Add config options to allow storage wrappings to be set

Wrapping params can now be specified in CS.cfg as per design.
The default will be AES.  If the parameters are not set, then the
old mechanism (DES) will be used instead.

A migration script will be created in a separate commit.

Change-Id: I01a74b99c4ed127d66e5b766357af59a1147839d

4 files changed, 70 insertions, 11 deletions

diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
index abb5f11a2..004fd8aa0 100644
--- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
+++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
@@ -61,7 +61,7 @@ public interface IEncryptionUnit extends IToken {
             SymmetricKey.Usage usage, WrappingParams params) throws Exception;
 
 
-    public WrappingParams getWrappingParams() throws EBaseException;
+    public WrappingParams getWrappingParams() throws Exception;
 
     public WrappingParams getOldWrappingParams();
 }
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index 5d310dba6..a6e915d33 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
@@ -269,6 +269,26 @@ kra.recoveryAgentGroup=Data Recovery Manager Agents
 kra.reqdbInc=20
 kra.entropy.bitsperkeypair=0
 kra.entropy.blockwarnms=0
+kra.storageUnit.wrapping.0.sessionKeyLength=168
+kra.storageUnit.wrapping.0.sessionKeyWrapAlgorithm=RSA
+kra.storageUnit.wrapping.0.payloadEncryptionPadding=PKCS5Padding
+kra.storageUnit.wrapping.0.sessionKeyKeyGenAlgorithm=DESede
+kra.storageUnit.wrapping.0.payloadEncryptionAlgorithm=DESede
+kra.storageUnit.wrapping.0.payloadEncryptionMode=CBC
+kra.storageUnit.wrapping.0.payloadEncryptionIV=AQEBAQEBAQE=
+kra.storageUnit.wrapping.0.payloadWrapAlgorithm=DES3/CBC/Pad
+kra.storageUnit.wrapping.0.payloadWrapIV=AQEBAQEBAQE=
+kra.storageUnit.wrapping.0.sessionKeyType=DESede
+kra.storageUnit.wrapping.1.sessionKeyLength=256
+kra.storageUnit.wrapping.1.sessionKeyWrapAlgorithm=RSA
+kra.storageUnit.wrapping.1.payloadEncryptionPadding=PKCS5Padding
+kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm=AES
+kra.storageUnit.wrapping.1.payloadEncryptionAlgorithm=AES
+kra.storageUnit.wrapping.1.payloadEncryptionMode=CBC
+kra.storageUnit.wrapping.1.payloadEncryptionIV=AQEBAQEBAQEBAQEBAQEBAQ==
+kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES KeyWrap/Padding
+kra.storageUnit.wrapping.1.sessionKeyType=AES
+kra.storageUnit.wrapping.choice=1
 kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_NAME]
 kra.transportUnit.nickName=transportCert cert-[PKI_INSTANCE_NAME]
 log._000=##
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
index 6d101089d..04f63a977 100644
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
@@ -66,11 +66,11 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
 
     public abstract PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert);
 
-    public abstract WrappingParams getWrappingParams() throws EBaseException;
+    public abstract WrappingParams getWrappingParams() throws Exception;
 
     public WrappingParams getOldWrappingParams() {
         return new WrappingParams(
-                SymmetricKey.DES3, KeyGenAlgorithm.DES3, 0,
+                SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
                 KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
                 KeyWrapAlgorithm.DES3_CBC_PAD, IV, IV);
     }
diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
index 8b4c801fb..0402ab70f 100644
--- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java
+++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
@@ -30,13 +30,15 @@ import java.util.Enumeration;
 import java.util.Hashtable;
 import java.util.Vector;
 
+import org.apache.commons.codec.binary.Base64;
 import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
 import org.mozilla.jss.crypto.BadPaddingException;
 import org.mozilla.jss.crypto.Cipher;
 import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.crypto.EncryptionAlgorithm;
+import org.mozilla.jss.crypto.IVParameterSpec;
 import org.mozilla.jss.crypto.IllegalBlockSizeException;
-import org.mozilla.jss.crypto.KeyGenAlgorithm;
 import org.mozilla.jss.crypto.KeyGenerator;
 import org.mozilla.jss.crypto.KeyWrapAlgorithm;
 import org.mozilla.jss.crypto.KeyWrapper;
@@ -62,6 +64,7 @@ import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.security.Credential;
 import com.netscape.certsrv.security.IStorageKeyUnit;
 import com.netscape.certsrv.security.WrappingParams;
+import com.netscape.cms.servlet.key.KeyRecordParser;
 import com.netscape.cmsutil.crypto.CryptoUtil;
 import com.netscape.cmsutil.util.Utils;
 
