TMS secure recovery part of - Bug 737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token

author: Christina Fu <cfu@redhat.com> 2012-09-28 12:45:43 -0700
committer: Christina Fu <cfu@redhat.com> 2012-09-28 12:45:43 -0700
commit: 0ead6680bdac648a984d00978a89f2eb993c9b60 (patch)
tree: e5ff358b266d4356ed791876a56c501264e1fe48
parent: 29eb32d618dc1b551b0cc17037767a6c79cc846d (diff)
download: pki-0ead6680bdac648a984d00978a89f2eb993c9b60.tar.gz
pki-0ead6680bdac648a984d00978a89f2eb993c9b60.tar.xz
pki-0ead6680bdac648a984d00978a89f2eb993c9b60.zip
1 files changed, 139 insertions, 61 deletions
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index 043602a8a..e43ba1f15 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -55,6 +55,7 @@ import org.mozilla.jss.asn1.*;
 import org.mozilla.jss.crypto.PBEAlgorithm;
 import org.mozilla.jss.pkix.primitive.*;
 import org.mozilla.jss.pkcs11.*;
+import org.mozilla.jss.crypto.PrivateKey;
 
 
 /**
@@ -94,6 +95,7 @@ public class TokenKeyRecoveryService implements IService {
 	"LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
 
+
     /**
      * Constructs request processor.
      */
@@ -212,6 +214,18 @@ public class TokenKeyRecoveryService implements IService {
         String iv_s ="";
 
         CMS.debug("KRA services token key recovery request");
+        CryptoManager cm = null;
+        IConfigStore config = null;
+        String tokName = "";
+        Boolean allowEncDecrypt_recovery = false;
+
+        try {
+            config = CMS.getConfigStore();
+            allowEncDecrypt_recovery = config.getBoolean("kra.allowEncDecrypt.recovery", false);
+        } catch (Exception e) {
+            throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+        }
+
 
         byte[] wrapped_des_key;
 
@@ -227,12 +241,12 @@ public class TokenKeyRecoveryService implements IService {
         if (id != null) {
             auditRecoveryID = id.trim();
         }
-       SessionContext sContext = SessionContext.getContext();
-       String agentId="";
-       if (sContext != null) {
+        SessionContext sContext = SessionContext.getContext();
+        String agentId="";
+        if (sContext != null) {
             agentId =
                 (String) sContext.get(SessionContext.USER_ID);
-       }
+        }
 
         Hashtable params = mKRA.getVolatileRequest(
                  request.getRequestId());
@@ -420,66 +434,78 @@ public class TokenKeyRecoveryService implements IService {
 		    }
 		}
 
-		// Unwrap the archived private key
-		byte privateKeyData[] = null;
-		privateKeyData = recoverKey(params, keyRecord);
-		if (privateKeyData == null) {
-		    request.setExtData(IRequest.RESULT, Integer.valueOf(4));
-		    CMS.debug("TokenKeyRecoveryService: failed getting private key");
-            auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
-                        auditSubjectID,
-                        ILogger.FAILURE,
-                        auditRecoveryID,
-                        agentId);
+        byte wrapped[];
+        if (allowEncDecrypt_recovery == true) {
+            // Unwrap the archived private key
+            byte privateKeyData[] = null;
+            privateKeyData = recoverKey(params, keyRecord);
+            if (privateKeyData == null) {
+                request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+                CMS.debug("TokenKeyRecoveryService: failed getting private key");
+                auditMessage = CMS.getLogMessage(
+                    LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                    auditSubjectID,
+                    ILogger.FAILURE,
+                    auditRecoveryID,
+                    agentId);
 
-            audit(auditMessage);
-		    return false;
-		}
-		CMS.debug("TokenKeyRecoveryService: got private key...about to verify");
+                audit(auditMessage);
+                return false;
+            }
+            CMS.debug("TokenKeyRecoveryService: got private key...about to verify");
 
