summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChristina Fu <cfu@redhat.com>2012-09-30 17:40:43 -0700
committerChristina Fu <cfu@redhat.com>2012-09-30 17:40:43 -0700
commit7b3df7e287eb544a0bacba93abeea48e72e49db6 (patch)
treeb4ff8f87fbfa7b61f895aef3dc6cb0633bde1062
parent528fda5dfda4d11a269226ccb15083f65231b49a (diff)
downloadpki-7b3df7e287eb544a0bacba93abeea48e72e49db6.zip
pki-7b3df7e287eb544a0bacba93abeea48e72e49db6.tar.gz
pki-7b3df7e287eb544a0bacba93abeea48e72e49db6.tar.xz
https://fedorahosted.org/pki/ticket/252 - TMS - ECC Key Recovery
-rw-r--r--base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java10
-rw-r--r--base/tps/src/engine/RA.cpp11
-rw-r--r--base/tps/src/processor/RA_Enroll_Processor.cpp82
3 files changed, 74 insertions, 29 deletions
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index 8fa409c..8109cee 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -516,18 +516,18 @@ public class TokenKeyRecoveryService implements IService {
}
//convert and put in the public key
- String b64PKey = base64Encode(pubData);
+ String PubKey = com.netscape.cmsutil.util.Utils.SpecialEncode(pubData);
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
auditSubjectID,
ILogger.SUCCESS,
auditRecoveryID,
- b64PKey);
+ PubKey);
audit(auditMessage);
- if (b64PKey == null) {
+ if (PubKey == null) {
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded");
auditMessage = CMS.getLogMessage(
@@ -541,9 +541,9 @@ public class TokenKeyRecoveryService implements IService {
return false;
} else {
CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = " +
- b64PKey);
+ PubKey);
}
- request.setExtData("public_key", b64PKey);
+ request.setExtData("public_key", PubKey);
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
auditSubjectID,
diff --git a/base/tps/src/engine/RA.cpp b/base/tps/src/engine/RA.cpp
index 2502cf2..4362250 100644
--- a/base/tps/src/engine/RA.cpp
+++ b/base/tps/src/engine/RA.cpp
@@ -1233,7 +1233,14 @@ void RA::RecoverKey(RA_Session *session, const char* cuid,
goto loser;
} else {
RA::Debug(LL_PER_PDU, "RecoverKey", "got public key =%s", tmp);
- *publicKey_s = PL_strdup(tmp);
+ char *tmp_publicKey_s = PL_strdup(tmp);
+ Buffer *decodePubKey = Util::URLDecode(tmp_publicKey_s);
+ *publicKey_s =
+ BTOA_DataToAscii(decodePubKey->getBuf(), decodePubKey->getLen());
+ if (tmp_publicKey_s)
+ PR_Free (tmp_publicKey_s);
+ if (decodePubKey)
+ PR_Free(decodePubKey);
}
tmp = NULL;
@@ -1251,7 +1258,7 @@ void RA::RecoverKey(RA_Session *session, const char* cuid,
RA::Error(LL_PER_PDU, "RecoverKey",
"did not get iv_param for recovered key in DRM response");
} else {
- RA::Debug(LL_PER_PDU, "ServerSideKeyGen", "got iv_param for recovered key =%s", tmp);
+ RA::Debug(LL_PER_PDU, "RecoverKey", "got iv_param for recovered key =%s", tmp);
*ivParam_s = PL_strdup(tmp);
}
diff --git a/base/tps/src/processor/RA_Enroll_Processor.cpp b/base/tps/src/processor/RA_Enroll_Processor.cpp
index 8747206..6922dc2 100644
--- a/base/tps/src/processor/RA_Enroll_Processor.cpp
+++ b/base/tps/src/processor/RA_Enroll_Processor.cpp
@@ -4222,6 +4222,12 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
