diff options
| author | Ade Lee <alee@redhat.com> | 2017-02-28 12:18:29 -0500 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-03-14 17:09:09 -0400 |
| commit | d13181faea23cdb5a07136d3fdabeedb70effda9 (patch) | |
| tree | b944588c3adfd297bcda4b4a26360d982557e3da | |
| parent | e1789708a9a6f66c3e3f1478e7bbc03da5b3b0df (diff) | |
| download | pki-d13181faea23cdb5a07136d3fdabeedb70effda9.tar.gz pki-d13181faea23cdb5a07136d3fdabeedb70effda9.tar.xz pki-d13181faea23cdb5a07136d3fdabeedb70effda9.zip | |
Change internal wrapping to AES
There are several changes in this patch:
1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the
TransportUnit into those classes. This helps to determine which methods are called by
which class (because in general they require different arguments). It may be possible
to later simplify and reduce code repetition by pulling core functionality back into
the EncryptionUnit.
2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values
as part of the KeyRecord when the key is stored. On retrieval, this data is read and
used to extract the data. If the data is not present, then use the old DES3 parameters.
3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap
for storage by default. If a parameter kra.storageUnit.useOldWrapping=true, then
the old wrapping will be used instead.
Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562
17 files changed, 716 insertions, 598 deletions
diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java index f66d53f1e..163d4dd5d 100644 --- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java +++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java @@ -22,6 +22,7 @@ import java.util.Date; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.MetaInfo; +import com.netscape.certsrv.security.WrappingParams; /** * An interface contains constants for key record. @@ -167,4 +168,8 @@ public interface IKeyRecord { * @exception EBaseException failed to retrieve authorization realm */ public String getRealm() throws EBaseException; + + public void setWrappingParams(WrappingParams params) throws Exception; + + public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception; } diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java index 7f5e95ec3..1b8a0bf25 100644 --- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java +++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java @@ -22,7 +22,6 @@ import java.security.PublicKey; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.SymmetricKey; -import org.mozilla.jss.crypto.SymmetricKey.Type; import com.netscape.certsrv.base.EBaseException; @@ -41,26 +40,6 @@ public interface IEncryptionUnit extends IToken { public PublicKey getPublicKey(); /** - * Wraps data. The given key will be wrapped by the - * private key in this unit. - * - * @param priKey private key to be wrapped - * @return wrapped data - * @exception EBaseException failed to wrap - */ - public byte[] wrap(PrivateKey priKey) throws Exception; - - /** - * Wraps data. The given key will be wrapped by the - * private key in this unit. - * - * @param symKey symmetric key to be wrapped - * @return wrapped data - * @exception EBaseException failed to wrap - */ - public byte[] wrap(SymmetricKey symKey) throws Exception; - - /** * Verifies the given key pair. * * @param publicKey public key @@ -70,69 +49,6 @@ public interface IEncryptionUnit extends IToken { EBaseException; /** - * Unwraps data. This method rebuilds the private key by - * unwrapping the private key data. - * - * @param sessionKey session key that unwrap the private key - * @param symmAlgOID symmetric algorithm - * @param symmAlgParams symmetric algorithm parameters - * @param privateKey private key data - * @param pubKey public key - * @return private key object - * @throws Exception - */ - public PrivateKey unwrap(byte sessionKey[], String symmAlgOID, - byte symmAlgParams[], byte privateKey[], - PublicKey pubKey) - throws Exception; - - /** - * Unwraps data. This method rebuilds the private key by - * unwrapping the private key data. - * - * @param symmAlgOID symmetric algorithm - * @param symmAlgParams symmetric algorithm parameters - * @param pubKey public key - * @param transportCert transport certificate - * @return private key object - * @throws Exception - */ - public PrivateKey unwrap(byte encSymmKey[], String symmAlgOID, - byte symmAlgParams[], byte encValue[], PublicKey pubKey, - org.mozilla.jss.crypto.X509Certificate transportCert) - throws Exception; - - /** - * Unwraps symmetric key data. This method rebuilds the symmetric key by - * unwrapping the private data blob. - * - * @param wrappedKeyData symmetric key data wrapped up with session key - * @return