diff options
| author | Ade Lee <alee@redhat.com> | 2017-03-08 23:46:30 -0500 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-03-14 17:10:28 -0400 |
| commit | 7e42ef2f63a73931610252db3e30b8a7357e4425 (patch) | |
| tree | 719b1af07a52931038993c12633c8963165dff6f | |
| parent | 5fb045fe888000d447cf56079b0404410adea70a (diff) | |
| download | pki-7e42ef2f63a73931610252db3e30b8a7357e4425.tar.gz pki-7e42ef2f63a73931610252db3e30b8a7357e4425.tar.xz pki-7e42ef2f63a73931610252db3e30b8a7357e4425.zip | |
Refactor crypto code
Move some of the crypto functions in EncryptionUnit to CryptoUtil.
Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
13 files changed, 244 insertions, 376 deletions
diff --git a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java index 7c20e5cf4..a2d204347 100644 --- a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java +++ b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java @@ -1,26 +1,19 @@ package com.netscape.certsrv.util; -import java.io.CharConversionException; import java.io.File; -import java.io.IOException; import java.security.GeneralSecurityException; -import java.security.InvalidAlgorithmParameterException; -import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; -import java.security.cert.CertificateEncodingException; import org.mozilla.jss.CertDatabaseException; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.CryptoManager.NotInitializedException; import org.mozilla.jss.KeyDatabaseException; -import org.mozilla.jss.asn1.InvalidBERException; import org.mozilla.jss.crypto.AlreadyInitializedException; -import org.mozilla.jss.crypto.BadPaddingException; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; -import org.mozilla.jss.crypto.IllegalBlockSizeException; import org.mozilla.jss.crypto.KeyGenAlgorithm; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.SymmetricKey; import org.mozilla.jss.crypto.TokenException; import org.mozilla.jss.util.IncorrectPasswordException; @@ -110,7 +103,7 @@ public class NSSCryptoProvider extends CryptoProvider { if (token == null) { throw new NotInitializedException(); } - return CryptoUtil.generateKey(token, getKeyGenAlgorithm(keyAlgorithm), keySize); + return CryptoUtil.generateKey(token, getKeyGenAlgorithm(keyAlgorithm), keySize, null, false); } @Override @@ -142,7 +135,7 @@ public class NSSCryptoProvider extends CryptoProvider { if (token == null) { throw new NotInitializedException(); } - return CryptoUtil.unwrapUsingSymmetricKey(token, new IVParameterSpec(nonceData), wrappedRecoveredKey, + return CryptoUtil.decryptUsingSymmetricKey(token, new IVParameterSpec(nonceData), wrappedRecoveredKey, recoveryKey, getEncryptionAlgorithm(encryptionAlgorithm)); } @@ -211,10 +204,7 @@ public class NSSCryptoProvider extends CryptoProvider { @Override public byte[] createPKIArchiveOptions(String transportCert, SymmetricKey secret, String passphrase, - String keyAlgorithm, int symKeySize, byte[] nonceData) throws InvalidKeyException, - CertificateEncodingException, CharConversionException, NoSuchAlgorithmException, - InvalidAlgorithmParameterException, IllegalStateException, TokenException, IOException, - IllegalBlockSizeException, BadPaddingException, InvalidBERException { + String keyAlgorithm, int symKeySize, byte[] nonceData) throws Exception { return CryptoUtil.createPKIArchiveOptions(manager, token, transportCert, secret, passphrase, getKeyGenAlgorithm(keyAlgorithm), symKeySize, new IVParameterSpec(nonceData)); @@ -222,8 +212,13 @@ public class NSSCryptoProvider extends CryptoProvider { @Override public byte[] wrapWithSessionKey(SymmetricKey secret, SymmetricKey sessionKey, byte[] iv) - throws InvalidKeyException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, TokenException { - return CryptoUtil.wrapSymmetricKey(token, secret, sessionKey, new IVParameterSpec(iv)); + throws Exception { + return CryptoUtil.wrapUsingSymmetricKey( + token, + sessionKey, + secret, + new IVParameterSpec(iv), + KeyWrapAlgorithm.DES3_CBC_PAD); } } diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java index 8d5bd1f8a..0a05a395a 100644 --- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java @@ -59,7 +59,6 @@ import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.KeyPairAlgorithm; import org.mozilla.jss.crypto.KeyPairGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.Signature; import org.mozilla.jss.crypto.SignatureAlgorithm; import org.mozilla.jss.crypto.SymmetricKey; @@ -551,9 +550,12 @@ public class CRMFPopClient { public byte[] wrapPrivateKey(CryptoToken token, SymmetricKey sessionKey, byte[] iv, KeyPair keyPair) throws Exception { // wrap private key using session - KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper.initWrap(sessionKey, new IVParameterSpec(iv)); - return wrapper.wrap((org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate()); + return CryptoUtil.wrapUsingSymmetricKey( + token, + sessionKey, + (org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate(), + new IVParameterSpec(iv), + KeyWrapAlgorithm.DES3_CBC_PAD); } public byte[] wrapSessionKey(CryptoToken token, X509Certificate transportCert, SymmetricKey sessionKey) throws Exception { @@ -561,9 +563,7 @@ public class CRMFPopClient { // wrap session key using KRA transport cert // currently, a transport cert has to be an RSA cert, // regardless of the key you are wrapping - KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); - wrapper.initWrap(transportCert.getPublicKey(), null); - return wrapper.wrap(sessionKey); + return CryptoUtil.wrapUsingPublicKey(token, transportCert.getPublicKey(), sessionKey, KeyWrapAlgorithm.RSA); } public CertRequest createCertRequest( diff --git