(new JcaCertStore(Arrays.asList(certificateChain)));
             generator.addCertificates(signedData.getCertificates());
 
             CMSSignedData counterSignedData = generator.generate(signedData.getSignedContent(), !detachedSignature);
 
             return counterSignedData;
-        } catch (CertificateEncodingException | OperatorCreationException | CMSException | IOException e) {
+        } catch (Exception e) {
             throw new CryptoException(res.getString("CmsCounterSignatureFailed.exception.message"), e);
         }
     }
@@ -187,9 +184,10 @@ public static CMSSignedData counterSign(CMSSignedData signedData, PrivateKey pri
      * @param digestType  The digest type to use for the time stamp.
      * @return <b>SignerInformation</b> with time stamp token.
      * @throws IOException If an error occurs with contacting the TS server.
+     * @throws URISyntaxException If there is an error in the URL syntax.
      */
-    public static SignerInformationStore addTimestamp(String tsaUrl, SignerInformationStore signerInfos,
-            DigestType digestType) throws IOException {
+    private static SignerInformationStore addTimestamp(String tsaUrl, SignerInformationStore signerInfos,
+            DigestType digestType) throws IOException, URISyntaxException {
 
         Collection<SignerInformation> newSignerInfos = new ArrayList<>();
 

kse/src/main/java/org/kse/crypto/signing/JarSigner.java

@@ -24,6 +24,7 @@
 import java.io.InputStream;
 import java.io.LineNumberReader;
 import java.io.StringReader;
+import java.net.URISyntaxException;
 import java.nio.file.Files;
 import java.nio.file.StandardCopyOption;
 import java.security.PrivateKey;
@@ -719,7 +720,7 @@ public AttributeTable getAttributes(@SuppressWarnings("rawtypes") Map parameters
         }
     }
 
-    private static CMSSignedData addTimestamp(String tsaUrl, CMSSignedData signedData) throws IOException {
+    private static CMSSignedData addTimestamp(String tsaUrl, CMSSignedData signedData) throws IOException, URISyntaxException {
 
         Collection<SignerInformation> signerInfos = signedData.getSignerInfos().getSigners();
 

kse/src/main/java/org/kse/crypto/signing/TimeStampingClient.java

@@ -23,6 +23,8 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.math.BigInteger;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLConnection;
 import java.security.KeyManagementException;
@@ -60,8 +62,9 @@ private TimeStampingClient() {
      * @param hashAlg The algorithm used for generating a hash value of the data to be time-stamped
      * @return encoded, TSA signed data of the timeStampToken
      * @throws IOException when request to TSA server fails
+     * @throws URISyntaxException If there is an error in the URL syntax.
      */
-    public static byte[] getTimeStampToken(String tsaUrl, byte[] data, DigestType hashAlg) throws IOException {
+    public static byte[] getTimeStampToken(String tsaUrl, byte[] data, DigestType hashAlg) throws IOException, URISyntaxException {
 
         TimeStampResponse response = null;
         try {
@@ -108,8 +111,9 @@ public static byte[] getTimeStampToken(String tsaUrl, byte[] data, DigestType ha
      *
      * @return TSA response, raw bytes (RFC 3161 encoded)
      * @throws IOException when request to TSA server fails
+     * @throws URISyntaxException If there is an error in the URL syntax.
      */
-    private static byte[] queryServer(String tsaUrl, byte[] requestBytes) throws IOException {
+    private static byte[] queryServer(String tsaUrl, byte[] requestBytes) throws IOException, URISyntaxException {
 
         // Install the all-trusting trust manager
         SSLContext sc;
@@ -136,7 +140,7 @@ public void checkServerTrusted(X509Certificate[] certs, String authType) {
         HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
 
         try {
-            URL url = new URL(tsaUrl);
+            URL url = new URI(tsaUrl).toURL();
             URLConnection con = url.openConnection();
             con.setDoInput(true);
             con.setDoOutput(true);

kse/src/main/java/org/kse/crypto/x509/X509ExtensionSetUpdater.java

@@ -98,7 +98,7 @@ private static void updateAKI(X509ExtensionSet extensionSet, String extensionOid
         // extract old AKI data
         byte[] extensionValue = X509Ext.unwrapExtension(extensionSet.getExtensionValue(extensionOid));
         AuthorityKeyIdentifier authorityKeyIdentifier = AuthorityKeyIdentifier.getInstance(extensionValue);
-        byte[] keyIdentifier = authorityKeyIdentifier.getKeyIdentifier();
+        byte[] keyIdentifier = authorityKeyIdentifier.getKeyIdentifierOctets();
         BigInteger authorityCertSerialNumber = authorityKeyIdentifier.getAuthorityCertSerialNumber();
 
