diff options
author | Christina Fu <cfu@redhat.com> | 2012-09-28 12:45:43 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2012-09-28 12:45:43 -0700 |
commit | 0ead6680bdac648a984d00978a89f2eb993c9b60 (patch) | |
tree | e5ff358b266d4356ed791876a56c501264e1fe48 | |
parent | 29eb32d618dc1b551b0cc17037767a6c79cc846d (diff) | |
download | pki-0ead6680bdac648a984d00978a89f2eb993c9b60.tar.gz pki-0ead6680bdac648a984d00978a89f2eb993c9b60.tar.xz pki-0ead6680bdac648a984d00978a89f2eb993c9b60.zip |
TMS secure recovery part of - Bug 737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token
-rw-r--r-- | base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 200 |
1 files changed, 139 insertions, 61 deletions
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index 043602a8a..e43ba1f15 100644 --- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java @@ -55,6 +55,7 @@ import org.mozilla.jss.asn1.*; import org.mozilla.jss.crypto.PBEAlgorithm; import org.mozilla.jss.pkix.primitive.*; import org.mozilla.jss.pkcs11.*; +import org.mozilla.jss.crypto.PrivateKey; /** @@ -94,6 +95,7 @@ public class TokenKeyRecoveryService implements IService { "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); + /** * Constructs request processor. */ @@ -212,6 +214,18 @@ public class TokenKeyRecoveryService implements IService { String iv_s =""; CMS.debug("KRA services token key recovery request"); + CryptoManager cm = null; + IConfigStore config = null; + String tokName = ""; + Boolean allowEncDecrypt_recovery = false; + + try { + config = CMS.getConfigStore(); + allowEncDecrypt_recovery = config.getBoolean("kra.allowEncDecrypt.recovery", false); + } catch (Exception e) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); + } + byte[] wrapped_des_key; @@ -227,12 +241,12 @@ public class TokenKeyRecoveryService implements IService { if (id != null) { auditRecoveryID = id.trim(); } - SessionContext sContext = SessionContext.getContext(); - String agentId=""; - if (sContext != null) { + SessionContext sContext = SessionContext.getContext(); + String agentId=""; + if (sContext != null) { agentId = (String) sContext.get(SessionContext.USER_ID); - } + } Hashtable params = mKRA.getVolatileRequest( request.getRequestId()); @@ -420,66 +434,78 @@ public class TokenKeyRecoveryService implements IService { } } - // Unwrap the archived private key - byte privateKeyData[] = null; - privateKeyData = recoverKey(params, keyRecord); - if (privateKeyData == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting private key"); - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); + byte wrapped[]; + if (allowEncDecrypt_recovery == true) { + // Unwrap the archived private key + byte privateKeyData[] = null; + privateKeyData = recoverKey(params, keyRecord); + if (privateKeyData == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting private key"); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, + agentId); - audit(auditMessage); - return false; - } - CMS.debug("TokenKeyRecoveryService: got private key...about to verify"); + audit(auditMessage); + return false; + } + CMS.debug("TokenKeyRecoveryService: got private key...about to verify"); - iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); - request.setExtData("iv_s", iv_s); + iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); + request.setExtData("iv_s", iv_s); - CMS.debug("request.setExtData: iv_s: " + iv_s); + CMS.debug("request.setExtData: iv_s: " + iv_s); - /* LunaSA returns data with padding which we need to remove */ - ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData); - DerValue dv = new DerValue(dis); - byte p[] = dv.toByteArray(); - int l = p.length; - CMS.debug("length different data length=" + l + + /* LunaSA returns data with padding which we need to remove */ + ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData); + DerValue dv = new DerValue(dis); + byte p[] = dv.toByteArray(); + int l = p.length; + CMS.debug("length different data length=" + l + " real length=" + privateKeyData.length ); - if (l != privateKeyData.length) { - privateKeyData = p; - } + if (l != privateKeyData.length) { + privateKeyData = p; + } - if (verifyKeyPair(pubData, privateKeyData) == false) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - auditMessage = CMS.getLogMessage( + if (verifyKeyPair(pubData, privateKeyData) == false) { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); - } else { - CMS.debug("TokenKeyRecoveryService: private key verified with public