-         iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
-                request.setExtData("iv_s", iv_s);
+            iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
+            request.setExtData("iv_s", iv_s);
 
-         CMS.debug("request.setExtData: iv_s: " + iv_s);
+            CMS.debug("request.setExtData: iv_s: " + iv_s);
 
-        /* LunaSA returns data with padding which we need to remove */
-        ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData);
-        DerValue dv = new DerValue(dis);
-        byte p[] = dv.toByteArray();
-        int l = p.length;
-        CMS.debug("length different data length=" + l +
+            /* LunaSA returns data with padding which we need to remove */
+            ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData);
+            DerValue dv = new DerValue(dis);
+            byte p[] = dv.toByteArray();
+            int l = p.length;
+            CMS.debug("length different data length=" + l +
                 " real length=" + privateKeyData.length );
-        if (l != privateKeyData.length) {
-          privateKeyData = p;
-        }
+            if (l != privateKeyData.length) {
+              privateKeyData = p;
+            }
 
-		if (verifyKeyPair(pubData, privateKeyData) == false) {
-		    mKRA.log(ILogger.LL_FAILURE,
-			     CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
-            auditMessage = CMS.getLogMessage(
+            if (verifyKeyPair(pubData, privateKeyData) == false) {
+                mKRA.log(ILogger.LL_FAILURE,
+                    CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+                auditMessage = CMS.getLogMessage(
                         LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
                         agentId);
 
-            audit(auditMessage);
-		    throw new EKRAException(
-					    CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
-		} else {
-		    CMS.debug("TokenKeyRecoveryService: private key verified with public key");
-		}
+                audit(auditMessage);
+                throw new EKRAException(
+                    CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+            } else {
+                CMS.debug("TokenKeyRecoveryService: private key verified with public key");
+            }
 
-		//encrypt and put in private key
-		cipher.initEncrypt(sk, algParam);
-		byte wrapped[] = cipher.doFinal(privateKeyData);
+            //encrypt and put in private key
+            cipher.initEncrypt(sk, algParam);
+            wrapped = cipher.doFinal(privateKeyData);
+        } else { //allowEncDecrypt_recovery == false
+            PrivateKey privKey = recoverKey(params, keyRecord, allowEncDecrypt_recovery);
+            KeyWrapper wrapper = token.getKeyWrapper(
+                    KeyWrapAlgorithm.DES3_CBC_PAD);
+
+            wrapper.initWrap(sk, algParam);
+            wrapped = wrapper.wrap(privKey);
+            iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
+            request.setExtData("iv_s", iv_s);
+        }
 
-		String wrappedPrivKeyString =
+        String wrappedPrivKeyString =
                     com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped);
-		if (wrappedPrivKeyString == null) {
-		    request.setExtData(IRequest.RESULT, Integer.valueOf(4));
-		    CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key");
+        if (wrappedPrivKeyString == null) {
+            request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+            CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key");
             auditMessage = CMS.getLogMessage(
                         LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
@@ -488,14 +514,14 @@ public class TokenKeyRecoveryService implements IService {
                         agentId);
 
             audit(auditMessage);
-		    return false;
-		} else {
-		    CMS.debug("TokenKeyRecoveryService: got private key data wrapped");
-		    request.setExtData("wrappedUserPrivate",
-				wrappedPrivKeyString);
-		    request.setExtData(IRequest.RESULT, Integer.valueOf(1));
-		    CMS.debug( "TokenKeyRecoveryService: key for " +rCUID+":"+rUserid +" recovered");
-		}
+            return false;
+        } else {
+            CMS.debug("TokenKeyRecoveryService: got private key data wrapped");
+            request.setExtData("wrappedUserPrivate",
+                wrappedPrivKeyString);
+            request.setExtData(IRequest.RESULT, Integer.valueOf(1));
+            CMS.debug( "TokenKeyRecoveryService: key for " +rCUID+":"+rUserid +" recovered");
+        }
 