Symmetric key object - * @exception Exception failed to unwrap - */ - - public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize) - throws Exception; - - /** - * Unwraps symmetric key . This method - * unwraps the symmetric key. - * - * @param sessionKey session key that unwrap the symmetric key - * @param symmAlgOID symmetric algorithm - * @param symmAlgParams symmetric algorithm parameters - * @param symmetricKey symmetric key data - * @param type symmetric key algorithm - * @param strength symmetric key strength in bytes - * @return Symmetric key object - * @throws Exception - */ - - public SymmetricKey unwrap_symmetric(byte sessionKey[], String symmAlgOID, - byte symmAlgParams[], byte symmetricKey[], Type type, int strength) - throws Exception; - - /** * Unwraps symmetric key . This method * unwraps the symmetric key. * @@ -143,70 +59,8 @@ public interface IEncryptionUnit extends IToken { public SymmetricKey unwrap_session_key(CryptoToken token, byte encSymmKey[], SymmetricKey.Usage usage, WrappingParams params); - public PrivateKey unwrap_temp(byte privateKey[], PublicKey pubKey) - throws Exception; - - /** - * Unwraps data. This method rebuilds the private key by - * unwrapping the private key data. - * - * @param privateKey private key data - * @param pubKey public key object - * @return private key object - * @throws Exception - */ - public PrivateKey unwrap(byte privateKey[], PublicKey pubKey) - throws Exception; - - /** - * Encrypts the internal private key (private key to the KRA's - * internal storage). - * - * @param rawPrivate user's private key (key to be archived) - * @return encrypted data - * @exception EBaseException failed to encrypt - */ - public byte[] encryptInternalPrivate(byte rawPrivate[]) throws Exception; - - /** - * Decrypts the internal private key (private key from the KRA's - * internal storage). - * - * @param wrappedPrivateData unwrapped private key data (key to be recovered) - * @return raw private key - * @throws Exception - */ - public byte[] decryptInternalPrivate(byte wrappedPrivateData[]) - throws Exception; - /** - * Decrypts the external private key (private key from the end-user). - * - * @param sessionKey session key that protects the user private - * @param symmAlgOID symmetric algorithm - * @param symmAlgParams symmetric algorithm parameters - * @param privateKey private key data - * @return private key data - * @throws Exception - */ - public byte[] decryptExternalPrivate(byte sessionKey[], - String symmAlgOID, - byte symmAlgParams[], byte privateKey[]) - throws Exception; + public WrappingParams getWrappingParams() throws EBaseException; - /** - * Decrypts the external private key (private key from the end-user). - * - * @param sessionKey session key that protects the user private - * @param symmAlgOID symmetric algorithm - * @param symmAlgParams symmetric algorithm parameters - * @param privateKey private key data - * @param transportCert transport certificate - * @return private key data - * @throws Exception - */ - public byte[] decryptExternalPrivate(byte sessionKey[], - String symmAlgOID, byte symmAlgParams[], byte privateKey[], - org.mozilla.jss.crypto.X509Certificate transportCert) - throws Exception; + public WrappingParams getOldWrappingParams(); } diff --git a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java index 4e651d394..6f6e31201 100644 --- a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java +++ b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java @@ -17,9 +17,12 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.certsrv.security; +import java.security.PublicKey; import java.util.Enumeration; import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.PrivateKey; +import org.mozilla.jss.crypto.SymmetricKey; import com.netscape.certsrv.base.EBaseException; @@ -96,4 +99,74 @@ public interface IStorageKeyUnit extends IEncryptionUnit { public CryptoToken getToken(); + /** + * Encrypts the internal private key (private key to the KRA's + * internal storage). + * + * @param rawPrivate user's private key (key to be archived) + * @return encrypted data + * @exception EBaseException failed to encrypt + */ + public byte[] encryptInternalPrivate(byte rawPrivate[]) throws Exception; + + /** + * Wraps data. The given key will be wrapped by the + * private key in this unit. + * + * @param priKey private key to be wrapped + * @param WrappingParams - wrapping parameters + * @return wrapped data + * @exception EBaseException failed to wrap + */ + public byte[] wrap(PrivateKey priKey) throws Exception; + + /** + * Wraps data. The given key will be wrapped by the + * private key in this unit. + * + * @param symKey symmetric