@@ -105,7 +108,7 @@ public class StorageKeyUnit extends EncryptionUnit implements
     public static final String PROP_KEYDB = "keydb";
     public static final String PROP_CERTDB = "certdb";
     public static final String PROP_MN = "mn";
-    public static final String PROP_OLD_WRAPPING = "useOldWrapping";
+    public static final String PROP_WRAPPING_CHOICE = "wrapping.choice";
 
     /**
      * Constructs this token.
@@ -130,15 +133,51 @@ public class StorageKeyUnit extends EncryptionUnit implements
         throw new EBaseException(CMS.getUserMessage("CMS_INVALID_OPERATION"));
     }
 
-    public WrappingParams getWrappingParams() throws EBaseException {
-        if (mConfig.getBoolean(PROP_OLD_WRAPPING, false)) {
+    public WrappingParams getWrappingParams() throws Exception {
+        String choice = null;
+        try {
+            choice = mConfig.getString(PROP_WRAPPING_CHOICE);
+        } catch (EBaseException e) {
+            // choice parameter does not exist
+            // this is probably an old server
+            // return the old params
             return this.getOldWrappingParams();
         }
 
-        return new WrappingParams(
-                SymmetricKey.AES, KeyGenAlgorithm.AES, 256,
-                KeyWrapAlgorithm.RSA, EncryptionAlgorithm.AES_256_CBC_PAD,
-                KeyWrapAlgorithm.AES_KEY_WRAP_PAD, IV2, null);
+        IConfigStore config = mConfig.getSubStore("wrapping." + choice);
+        if (config == null) {
+            throw new EBaseException("Invalid config: Wrapping parameters not defined");
+        }
+
+        WrappingParams params = new WrappingParams();
+        params.setSkType(config.getString(KeyRecordParser.OUT_SK_TYPE));
+        params.setSkLength(config.getInteger(KeyRecordParser.OUT_SK_LENGTH, 0));
+        params.setSkWrapAlgorithm(config.getString(KeyRecordParser.OUT_SK_WRAP_ALGORITHM));
+        params.setSkKeyGenAlgorithm(config.getString(KeyRecordParser.OUT_SK_KEYGEN_ALGORITHM));
+        params.setPayloadWrapAlgorithm(config.getString(KeyRecordParser.OUT_PL_WRAP_ALGORITHM));
+
+        if (config.getString(KeyRecordParser.OUT_PL_ENCRYPTION_OID, null) != null) {
+            String oidString = config.getString(KeyRecordParser.OUT_PL_ENCRYPTION_OID);
+            params.setPayloadEncryptionAlgorithm(EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oidString)));
+        } else {
+            params.setPayloadEncryptionAlgorithm(
+                config.getString(KeyRecordParser.OUT_PL_ENCRYPTION_ALGORITHM),
+                config.getString(KeyRecordParser.OUT_PL_ENCRYPTION_MODE),
+                config.getString(KeyRecordParser.OUT_PL_ENCRYPTION_PADDING),
+                config.getInteger(KeyRecordParser.OUT_SK_LENGTH));
+        }
+
+        if (config.getString(KeyRecordParser.OUT_PL_ENCRYPTION_IV, null) != null) {
+            byte[] iv = Base64.decodeBase64(config.getString(KeyRecordParser.OUT_PL_ENCRYPTION_IV));
+            params.setPayloadEncryptionIV(new IVParameterSpec(iv));
+        }
+
+        if (config.getString(KeyRecordParser.OUT_PL_WRAP_IV, null) != null) {
+            byte[] iv = Base64.decodeBase64(config.getString(KeyRecordParser.OUT_PL_WRAP_IV));
+            params.setPayloadWrappingIV(new IVParameterSpec(iv));
+        }
+
+        return params;
     }
 
     /**