int isGenerateandRecover = 0;
const char *FN="RA_Enroll_Processor::ProcessRecovery";
+ bool isECC = false;
+ BYTE algorithm;
+ CERTSubjectPublicKeyInfo* spkix = NULL;
+ SECKEYECParams *eccParams = NULL;
+ SECKEYPublicKey *pk_p = NULL;
+
RA::Debug("RA_Enroll_Processor::ProcessRecovery","entering...");
// get key version for audit logs
if (channel != NULL) {
@@ -4242,6 +4248,16 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
goto loser;
}
+ PR_snprintf((char *)configname, 256, "op.enroll.%s.keyGen.encryption.alg", tokenType);
+ //Default RSA_CRT=2
+ algorithm = (BYTE) RA::GetConfigStore()->GetConfigAsInt(configname, 2);
+ isECC = RA::isAlgorithmECC(algorithm);
+ if (isECC) {
+ RA::Debug("RA_Enroll_Processor::ProcessRecovery", "algorithm is ECC");
+ } else {
+ RA::Debug("RA_Enroll_Processor::ProcessRecovery", "algorithm is not ECC");
+ }
+
//We will have to rifle through the configuration to see if there any recovery operations with
//scheme "GenerateNewKeyandRecoverLast" which allows for recovering the old key AND generating a new
// one for the encryption type only. If this scheme is present, the number of certs for bump by
@@ -4426,14 +4442,13 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
RA::Debug("RA_Enroll_Processor::ProcessRecovery", "begin recovery code");
- SECKEYPublicKey *pk_p = NULL;
SECItem si_mod;
Buffer *modulus=NULL;
SECItem *si_kid = NULL;
Buffer *keyid=NULL;
SECItem si_exp;
Buffer *exponent=NULL;
- CERTSubjectPublicKeyInfo* spkix = NULL;
+ CERTSubjectPublicKeyInfo* spki = NULL;
//Now we have to get the original config params for the encryption cert and keys
@@ -4608,7 +4623,7 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
goto rloser;
*/
} else
- RA::Debug(LL_PER_PDU, "DoEnrollment", "o_priv = %s", o_priv);
+ RA::Debug(LL_PER_PDU, "DoEnrollment", "o_priv not NULL");
if (ivParam == NULL) {
RA::Debug(LL_PER_CONNECTION,"RA_Enroll_Processor::ProcessRecovery",
@@ -4628,7 +4643,6 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
*/
SECStatus rv;
SECItem der;
- CERTSubjectPublicKeyInfo* spki;
der.type = (SECItemType) 0; /* initialize it, since convertAsciiToItem does not set it */
rv = ATOB_ConvertAsciiToItem (&der, o_pub);
@@ -4643,7 +4657,6 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
RA::Debug(LL_PER_PDU, "ProcessRecovery", "item len=%d, item type=%d",der.len, der.type);
spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der);
- SECITEM_FreeItem(&der, PR_FALSE);
if (spki != NULL) {
RA::Debug("RA_Enroll_Processor::ProcessRecovery", "after converting public key spki is not NULL");
@@ -4656,6 +4669,7 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
RA::Debug("RA_Enroll_Processor::ProcessRecovery", "after converting public key, spki is NULL");
}
+ SECITEM_FreeItem(&der, PR_FALSE);
SECKEY_DestroySubjectPublicKeyInfo(spki);
if( pk_p == NULL ) {
@@ -4682,11 +4696,12 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
keyVersion != NULL? keyVersion : "",
"key recovered successfully");
+ if (!isECC) {
+ /* fill in keyid, modulus, and exponent */
- /* fill in keyid, modulus, and exponent */