key to be wrapped + * @param wrappingParams - wrapping parameters + * @return wrapped data + * @exception EBaseException failed to wrap + */ + public byte[] wrap(SymmetricKey symKey) throws Exception; + + /** + * Decrypts the internal private key (private key from the KRA's + * internal storage). + * + * @param wrappedPrivateData unwrapped private key data (key to be recovered) + * @param params - wrapping params + * @return raw private key + * @throws Exception + */ + public byte[] decryptInternalPrivate(byte wrappedPrivateData[], WrappingParams params) + throws Exception; + + /** + * Unwraps symmetric key data. This method rebuilds the symmetric key by + * unwrapping the private data blob. + * + * @param wrappedKeyData symmetric key data wrapped up with session key + * @return Symmetric key object + * @exception Exception failed to unwrap + */ + + public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize, + WrappingParams params) throws Exception; + + /** + * Unwraps data. This method rebuilds the private key by + * unwrapping the private key data. + * + * @param privateKey private key data + * @param pubKey public key object + * @param temporary - temporary key? + * @param params - wrapping parameters + * @return private key object + * @throws Exception + */ + public PrivateKey unwrap(byte privateKey[], PublicKey pubKey, boolean temporary, + WrappingParams params) throws Exception; + } diff --git a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java index 965101ffa..675c7340a 100644 --- a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java +++ b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java @@ -22,6 +22,7 @@ import java.security.PublicKey; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.SymmetricKey; +import org.mozilla.jss.crypto.SymmetricKey.Type; import com.netscape.certsrv.base.EBaseException; @@ -63,58 +64,86 @@ public interface ITransportKeyUnit extends IEncryptionUnit { public PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert); /** - * Unwraps symmetric key . This method - * unwraps the symmetric key. - * - * @param encSymmKey wrapped symmetric key to be unwrapped - * @param usage Key usage for unwrapped key. - * @return Symmetric key object + * Returns this Unit's crypto token object. + * @return CryptoToken object. */ - public SymmetricKey unwrap_session_key(CryptoToken token, byte encSymmKey[], SymmetricKey.Usage usage, - WrappingParams params); + public CryptoToken getToken(); + + /** + * Returns this Unit's signing algorithm in String format. + * @return String of signing algorithm + * @throws EBaseException + */ + + public String getSigningAlgorithm() throws EBaseException; + + /** + * Sets this Unit's signing algorithm. + * @param str String of signing algorithm to set. + * @throws EBaseException + */ + public void setSigningAlgorithm(String str) throws EBaseException; + + /** + * Decrypts the external private key (private key from the end-user). + * + * @param sessionKey session key that protects the user private + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters + * @param privateKey private key data + * @param transportCert transport certificate + * @return private key data + * @throws Exception + */ + public byte[] decryptExternalPrivate(byte sessionKey[], + String symmAlgOID, byte symmAlgParams[], byte privateKey[], + org.mozilla.jss.crypto.X509Certificate transportCert) + throws Exception; /** * Unwraps symmetric key . This method * unwraps the symmetric key. * - * @param encSymmKey wrapped symmetric key to be unwrapped + * @param sessionKey session key that unwrap the symmetric key + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters + * @param symmetricKey symmetric key data + * @param type symmetric key algorithm + * @param strength symmetric key strength in bytes * @return Symmetric key object + * @throws Exception */ - public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params); + public SymmetricKey unwrap_symmetric(byte sessionKey[], String symmAlgOID, + byte symmAlgParams[], byte symmetricKey[], Type type, int strength) + throws Exception; /** - * Unwraps temporary private key . This method - * unwraps the temporary private key. + * Unwraps data. This method rebuilds the private key by + * unwrapping the private key data. * - * @param wrappedKeyData wrapped private key to be unwrapped + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters * @param pubKey public key - * @return Private key object + * @param transportCert transport certificate + * @return private key object * @throws Exception */ + public PrivateKey unwrap(byte encSymmKey[], String symmAlgOID, + byte symmAlgParams[], byte encValue[], PublicKey