summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2012-01-19 00:50:47 -0500
committerAde Lee <alee@redhat.com>2012-02-08 16:02:45 -0500
commit2df8f6840ad5e4c2740db36b2f5fbf2c2979cf92 (patch)
treeeac843faad75685745ee21304a8b3df3b9a73c7a
parent0e038046bfdb2cf174450dcb80e2f0b2887947e2 (diff)
downloadpki-2df8f6840ad5e4c2740db36b2f5fbf2c2979cf92.tar.gz
pki-2df8f6840ad5e4c2740db36b2f5fbf2c2979cf92.tar.xz
pki-2df8f6840ad5e4c2740db36b2f5fbf2c2979cf92.zip
Change RecoveryRequest fields
When sending a passphrase in the recovery request, we need to wrap it in a session key and store it in sessionWrappedPassphrase. We also then wrap the session key in transWrappedSessionKey. The server needs to do PBE if the sessionWrappedPassphrase is present, and symkey based encryption otherwise. Also changed the DRM test to reflect these changes, and fixed some errors.
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java18
-rw-r--r--pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMRestClient.java7
-rw-r--r--pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java105
3 files changed, 73 insertions, 57 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java b/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java
index 88533a38d..c84d8f491 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java
@@ -38,7 +38,7 @@ public class RecoveryRequestData {
private static final String KEY_ID = "keyId";
private static final String REQUEST_ID = "requestId";
private static final String TRANS_WRAPPED_SESSION_KEY = "transWrappedSessionKey";
- private static final String TRANS_WRAPPED_PASSPHRASE = "transWrappedPassphrase";
+ private static final String SESSION_WRAPPED_PASSPHRASE = "sessionWrappedPassphrase";
@XmlElement
protected String keyId;
@@ -50,7 +50,7 @@ public class RecoveryRequestData {
protected String transWrappedSessionKey;
@XmlElement
- protected String transWrappedPassphrase;
+ protected String sessionWrappedPassphrase;
public RecoveryRequestData() {
// required for JAXB (defaults)
@@ -60,7 +60,7 @@ public class RecoveryRequestData {
keyId = form.getFirst(KEY_ID);
requestId = form.getFirst(REQUEST_ID);
transWrappedSessionKey = form.getFirst(TRANS_WRAPPED_SESSION_KEY);
- transWrappedPassphrase = form.getFirst(TRANS_WRAPPED_PASSPHRASE);
+ sessionWrappedPassphrase = form.getFirst(SESSION_WRAPPED_PASSPHRASE);
}
/**
@@ -106,17 +106,17 @@ public class RecoveryRequestData {
}
/**
- * @return the transWrappedPassphrase
+ * @return the sessionWrappedPassphrase
*/
- public String getTransWrappedPassphrase() {
- return transWrappedPassphrase;
+ public String getSessionWrappedPassphrase() {
+ return sessionWrappedPassphrase;
}
/**
- * @param transWrappedPassphrase the transWrappedPassphrase to set
+ * @param sessionWrappedPassphrase the sessionWrappedPassphrase to set
*/
- public void setTransWrappedPassphrase(String transWrappedPassphrase) {
- this.transWrappedPassphrase = transWrappedPassphrase;
+ public void setSessionWrappedPassphrase(String sessionWrappedPassphrase) {
+ this.sessionWrappedPassphrase = sessionWrappedPassphrase;
}
}
diff --git a/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMRestClient.java b/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMRestClient.java
index 8447faaec..412df39a9 100644
--- a/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMRestClient.java
+++ b/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMRestClient.java
@@ -81,7 +81,7 @@ public class DRMRestClient {
RecoveryRequestData data = new RecoveryRequestData();
data.setKeyId(keyId);
if (rpwd != null) {
- data.setTransWrappedPassphrase(com.netscape.osutil.OSUtil.BtoA(rpwd));
+ data.setSessionWrappedPassphrase(com.netscape.osutil.OSUtil.BtoA(rpwd));
}
if (rkey != null) {
data.setTransWrappedSessionKey(com.netscape.osutil.OSUtil.BtoA(rkey));
@@ -102,8 +102,9 @@ public class DRMRestClient {
data.setRequestId(requestId);
if (rkey != null) {
data.setTransWrappedSessionKey(com.netscape.osutil.OSUtil.BtoA(rkey));