 		//convert and put in the public key
 		String b64PKey = base64Encode(pubData);
@@ -587,28 +613,80 @@ public class TokenKeyRecoveryService implements IService {
 	
     /**
      * Recovers key.
+     *     - with allowEncDecrypt_archival == false
+     */
+    public synchronized PrivateKey recoverKey(Hashtable request, KeyRecord keyRecord, boolean allowEncDecrypt_archival) 
+        throws EBaseException {
+        CMS.debug( "TokenKeyRecoveryService: recoverKey() - with allowEncDecrypt_archival being false");
+        if (allowEncDecrypt_archival) {
+            CMS.debug( "TokenKeyRecoveryService: recoverKey() - allowEncDecrypt_archival needs to be false for this call");
+            throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "recoverKey, allowEncDecrypt_archival needs to be false for this call"));
+        }
+
+        try {
+            /* wrapped retrieve session key and private key */
+            DerValue val = new DerValue(keyRecord.getPrivateKeyData());
+            DerInputStream in = val.data;
+            DerValue dSession = in.getDerValue();
+            byte session[] = dSession.getOctetString();
+            DerValue dPri = in.getDerValue();
+            byte pri[] = dPri.getOctetString();
+
+            byte publicKeyData[] = keyRecord.getPublicKeyData();
+            PublicKey pubkey = null;
+            try {
+                pubkey = X509Key.parsePublicKey (new DerValue(publicKeyData));
+            } catch (Exception e) {
+                CMS.debug("TokenKeyRecoverService: after parsePublicKey:"+e.toString());
+                throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "pubic key parsing failure"));
+            }
+            byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
+            PrivateKey privKey =
+            mStorageUnit.unwrap(
+                session,
+                keyRecord.getAlgorithm(),
+                iv,
+                pri,
+                (PublicKey) pubkey);
+            if (privKey == null) {
+                CMS.debug( "TokenKeyRecoveryService: recoverKey() - recovery failure");
+                throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "private key recovery/unwrapping failure"));
+            }
+            return privKey;
+
+        } catch (Exception e) {
+            CMS.debug("TokenKeyRecoverService: recoverKey() failed with allowEncDecrypt_recovery=false:"+e.toString());
+            throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "Exception:"+e.toString()));
+        }
+    }
+
+    /**
+     * Recovers key.
+     *     - with allowEncDecrypt_archival == true
      */
     public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) 
         throws EBaseException {
-	/*
+        CMS.debug( "TokenKeyRecoveryService: recoverKey() - with allowEncDecrypt_archival being true");
+    /*
         Credential creds[] = (Credential[])
             request.get(ATTR_AGENT_CREDENTIALS);
 
         mStorageUnit.login(creds);
-	*/
+    */
         CMS.debug( "KRA decrypts internal private");
         byte privateKeyData[] = 
             mStorageUnit.decryptInternalPrivate(
                 keyRecord.getPrivateKeyData());
-	/*
+    /*
         mStorageUnit.logout();
-	*/
+    */
         if (privateKeyData == null) {
             mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
             throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key"));
         }
         return privateKeyData;
     }
+
     /**
      * Signed Audit Log
      *y
author	Christina Fu <cfu@redhat.com>	2012-09-28 12:45:43 -0700
committer	Christina Fu <cfu@redhat.com>	2012-09-28 12:45:43 -0700
commit	0ead6680bdac648a984d00978a89f2eb993c9b60 (patch)
tree	e5ff358b266d4356ed791876a56c501264e1fe48
parent	29eb32d618dc1b551b0cc17037767a6c79cc846d (diff)
download	pki-0ead6680bdac648a984d00978a89f2eb993c9b60.tar.gz pki-0ead6680bdac648a984d00978a89f2eb993c9b60.tar.xz pki-0ead6680bdac648a984d00978a89f2eb993c9b60.zip