pubKey, + org.mozilla.jss.crypto.X509Certificate transportCert) + throws Exception; - public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey - pubKey) throws Exception; /** - * Returns this Unit's crypto token object. - * @return CryptoToken object. + * Unwraps symmetric key . This method + * unwraps the symmetric key. + * + * @param encSymmKey wrapped symmetric key to be unwrapped + * @return Symmetric key object */ - public CryptoToken getToken(); - - /** - * Returns this Unit's signing algorithm in String format. - * @return String of signing algorithm - * @throws EBaseException - */ + public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params); - public String getSigningAlgorithm() throws EBaseException; - /** - * Sets this Unit's signing algorithm. - * @param str String of signing algorithm to set. - * @throws EBaseException - */ - public void setSigningAlgorithm(String str) throws EBaseException; } diff --git a/base/common/src/com/netscape/certsrv/security/WrappingParams.java b/base/common/src/com/netscape/certsrv/security/WrappingParams.java index 9689ecc60..b3fabfc63 100644 --- a/base/common/src/com/netscape/certsrv/security/WrappingParams.java +++ b/base/common/src/com/netscape/certsrv/security/WrappingParams.java @@ -1,16 +1,17 @@ package com.netscape.certsrv.security; +import java.security.NoSuchAlgorithmException; + import org.mozilla.jss.crypto.EncryptionAlgorithm; +import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.SymmetricKey; import org.mozilla.jss.crypto.SymmetricKey.Type; -import org.mozilla.jss.crypto.SymmetricKey.Usage; public class WrappingParams { // session key attributes - SymmetricKey.Type skTyoe; - SymmetricKey.Usage[] skUsages; + SymmetricKey.Type skType; KeyGenAlgorithm skKeyGenAlgorithm; int skLength; @@ -23,33 +24,38 @@ public class WrappingParams { //wrapping algorithm for payload KeyWrapAlgorithm payloadWrapAlgorithm; - public WrappingParams(Type skTyoe, Usage[] skUsages, KeyGenAlgorithm skKeyGenAlgorithm, int skLength, + // payload encryption IV + IVParameterSpec payloadEncryptionIV; + + // payload wrapping IV + IVParameterSpec payloadWrappingIV; + + public WrappingParams(Type skType, KeyGenAlgorithm skKeyGenAlgorithm, int skLength, KeyWrapAlgorithm skWrapAlgorithm, EncryptionAlgorithm payloadEncryptionAlgorithm, - KeyWrapAlgorithm payloadWrapAlgorithm) { + KeyWrapAlgorithm payloadWrapAlgorithm, IVParameterSpec payloadEncryptIV, IVParameterSpec payloadWrapIV) { super(); - this.skTyoe = skTyoe; - this.skUsages = skUsages; + this.skType = skType; this.skKeyGenAlgorithm = skKeyGenAlgorithm; this.skLength = skLength; this.skWrapAlgorithm = skWrapAlgorithm; this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm; this.payloadWrapAlgorithm = payloadWrapAlgorithm; + this.payloadEncryptionIV = payloadEncryptIV; + this.payloadWrappingIV = payloadWrapIV; } - public SymmetricKey.Type getSkTyoe() { - return skTyoe; - } + public WrappingParams() {} - public void setSkTyoe(SymmetricKey.Type skTyoe) { - this.skTyoe = skTyoe; + public SymmetricKey.Type getSkType() { + return skType; } - public SymmetricKey.Usage[] getSkUsages() { - return skUsages; + public void setSkType(SymmetricKey.Type skType) { + this.skType = skType; } - public void setSkUsages(SymmetricKey.Usage[] skUsages) { - this.skUsages = skUsages; + public void setSkType(String skTypeName) throws NoSuchAlgorithmException { + this.skType = SymmetricKey.Type.fromName(skTypeName); } public KeyGenAlgorithm getSkKeyGenAlgorithm() { @@ -60,6 +66,20 @@ public class WrappingParams { this.skKeyGenAlgorithm = skKeyGenAlgorithm; } + public void setSkKeyGenAlgorithm(String algName) throws NoSuchAlgorithmException { + // JSS mapping is not working. Lets just do something brain-dead to + // handle the cases we expect. + if (algName.equalsIgnoreCase("AES")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.AES; + } else if (algName.equalsIgnoreCase("DES")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES; + } else if (algName.equalsIgnoreCase("DESede")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + } else if (algName.equalsIgnoreCase("DES3")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + } + } + public int getSkLength() { return skLength; } @@ -76,6 +96,10 @@ public class WrappingParams { this.skWrapAlgorithm = skWrapAlgorithm; } + public void setSkWrapAlgorithm(String name) throws NoSuchAlgorithmException { + this.skWrapAlgorithm = KeyWrapAlgorithm.fromString(name); + } + public EncryptionAlgorithm getPayloadEncryptionAlgorithm() { return payloadEncryptionAlgorithm; } @@ -84,6 +108,11 @@ public class WrappingParams { this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm; } + public