- } else {
- data.setTransWrappedPassphrase(com.netscape.osutil.OSUtil.BtoA(rpwd));
+ }
+ if (rpwd != null) {
+ data.setSessionWrappedPassphrase(com.netscape.osutil.OSUtil.BtoA(rpwd));
}
KeyData key = keyClient.retrieveKey(data);
return key;
diff --git a/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java b/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java
index f222e5413..bf15381a9 100644
--- a/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java
+++ b/pki/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java
@@ -226,19 +226,32 @@ public class DRMTest {
log("Getting key: " + keyId);
KeyData keyData = client.retrieveKey(keyId, recoveryRequestId, null, wrappedRecoveryKey);
- String recoveredWrappedKey = keyData.getWrappedPrivateData();
- String recoveredKey = unwrap(recoveredWrappedKey, recoveryKey);
+ String wrappedRecoveredKey = keyData.getWrappedPrivateData();
+ String recoveredKey = unwrap(wrappedRecoveredKey, recoveryKey);
if (!recoveredKey.equals(com.netscape.osutil.OSUtil.BtoA(vek.getEncoded()))) {
log("Error: recovered and archived keys do not match!");
}
// Test 9: Submit a recovery request for the symmetric key using a passphrase
- log("Submitting a recovery request for the symmetric key using session key");
+ log("Submitting a recovery request for the symmetric key using a passphrase");
String recoveryPassphrase = "Gimme me keys please";
- byte[] wrappedRecoveryPassphrase = wrapPassphrase(recoveryPassphrase, transportCert);
- KeyRequestInfo info = client.requestRecovery(keyId, wrappedRecoveryPassphrase, null);
- recoveryRequestId = getId(info.getRequestURL());
+ byte[] wrappedRecoveryPassphrase = null;
+ KeyRequestInfo info = null;
+ byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+ IVParameterSpec IV = null;
+ IV = new IVParameterSpec(iv);
+
+ try {
+ recoveryKey = kg1.generate();
+ wrappedRecoveryPassphrase = wrapPassphrase(token, recoveryPassphrase, IV, recoveryKey);
+ wrappedRecoveryKey = wrapSymmetricKey(manager, token, transportCert, recoveryKey);
+ info = client.requestRecovery(keyId, wrappedRecoveryPassphrase, wrappedRecoveryKey);
+ recoveryRequestId = getId(info.getRequestURL());
+ } catch (Exception e) {
+ log("Exception in recovering symmetric key using passphrase" + e.toString());
+ e.printStackTrace();
+ }
//Test 10: Approve recovery
log("Approving recovery request: " + recoveryRequestId);
@@ -246,9 +259,9 @@ public class DRMTest {
// Test 11: Get key
log("Getting key: " + keyId);
- keyData = client.retrieveKey(keyId, recoveryRequestId, wrappedRecoveryPassphrase, null);
- recoveredWrappedKey = keyData.getWrappedPrivateData();
- recoveredKey = unwrap(recoveredWrappedKey, recoveryKey);
+ keyData = client.retrieveKey(keyId, recoveryRequestId, wrappedRecoveryPassphrase, wrappedRecoveryKey);
+ wrappedRecoveredKey = keyData.getWrappedPrivateData();
+ recoveredKey = unwrap(wrappedRecoveredKey, recoveryPassphrase);
if (!recoveredKey.equals(com.netscape.osutil.OSUtil.BtoA(vek.getEncoded()))) {
log("Error: recovered and archived keys do not match!");
@@ -304,16 +317,16 @@ public class DRMTest {
log("Getting passphrase: " + keyId);
keyData = client.retrieveKey(keyId, recoveryRequestId, null, wrappedRecoveryKey);
- recoveredWrappedKey = keyData.getWrappedPrivateData();
- recoveredKey = unwrap(recoveredWrappedKey, recoveryKey);
+ wrappedRecoveredKey = keyData.getWrappedPrivateData();
+ recoveredKey = unwrap(wrappedRecoveredKey, recoveryKey);
- if (!unwrap(recoveredKey).equals(passphrase)) {
+ if (!recoveredKey.equals(passphrase)) {
log("Error: recovered and archived passphrases do not match!");
}
// Test 17: Submit a recovery request for the passphrase using a passphrase
log("Submitting a recovery request for the passphrase using a passphrase");
- info = client.requestRecovery(keyId, wrappedRecoveryPassphrase, null);
+ info = client.requestRecovery(keyId, wrappedRecoveryPassphrase, wrappedRecoveryKey);
