| author | Ade Lee <alee@redhat.com> | 2017-02-24 16:22:57 -0500 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-03-07 00:00:42 -0500 |
| commit | 18612df432d73ace0523c63ea9f82ee13a4b0b4e (patch) | |
| tree | 6c647ee3c634d68173ae42522c53ffb6e8009fba | |
| parent | 51d516bd1e488d095a8cfb35c1ff09e918296fa0 (diff) | |
Refactor key recovery to centralize crypt functions
Refactor key recovery to put all crypto-specific operations
in a few functions, which are parameterized for algorithm types.
| -rw-r--r-- | base/kra/src/com/netscape/kra/SecurityDataProcessor.java | 92 |
1 files changed, 49 insertions, 43 deletions
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 5f815a4b6..1c94bca6e 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -435,9 +435,8 @@ public class SecurityDataProcessor {
 try {
 unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey,
 SymmetricKey.Usage.DECRYPT, wrapParams);
- Cipher decryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
- decryptor.initDecrypt(unwrappedSess, new IVParameterSpec(iv_in));
- unwrappedPass = decryptor.doFinal(wrappedPassPhrase);
+ unwrappedPass = decryptWithSymmetricKey(ct, unwrappedSess, wrappedPassPhrase,
+ new IVParameterSpec(iv_in), wrapParams);
 String passStr = new String(unwrappedPass, "UTF-8");
 pass = new Password(passStr.toCharArray());
 passStr = null;
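Review bot: The new `decryptWithSymmetricKey` call selects the cipher from `wrapParams.getPayloadEncryptionAlgorithm()` instead of the fixed DES3_CBC_PAD, but the IV is still whatever `iv_in` holds, so its length now has to match the block size of the algorithm the params select (8 bytes for DES3, 16 for an AES mode); where `iv_in` is produced is outside this hunk, so confirm it is derived from the same params rather than sized for DES3. A related hygiene point on the lines that follow: `passStr = null;` shows the intent to limit the plaintext's lifetime, yet the decrypted bytes in `unwrappedPass` are left intact — add `java.util.Arrays.fill(unwrappedPass, (byte) 0);` once `pass` is built, unless the surrounding code already clears it. The enclosing try block continues outside the hunk.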
@@ -500,24 +499,13 @@ public class SecurityDataProcessor {
 CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key with session key as per allowEncDecrypt_recovery: true.");
 unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey,
 SymmetricKey.Usage.ENCRYPT, wrapParams);
- Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
-
- if (encryptor != null) {
- encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv));
- key_data = encryptor.doFinal(unwrappedSecData);
-
- } else {
- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
- serialno.toString(), "Failed to create cipher encrypting symmetric key");
- throw new IOException("Failed to create cipher encryping symmetric key");
- }
+ key_data = encryptWithSymmetricKey(ct, unwrappedSess, unwrappedSecData,
+ new IVParameterSpec(iv), wrapParams);
 } else {
 unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey,
 SymmetricKey.Usage.WRAP, wrapParams);
- KeyWrapper wrapper = ct.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
- wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv));
- key_data = wrapper.wrap(symKey);
+ key_data = wrapWithSymmetricKey(ct, unwrappedSess, symKey, new IVParameterSpec(iv), wrapParams);
 }
 } catch (Exception e) {
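Review bot: Cipher-creation failure loses its explicit audit record: the removed branch called `auditRecoveryRequestProcessed(..., ILogger.FAILURE, ...)` before throwing, whereas the new `encryptWithSymmetricKey` helper only throws an IOException, so auditing of that failure now depends entirely on the `catch (Exception e)` block, whose body lies outside this hunk; confirm that catch emits a FAILURE audit event with a message specific enough to distinguish a missing cipher from a failed encryption, since an unaudited failure in a key-recovery step is the kind of gap a KRA audit review will flag. The same applies to the hunks at `@@ -531,17` and `@@ -552,27`. Separately, the else branch now wraps with `wrapParams.getPayloadWrapAlgorithm()` while `iv` is constructed outside the hunk, so its length must match that algorithm's block size rather than the former DES3 size. The catch body continues outside the hunk.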
@@ -531,17 +519,9 @@ public class SecurityDataProcessor {
 try {
 unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey,
 SymmetricKey.Usage.ENCRYPT, wrapParams);
- Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
- if (encryptor != null) {
- encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv));
- key_data = encryptor.doFinal(unwrappedSecData);
-
- } else {
- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
- serialno.toString(), "Failed to create cipher");
- throw new IOException("Failed to create cipher");
- }
+ key_data = encryptWithSymmetricKey(ct, unwrappedSess, unwrappedSecData,
+ new IVParameterSpec(iv), wrapParams);
 } catch (Exception e) {
 auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
 serialno.toString(), "Cannot encrypt passphrase");
@@ -552,27 +532,15 @@ public class SecurityDataProcessor {
 CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored private key with session key");
 try {
 if (allowEncDecrypt_recovery == true) {
- CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key with session key as per allowEncDecrypt_recovery: true.");
+ CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key.");
 unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey,
 SymmetricKey.Usage.ENCRYPT, wrapParams);
- Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
-
- if (encryptor != null) {
- encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv));
- key_data = encryptor.doFinal(unwrappedSecData);
-
- } else {
- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
- serialno.toString(), "Failed to create cipher encrypting asymmetric key");
- throw new IOException("Failed to create cipher encrypting asymmetric key");
- }
-
+ key_data = encryptWithSymmetricKey(ct, unwrappedSess, unwrappedSecData,
+ new IVParameterSpec(iv), wrapParams);
 } else {
 unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey,
 SymmetricKey.Usage.WRAP, wrapParams);
- KeyWrapper wrapper = ct.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
- wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv));
- key_data = wrapper.wrap(privateKey);
+ key_data = wrapWithSymmetricKey(ct, unwrappedSess, privateKey, new IVParameterSpec(iv), wrapParams);
 }
 } catch (Exception e) {
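Review bot: The rewritten debug message `CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key.");` is misleading in this branch: the context line above says this is the "wrap or encrypt stored private key" path and the removed error text referred to the asymmetric key, so the new wording reads like a copy from the symmetric-key branch and will send whoever is reading a debug log on a failed recovery to the wrong code path. Suggest `CMS.debug("SecurityDataProcessor.recover(): encrypt private key with session key.");`. The enclosing try block and its catch body continue outside the hunk.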
@@ -598,6 +566,44 @@ public class SecurityDataProcessor {
 return false; //return true ? TODO
 }
+ private byte[] decryptWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, byte[] data, IVParameterSpec iv,
+ WrappingParams params) throws Exception {
+ Cipher decryptor = ct.getCipherContext(params.getPayloadEncryptionAlgorithm());
+ if (decryptor == null)
+ throw new IOException("Failed to create decryptor");
+ decryptor.initDecrypt(wrappingKey, iv);
+ return decryptor.doFinal(data);
+ }
+
+ private byte[] wrapWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, SymmetricKey data,
+ IVParameterSpec iv, WrappingParams params) throws Exception {
+ KeyWrapper wrapper = ct.getKeyWrapper(params.getPayloadWrapAlgorithm());
+ if (wrapper == null)
+ throw new IOException("Failed to create key wrapper");
+ wrapper.initWrap(wrappingKey, iv);
+ return wrapper.wrap(data);
+ }
+
+ private byte[] wrapWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, PrivateKey data,
+ IVParameterSpec iv, WrappingParams params) throws Exception {
+ KeyWrapper wrapper = ct.getKeyWrapper(params.getPayloadWrapAlgorithm());
+ if (wrapper == null)
+ throw new IOException("Failed to create key wrapper");
+ wrapper.initWrap(wrappingKey, iv);
+ return wrapper.wrap(data);
+ }
+
+ private byte[] encryptWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, byte[] data, IVParameterSpec iv,
+ WrappingParams params) throws Exception {
+ Cipher encryptor = ct.getCipherContext(params.getPayloadEncryptionAlgorithm());
+
+ if (encryptor == null)
+ throw new IOException("Failed to create cipher");
+
+ encryptor.initEncrypt(wrappingKey, iv);
+ return encryptor.doFinal(data);
+ }
+
 public SymmetricKey recoverSymKey(KeyRecord keyRecord) throws EBaseException { |
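Review bot: The four new helpers carry no documentation, and their contract now has a coupling the old inline code did not: the algorithm comes from `params` while the IV comes from the caller, so a Javadoc on each should state that `iv` must be sized for the algorithm returned by `params.getPayloadEncryptionAlgorithm()` or `params.getPayloadWrapAlgorithm()`, that `params` must be non-null (it is dereferenced unguarded on the first line of every helper), and that `wrappingKey` must have been unwrapped with the matching `SymmetricKey.Usage`. A leading `Objects.requireNonNull(params, "params");` in each helper would turn a bare NullPointerException into a named precondition failure that the catch blocks in `recover()` can audit meaningfully. The two `wrapWithSymmetricKey` overloads are identical apart from the type of `data`; if the `KeyWrapper.wrap` overloads they dispatch to accept a common supertype, collapse them, otherwise a one-line comment explaining why both exist would spare the next reader the comparison. The `recoverSymKey` signature at the end of the hunk opens a method that continues outside it.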