void setPayloadEncryptionAlgorithm(String algName, String modeName, String paddingName, int keyStrength) + throws NoSuchAlgorithmException { + this.payloadEncryptionAlgorithm = EncryptionAlgorithm.lookup(algName, modeName, paddingName, keyStrength); + } + public KeyWrapAlgorithm getPayloadWrapAlgorithm() { return payloadWrapAlgorithm; } @@ -91,4 +120,24 @@ public class WrappingParams { public void setPayloadWrapAlgorithm(KeyWrapAlgorithm payloadWrapAlgorithm) { this.payloadWrapAlgorithm = payloadWrapAlgorithm; } + + public void setPayloadWrapAlgorithm(String name) throws NoSuchAlgorithmException { + this.payloadWrapAlgorithm = KeyWrapAlgorithm.fromString(name); + } + + public IVParameterSpec getPayloadEncryptionIV() { + return payloadEncryptionIV; + } + + public void setPayloadEncryptionIV(IVParameterSpec payloadEncryptionIV) { + this.payloadEncryptionIV = payloadEncryptionIV; + } + + public IVParameterSpec getPayloadWrappingIV() { + return payloadWrappingIV; + } + + public void setPayloadWrappingIV(IVParameterSpec payloadWrappingIV) { + this.payloadWrappingIV = payloadWrappingIV; + } } diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java index 7b43548d5..ffd8b03cf 100644 --- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java @@ -197,6 +197,14 @@ public class AsymKeyGenService implements IService { record.set(KeyRecord.ATTR_REALM, realm); } + try { + record.setWrappingParams(storageUnit.getOldWrappingParams()); + } catch (Exception e) { + auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), + clientKeyId, null, "Failed to store wrapping params"); + throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } + storage.addKeyRecord(record); auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(), diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java index af4c3ec19..c337e7f04 100644 --- a/base/kra/src/com/netscape/kra/EncryptionUnit.java +++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java @@ -35,10 +35,6 @@ import com.netscape.certsrv.key.KeyRequestResource; import com.netscape.certsrv.security.IEncryptionUnit; import com.netscape.certsrv.security.WrappingParams; -import netscape.security.util.DerInputStream; -import netscape.security.util.DerOutputStream; -import netscape.security.util.DerValue; - /** * A class represents the transport key pair. This key pair * is used to protected EE's private key in transit. @@ -51,13 +47,13 @@ public abstract class EncryptionUnit implements IEncryptionUnit { /* Establish one constant IV for base class, to be used for internal operations. Constant IV acceptable for symmetric keys. */ - private byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - protected IVParameterSpec IV = null; + public static final byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + public static final byte[] iv2 = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + public static final IVParameterSpec IV = new IVParameterSpec(iv); + public static final IVParameterSpec IV2 = new IVParameterSpec(iv2); public EncryptionUnit() { CMS.debug("EncryptionUnit.EncryptionUnit this: " + this.toString()); - - IV = new IVParameterSpec(iv); } public abstract CryptoToken getToken(); @@ -72,51 +68,13 @@ public abstract class EncryptionUnit implements IEncryptionUnit { public abstract PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert); - /** - * Protects the private key so that it can be stored in - * internal database. - */ - public byte[] encryptInternalPrivate(byte priKey[]) throws Exception { - try (DerOutputStream out = new DerOutputStream()) { - CMS.debug("EncryptionUnit.encryptInternalPrivate"); - CryptoToken internalToken = getInternalToken(); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - // (1) generate session key - SymmetricKey sk = generate_session_key(internalToken, false, params); - - // (2) wrap private key with session key - byte[] pri = encrypt_private_key(internalToken, sk, priKey, params); - - // (3) wrap session with transport public - byte[] session = wrap_session_key(internalToken, getPublicKey(), sk, params); - - // use MY own structure for now: - // SEQUENCE { - // encryptedSession OCTET STRING, - // encryptedPrivate OCTET STRING - // } - - DerOutputStream tmp = new DerOutputStream(); - - tmp.putOctetString(session); - tmp.putOctetString(pri); - out.write(DerValue.tag_Sequence, tmp); - - return out.toByteArray(); - } - } - - public byte[] wrap(PrivateKey privKey) throws Exception { - return _wrap(privKey,null); - } + public abstract WrappingParams getWrappingParams() throws EBaseException; - public byte[] wrap(SymmetricKey symmKey) throws Exception { - return _wrap(null,symmKey); + public WrappingParams getOldWrappingParams() { + return