authorAde Lee <alee@redhat.com>2017-02-21 13:17:57 -0500
committerAde Lee <alee@redhat.com>2017-02-28 12:20:12 -0500
commit7ea4774b5b9dbf2ba4410d0db58f76bbfd71ba55 (patch)
tree20f54d7a3c2993152d8224abd1ec01ec2ead5b14
parentaa742e5feb0342fa49a272afc81537d6b1f5a12e (diff)
Refactor exception handling in the EncryptionUnit
Exceptions should be bubbled up and not swallowed at the EncryptionUnit level. This will help in diagnosing issues.
-rw-r--r--base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java41
-rw-r--r--base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java4
-rw-r--r--base/kra/src/com/netscape/kra/AsymKeyGenService.java21
-rw-r--r--base/kra/src/com/netscape/kra/EncryptionUnit.java347
-rw-r--r--base/kra/src/com/netscape/kra/EnrollmentService.java150
-rw-r--r--base/kra/src/com/netscape/kra/NetkeyKeygenService.java13
-rw-r--r--base/kra/src/com/netscape/kra/RecoveryService.java48
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataProcessor.java99
-rw-r--r--base/kra/src/com/netscape/kra/SymKeyGenService.java13
-rw-r--r--base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java36
10 files changed, 380 insertions, 392 deletions
diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
index 822736c13..7f5e95ec3 100644
--- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
+++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
@@ -48,7 +48,7 @@ public interface IEncryptionUnit extends IToken {
* @return wrapped data
* @exception EBaseException failed to wrap
*/
- public byte[] wrap(PrivateKey priKey) throws EBaseException;
+ public byte[] wrap(PrivateKey priKey) throws Exception;
/**
* Wraps data. The given key will be wrapped by the
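Review bot: The Javadoc above `wrap(PrivateKey)` still reads `@exception EBaseException failed to wrap` although the signature now declares `throws Exception`; the same mismatch remains on `wrap(SymmetricKey)` in the next hunk and on `encryptInternalPrivate` further down. Change these to something like `@throws Exception if the key cannot be wrapped`, and give the bare `@throws Exception` tags added in the other hunks of this file a description too. Declaring plain `Exception` on the interface also obliges every caller to write `catch (Exception e)`, which catches unchecked exceptions as well; a narrower checked type, if one fits, would keep programming errors distinguishable from crypto failures.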
@@ -58,7 +58,7 @@ public interface IEncryptionUnit extends IToken {
* @return wrapped data
* @exception EBaseException failed to wrap
*/
- public byte[] wrap(SymmetricKey symKey) throws EBaseException;
+ public byte[] wrap(SymmetricKey symKey) throws Exception;
/**
* Verifies the given key pair.
@@ -79,12 +79,12 @@ public interface IEncryptionUnit extends IToken {
* @param privateKey private key data
* @param pubKey public key
* @return private key object
- * @exception EBaseException failed to unwrap
+ * @throws Exception
*/
public PrivateKey unwrap(byte sessionKey[], String symmAlgOID,
byte symmAlgParams[], byte privateKey[],
PublicKey pubKey)
- throws EBaseException;
+ throws Exception;
/**
* Unwraps data. This method rebuilds the private key by
@@ -95,12 +95,12 @@ public interface IEncryptionUnit extends IToken {
* @param pubKey public key
* @param transportCert transport certificate
* @return private key object
- * @exception EBaseException failed to unwrap
+ * @throws Exception
*/
public PrivateKey unwrap(byte encSymmKey[], String symmAlgOID,
byte symmAlgParams[], byte encValue[], PublicKey pubKey,
org.mozilla.jss.crypto.X509Certificate transportCert)
- throws EBaseException;
+ throws Exception;
/**
* Unwraps symmetric key data. This method rebuilds the symmetric key by
@@ -108,11 +108,11 @@ public interface IEncryptionUnit extends IToken {
*
* @param wrappedKeyData symmetric key data wrapped up with session key
* @return Symmetric key object
- * @exception EBaseException failed to unwrap
+ * @exception Exception failed to unwrap
*/
public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize)
- throws EBaseException;
+ throws Exception;
/**
* Unwraps symmetric key . This method
@@ -125,12 +125,12 @@ public interface IEncryptionUnit extends IToken {
* @param type symmetric key algorithm
* @param strength symmetric key strength in bytes
* @return Symmetric key object
- * @exception EBaseException failed to unwrap
+ * @throws Exception
*/
public SymmetricKey unwrap_symmetric(byte sessionKey[], String symmAlgOID,
byte symmAlgParams[], byte symmetricKey[], Type type, int strength)
- throws EBaseException;
+ throws Exception;
/**
* Unwraps symmetric key . This method
@@ -144,7 +144,7 @@ public interface IEncryptionUnit extends IToken {
SymmetricKey.Usage usage, WrappingParams params);
public PrivateKey unwrap_temp(byte privateKey[], PublicKey pubKey)
- throws EBaseException;
+ throws Exception;
/**
* Unwraps data. This method rebuilds the private key by
@@ -153,10 +153,10 @@ public interface IEncryptionUnit extends IToken {
* @param privateKey private key data
* @param pubKey public key object
* @return private key object
- * @exception EBaseException failed to unwrap
+ * @throws Exception
*/
public PrivateKey unwrap(byte privateKey[], PublicKey pubKey)
- throws EBaseException;
+ throws Exception;
/**
* Encrypts the internal private key (private key to the KRA's
@@ -166,8 +166,7 @@ public interface IEncryptionUnit extends IToken {
* @return encrypted data
* @exception EBaseException failed to encrypt
*/
- public byte[] encryptInternalPrivate(byte rawPrivate[])
- throws EBaseException;
+ public byte[] encryptInternalPrivate(byte rawPrivate[]) throws Exception;
/**
* Decrypts the internal private key (private key from the KRA's
@@ -175,10 +174,10 @@ public interface IEncryptionUnit extends IToken {
*
* @param wrappedPrivateData unwrapped private key data (key to be recovered)
* @return raw private key
- * @exception EBaseException failed to decrypt
+ * @throws Exception
*/
public byte[] decryptInternalPrivate(byte wrappedPrivateData[])
- throws EBaseException;
+ throws Exception;
/**
* Decrypts the external private key (private key from the end-user).
@@ -188,12 +187,12 @@ public interface IEncryptionUnit extends IToken {
* @param symmAlgParams symmetric algorithm parameters
* @param privateKey private key data
* @return private key data
- * @exception EBaseException failed to decrypt
+ * @throws Exception
*/
public byte[] decryptExternalPrivate(byte sessionKey[],
String symmAlgOID,
byte symmAlgParams[], byte privateKey[])
- throws EBaseException;
+ throws Exception;
/**
* Decrypts the external private key (private key from the end-user).
@@ -204,10 +203,10 @@ public interface IEncryptionUnit extends IToken {
* @param privateKey private key data
* @param transportCert transport certificate
* @return private key data
- * @exception EBaseException failed to decrypt
+ * @throws Exception
*/
public byte[] decryptExternalPrivate(byte sessionKey[],
String symmAlgOID, byte symmAlgParams[], byte privateKey[],
org.mozilla.jss.crypto.X509Certificate transportCert)
- throws EBaseException;
+ throws Exception;
}
diff --git a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
index 11901fa3d..965101ffa 100644
--- a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
+++ b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
@@ -91,11 +91,11 @@ public interface ITransportKeyUnit extends IEncryptionUnit {
* @param wrappedKeyData wrapped private key to be unwrapped
* @param pubKey public key
* @return Private key object
- * @exception EBaseException failed to unwrap
+ * @throws Exception
*/
public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey
- pubKey) throws EBaseException;
+ pubKey) throws Exception;
/**
* Returns this Unit's crypto token object.
* @return CryptoToken object.
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
index 26a284fd0..7b43548d5 100644
--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
@@ -153,8 +153,25 @@ public class AsymKeyGenService implements IService {
throw new EBaseException("Errors in generating Asymmetric key: " + e);
}
- KeyRecord record = new KeyRecord(null, kp.getPublic().getEncoded(), storageUnit.wrap((PrivateKey) kp
- .getPrivate()), owner, algorithm, owner);
+ if (kp == null) {
+ auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+ clientKeyId, null, "Failed to generate asymmetric key");
+ throw new EBaseException("Failed to generate asymmetric key!");
+ }
+
+ byte[] privateSecurityData = null;
+
+ try {
+ privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate());
+ } catch (Exception e) {
+ CMS.debug("Failed to generate security data to archive: " + e);
+ auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+ clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ throw new EBaseException("Failed to generate security data to archive!", e);
+ }
+
+ KeyRecord record = new KeyRecord(null, kp.getPublic().getEncoded(), privateSecurityData,
+ owner, algorithm, owner);
IKeyRepository storage = kra.getKeyRepository();
BigInteger serialNo = storage.getNextSerialNumber();
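Review bot: The new catch around `storageUnit.wrap(...)` logs only `e.toString()` through `CMS.debug("Failed to generate security data to archive: " + e);`, so the stack trace that would locate the failure inside the storage unit is not recorded. Adding `CMS.debug(e);` next to it keeps the trace in the debug log. The audit entry for this branch reuses `CMS_KRA_INVALID_PRIVATE_KEY`, which reads as a bad key rather than a wrap failure; a reason string like the one in the `kp == null` branch above may be clearer to whoever reviews the audit log. The enclosing method starts and ends outside this hunk.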
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
index 817ae7ffc..af4c3ec19 100644
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
@@ -32,10 +32,8 @@ import org.mozilla.jss.crypto.SymmetricKey;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.key.KeyRequestResource;
-import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.security.IEncryptionUnit;
import com.netscape.certsrv.security.WrappingParams;
-import com.netscape.cmscore.util.Debug;
import netscape.security.util.DerInputStream;
import netscape.security.util.DerOutputStream;
@@ -78,8 +76,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
* Protects the private key so that it can be stored in
* internal database.
*/
- public byte[] encryptInternalPrivate(byte priKey[])
- throws EBaseException {
+ public byte[] encryptInternalPrivate(byte priKey[]) throws Exception {
try (DerOutputStream out = new DerOutputStream()) {
CMS.debug("EncryptionUnit.encryptInternalPrivate");
CryptoToken internalToken = getInternalToken();
@@ -111,19 +108,14 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
out.write(DerValue.tag_Sequence, tmp);
return out.toByteArray();
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString()));
- Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString());
- return null;
}
}
- public byte[] wrap(PrivateKey privKey) throws EBaseException {
+ public byte[] wrap(PrivateKey privKey) throws Exception {
return _wrap(privKey,null);
}
- public byte[] wrap(SymmetricKey symmKey) throws EBaseException {
+ public byte[] wrap(SymmetricKey symmKey) throws Exception {
return _wrap(null,symmKey);
}
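Review bot: With this catch block removed, the `ILogger.LL_FAILURE` system-log entry `CMSCORE_KRA_ENCRYPTION_INTERNAL` is no longer written, and the later hunks of this file drop the matching EXTERNAL, UNWRAP, DECRYPT and WRAP entries, so a failed key operation is recorded only if each caller logs it. Among the callers visible in this diff that is not uniform: the first `RecoveryService` hunk rethrows as `EBaseException` without logging anything. Consider stating the new contract on the interface, for example `Callers are responsible for logging and auditing failures; the unit only throws.`, and checking each call site against it.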
@@ -146,7 +138,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
*/
public byte[] decryptExternalPrivate(byte encSymmKey[],
String symmAlgOID, byte symmAlgParams[], byte encValue[])
- throws EBaseException {
+ throws Exception {
return decryptExternalPrivate(encSymmKey, symmAlgOID, symmAlgParams,
encValue, null);
}
@@ -157,36 +149,29 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
public byte[] decryptExternalPrivate(byte encSymmKey[],
String symmAlgOID, byte symmAlgParams[], byte encValue[],
org.mozilla.jss.crypto.X509Certificate transCert)
- throws EBaseException {
- try {
+ throws Exception {
- CMS.debug("EncryptionUnit.decryptExternalPrivate");
- CryptoToken token = getToken(transCert);
+ CMS.debug("EncryptionUnit.decryptExternalPrivate");
+ CryptoToken token = getToken(transCert);
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
- PrivateKey wrappingKey = getPrivateKey(transCert);
- String priKeyAlgo = wrappingKey.getAlgorithm();
- if (priKeyAlgo.equals("EC"))
- params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);
+ PrivateKey wrappingKey = getPrivateKey(transCert);
+ String priKeyAlgo = wrappingKey.getAlgorithm();
+ if (priKeyAlgo.equals("EC"))
+ params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);
- SymmetricKey sk = unwrap_session_key(
- token,
- encSymmKey,
- SymmetricKey.Usage.DECRYPT,
- wrappingKey,
- params);
+ SymmetricKey sk = unwrap_session_key(
+ token,
+ encSymmKey,
+ SymmetricKey.Usage.DECRYPT,
+ wrappingKey,
+ params);
- return decrypt_private_key(token, new IVParameterSpec(symmAlgParams), sk, encValue, params);
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString()));
- Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString());
- return null;
- }
+ return decrypt_private_key(token, new IVParameterSpec(symmAlgParams), sk, encValue, params);
}
/**
@@ -194,37 +179,30 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
* the transport private key.
*/
public SymmetricKey unwrap_symmetric(byte encSymmKey[],
- String symmAlgOID, byte symmAlgParams[],
- byte encValue[], SymmetricKey.Type algorithm, int strength)
- throws EBaseException {
- try {
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ String symmAlgOID, byte symmAlgParams[],
+ byte encValue[], SymmetricKey.Type algorithm, int strength)
+ throws Exception {
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+
+ CryptoToken token = getToken();
+ // (1) unwrap the session key
+ SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP, params);
+
+ // (2) unwrap the session-wrapped-symmetric-key
+ SymmetricKey symKey = unwrap_symmetric_key(
+ token,
+ new IVParameterSpec(symmAlgParams),
+ algorithm,
+ strength,
+ SymmetricKey.Usage.DECRYPT,
+ sk,
+ encValue,
+ params);
- CryptoToken token = getToken();
- // (1) unwrap the session key
- SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP, params);
-
- // (2) unwrap the session-wrapped-symmetric-key
- SymmetricKey symKey = unwrap_symmetric_key(
- token,
- new IVParameterSpec(symmAlgParams),
- algorithm,
- strength,
- SymmetricKey.Usage.DECRYPT,
- sk,
- encValue,
- params);
-
- return symKey;
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
- Debug.trace("EncryptionUnit::unwrap " + e.toString());
- return null;
- }
+ return symKey;
}
/**
@@ -234,7 +212,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
public PrivateKey unwrap(byte encSymmKey[],
String symmAlgOID, byte symmAlgParams[],
byte encValue[], PublicKey pubKey)
- throws EBaseException {
+ throws Exception {
return unwrap (encSymmKey, symmAlgOID, symmAlgParams,
encValue, pubKey, null);
}
@@ -244,46 +222,39 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
* the transport private key.
*/
public PrivateKey unwrap(byte encSymmKey[],
- String symmAlgOID, byte symmAlgParams[],
- byte encValue[], PublicKey pubKey,
- org.mozilla.jss.crypto.X509Certificate transCert)
- throws EBaseException {
- try {
- CryptoToken token = getToken(transCert);
+ String symmAlgOID, byte symmAlgParams[],
+ byte encValue[], PublicKey pubKey,
+ org.mozilla.jss.crypto.X509Certificate transCert)
+ throws Exception {
+ CryptoToken token = getToken(transCert);
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
- PrivateKey wrappingKey = getPrivateKey(transCert);
- String priKeyAlgo = wrappingKey.getAlgorithm();
- if (priKeyAlgo.equals("EC"))
- params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);
-
- // (1) unwrap the session key
- SymmetricKey sk = unwrap_session_key(
- token,
- encSymmKey,
- SymmetricKey.Usage.UNWRAP,
- wrappingKey,
- params);
-
- // (2) unwrap the session-wrapped-private key
- return unwrap_private_key(
- token,
- pubKey,
- new IVParameterSpec(symmAlgParams),
- true /*temporary*/,
- sk,
- encValue,
- params);
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
- Debug.trace("EncryptionUnit::unwrap " + e.toString());
- CMS.debug("EncryptionUnit.unwrap "+ e.toString());
- return null;
- }
+ PrivateKey wrappingKey = getPrivateKey(transCert);
+ String priKeyAlgo = wrappingKey.getAlgorithm();
+ if (priKeyAlgo.equals("EC"))
+ params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);
+
+ // (1) unwrap the session key
+ SymmetricKey sk = unwrap_session_key(
+ token,
+ encSymmKey,
+ SymmetricKey.Usage.UNWRAP,
+ wrappingKey,
+ params);
+
+ // (2) unwrap the session-wrapped-private key
+ return unwrap_private_key(
+ token,
+ pubKey,
+ new IVParameterSpec(symmAlgParams),
+ true /*temporary*/,
+ sk,
+ encValue,
+ params);
}
/**
@@ -292,77 +263,62 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
*/
public byte[] decryptInternalPrivate(byte wrappedKeyData[])
- throws EBaseException {
- try {
- CMS.debug("EncryptionUnit.decryptInternalPrivate");
- DerValue val = new DerValue(wrappedKeyData);
- // val.tag == DerValue.tag_Sequence
- DerInputStream in = val.data;
- DerValue dSession = in.getDerValue();
- byte session[] = dSession.getOctetString();
- DerValue dPri = in.getDerValue();
- byte pri[] = dPri.getOctetString();
-
- CryptoToken token = getToken();
-
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
-
- // (1) unwrap the session key
- CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:" + token.getName());
- SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.DECRYPT, params);
-
- // (2) decrypt the private key
- return decrypt_private_key(token, IV, sk, pri, params);
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString()));
- Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString());
- return null;
- }
+ throws Exception {
+ CMS.debug("EncryptionUnit.decryptInternalPrivate");
+ DerValue val = new DerValue(wrappedKeyData);
+ // val.tag == DerValue.tag_Sequence
+ DerInputStream in = val.data;
+ DerValue dSession = in.getDerValue();
+ byte session[] = dSession.getOctetString();
+ DerValue dPri = in.getDerValue();
+ byte pri[] = dPri.getOctetString();
+
+ CryptoToken token = getToken();
+
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+
+ // (1) unwrap the session key
+ CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:" + token.getName());
+ SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.DECRYPT, params);
+
+ // (2) decrypt the private key
+ return decrypt_private_key(token, IV, sk, pri, params);
}
/**
* External unwrapping of stored symmetric key.
*/
public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize)
- throws EBaseException {
- try {
- DerValue val = new DerValue(wrappedKeyData);
- // val.tag == DerValue.tag_Sequence
- DerInputStream in = val.data;
- DerValue dSession = in.getDerValue();
- byte session[] = dSession.getOctetString();
- DerValue dPri = in.getDerValue();
- byte pri[] = dPri.getOctetString();
-
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
-
- CryptoToken token = getToken();
- // (1) unwrap the session key
- SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params);
-
- // (2) unwrap the session-wrapped-symmetric key
- return unwrap_symmetric_key(token, IV, algorithm, keySize, SymmetricKey.Usage.UNWRAP, sk, pri, params);
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
- Debug.trace("EncryptionUnit::unwrap " + e.toString());
- CMS.debug(e);
- return null;
- }
+ throws Exception {
+ DerValue val = new DerValue(wrappedKeyData);
+ // val.tag == DerValue.tag_Sequence
+ DerInputStream in = val.data;
+ DerValue dSession = in.getDerValue();
+ byte session[] = dSession.getOctetString();
+ DerValue dPri = in.getDerValue();
+ byte pri[] = dPri.getOctetString();
+
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+
+ CryptoToken token = getToken();
+ // (1) unwrap the session key
+ SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params);
+
+ // (2) unwrap the session-wrapped-symmetric key
+ return unwrap_symmetric_key(token, IV, algorithm, keySize, SymmetricKey.Usage.UNWRAP, sk, pri, params);
}
/**
* Internal unwrapping.
*/
public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey pubKey)
- throws EBaseException {
+ throws Exception {
return _unwrap(wrappedKeyData, pubKey, true);
}
@@ -370,50 +326,40 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
* Internal unwrapping.
*/
public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey)
- throws EBaseException {
+ throws Exception {
return _unwrap(wrappedKeyData, pubKey, false);
}
/**
* Internal unwrapping.
*/
- private PrivateKey _unwrap(byte wrappedKeyData[], PublicKey
- pubKey, boolean temporary)
- throws EBaseException {
- try {
-
- DerValue val = new DerValue(wrappedKeyData);
- // val.tag == DerValue.tag_Sequence
- DerInputStream in = val.data;
- DerValue dSession = in.getDerValue();
- byte session[] = dSession.getOctetString();
- DerValue dPri = in.getDerValue();
- byte pri[] = dPri.getOctetString();
-
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
-
- CryptoToken token = getToken();
- // (1) unwrap the session key
- SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params);
-
- // (2) unwrap the private key
- return unwrap_private_key(token, pubKey, IV, temporary, sk, pri, params);
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
- Debug.trace("EncryptionUnit::unwrap " + e.toString());
- CMS.debug(e);
- return null;
- }
+ private PrivateKey _unwrap(byte wrappedKeyData[], PublicKey pubKey, boolean temporary)
+ throws Exception {
+ DerValue val = new DerValue(wrappedKeyData);
+ // val.tag == DerValue.tag_Sequence
+ DerInputStream in = val.data;
+ DerValue dSession = in.getDerValue();
+ byte session[] = dSession.getOctetString();
+ DerValue dPri = in.getDerValue();
+ byte pri[] = dPri.getOctetString();
+
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+
+ CryptoToken token = getToken();
+ // (1) unwrap the session key
+ SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params);
+
+ // (2) unwrap the private key
+ return unwrap_private_key(token, pubKey, IV, temporary, sk, pri, params);
}
/***
* Internal wrap, accounts for either private or symmetric key
*/
- private byte[] _wrap(PrivateKey priKey, SymmetricKey symmKey) {
+ private byte[] _wrap(PrivateKey priKey, SymmetricKey symmKey) throws Exception {
try (DerOutputStream out = new DerOutputStream()) {
if ((priKey == null && symmKey == null) || (priKey != null && symmKey != null)) {
return null;
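Review bot: `_wrap` still ends its argument check with `return null;` when both or neither of `priKey` and `symmKey` are set, while the rest of this commit replaces null returns with exceptions and callers such as `NetkeyKeygenService` and `EnrollmentService` drop their `privateKeyData == null` checks. A null key passed to `wrap()` would then presumably reach the key record as null data instead of failing. Throw here instead, for example `throw new EBaseException("_wrap requires exactly one of priKey or symmKey");`, which needs no new import. The body of `_wrap` continues outside this hunk.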
@@ -462,11 +408,6 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
out.write(DerValue.tag_Sequence, tmp);
return out.toByteArray();
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString()));
- Debug.trace("EncryptionUnit::wrap " + e.toString());
- return null;
}
}
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index f901b5767..fbefc549e 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -229,53 +229,55 @@ public class EnrollmentService implements IService {
for (int i = 0; i < aOpts.length; i++) {
ArchiveOptions opts = new ArchiveOptions(aOpts[i].mAO);
- if (allowEncDecrypt_archival == true) {
- if (tCert == null) {
- CMS.debug("EnrollmentService: Invalid transport certificate: "+transportCert);
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"));
- }
- if (statsSub != null) {
- statsSub.startTiming("decrypt_user_key");
- }
- mKRA.log(ILogger.LL_INFO, "KRA decrypts external private");
- if (CMS.debugOn())
- CMS.debug("EnrollmentService::about to decryptExternalPrivate");
- tmp_unwrapped = mTransportUnit.decryptExternalPrivate(
- opts.getEncSymmKey(),
- opts.getSymmAlgOID(),
- opts.getSymmAlgParams(),
- opts.getEncValue(),
- tCert);
- if (statsSub != null) {
- statsSub.endTiming("decrypt_user_key");
- }
- if (CMS.debugOn())
- CMS.debug("EnrollmentService::finished decryptExternalPrivate");
- if (tmp_unwrapped == null) {
- mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
+ if (allowEncDecrypt_archival == true) {
+ if (tCert == null) {
+ CMS.debug("EnrollmentService: Invalid transport certificate: " + transportCert);
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"));
+ }
+ if (statsSub != null) {
+ statsSub.startTiming("decrypt_user_key");
+ }
+ mKRA.log(ILogger.LL_INFO, "KRA decrypts external private");
+ if (CMS.debugOn())
+ CMS.debug("EnrollmentService::about to decryptExternalPrivate");
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ try {
+ tmp_unwrapped = mTransportUnit.decryptExternalPrivate(
+ opts.getEncSymmKey(),
+ opts.getSymmAlgOID(),
+ opts.getSymmAlgParams(),
+ opts.getEncValue(),
+ tCert);
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
- audit(auditMessage);
- throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
- }
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
- /* making sure leading 0's are removed */
- int first=0;
- for (int j=0; (j< tmp_unwrapped.length) && (tmp_unwrapped[j]==0); j++) {
- first++;
- }
- unwrapped = Arrays.copyOfRange(tmp_unwrapped, first, tmp_unwrapped.length);
- } /*else { allowEncDecrypt_archival != true
- this is done below with unwrap()
- }
- */
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ }
+ if (statsSub != null) {
+ statsSub.endTiming("decrypt_user_key");
+ }
+ if (CMS.debugOn())
+ CMS.debug("EnrollmentService::finished decryptExternalPrivate");
+
+ /* making sure leading 0's are removed */
+ int first = 0;
+ for (int j = 0; (j < tmp_unwrapped.length) && (tmp_unwrapped[j] == 0); j++) {
+ first++;
+ }
+ unwrapped = Arrays.copyOfRange(tmp_unwrapped, first, tmp_unwrapped.length);
+ } /*else { allowEncDecrypt_archival != true
+ this is done below with unwrap()
+ }
+ */
// retrieve public key
X509Key publicKey = getPublicKey(request, aOpts[i].mReqPos);
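Review bot: When `decryptExternalPrivate` throws, the `statsSub.endTiming("decrypt_user_key")` call placed after the catch is never reached, so the timer started before the try stays open; before this change the timing ended ahead of the null check. Moving it into `finally { if (statsSub != null) statsSub.endTiming("decrypt_user_key"); }` restores that. This catch also discards `e`: the cause is neither logged nor chained into the `EKRAException`, unlike the `unwrap` catch in the next hunk. The timing point also applies to `encrypt_user_key` in the last two hunks of this file and to `unwrap_key` in the first `RecoveryService` hunk, and the `encrypt_user_key` catch likewise throws without chaining `e`.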
@@ -312,16 +314,31 @@ public class EnrollmentService implements IService {
} catch (Exception e) {
CMS.debug("EnrollmentService: parsePublicKey:"+e.toString());
throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+ CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"), e);
+ }
+
+ try {
+ entityPrivKey = mTransportUnit.unwrap(
+ opts.getEncSymmKey(),
+ opts.getSymmAlgOID(),
+ opts.getSymmAlgParams(),
+ opts.getEncValue(),
+ pubkey,
+ tCert);
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_DEBUG, e.getMessage());
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e);
}
- entityPrivKey =
- mTransportUnit.unwrap(
- opts.getEncSymmKey(),
- opts.getSymmAlgOID(),
- opts.getSymmAlgParams(),
- opts.getEncValue(),
- pubkey,
- tCert);
} // !allowEncDecrypt_archival
/* Bugscape #54948 - verify public and private key before archiving key */
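Review bot: `mKRA.log(ILogger.LL_DEBUG, e.getMessage());` in the new `unwrap` catch can log null and omits the exception type, since `getMessage()` is optional on a `Throwable`. Prefer `e.toString()`, as the `parsePublicKey` catch just above already does; the same line appears in the `encrypt_user_key` catch in the next hunk. Because this catch now chains `e` into the `EKRAException`, it is worth confirming that the cause is not rendered back to the requester, so that distinct unwrap failure reasons stay server-side.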
@@ -381,18 +398,14 @@ public class EnrollmentService implements IService {
}
byte privateKeyData[] = null;
- if (allowEncDecrypt_archival == true) {
- privateKeyData = mStorageUnit.encryptInternalPrivate(
- unwrapped);
- } else {
- privateKeyData = mStorageUnit.wrap(entityPrivKey);
- }
-
- if (statsSub != null) {
- statsSub.endTiming("encrypt_user_key");
- }
-
- if (privateKeyData == null) {
+ try {
+ if (allowEncDecrypt_archival == true) {
+ privateKeyData = mStorageUnit.encryptInternalPrivate(unwrapped);
+ } else {
+ privateKeyData = mStorageUnit.wrap(entityPrivKey);
+ }
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_DEBUG, e.getMessage());
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
auditMessage = CMS.getLogMessage(
@@ -403,8 +416,11 @@ public class EnrollmentService implements IService {
auditArchiveID);
audit(auditMessage);
- throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ }
+
+ if (statsSub != null) {
+ statsSub.endTiming("encrypt_user_key");
}
// create key record
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index d48f9ffa2..d3937915b 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -611,16 +611,19 @@ public class NetkeyKeygenService implements IService {
auditArchiveID);
audit(auditMessage);
+
CMS.debug("KRA encrypts private key to put on internal ldap db");
- byte privateKeyData[] =
- mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey);
+ byte privateKeyData[] = null;
- if (privateKeyData == null) {
+ try {
+ privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey);
+ } catch (Exception e) {
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed");
return false;
- } else
- CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful");
+ }
+
+ CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful");
// create key record
KeyRecord rec = new KeyRecord(null, publicKeyData,
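Review bot: The `catch (Exception e)` around `mStorageUnit.wrap(...)` never uses `e`: only a fixed debug string is written and the method returns false, so the reason the storage unit could not wrap the key is lost, which is the swallowing this commit sets out to remove. Including the exception in the existing debug line would keep it: `CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed: " + e);`. The enclosing method starts and ends outside the hunk.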
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index 7bcceb833..70b5e57a7 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -271,8 +271,14 @@ public class RecoveryService implements IService {
if (statsSub != null) {
statsSub.startTiming("unwrap_key");
}
- mKRA.getStorageKeyUnit().unwrap(
- keyRecord.getPrivateKeyData(), null); // throw exception on error
+
+ try {
+ mKRA.getStorageKeyUnit().unwrap(
+ keyRecord.getPrivateKeyData(), null);
+ } catch (Exception e) {
+ throw new EBaseException("Failed to unwrap private key", e);
+ }
+
if (statsSub != null) {
statsSub.endTiming("unwrap_key");
}
@@ -405,18 +411,19 @@ public class RecoveryService implements IService {
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "public key parsing failure"));
}
byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
- PrivateKey privKey =
- mStorageUnit.unwrap(
- session,
- keyRecord.getAlgorithm(),
- iv,
- pri,
- pubkey);
-
- if (privKey == null) {
+ PrivateKey privKey = null;
+ try {
+ privKey = mStorageUnit.unwrap(
+ session,
+ keyRecord.getAlgorithm(),
+ iv,
+ pri,
+ pubkey);
+
+ } catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
- "private key unwrapping failure"));
+ "private key unwrapping failure"), e);
}
if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
mStorageUnit.logout();
@@ -555,18 +562,19 @@ public class RecoveryService implements IService {
mStorageUnit.login(creds);
}
mKRA.log(ILogger.LL_INFO, "KRA decrypts internal private");
- byte privateKeyData[] =
- mStorageUnit.decryptInternalPrivate(
- keyRecord.getPrivateKeyData());
- if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
- mStorageUnit.logout();
- }
- if (privateKeyData == null) {
+ try {
+ byte[] privateKeyData = mStorageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData());
+
+ if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
+ mStorageUnit.logout();
+ }
+
+ return privateKeyData;
+ } catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key"));
}
- return privateKeyData;
}
/**
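Review bot: When `decryptInternalPrivate` throws, the `kra.keySplitting` logout inside the `try` is skipped, so a storage unit logged in through `mStorageUnit.login(creds)` just above stays logged in on the failure path; before this change the logout ran ahead of the null check. The catch also covers `getBoolean` and `logout()`, so a failure there is reported as "no private key", and the cause is not chained. Moving the logout into a `finally` and passing `e` addresses both; an exception raised inside the `finally` would replace the original one, so it may need its own guard. The method begins outside the hunk.

```java
try {
    return mStorageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData());
} catch (Exception e) {
    mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
    throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key"), e);
} finally {
    // log out on success and on failure alike
    if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
        mStorageUnit.logout();
    }
}
```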
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 2a373344a..5f815a4b6 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -174,13 +174,14 @@ public class SecurityDataProcessor {
keyType = KeyRequestResource.SYMMETRIC_KEY_TYPE;
if (allowEncDecrypt_archival == true) {
- tmp_unwrapped = transportUnit.decryptExternalPrivate(
- wrappedSessionKey,
- algStr,
- sparams,
- secdata);
+ try {
+ tmp_unwrapped = transportUnit.decryptExternalPrivate(
+ wrappedSessionKey,
+ algStr,
+ sparams,
+ secdata);
- if(tmp_unwrapped == null ) {
+ } catch (Exception e) {
throw new EBaseException("Can't decrypt symm key using allEncDecrypt_archival : true .");
}
@@ -194,42 +195,58 @@ public class SecurityDataProcessor {
} else {
+ try {
+ securitySymKey = transportUnit.unwrap_symmetric(
+ wrappedSessionKey,
+ algStr,
+ sparams,
+ secdata,
+ KeyRequestService.SYMKEY_TYPES.get(algorithm),
+ strength);
+ } catch (Exception e) {
+ throw new EBaseException("Can't decrypt symmetric key.", e);
+ }
+ }
- securitySymKey = transportUnit.unwrap_symmetric(
+ } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
+ keyType = KeyRequestResource.PASS_PHRASE_TYPE;
+ try {
+ securityData = transportUnit.decryptExternalPrivate(
wrappedSessionKey,
algStr,
sparams,
- secdata,
- KeyRequestService.SYMKEY_TYPES.get(algorithm),
- strength);
+ secdata);
+ } catch (Exception e) {
+ throw new EBaseException("Can't decrypt passphrase.", e);
}
- } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
- keyType = KeyRequestResource.PASS_PHRASE_TYPE;
- securityData = transportUnit.decryptExternalPrivate(
- wrappedSessionKey,
- algStr,
- sparams,
- secdata);
-
}
byte[] publicKey = null;
byte privateSecurityData[] = null;
- if (securitySymKey != null && unwrapped == null) {
- privateSecurityData = storageUnit.wrap(securitySymKey);
- } else if (unwrapped != null && allowEncDecrypt_archival == true) {
- privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped);
- Arrays.fill(unwrapped, (byte)0);
- CMS.debug("allowEncDecrypt_archival of symmetric key.");
- }else if (securityData != null) {
- privateSecurityData = storageUnit.encryptInternalPrivate(securityData);
- } else { // We have no data.
+ try {
+ if (securitySymKey != null && unwrapped == null) {
+ privateSecurityData = storageUnit.wrap(securitySymKey);
+ } else if (unwrapped != null && allowEncDecrypt_archival == true) {
+ privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped);
+ Arrays.fill(unwrapped, (byte)0);
+ CMS.debug("allowEncDecrypt_archival of symmetric key.");
+ } else if (securityData != null) {
+ privateSecurityData = storageUnit.encryptInternalPrivate(securityData);
+ } else { // We have no data.
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
+ clientKeyId, null, "Failed to create security data to archive");
+ throw new EBaseException("Failed to create security data to archive!");
+ }
+ } catch (Exception e) {
+ CMS.debug("Failed to create security data to archive: " + e.getMessage());
auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
- clientKeyId, null, "Failed to create security data to archive");
- throw new EBaseException("Failed to create security data to archive!");
+ clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
}
+
// create key record
// Note that in this case the owner is the same as the approving agent
// because the archival request is made by the agent.
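Review bot: `Arrays.fill(unwrapped, (byte)0)` sits after `storageUnit.encryptInternalPrivate(unwrapped)` inside the new `try`, so when encryption throws the plaintext symmetric key is no longer wiped; before this change a failed call presumably returned null and the fill still ran (the old storage-unit code is not in this hunk). Wrapping just that call in a `try`/`finally` keeps the wipe on both paths. Separately, the "We have no data" branch audits and throws inside the same `try`, so the outer catch audits the failure a second time and replaces its message with CMS_KRA_INVALID_PRIVATE_KEY; moving that branch after the `try` would leave one audit record per failure. The enclosing method starts and ends outside the hunk.

```java
} else if (unwrapped != null && allowEncDecrypt_archival == true) {
    try {
        privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped);
    } finally {
        // wipe the plaintext key whether or not encryption succeeded
        Arrays.fill(unwrapped, (byte) 0);
    }
    CMS.debug("allowEncDecrypt_archival of symmetric key.");
// … unchanged: securityData branch, no-data branch and outer catch …
```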
@@ -392,7 +409,7 @@ public class SecurityDataProcessor {
privateKey = storageUnit.unwrap_temp(privateKeyData, publicKey);
}
- } catch (IOException e) {
+ } catch (Exception e) {
throw new EBaseException("Cannot fetch the private key from the database.", e);
}
@@ -590,15 +607,8 @@ public class SecurityDataProcessor {
keyRecord.getPrivateKeyData(),
KeyRequestService.SYMKEY_TYPES.get(keyRecord.getAlgorithm()),
keyRecord.getKeySize());
-
- if (symKey == null) {
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
- "symmetric key unwrapping failure"));
- }
-
return symKey;
} catch (Exception e) {
-
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
"recoverSymKey() " + e.toString()));
}
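Review bot: The detail passed to `CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", ...)` is built from `e.toString()`, and with the null check gone every unwrap failure now arrives here as whatever exception the storage unit raised, so its text goes into a message that looks user-facing while the cause itself is not chained. Logging the exception and keeping the fixed detail string the removed check used would separate the two: `CMS.debug("recoverSymKey() failed: " + e);` followed by `throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "symmetric key unwrapping failure"), e);`. `recoverSecurityData` in the next hunk builds its message the same way. The method starts outside the hunk.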
@@ -606,21 +616,10 @@ public class SecurityDataProcessor {
public byte[] recoverSecurityData(KeyRecord keyRecord)
throws EBaseException {
-
- byte[] decodedData = null;
-
try {
- decodedData = storageUnit.decryptInternalPrivate(
- keyRecord.getPrivateKeyData());
-
- if (decodedData == null) {
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
- "security data unwrapping failure"));
- }
-
- return decodedData;
+ return storageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData());
} catch (Exception e) {
-
+ CMS.debug("Failed to recover security data: " + e);
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
"recoverSecurityData() " + e.toString()));
}
diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
index 89c776d75..7d42cb45b 100644
--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
@@ -174,14 +174,21 @@ public class SymKeyGenService implements IService {
byte[] publicKey = null;
byte privateSecurityData[] = null;
- if (sk != null) {
- privateSecurityData = mStorageUnit.wrap(sk);
- } else { // We have no data.
+ if (sk == null) {
auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to create security data to archive");
throw new EBaseException("Failed to create security data to archive!");
}
+ try {
+ privateSecurityData = mStorageUnit.wrap(sk);
+ } catch (Exception e) {
+ CMS.debug("Failed to generate security data to archive: " + e);
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+ clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ throw new EBaseException("Failed to generate security data to archive!");
+ }
+
// create key record
KeyRecord rec = new KeyRecord(null, publicKey,
privateSecurityData, owner,
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index d1196b6e4..5ad8044d7 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -693,16 +693,19 @@ public class TokenKeyRecoveryService implements IService {
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "public key parsing failure"));
}
byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
- PrivateKey privKey =
- mStorageUnit.unwrap(
- session,
- keyRecord.getAlgorithm(),
- iv,
- pri,
- pubkey);
- if (privKey == null) {
- CMS.debug( "TokenKeyRecoveryService: recoverKey() - recovery failure");
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "private key recovery/unwrapping failure"));
+ PrivateKey privKey = null;
+ try {
+ privKey = mStorageUnit.unwrap(
+ session,
+ keyRecord.getAlgorithm(),
+ iv,
+ pri,
+ pubkey);
+ } catch (Exception e) {
+ CMS.debug("TokenKeyRecoveryService: recoverKey() - recovery failure");
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
+ "private key recovery/unwrapping failure"), e);
}
CMS.debug( "TokenKeyRecoveryService: recoverKey() - recovery completed, returning privKey");
return privKey;
@@ -724,18 +727,13 @@ public class TokenKeyRecoveryService implements IService {
mStorageUnit.login(creds);
*/
- CMS.debug("KRA decrypts internal private");
- byte privateKeyData[] =
- mStorageUnit.decryptInternalPrivate(
- keyRecord.getPrivateKeyData());
- /*
- mStorageUnit.logout();
- */
- if (privateKeyData == null) {
+ try {
+ return mStorageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData());
+ /* mStorageUnit.logout();*/
+ } catch (Exception e){
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key"));
}
- return privateKeyData;
}
/**