a/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java b/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java index 03a0729e7..6c835b439 100644 --- a/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java +++ b/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java @@ -3,7 +3,6 @@ package com.netscape.cms.servlet.test; import java.io.BufferedInputStream; import java.io.BufferedOutputStream; import java.io.BufferedWriter; -import java.io.CharConversionException; import java.io.File; import java.io.FileInputStream; import java.io.FileOutputStream; @@ -11,10 +10,6 @@ import java.io.FileWriter; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; -import java.security.InvalidAlgorithmParameterException; -import java.security.InvalidKeyException; -import java.security.NoSuchAlgorithmException; -import java.security.cert.CertificateEncodingException; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.CommandLineParser; @@ -23,16 +18,11 @@ import org.apache.commons.cli.Options; import org.apache.commons.cli.ParseException; import org.apache.commons.cli.PosixParser; import org.mozilla.jss.CryptoManager; -import org.mozilla.jss.asn1.InvalidBERException; import org.mozilla.jss.crypto.AlreadyInitializedException; -import org.mozilla.jss.crypto.BadPaddingException; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.IVParameterSpec; -import org.mozilla.jss.crypto.IllegalBlockSizeException; import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.SymmetricKey; -import org.mozilla.jss.crypto.SymmetricKey.NotExtractableException; -import org.mozilla.jss.crypto.TokenException; import org.mozilla.jss.util.Password; import com.netscape.cmsutil.crypto.CryptoUtil; @@ -101,10 +91,7 @@ public class GeneratePKIArchiveOptions { out.close(); } - public static void main(String args[]) throws InvalidKeyException, CertificateEncodingException, - CharConversionException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, - IllegalStateException, TokenException, IOException, IllegalBlockSizeException, BadPaddingException, - InvalidBERException, NotExtractableException { + public static void main(String args[]) throws Exception { String token_pwd = null; String db_dir = "./"; String out_file = "./options.out"; @@ -199,7 +186,7 @@ public class GeneratePKIArchiveOptions { // Data to be archived SymmetricKey vek = null; if (!passphraseMode) { - vek = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0); + vek = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, false); // store vek in file write_file(Utils.base64encode(vek.getKeyData()), key_file); } diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java index 8c7613ebb..9500d9018 100644 --- a/base/kra/src/com/netscape/kra/EncryptionUnit.java +++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java @@ -19,7 +19,6 @@ package com.netscape.kra; import java.security.PublicKey; -import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; @@ -98,27 +97,6 @@ public abstract class EncryptionUnit implements IEncryptionUnit { // Crypto specific methods below here ... ////////////////////////////////////////////////////////////////////////////////////////////////////////////// - protected SymmetricKey generate_session_key(CryptoToken token, boolean temporary, WrappingParams params, - SymmetricKey.Usage[] usages) throws Exception { - org.mozilla.jss.crypto.KeyGenerator kg = token.getKeyGenerator(params.getSkKeyGenAlgorithm()); - if (usages != null) - kg.setKeyUsages(usages); - kg.temporaryKeys(temporary); - if (params.getSkLength() > 0) - kg.initialize(params.getSkLength()); - SymmetricKey sk = kg.generate(); - CMS.debug("EncryptionUnit:generate_session_key() session key generated on slot: " + token.getName()); - return sk; - } - - protected byte[] wrap_session_key(CryptoToken token, PublicKey wrappingKey, SymmetricKey sessionKey, - WrappingParams params) throws Exception { - KeyWrapper rsaWrap = token.getKeyWrapper(params.getSkWrapAlgorithm()); - rsaWrap.initWrap(wrappingKey, null); - byte session[] = rsaWrap.wrap(sessionKey); - return session; - } - protected SymmetricKey unwrap_session_key(CryptoToken token, byte[] wrappedSessionKey, SymmetricKey.Usage usage, PrivateKey wrappingKey, WrappingParams params) { try { @@ -139,13 +117,6 @@ public abstract class EncryptionUnit implements IEncryptionUnit { } } - protected byte[] wrap_symmetric_key(CryptoToken token, SymmetricKey sessionKey, SymmetricKey data, - WrappingParams params) throws Exception { - KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm()); - wrapper.initWrap(sessionKey, params.getPayloadWrappingIV()); - return wrapper.wrap(data); - } - protected SymmetricKey unwrap_symmetric_key(CryptoToken token, SymmetricKey.Type algorithm, int strength, SymmetricKey.Usage usage, SymmetricKey sessionKey, byte[] wrappedData, WrappingParams params) throws Exception { @@ -155,13 +126,6 @@ public abstract class EncryptionUnit implements IEncryptionUnit { return symKey; } - protected byte[] wrap_private_key(CryptoToken token, SymmetricKey sessionKey, PrivateKey data, - WrappingParams params) throws Exception { - KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm()); - wrapper.initWrap(sessionKey, params.getPayloadWrappingIV()); - return wrapper.wrap(data); - } - protected PrivateKey unwrap_private_key(CryptoToken token, PublicKey pubKey, boolean temporary, SymmetricKey sessionKey, byte[] wrappedData, WrappingParams params) throws Exception { @@ -188,20 +152,4 @@ public abstract class EncryptionUnit implements IEncryptionUnit { } return pk; } - - protected byte[] encrypt_private_key(CryptoToken token, SymmetricKey sessionKey, byte[] data, WrappingParams params) - throws