new WrappingParams( + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 0, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, + KeyWrapAlgorithm.DES3_CBC_PAD, IV, IV); } public SymmetricKey unwrap_session_key(CryptoToken token, byte encSymmKey[], SymmetricKey.Usage usage, @@ -129,288 +87,6 @@ public abstract class EncryptionUnit implements IEncryptionUnit { return unwrap_session_key(token, encSymmKey, usage, wrappingKey, params); } - public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params) { - return unwrap_session_key(getToken(), encSymmKey, SymmetricKey.Usage.WRAP, params); - } - - /** - * Decrypts the user private key. - */ - public byte[] decryptExternalPrivate(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], byte encValue[]) - throws Exception { - return decryptExternalPrivate(encSymmKey, symmAlgOID, symmAlgParams, - encValue, null); - } - - /** - * Decrypts the user private key. - */ - public byte[] decryptExternalPrivate(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], byte encValue[], - org.mozilla.jss.crypto.X509Certificate transCert) - throws Exception { - - CMS.debug("EncryptionUnit.decryptExternalPrivate"); - CryptoToken token = getToken(transCert); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - PrivateKey wrappingKey = getPrivateKey(transCert); - String priKeyAlgo = wrappingKey.getAlgorithm(); - if (priKeyAlgo.equals("EC")) - params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB); - - SymmetricKey sk = unwrap_session_key( - token, - encSymmKey, - SymmetricKey.Usage.DECRYPT, - wrappingKey, - params); - - return decrypt_private_key(token, new IVParameterSpec(symmAlgParams), sk, encValue, params); - } - - /** - * External unwrapping. Unwraps the symmetric key using - * the transport private key. - */ - public SymmetricKey unwrap_symmetric(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], - byte encValue[], SymmetricKey.Type algorithm, int strength) - throws Exception { - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - CryptoToken token = getToken(); - // (1) unwrap the session key - SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP, params); - - // (2) unwrap the session-wrapped-symmetric-key - SymmetricKey symKey = unwrap_symmetric_key( - token, - new IVParameterSpec(symmAlgParams), - algorithm, - strength, - SymmetricKey.Usage.DECRYPT, - sk, - encValue, - params); - - return symKey; - } - - /** - * External unwrapping. Unwraps the data using - * the transport private key. - */ - public PrivateKey unwrap(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], - byte encValue[], PublicKey pubKey) - throws Exception { - return unwrap (encSymmKey, symmAlgOID, symmAlgParams, - encValue, pubKey, null); - } - - /** - * External unwrapping. Unwraps the data using - * the transport private key. - */ - public PrivateKey unwrap(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], - byte encValue[], PublicKey pubKey, - org.mozilla.jss.crypto.X509Certificate transCert) - throws Exception { - CryptoToken token = getToken(transCert); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - PrivateKey wrappingKey = getPrivateKey(transCert); - String priKeyAlgo = wrappingKey.getAlgorithm(); - if (priKeyAlgo.equals("EC")) - params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB); - - // (1) unwrap the session key - SymmetricKey sk = unwrap_session_key( - token, - encSymmKey, - SymmetricKey.Usage.UNWRAP, - wrappingKey, - params); - - // (2) unwrap the session-wrapped-private key - return unwrap_private_key( - token, - pubKey, - new IVParameterSpec(symmAlgParams), - true /*temporary*/, - sk, - encValue, - params); - } - - /** - * External unwrapping. Unwraps the data using - * the transport private key. - */ - - public byte[] decryptInternalPrivate(byte wrappedKeyData[]) - throws Exception { - CMS.debug("EncryptionUnit.decryptInternalPrivate"); - DerValue val = new DerValue(wrappedKeyData); - // val.tag == DerValue.tag_Sequence - DerInputStream in = val.data; - DerValue dSession = in.getDerValue(); - byte session[] = dSession.getOctetString(); - DerValue dPri = in.getDerValue(); - byte pri[] = dPri.getOctetString(); - - CryptoToken token = getToken(); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - // (1) unwrap the session key - CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:" + token.getName()); - SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.DECRYPT, params); - - // (2) decrypt the private key - return decrypt_private_key(token, IV, sk, pri, params); - } - - /** - * External unwrapping of stored symmetric key. - */ - public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize) - throws Exception { - DerValue