recoveryRequestId = getId(info.getRequestURL());
//Test 18: Approve recovery
@@ -322,22 +335,17 @@ public class DRMTest {
// Test 19: Get key
log("Getting passphrase: " + keyId);
- keyData = client.retrieveKey(keyId, recoveryRequestId, wrappedRecoveryPassphrase, null);
- recoveredWrappedKey = keyData.getWrappedPrivateData();
- recoveredKey = unwrap(recoveredWrappedKey, recoveryKey);
+ keyData = client.retrieveKey(keyId, recoveryRequestId, wrappedRecoveryPassphrase, wrappedRecoveryKey);
+ wrappedRecoveredKey = keyData.getWrappedPrivateData();
+ recoveredKey = unwrap(wrappedRecoveredKey, recoveryPassphrase);
- if (!unwrap(recoveredKey).equals(passphrase)) {
+ if (!recoveredKey.equals(passphrase)) {
log("Error: recovered and archived passphrases do not match!");
}
}
- private static String unwrap(String recoveredKey) {
- // TODO Auto-generated method stub
- return null;
- }
-
- private static byte[] wrapPassphrase(String recoveryPassphrase, String transportCert) {
+ private static String unwrap(String wrappedRecoveredKey, String recoveryPassphrase) {
// TODO Auto-generated method stub
return null;
}
@@ -347,7 +355,7 @@ public class DRMTest {
System.out.println(string);
}
- private static String unwrap(String recoveredWrappedKey, SymmetricKey recoveryKey) {
+ private static String unwrap(String wrappedRecoveredKey, SymmetricKey recoveryKey) {
// TODO Auto-generated method stub
return null;
}
@@ -361,7 +369,6 @@ public class DRMTest {
NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException,
CertificateEncodingException, IOException, IllegalStateException, IllegalBlockSizeException,
BadPaddingException {
- EncryptionAlgorithm encryptionAlgorithm = null;
byte[] key_data = null;
byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
IVParameterSpec IV = null;
@@ -371,29 +378,11 @@ public class DRMTest {
SymmetricKey sk = kg1.generate();
if (passphrase != null) {
- Cipher cipher = null;
- encryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
- cipher = token.getCipherContext(encryptionAlgorithm);
- log("cipher " + cipher);
-
- if (cipher != null) {
- cipher.initEncrypt(sk, IV);
- key_data = cipher.doFinal(passphrase.getBytes());
- log("Pass phrase mode key_data: " + key_data);
-
- // Try to decrypt
- cipher.initDecrypt(sk, IV);
- byte[] decrypted = cipher.doFinal(key_data);
- String s = new String(decrypted);
- log("Re decrypted pass phrase " + s);
-
- } else {
- throw new IOException("Failed to create cipher");
- }
+ key_data = wrapPassphrase(token, passphrase, IV, sk);
} else {
// wrap payload using session key
KeyWrapper wrapper1 = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
- wrapper1.initWrap(sk, new IVParameterSpec(iv));
+ wrapper1.initWrap(sk, IV);
key_data = wrapper1.wrap(vek);
}
@@ -416,6 +405,32 @@ public class DRMTest {
return encoded;
}
+ private static byte[] wrapPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk)
+ throws NoSuchAlgorithmException, TokenException, InvalidKeyException,
+ InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, IOException {
+ byte[] key_data = null;
+ Cipher cipher = null;
+ EncryptionAlgorithm encryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
+ cipher = token.getCipherContext(encryptionAlgorithm);
+ log("cipher " + cipher);
+
+ if (cipher != null) {
+ cipher.initEncrypt(sk, IV);
+ key_data = cipher.doFinal(passphrase.getBytes());
+ log("Pass phrase mode key_data: " + key_data);
+
+ // Try to decrypt
+ cipher.initDecrypt(sk, IV);
+ byte[] decrypted = cipher.doFinal(key_data);
+ String s = new String(decrypted);
+ log("Re decrypted pass phrase " + s);
+
+ } else {
+ throw new IOException("Failed to create cipher");
+ }
+ return key_data;
+ }
+
private static byte[] wrapSymmetricKey(CryptoManager manager, CryptoToken token, String transportCert,
SymmetricKey sk) throws CertificateEncodingException, TokenException, NoSuchAlgorithmException,
InvalidKeyException, InvalidAlgorithmParameterException {