Exception { - Cipher cipher = token.getCipherContext(params.getPayloadEncryptionAlgorithm()); - cipher.initEncrypt(sessionKey, params.getPayloadEncryptionIV()); - byte pri[] = cipher.doFinal(data); - return pri; - } - - protected byte[] decrypt_private_key(CryptoToken token, SymmetricKey sessionKey, - byte[] encryptedData, WrappingParams params) throws Exception { - Cipher cipher = token.getCipherContext(params.getPayloadEncryptionAlgorithm()); - cipher.initDecrypt(sessionKey, params.getPayloadEncryptionIV()); - return cipher.doFinal(encryptedData); - } - } diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index da227a113..d6b456b66 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -31,7 +31,6 @@ import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import org.mozilla.jss.asn1.ASN1Util; -import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; @@ -39,7 +38,6 @@ import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyPairAlgorithm; import org.mozilla.jss.crypto.KeyPairGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.PQGParamGenException; import org.mozilla.jss.crypto.PQGParams; import org.mozilla.jss.crypto.PrivateKey; @@ -326,23 +324,6 @@ public class NetkeyKeygenService implements IService { } } - // this encrypts bytes with a symmetric key - public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token, - IVParameterSpec IV) { - try { - Cipher cipher = token.getCipherContext( - EncryptionAlgorithm.DES3_CBC_PAD); - - cipher.initEncrypt(symKey, IV); - byte pri[] = cipher.doFinal(toBeEncrypted); - return pri; - } catch (Exception e) { - CMS.debug("NetkeyKeygenService:initEncrypt() threw exception: " + e.toString()); - return null; - } - - } - /** * Services an archival request from netkey. * <P> @@ -540,14 +521,16 @@ public class NetkeyKeygenService implements IService { // 3 wrapping should be done in HSM // wrap private key with DES - KeyWrapper symWrap = - keygenToken.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); CMS.debug("NetkeyKeygenService: wrapper token=" + keygenToken.getName()); - CMS.debug("NetkeyKeygenService: got key wrapper"); - CMS.debug("NetkeyKeygenService: key transport key is on slot: " + sk.getOwningToken().getName()); - symWrap.initWrap(sk, algParam); - byte wrapped[] = symWrap.wrap((PrivateKey) privKey); + + byte[] wrapped = CryptoUtil.wrapUsingSymmetricKey( + keygenToken, + sk, + (PrivateKey) privKey, + algParam, + KeyWrapAlgorithm.DES3_CBC_PAD); + /* CMS.debug("NetkeyKeygenService: wrap called"); CMS.debug(wrapped); diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index 74a3bb75c..f9dc110c6 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java @@ -1,11 +1,7 @@ package com.netscape.kra; import java.io.ByteArrayOutputStream; -import java.io.CharConversionException; -import java.io.IOException; import java.math.BigInteger; -import java.security.InvalidAlgorithmParameterException; -import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; import java.security.spec.AlgorithmParameterSpec; @@ -16,20 +12,16 @@ import java.util.Random; import javax.crypto.spec.RC2ParameterSpec; import org.dogtagpki.server.kra.rest.KeyRequestService; -import org.mozilla.jss.CryptoManager; import org.mozilla.jss.asn1.OCTET_STRING; -import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.PBEAlgorithm; import org.mozilla.jss.crypto.PBEKeyGenParams; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.SymmetricKey; -import org.mozilla.jss.crypto.TokenException; import org.mozilla.jss.pkcs12.PasswordConverter; import org.mozilla.jss.pkcs7.ContentInfo; import org.mozilla.jss.pkcs7.EncryptedContentInfo; @@ -53,6 +45,7 @@ import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmscore.dbs.KeyRecord; +import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Utils; import netscape.security.util.DerValue; @@ -456,8 +449,14 @@ public class SecurityDataProcessor { try { unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.DECRYPT, wrapParams); - unwrappedPass = decryptWithSymmetricKey(ct, unwrappedSess, wrappedPassPhrase, - new IVParameterSpec(iv_in), wrapParams); + + unwrappedPass = CryptoUtil.decryptUsingSymmetricKey( + ct, + wrapParams.getPayloadEncryptionIV(), + wrappedPassPhrase, + unwrappedSess, + wrapParams.getPayloadEncryptionAlgorithm()); + String passStr = new String(unwrappedPass, "UTF-8"); pass = new Password(passStr.toCharArray()); passStr = null; @@ -520,12 +519,21 @@ public class SecurityDataProcessor { CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key with session key as per allowEncDecrypt_recovery: true."); unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.ENCRYPT, wrapParams); - key_data = encryptWithSymmetricKey(ct, unwrappedSess, unwrappedSecData, wrapParams); - + key_data = CryptoUtil.encryptUsingSymmetricKey( + ct, + unwrappedSess, + unwrappedSecData, + wrapParams.getPayloadEncryptionAlgorithm(), + wrapParams.getPayloadEncryptionIV()); } else { unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.WRAP, wrapParams); - key_data = wrapWithSymmetricKey(ct, unwrappedSess, symKey, new IVParameterSpec(iv), wrapParams); + key_data = CryptoUtil.wrapUsingSymmetricKey( + ct, + unwrappedSess, + symKey, + wrapParams.getPayloadWrappingIV(), + wrapParams.getPayloadWrapAlgorithm()); } } catch (Exception e) { @@ -540,7 +548,12 @@ public class SecurityDataProcessor { unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.ENCRYPT, wrapParams); - key_data = encryptWithSymmetricKey(ct, unwrappedSess, unwrappedSecData, wrapParams); + key_data = CryptoUtil.encryptUsingSymmetricKey( + ct, + unwrappedSess, + unwrappedSecData, + wrapParams.getPayloadEncryptionAlgorithm(), + wrapParams.getPayloadEncryptionIV()); } catch (Exception e) { auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), "Cannot encrypt passphrase"); @@ -554,11 +567,23 @@ public class SecurityDataProcessor { CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key."); unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.ENCRYPT, wrapParams); - key_data = encryptWithSymmetricKey(ct, unwrappedSess, unwrappedSecData, wrapParams); + + key_data = CryptoUtil.encryptUsingSymmetricKey( + ct, + unwrappedSess, + unwrappedSecData, + wrapParams.getPayloadEncryptionAlgorithm(), + wrapParams.getPayloadEncryptionIV()); + } else { unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.WRAP, wrapParams); - key_data = wrapWithSymmetricKey(ct, unwrappedSess, privateKey, wrapParams); + key_data = CryptoUtil.wrapUsingSymmetricKey( + ct, + unwrappedSess, + privateKey, + wrapParams.getPayloadWrappingIV(), + wrapParams.getPayloadWrapAlgorithm()); } } catch (Exception e) { @@ -600,44 +625,6 @@ public class SecurityDataProcessor { return iv; } - private byte[] decryptWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, byte[] data, IVParameterSpec iv, - WrappingParams params) throws Exception { - Cipher decryptor = ct.getCipherContext(params.getPayloadEncryptionAlgorithm()); - if (decryptor == null) - throw new IOException("Failed to create decryptor"); - decryptor.initDecrypt(wrappingKey, iv); - return decryptor.doFinal(data); - } - - private byte[] wrapWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, SymmetricKey data, - IVParameterSpec iv, WrappingParams params) throws Exception { - KeyWrapper wrapper = ct.getKeyWrapper(params.getPayloadWrapAlgorithm()); - if (wrapper == null) - throw new IOException("Failed to create key wrapper"); - wrapper.initWrap(wrappingKey, iv); - return wrapper.wrap(data); - } - - private byte[] wrapWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, PrivateKey data, - WrappingParams params) throws Exception { - KeyWrapper wrapper = ct.getKeyWrapper(params.getPayloadWrapAlgorithm()); - if (wrapper == null) - throw new IOException("Failed to create key wrapper"); - wrapper.initWrap(wrappingKey, params.getPayloadWrappingIV()); - return wrapper.wrap(data); - } - - private byte[] encryptWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, byte[] data, WrappingParams params) - throws Exception { - Cipher encryptor = ct.getCipherContext(params.getPayloadEncryptionAlgorithm()); - - if (encryptor == null) - throw new IOException("Failed to create cipher"); - - encryptor.initEncrypt(wrappingKey, params.getPayloadEncryptionIV()); - return encryptor.doFinal(data); - } - public SymmetricKey recoverSymKey(KeyRecord keyRecord) throws EBaseException { @@ -674,9 +661,7 @@ public class SecurityDataProcessor { int iterationCount, KeyGenerator.CharToByteConverter charToByteConverter, SymmetricKey symKey, PrivateKey privateKey, CryptoToken token) - throws CryptoManager.NotInitializedException, NoSuchAlgorithmException, - InvalidKeyException, InvalidAlgorithmParameterException, TokenException, - CharConversionException { + throws Exception { if (keyGenAlg == null) { throw new NoSuchAlgorithmException("Key generation algorithm is NULL"); @@ -702,14 +687,13 @@ public class SecurityDataProcessor { kg.generatePBE_IV()); } - KeyWrapper wrapper = token.getKeyWrapper( - KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper.initWrap(key, params); byte[] encrypted = null; if (symKey != null) { - encrypted = wrapper.wrap(symKey); + encrypted = CryptoUtil.wrapUsingSymmetricKey(token, key, symKey, (IVParameterSpec) params, + KeyWrapAlgorithm.DES3_CBC_PAD); } else if (privateKey != null) { - encrypted = wrapper.wrap(privateKey); + encrypted = CryptoUtil.wrapUsingSymmetricKey(token, key, privateKey, (IVParameterSpec) params, + KeyWrapAlgorithm.DES3_CBC_PAD); } if (encrypted == null) { //TODO - think about the exception to be thrown diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java index 02ceb11d5..f7638c7fb 100644 --- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java +++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java @@ -466,30 +466,16 @@ public class StorageKeyUnit extends EncryptionUnit implements try { // move public & private to config/storage.dat // delete private key - KeyWrapper wrapper = token.getKeyWrapper( + return CryptoUtil.wrapUsingSymmetricKey( + token, + sk, + pri, + IV, KeyWrapAlgorithm.DES3_CBC_PAD); - - // next to randomly generate a symmetric - // password - - wrapper.initWrap(sk, IV); - return wrapper.wrap(pri); - } catch (TokenException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "wrapStorageKey:" + - e.toString())); - } catch (NoSuchAlgorithmException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "wrapStorageKey:" + - e.toString())); - } catch (InvalidKeyException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "wrapStorageKey:" + - e.toString())); - } catch (InvalidAlgorithmParameterException e) { + } catch (Exception e) { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", "wrapStorageKey:" + - e.toString())); + e.toString()), e); } } @@ -1031,13 +1017,27 @@ public class StorageKeyUnit extends EncryptionUnit implements WrappingParams params = getWrappingParams(); // (1) generate session key - SymmetricKey sk = generate_session_key(internalToken, false, params, null); + SymmetricKey sk = CryptoUtil.generateKey( + internalToken, + params.getSkKeyGenAlgorithm(), + params.getSkLength(), + null, + false); // (2) wrap private key with session key - byte[] pri = encrypt_private_key(internalToken, sk, priKey, params); + byte[] pri = CryptoUtil.encryptUsingSymmetricKey( + internalToken, + sk, + priKey, + params.getPayloadEncryptionAlgorithm(), + params.getPayloadEncryptionIV()); // (3) wrap