         // generate new values

kse/src/main/java/org/kse/gui/KeyStoreTableModel.java

@@ -516,7 +516,7 @@ private String getCertificateAKI(String alias, KseKeyStore keyStore) throws Cryp
         try {
             byte[] akiValue = x509Cert.getExtensionValue(Extension.authorityKeyIdentifier.getId());
             byte[] octets = DEROctetString.getInstance(akiValue).getOctets();
-            byte[] akiBytes = AuthorityKeyIdentifier.getInstance(octets).getKeyIdentifier();
+            byte[] akiBytes = AuthorityKeyIdentifier.getInstance(octets).getKeyIdentifierOctets();
             return HexUtil.getHexString(akiBytes);
         } catch (Exception e) {
             return "-";

kse/src/main/java/org/kse/gui/KseFrame.java

@@ -3210,7 +3210,6 @@ public void updateControls(boolean keyStoreContentsChanged) {
         generateSecretKeyAction.setEnabled(type.supportsKeyEntries());
         importTrustedCertificateAction.setEnabled(true);
         importKeyPairAction.setEnabled(true);
-        storePassphraseAction.setEnabled(true);
         storePassphraseAction.setEnabled(type.supportsKeyEntries());
         propertiesAction.setEnabled(true);
         exportCsvAction.setEnabled(true);

kse/src/main/java/org/kse/gui/actions/ChangeTypeAction.java

@@ -180,7 +180,7 @@ private boolean copyKeyPairEntry(KeyStoreType newKeyStoreType, KeyStoreState cur
 
             String namedCurve = EccUtil.getNamedCurve(currentKeyStore.getKey(alias, password.toCharArray()));
 
-            // EC or curve not supported?
+            // EC curve not supported?
             if (!newKeyStoreType.supportsNamedCurve(namedCurve)) {
 
                 // show warning and abort change or just skip depending on user choice

kse/src/main/java/org/kse/gui/actions/CheckUpdateAction.java

@@ -23,6 +23,7 @@
 import java.awt.Toolkit;
 import java.io.IOException;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.text.MessageFormat;
 import java.time.LocalDate;
 import java.time.Period;
@@ -84,8 +85,9 @@ protected void doAction() {
      * Perform update check if enabled and if the last check was outside the configured time interval
      *
      * @throws IOException if fetching the version file from the website failed
+     * @throws URISyntaxException If there is an error in the URL syntax.
      */
-    public void doAutoUpdateCheck() throws IOException {
+    public void doAutoUpdateCheck() throws IOException, URISyntaxException {
         // abort auto update check if not enabled
         if (!preferences.getAutoUpdateCheckSettings().isEnabled()) {
             return;

kse/src/main/java/org/kse/gui/actions/ExamineClipboardAction.java

@@ -19,7 +19,10 @@
  */
 package org.kse.gui.actions;
 
+import static org.kse.crypto.filetype.CryptoFileUtil.decodeIfBase64sanitizeIfPem;
+
 import java.awt.Toolkit;
+import java.awt.Window;
 import java.awt.datatransfer.Clipboard;
 import java.awt.datatransfer.DataFlavor;
 import java.awt.datatransfer.Transferable;
@@ -28,14 +31,18 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.HttpURLConnection;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.text.MessageFormat;
-import java.util.*;
+import java.util.List;
+import java.util.Optional;
+import java.util.ResourceBundle;
 
 import javax.swing.ImageIcon;
 import javax.swing.JOptionPane;
@@ -71,8 +78,6 @@
 import com.nimbusds.jwt.JWT;
 import com.nimbusds.jwt.JWTParser;
 
-import static org.kse.crypto.filetype.CryptoFileUtil.decodeIfBase64sanitizeIfPem;
-
 /**
  * Action to examine a certificate.
  */
@@ -135,16 +140,16 @@ private void show(String data) {
         }
 
         try {
-            URL url = new URL(data);
+            URL url = new URI(data).toURL();
             String path = url.getPath();
             if (path.endsWith(".cer") || path.endsWith(".crt") || path.endsWith(".pem") || path.endsWith(".der")) {
-                downloadCert(url);
+                downloadCert(url, frame, kseFrame);
                 return;
             } else if (url.getPath().endsWith(".crl")) {
-                downloadCrl(url);
+                downloadCrl(url, frame);
                 return;
             }
-        } catch (IOException | CryptoException e) {
+        } catch (IOException | URISyntaxException | CryptoException e) {
             // ignore
         }
 