key"); - } + audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); + } else { + CMS.debug("TokenKeyRecoveryService: private key verified with public key"); + } - //encrypt and put in private key - cipher.initEncrypt(sk, algParam); - byte wrapped[] = cipher.doFinal(privateKeyData); + //encrypt and put in private key + cipher.initEncrypt(sk, algParam); + wrapped = cipher.doFinal(privateKeyData); + } else { //allowEncDecrypt_recovery == false + PrivateKey privKey = recoverKey(params, keyRecord, allowEncDecrypt_recovery); + KeyWrapper wrapper = token.getKeyWrapper( + KeyWrapAlgorithm.DES3_CBC_PAD); + + wrapper.initWrap(sk, algParam); + wrapped = wrapper.wrap(privKey); + iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); + request.setExtData("iv_s", iv_s); + } - String wrappedPrivKeyString = + String wrappedPrivKeyString = com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped); - if (wrappedPrivKeyString == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); + if (wrappedPrivKeyString == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, auditSubjectID, @@ -488,14 +514,14 @@ public class TokenKeyRecoveryService implements IService { agentId); audit(auditMessage); - return false; - } else { - CMS.debug("TokenKeyRecoveryService: got private key data wrapped"); - request.setExtData("wrappedUserPrivate", - wrappedPrivKeyString); - request.setExtData(IRequest.RESULT, Integer.valueOf(1)); - CMS.debug( "TokenKeyRecoveryService: key for " +rCUID+":"+rUserid +" recovered"); - } + return false; + } else { + CMS.debug("TokenKeyRecoveryService: got private key data wrapped"); + request.setExtData("wrappedUserPrivate", + wrappedPrivKeyString); + request.setExtData(IRequest.RESULT, Integer.valueOf(1)); + CMS.debug( "TokenKeyRecoveryService: key for " +rCUID+":"+rUserid +" recovered"); + } //convert and put in the public key String b64PKey = base64Encode(pubData); @@ -587,28 +613,80 @@ public class TokenKeyRecoveryService implements IService { /** * Recovers key. + * - with allowEncDecrypt_archival == false + */ + public synchronized PrivateKey recoverKey(Hashtable request, KeyRecord keyRecord, boolean allowEncDecrypt_archival) + throws EBaseException { + CMS.debug( "TokenKeyRecoveryService: recoverKey() - with allowEncDecrypt_archival being false"); + if (allowEncDecrypt_archival) { + CMS.debug( "TokenKeyRecoveryService: recoverKey() - allowEncDecrypt_archival needs to be false for this call"); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "recoverKey, allowEncDecrypt_archival needs to be false for this call")); + } + + try { + /* wrapped retrieve session key and private key */ + DerValue val = new DerValue(keyRecord.getPrivateKeyData()); + DerInputStream in = val.data; + DerValue dSession = in.getDerValue(); + byte session[] = dSession.getOctetString(); + DerValue dPri = in.getDerValue(); + byte pri[] = dPri.getOctetString(); + + byte publicKeyData[] = keyRecord.getPublicKeyData(); + PublicKey pubkey = null; + try { + pubkey = X509Key.parsePublicKey (new DerValue(publicKeyData)); + } catch (Exception e) { + CMS.debug("TokenKeyRecoverService: after parsePublicKey:"+e.toString()); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "pubic key parsing failure")); + } + byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1}; + PrivateKey privKey = + mStorageUnit.unwrap( + session, + keyRecord.getAlgorithm(), + iv, + pri, + (PublicKey) pubkey); + if (privKey == null) { + CMS.debug( "TokenKeyRecoveryService: recoverKey() - recovery failure"); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "private key recovery/unwrapping failure")); + } + return privKey; + + } catch (Exception e) { + CMS.debug("TokenKeyRecoverService: recoverKey() failed with allowEncDecrypt_recovery=false:"+e.toString()); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "Exception:"+e.toString())); + } + } + + /** + * Recovers key. + * - with allowEncDecrypt_archival == true */ public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) throws EBaseException { - /* + CMS.debug( "TokenKeyRecoveryService: recoverKey() - with allowEncDecrypt_archival being true"); + /* Credential creds[] = (Credential[]) request.get(ATTR_AGENT_CREDENTIALS); mStorageUnit.login(creds); - */ + */ CMS.debug( "KRA decrypts internal private"); byte privateKeyData[] = mStorageUnit.decryptInternalPrivate( keyRecord.getPrivateKeyData()); - /* + /* mStorageUnit.logout(); - */ + */ if (privateKeyData == null) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key")); } return privateKeyData; } + /** * Signed Audit Log *y |