session with storage public - byte[] session = wrap_session_key(internalToken, getPublicKey(), sk, params); + byte[] session = CryptoUtil.wrapUsingPublicKey( + internalToken, + getPublicKey(), + sk, + params.getSkWrapAlgorithm()); // use MY own structure for now: // SEQUENCE { @@ -1080,7 +1080,12 @@ public class StorageKeyUnit extends EncryptionUnit implements usages[1] = SymmetricKey.Usage.UNWRAP; // (1) generate session key - SymmetricKey sk = generate_session_key(token, true, params, usages); + SymmetricKey sk = CryptoUtil.generateKey( + token, + params.getSkKeyGenAlgorithm(), + params.getSkLength(), + usages, + true); // (2) wrap private key with session key // KeyWrapper wrapper = internalToken.getKeyWrapper( @@ -1088,14 +1093,28 @@ public class StorageKeyUnit extends EncryptionUnit implements byte pri[] = null; if (priKey != null) { - pri = wrap_private_key(token, sk, priKey, params); + pri = CryptoUtil.wrapUsingSymmetricKey( + token, + sk, + priKey, + params.getPayloadWrappingIV(), + params.getPayloadWrapAlgorithm()); } else if (symmKey != null) { - pri = wrap_symmetric_key(token, sk, symmKey, params); + pri = CryptoUtil.wrapUsingSymmetricKey( + token, + sk, + symmKey, + params.getPayloadWrappingIV(), + params.getPayloadWrapAlgorithm()); } CMS.debug("EncryptionUnit:wrap() privKey wrapped"); - byte[] session = wrap_session_key(token, getPublicKey(), sk, params); + byte[] session = CryptoUtil.wrapUsingPublicKey( + token, + getPublicKey(), + sk, + params.getSkWrapAlgorithm()); CMS.debug("EncryptionUnit:wrap() session key wrapped"); // use MY own structure for now: @@ -1136,7 +1155,12 @@ public class StorageKeyUnit extends EncryptionUnit implements SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.DECRYPT, params); // (2) decrypt the private key - return decrypt_private_key(token, sk, pri, params); + return CryptoUtil.decryptUsingSymmetricKey( + token, + params.getPayloadEncryptionIV(), + pri, + sk, + params.getPayloadEncryptionAlgorithm()); } public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize, diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java index 17475d922..94301b662 100644 --- a/base/kra/src/com/netscape/kra/SymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java @@ -17,10 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; -import java.io.CharConversionException; import java.math.BigInteger; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Arrays; import java.util.List; @@ -28,9 +25,7 @@ import java.util.List; import org.apache.commons.lang.StringUtils; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.KeyGenAlgorithm; -import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.SymmetricKey; -import org.mozilla.jss.crypto.TokenException; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; @@ -46,6 +41,7 @@ import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.cms.servlet.key.KeyRequestDAO; import com.netscape.cmscore.dbs.KeyRecord; +import com.netscape.cmsutil.crypto.CryptoUtil; /** * This implementation implements SecurityData archival operations. @@ -154,21 +150,13 @@ public class SymKeyGenService implements IService { SymmetricKey sk = null; try { - KeyGenerator kg = token.getKeyGenerator(kgAlg); - kg.setKeyUsages(keyUsages); - kg.temporaryKeys(true); - if (kgAlg == KeyGenAlgorithm.AES || kgAlg == KeyGenAlgorithm.RC4 - || kgAlg == KeyGenAlgorithm.RC2) { - kg.initialize(keySize); - } - sk = kg.generate(); + sk = CryptoUtil.generateKey(token, kgAlg, keySize, keyUsages, true); CMS.debug("SymKeyGenService:wrap() session key generated on slot: " + token.getName()); - } catch (TokenException | IllegalStateException | CharConversionException | NoSuchAlgorithmException - | InvalidAlgorithmParameterException e) { + } catch (Exception e) { CMS.debugStackTrace(); auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), clientKeyId, null, "Failed to generate symmetric key"); - throw new EBaseException("Errors in generating symmetric key: " + e); + throw new EBaseException("Errors in generating symmetric key: " + e, e); } byte[] publicKey = null; diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index c08369271..6494c36ef 100644 --- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java @@ -27,13 +27,11 @@ import java.security.PublicKey; import java.security.SecureRandom; import java.util.Hashtable; -import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.PrivateKey.Type; import org.mozilla.jss.crypto.SymmetricKey; @@ -54,6 +52,7 @@ import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmscore.dbs.KeyRecord; +import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Cert; import netscape.security.util.BigInt; @@ -170,23 +169,6 @@ public class TokenKeyRecoveryService implements IService { } } - // this encrypts bytes with a symmetric key - public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token, - IVParameterSpec IV) { - try { - Cipher cipher = token.getCipherContext( - EncryptionAlgorithm.DES3_CBC_PAD); - - cipher.initEncrypt(symKey, IV); - byte pri[] = cipher.doFinal(toBeEncrypted); - return pri; - } catch (Exception e) { - CMS.debug("initEncrypt() threw exception: " + e.toString()); - return null; - } - - } - /** * Processes a recovery request. The method reads * the key record from the database, and tries to recover the @@ -364,8 +346,6 @@ public class TokenKeyRecoveryService implements IService { CMS.debug("TokenKeyRecoveryService: got token slot:" + token.getName()); IVParameterSpec algParam = new IVParameterSpec(iv); - Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); - KeyRecord keyRecord = null; CMS.debug("KRA