-
- si_mod = pk_p->u.rsa.modulus;
- modulus = new Buffer((BYTE*) si_mod.data, si_mod.len);
+ si_mod = pk_p->u.rsa.modulus;
+ modulus = new Buffer((BYTE*) si_mod.data, si_mod.len);
+ }
spkix = SECKEY_CreateSubjectPublicKeyInfo(pk_p);
@@ -4702,11 +4717,14 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
SECKEY_DestroySubjectPublicKeyInfo(spkix);
keyid = new Buffer((BYTE*) si_kid->data, si_kid->len);
- si_exp = pk_p->u.rsa.publicExponent;
- exponent = new Buffer((BYTE*) si_exp.data, si_exp.len);
- RA::Debug(LL_PER_PDU, "RA_Enroll_Processor::Process",
- " keyid, modulus and exponent are retrieved");
+ if (!isECC) {
+ si_exp = pk_p->u.rsa.publicExponent;
+ exponent = new Buffer((BYTE*) si_exp.data, si_exp.len);
+
+ RA::Debug(LL_PER_PDU, "RA_Enroll_Processor::Process",
+ " keyid, modulus and exponent are retrieved");
+ }
ktypes[actualCertIndex] = PL_strdup(keyTypeValue);
// We now store the token id of the original token
@@ -4836,8 +4854,8 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
pkcs11objx->AddObjectSpec(objSpec);
}
{
- Buffer b = channel->CreatePKCS11CertAttrsBuffer(
- KEY_TYPE_ENCRYPTION , certAttrId, label, keyid);
+ Buffer b = channel->CreatePKCS11CertAttrsBuffer(
+ KEY_TYPE_ENCRYPTION , certAttrId, label, keyid);
ObjectSpec *objSpec =
ObjectSpec::ParseFromTokenData(
(certAttrId[0] << 24) +
@@ -4847,9 +4865,18 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
}
{
- Buffer b = channel->CreatePKCS11PriKeyAttrsBuffer(KEY_TYPE_ENCRYPTION,
- privateKeyAttrId, label, keyid, modulus, OP_PREFIX,
- tokenType, keyTypePrefix);
+ Buffer b;
+ if (!isECC) {
+ b = channel->CreatePKCS11PriKeyAttrsBuffer(KEY_TYPE_ENCRYPTION,
+ privateKeyAttrId, label, keyid, modulus, OP_PREFIX,
+ tokenType, keyTypePrefix);
+ } else { //isECC
+ eccParams = &pk_p->u.ec.DEREncodedParams;
+ b = channel->CreatePKCS11ECCPriKeyAttrsBuffer(KEY_TYPE_ENCRYPTION,
+ privateKeyAttrId, label, keyid, eccParams, OP_PREFIX,
+ tokenType, keyTypePrefix);
+ }
+
ObjectSpec *objSpec =
ObjectSpec::ParseFromTokenData(
(privateKeyAttrId[0] << 24) +
@@ -4859,9 +4886,17 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
}
{
- Buffer b = channel->CreatePKCS11PubKeyAttrsBuffer(KEY_TYPE_ENCRYPTION,
- publicKeyAttrId, label, keyid,
- exponent, modulus, OP_PREFIX, tokenType, keyTypePrefix);
+ Buffer b;
+ if (!isECC) {
+ b = channel->CreatePKCS11PubKeyAttrsBuffer(KEY_TYPE_ENCRYPTION,
+ publicKeyAttrId, label, keyid,
+ exponent, modulus, OP_PREFIX, tokenType, keyTypePrefix);
+ } else {
+ b = channel->CreatePKCS11ECCPubKeyAttrsBuffer(KEY_TYPE_ENCRYPTION,
+ publicKeyAttrId, label, keyid,&pk_p->u.ec, eccParams,
+ OP_PREFIX, tokenType, keyTypePrefix);
+ }
+
ObjectSpec *objSpec =
ObjectSpec::ParseFromTokenData(
(publicKeyAttrId[0] << 24) +
@@ -4986,8 +5021,11 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se
if( result != NULL ) {
ldap_msgfree( result );
}
+ if (pk_p != NULL) {
+ RA::Debug(LL_PER_CONNECTION,FN,"ProcessRecovery about to call SECKEY_DestroyPublicKey on pk_p");
+ SECKEY_DestroyPublicKey(pk_p);
+ }
-
RA::Debug("RA_Enroll_Processor::ProcessRecovery","leaving whole function...");
return r;
}