@@ -203,7 +208,7 @@ private void show(String data) {
 
 
 
-    private boolean isRedirect(int status) {
+    private static boolean isRedirect(int status) {
         // normally, 3xx is redirect
         if (status != HttpURLConnection.HTTP_OK) {
             return status == HttpURLConnection.HTTP_MOVED_TEMP || status == HttpURLConnection.HTTP_MOVED_PERM ||
@@ -212,43 +217,59 @@ private boolean isRedirect(int status) {
         return false;
     }
 
-    private void downloadCrl(URL url) throws IOException, CryptoException {
+    private static byte[] download(URL url) throws IOException, URISyntaxException {
         HttpURLConnection urlConn = (HttpURLConnection) url.openConnection();
         int status = urlConn.getResponseCode();
         if (isRedirect(status)) {
             String newUrl = urlConn.getHeaderField("Location");
-            url = new URL(newUrl);
+            url = new URI(newUrl).toURL();
             urlConn = (HttpURLConnection) url.openConnection();
         }
         try (InputStream is = urlConn.getInputStream()) {
-            X509CRL crl = X509CertUtil.loadCRL(is.readAllBytes());
-            if (crl != null) {
-                DViewCrl dViewCrl = new DViewCrl(frame,
-                                                 MessageFormat.format(resExt.getString("DViewExtensions.ViewCrl.Title"),
-                                                                      url.toString()), crl);
-                dViewCrl.setLocationRelativeTo(frame);
-                dViewCrl.setVisible(true);
-            }
+            return is.readAllBytes();
         }
     }
 
-    private void downloadCert(URL url) throws IOException, CryptoException {
-        HttpURLConnection urlConn = (HttpURLConnection) url.openConnection();
-        int status = urlConn.getResponseCode();
-        if (isRedirect(status)) {
-            String newUrl = urlConn.getHeaderField("Location");
-            url = new URL(newUrl);
-            urlConn = (HttpURLConnection) url.openConnection();
+    /**
+     * Downloads and displays the CRL.
+     *
+     * @param url The URL of the CRL to download and display.
+     * @param window The Window to use for modality and location.
+     * @throws IOException If an I/O error occurred.
+     * @throws URISyntaxException If the CRL URL is malformed.
+     * @throws CryptoException If the CRL cannot be loaded.
+     */
+    public static void downloadCrl(URL url, Window window) throws IOException, URISyntaxException, CryptoException {
+        X509CRL crl = X509CertUtil.loadCRL(download(url));
+        if (crl != null) {
+            DViewCrl dViewCrl = new DViewCrl(window,
+                    MessageFormat.format(resExt.getString("DViewExtensions.ViewCrl.Title"),
+                            url.toString()), crl);
+            dViewCrl.setLocationRelativeTo(window);
+            dViewCrl.setVisible(true);
         }
-        try (InputStream is = urlConn.getInputStream()) {
-            X509Certificate[] certs = X509CertUtil.loadCertificates(is.readAllBytes());
-            if (certs != null && certs.length > 0) {
-                DViewCertificate dViewCertificate = new DViewCertificate(frame,
-                        MessageFormat.format(resExt.getString("DViewExtensions.ViewCert.Title"), url.toString()), certs,
-                        this.kseFrame, DViewCertificate.IMPORT_EXPORT);
-                dViewCertificate.setLocationRelativeTo(frame);
-                dViewCertificate.setVisible(true);
-            }
+    }
+
+    /**
+     * Downloads and displays the certificate.
+     *
+     * @param url The URL of the certificate to download and display.
+     * @param window The Window to use for modality and location.
+     * @param kseFrame The KseFrame to use for import if present.
+     * @throws IOException If an I/O error occurred.
+     * @throws URISyntaxException If the certificate URL is malformed.
+     * @throws CryptoException If the certificate cannot be loaded.
+     */
+    public static void downloadCert(URL url, Window window, KseFrame kseFrame)
+            throws IOException, URISyntaxException, CryptoException {
+        X509Certificate[] certs = X509CertUtil.loadCertificates(download(url));
+        if (certs != null && certs.length > 0) {
+            int importExport = kseFrame == null ? DViewCertificate.NONE : DViewCertificate.IMPORT_EXPORT;
+            DViewCertificate dViewCertificate = new DViewCertificate(window,
+                    MessageFormat.format(resExt.getString("DViewExtensions.ViewCert.Title"), url.toString()), certs,
+                    kseFrame, importExport);
+            dViewCertificate.setLocationRelativeTo(window);
+            dViewCertificate.setVisible(true);
         }
     }