reading key record"); try { @@ -512,8 +492,12 @@ public class TokenKeyRecoveryService implements IService { } //encrypt and put in private key - cipher.initEncrypt(sk, algParam); - wrapped = cipher.doFinal(privateKeyData); + wrapped = CryptoUtil.encryptUsingSymmetricKey( + token, + sk, + privateKeyData, + EncryptionAlgorithm.DES3_CBC_PAD, + algParam); } else { //allowEncDecrypt_recovery == false PrivateKey privKey = recoverKey(params, keyRecord, allowEncDecrypt_recovery); if (privKey == null) { @@ -531,11 +515,14 @@ public class TokenKeyRecoveryService implements IService { } CMS.debug("TokenKeyRecoveryService: about to wrap..."); - KeyWrapper wrapper = token.getKeyWrapper( - KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper.initWrap(sk, algParam); - wrapped = wrapper.wrap(privKey); + wrapped = CryptoUtil.wrapUsingSymmetricKey( + token, + sk, + privKey, + algParam, + KeyWrapAlgorithm.DES3_CBC_PAD); + iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); request.setExtData("iv_s", iv_s); } diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java index d71853b81..03f0a900c 100644 --- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java +++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java @@ -35,6 +35,7 @@ import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.certsrv.security.WrappingParams; +import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Cert; /** @@ -295,7 +296,12 @@ public class TransportKeyUnit extends EncryptionUnit implements wrappingKey, params); - return decrypt_private_key(token, sk, encValue, params); + return CryptoUtil.decryptUsingSymmetricKey( + token, + params.getPayloadEncryptionIV(), + encValue, + sk, + params.getPayloadEncryptionAlgorithm()); } /** diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java index a2d18f166..9119d7779 100644 --- a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java +++ b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java @@ -1,9 +1,7 @@ package org.dogtagpki.server.tks.rest; import java.io.CharConversionException; -import java.io.IOException; import java.net.URI; -import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.Principal; @@ -25,7 +23,6 @@ import org.jboss.resteasy.plugins.providers.atom.Link; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.CryptoManager.NotInitializedException; import org.mozilla.jss.crypto.CryptoToken; -import org.mozilla.jss.crypto.InvalidKeyFormatException; import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.SymmetricKey; @@ -347,12 +344,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou return createOKResponse(keyData); - } catch (InvalidKeyException | IllegalStateException | NoSuchAlgorithmException - | InvalidAlgorithmParameterException | EBaseException - | NotInitializedException | TokenException | IOException | InvalidKeyFormatException e) { + } catch (Exception e) { e.printStackTrace(); CMS.debug("Error in generating and exporting shared secret: " + e); - throw new PKIException("Error in generating and exporting shared secret: " + e); + throw new PKIException("Error in generating and exporting shared secret: " + e, e); } } @@ -418,12 +413,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou return createOKResponse(keyData); - } catch (InvalidKeyException | IllegalStateException | NoSuchAlgorithmException - | InvalidAlgorithmParameterException | EBaseException - | NotInitializedException | TokenException | IOException | InvalidKeyFormatException e) { + } catch (Exception e) { e.printStackTrace(); CMS.debug("Error in replacing shared secret: " + e); - throw new PKIException("Error in replacing shared secret: " + e); + throw new PKIException("Error in replacing shared secret: " + e, e); } } @@ -504,12 +497,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou return createOKResponse(keyData); - } catch (InvalidKeyException | IllegalStateException | NoSuchAlgorithmException - | InvalidAlgorithmParameterException | EBaseException - | NotInitializedException | TokenException | IOException | InvalidKeyFormatException e) { + } catch (Exception e) { e.printStackTrace(); CMS.debug("Error in obtaining shared secret: " + e); - throw new PKIException("Error in obtaining shared secret: " + e); + throw new PKIException("Error in obtaining shared secret: " + e, e); } } diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index 57119ce2c..f98dcc80b 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -19,7 +19,6 @@ package com.netscape.cmsutil.crypto; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; -import java.io.CharConversionException; import java.io.FilterOutputStream; import java.io.IOException; import java.io.PrintStream; @@ -1614,25 +1613,18 @@ public class CryptoUtil { } } - /** - * Generates a symmetric key. - */ - public static SymmetricKey generateKey(CryptoToken token, - KeyGenAlgorithm alg, int keySize) - throws TokenException, NoSuchAlgorithmException, - IllegalStateException, InvalidAlgorithmParameterException { - try { - KeyGenerator kg = token.getKeyGenerator(alg); - if (alg == KeyGenAlgorithm.AES || alg == KeyGenAlgorithm.RC4 - || alg == KeyGenAlgorithm.RC2) { - kg.initialize(keySize); - } - - return kg.generate(); - } catch (CharConversionException e) { - throw new RuntimeException( - "CharConversionException while generating symmetric key"); + public static SymmetricKey generateKey(CryptoToken token, KeyGenAlgorithm alg, int keySize, + SymmetricKey.Usage[] usages, boolean temporary) throws Exception { + KeyGenerator kg = token.getKeyGenerator(alg); + if (usages != null) + kg.setKeyUsages(usages); + kg.temporaryKeys(temporary); + if (alg == KeyGenAlgorithm.AES || alg == KeyGenAlgorithm.RC4 + || alg == KeyGenAlgorithm.RC2) { + kg.initialize(keySize); } + + return kg.generate(); } /** @@ -1908,18 +1900,6 @@ public class CryptoUtil { return decodedData; } - public static byte[] unwrapUsingSymmetricKey(CryptoToken token, IVParameterSpec IV, byte[] wrappedRecoveredKey, - SymmetricKey recoveryKey, EncryptionAlgorithm alg) throws NoSuchAlgorithmException, TokenException, - BadPaddingException, - IllegalBlockSizeException, InvalidKeyException, InvalidAlgorithmParameterException { - - Cipher decryptor = token.getCipherContext(alg); - decryptor.initDecrypt(recoveryKey, IV); - byte[] unwrappedData = decryptor.doFinal(wrappedRecoveredKey); - - return unwrappedData; - } - public static byte[] wrapPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk, EncryptionAlgorithm alg) throws NoSuchAlgorithmException, TokenException, InvalidKeyException, @@ -1940,56 +1920,25 @@ public class CryptoUtil { } public static byte[] wrapSymmetricKey(CryptoManager manager, CryptoToken token, String transportCert, - SymmetricKey sk) throws CertificateEncodingException, TokenException, NoSuchAlgorithmException, - InvalidKeyException, InvalidAlgorithmParameterException { + SymmetricKey sk) throws Exception { byte transport[] = Utils.base64decode(transportCert); X509Certificate tcert = manager.importCACertPackage(transport); - KeyWrapper rsaWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA); - rsaWrap.initWrap(tcert.getPublicKey(), null); - byte session_data[] = rsaWrap.wrap(sk); - return session_data; - } - - /** - * Wrap a symmetric Key with a SymmetricKey - * - * @param token - * @param secret - * @param wrapper - * @return - * @throws TokenException - * @throws NoSuchAlgorithmException - * @throws InvalidAlgorithmParameterException - * @throws InvalidKeyException - */ - public static byte[] wrapSymmetricKey(CryptoToken token, SymmetricKey secret, SymmetricKey wrapper, - IVParameterSpec IV) throws NoSuchAlgorithmException, TokenException, InvalidKeyException, - InvalidAlgorithmParameterException { - KeyWrapper wrapper1 = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper1.initWrap(wrapper, IV); - byte[] keyData = wrapper1.wrap(secret); - - return keyData; + return wrapUsingPublicKey(token, tcert.getPublicKey(), sk, KeyWrapAlgorithm.RSA); } public static byte[] createPKIArchiveOptions(CryptoManager manager, CryptoToken token, String transportCert, - SymmetricKey vek, String passphrase, KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV) throws TokenException, - CharConversionException, - NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException, - CertificateEncodingException, IOException, IllegalStateException, IllegalBlockSizeException, - BadPaddingException, InvalidBERException { + SymmetricKey vek, String passphrase, KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV) + throws Exception { byte[] key_data = null; //generate session key - SymmetricKey sk = CryptoUtil.generateKey(token, keyGenAlg, symKeySize); + SymmetricKey sk = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false); if (passphrase != null) { key_data = wrapPassphrase(token, passphrase, IV, sk, EncryptionAlgorithm.DES3_CBC_PAD); } else { // wrap payload using session key - KeyWrapper wrapper1 = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper1.initWrap(sk, IV); - key_data = wrapper1.wrap(vek); + key_data = wrapUsingSymmetricKey(token, sk, vek, IV, KeyWrapAlgorithm.DES3_CBC_PAD); } // wrap session key using transport key @@ -2001,19 +1950,11 @@ public class CryptoUtil { public static byte[] createPKIArchiveOptions( CryptoToken token, PublicKey wrappingKey, PrivateKey toBeWrapped, KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV) - throws TokenException, NoSuchAlgorithmException, - InvalidAlgorithmParameterException, InvalidKeyException, - IOException, InvalidBERException { - SymmetricKey sessionKey = CryptoUtil.generateKey(token, keyGenAlg, symKeySize); - - KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper.initWrap(sessionKey, IV); - byte[] key_data = wrapper.wrap(toBeWrapped); - - wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); - wrapper.initWrap(wrappingKey, null); - byte session_data[] = wrapper.wrap(sessionKey); + throws Exception { + SymmetricKey sessionKey = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false); + byte[] key_data = wrapUsingSymmetricKey(token, sessionKey, toBeWrapped, IV, KeyWrapAlgorithm.DES3_CBC_PAD); + byte[] session_data = wrapUsingPublicKey(token, wrappingKey, sessionKey, KeyWrapAlgorithm.RSA); return createPKIArchiveOptions(IV, session_data, key_data); } @@ -2098,22 +2039,22 @@ public class CryptoUtil { km.deleteUniqueNamedKey(nickname); } - // Return a list of two wrapped keys: first element: temp DES3 key wrapped by cert , second element: shared secret wrapped by temp DES3 key - public static List<byte[]> exportSharedSecret(String nickname, java.security.cert.X509Certificate wrappingCert,SymmetricKey wrappingKey) - throws NotInitializedException, TokenException, IOException, NoSuchAlgorithmException, InvalidKeyException, - InvalidAlgorithmParameterException, InvalidKeyFormatException { + // Return a list of two wrapped keys: + // first element: temp DES3 key wrapped by cert , + // second element: shared secret wrapped by temp DES3 key + public static List<byte[]> exportSharedSecret(String nickname, java.security.cert.X509Certificate wrappingCert, + SymmetricKey wrappingKey) throws Exception { CryptoManager cm = CryptoManager.getInstance(); CryptoToken token = cm.getInternalKeyStorageToken(); List<byte[]> listWrappedKeys = new ArrayList<byte[]>(); - KeyManager km = new KeyManager(token); if (!km.uniqueNamedKeyExists(nickname)) { throw new IOException("Shared secret " + nickname + " does not exist"); } - SymmetricKey sharedSecretKey = null; + SymmetricKey sharedSecretKey = null; try { sharedSecretKey = getSymKeyByName(token, nickname); @@ -2125,25 +2066,18 @@ public class CryptoUtil { throw new IOException("Shared secret " + nickname + " does not exist"); } - KeyWrapper keyWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA); PublicKey pub = wrappingCert.getPublicKey(); PK11PubKey pubK = PK11PubKey.fromSPKI(pub.getEncoded()); - keyWrap.initWrap(pubK, null); //Wrap the temp DES3 key with the cert - byte[] wrappedKey = keyWrap.wrap(wrappingKey); - + byte[] wrappedKey = wrapUsingPublicKey(token, pubK, wrappingKey, KeyWrapAlgorithm.RSA); listWrappedKeys.add(wrappedKey); //Use the DES3 key to wrap the shared secret - KeyWrapper keyWrapSharedSecret = token.getKeyWrapper(KeyWrapAlgorithm.DES3_ECB); - keyWrapSharedSecret.initWrap(wrappingKey,null); - - byte[] wrappedSharedSecret = keyWrapSharedSecret.wrap(sharedSecretKey); - + byte[] wrappedSharedSecret = wrapUsingSymmetricKey(token, wrappingKey, sharedSecretKey, null, KeyWrapAlgorithm.DES3_ECB); listWrappedKeys.add(wrappedSharedSecret); - if(listWrappedKeys.size() != 2) { + if (listWrappedKeys.size() != 2) { throw new IOException("Can't write out shared secret data to export for nickname: " + nickname); } @@ -2236,6 +2170,46 @@ public class CryptoUtil { return vect; } + + ////////////////////////////////////////////////////////////////////////////////////////////// + //generic crypto operations + ////////////////////////////////////////////////////////////////////////////////////////////// + + public static byte[] decryptUsingSymmetricKey(CryptoToken token, IVParameterSpec ivspec, byte[] encryptedData, + SymmetricKey wrappingKey, EncryptionAlgorithm encryptionAlgorithm) throws Exception { + Cipher decryptor = token.getCipherContext(encryptionAlgorithm); + decryptor.initDecrypt(wrappingKey, ivspec); + return decryptor.doFinal(encryptedData); + } + + public static byte[] encryptUsingSymmetricKey(CryptoToken token, SymmetricKey wrappingKey, byte[] data, + EncryptionAlgorithm alg, IVParameterSpec ivspec) + throws Exception { + Cipher cipher = token.getCipherContext(alg); + cipher.initEncrypt(wrappingKey, ivspec); + return cipher.doFinal(data); + } + + public static byte[] wrapUsingSymmetricKey(CryptoToken token, SymmetricKey wrappingKey, SymmetricKey data, + IVParameterSpec ivspec, KeyWrapAlgorithm alg) throws Exception { + KeyWrapper wrapper = token.getKeyWrapper(alg); + wrapper.initWrap(wrappingKey, ivspec); + return wrapper.wrap(data); + } + + public static byte[] wrapUsingSymmetricKey(CryptoToken token, SymmetricKey wrappingKey, PrivateKey data, + IVParameterSpec ivspec, KeyWrapAlgorithm alg) throws Exception { + KeyWrapper wrapper = token.getKeyWrapper(alg); + wrapper.initWrap(wrappingKey, ivspec); + return wrapper.wrap(data); + } + + public static byte[] wrapUsingPublicKey(CryptoToken token, PublicKey wrappingKey, SymmetricKey data, + KeyWrapAlgorithm alg) throws Exception { + KeyWrapper rsaWrap = token.getKeyWrapper(alg); + rsaWrap.initWrap(wrappingKey, null); + return rsaWrap.wrap(data); + } } // START ENABLE_ECC diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java index 9adb62972..0b164aafc 100644 --- a/base/util/src/netscape/security/pkcs/PKCS12Util.java +++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java @@ -47,7 +47,6 @@ import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.InternalCertificate; import org.mozilla.jss.crypto.KeyGenAlgorithm; -import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.NoSuchItemOnTokenException; @@ -68,6 +67,8 @@ import org.mozilla.jss.util.Password; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.netscape.cmsutil.crypto.CryptoUtil; + import netscape.ldap.LDAPDN; import netscape.ldap.util.DN; import netscape.security.x509.X509CertImpl; @@ -114,18 +115,19 @@ public class PKCS12Util { } byte[] getEncodedKey(PrivateKey privateKey) throws Exception { - CryptoManager cm = CryptoManager.getInstance(); CryptoToken token = cm.getInternalKeyStorageToken(); - KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3); - SymmetricKey sk = kg.generate(); - - KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; IVParameterSpec param = new IVParameterSpec(iv); - wrapper.initWrap(sk, param); - byte[] enckey = wrapper.wrap(privateKey); + + SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true); + byte[] enckey = CryptoUtil.wrapUsingSymmetricKey( + token, + sk, + privateKey, + param, + KeyWrapAlgorithm.DES3_CBC_PAD); Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); c.initDecrypt(sk, param); @@ -592,6 +594,9 @@ public class PKCS12Util { logger.debug("Importing private key " + keyInfo.subjectDN); + byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + IVParameterSpec param = new IVParameterSpec(iv); + PrivateKeyInfo privateKeyInfo = keyInfo.privateKeyInfo; // encode private key @@ -622,13 +627,9 @@ public class PKCS12Util { } // encrypt private key - KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3); - SymmetricKey sk = kg.generate(); - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - IVParameterSpec param = new IVParameterSpec(iv); - Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); - c.initEncrypt(sk, param); - byte[] encpkey = c.doFinal(privateKey); + SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true); + byte[] encpkey = CryptoUtil.encryptUsingSymmetricKey( + token, sk, privateKey, EncryptionAlgorithm.DES3_CBC_PAD, param); // unwrap private key to load into database KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); |