val = new DerValue(wrappedKeyData); - // val.tag == DerValue.tag_Sequence - DerInputStream in = val.data; - DerValue dSession = in.getDerValue(); - byte session[] = dSession.getOctetString(); - DerValue dPri = in.getDerValue(); - byte pri[] = dPri.getOctetString(); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - CryptoToken token = getToken(); - // (1) unwrap the session key - SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params); - - // (2) unwrap the session-wrapped-symmetric key - return unwrap_symmetric_key(token, IV, algorithm, keySize, SymmetricKey.Usage.UNWRAP, sk, pri, params); - } - - /** - * Internal unwrapping. - */ - public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey pubKey) - throws Exception { - return _unwrap(wrappedKeyData, pubKey, true); - } - - /** - * Internal unwrapping. - */ - public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey) - throws Exception { - return _unwrap(wrappedKeyData, pubKey, false); - } - - /** - * Internal unwrapping. - */ - private PrivateKey _unwrap(byte wrappedKeyData[], PublicKey pubKey, boolean temporary) - throws Exception { - DerValue val = new DerValue(wrappedKeyData); - // val.tag == DerValue.tag_Sequence - DerInputStream in = val.data; - DerValue dSession = in.getDerValue(); - byte session[] = dSession.getOctetString(); - DerValue dPri = in.getDerValue(); - byte pri[] = dPri.getOctetString(); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - CryptoToken token = getToken(); - // (1) unwrap the session key - SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params); - - // (2) unwrap the private key - return unwrap_private_key(token, pubKey, IV, temporary, sk, pri, params); - } - - /*** - * Internal wrap, accounts for either private or symmetric key - */ - private byte[] _wrap(PrivateKey priKey, SymmetricKey symmKey) throws Exception { - try (DerOutputStream out = new DerOutputStream()) { - if ((priKey == null && symmKey == null) || (priKey != null && symmKey != null)) { - return null; - } - CMS.debug("EncryptionUnit.wrap interal."); - CryptoToken token = getToken(); - - SymmetricKey.Usage usages[] = new SymmetricKey.Usage[2]; - usages[0] = SymmetricKey.Usage.WRAP; - usages[1] = SymmetricKey.Usage.UNWRAP; - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, usages, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - // (1) generate session key - SymmetricKey sk = generate_session_key(token, true, params); - - // (2) wrap private key with session key - // KeyWrapper wrapper = internalToken.getKeyWrapper( - - byte pri[] = null; - - if (priKey != null) { - pri = wrap_private_key(token, sk, priKey, params); - } else if (symmKey != null) { - pri = wrap_symmetric_key(token, sk, symmKey, params); - } - - CMS.debug("EncryptionUnit:wrap() privKey wrapped"); - - byte[] session = wrap_session_key(token, getPublicKey(), sk, params); - CMS.debug("EncryptionUnit:wrap() session key wrapped"); - - // use MY own structure for now: - // SEQUENCE { - // encryptedSession OCTET STRING, - // encryptedPrivate OCTET STRING - // } - - DerOutputStream tmp = new DerOutputStream(); - - tmp.putOctetString(session); - tmp.putOctetString(pri); - out.write(DerValue.tag_Sequence, tmp); - - return out.toByteArray(); - } - } - /** * Verify the given key pair. */ @@ -422,10 +98,9 @@ public abstract class EncryptionUnit implements IEncryptionUnit { // Crypto specific methods below here ... ////////////////////////////////////////////////////////////////////////////////////////////////////////////// - private SymmetricKey generate_session_key(CryptoToken token, boolean temporary, WrappingParams params) - throws Exception{ + protected SymmetricKey generate_session_key(CryptoToken token, boolean temporary, WrappingParams params, + SymmetricKey.Usage[] usages) throws Exception { org.mozilla.jss.crypto.KeyGenerator kg = token.getKeyGenerator(params.getSkKeyGenAlgorithm()); - SymmetricKey.Usage[] usages = params.getSkUsages(); if (usages != null) kg.setKeyUsages(usages); kg.temporaryKeys(temporary); @@ -436,7 +111,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { return sk; } - private byte[] wrap_session_key(CryptoToken token, PublicKey wrappingKey, SymmetricKey sessionKey, + protected byte[] wrap_session_key(CryptoToken token, PublicKey wrappingKey, SymmetricKey sessionKey, WrappingParams params) throws Exception { KeyWrapper rsaWrap = token.getKeyWrapper(params.getSkWrapAlgorithm()); rsaWrap.initWrap(wrappingKey, null); @@ -444,7 +119,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { return session; } - public SymmetricKey unwrap_session_key(CryptoToken token, byte[] wrappedSessionKey, SymmetricKey.Usage usage, + protected SymmetricKey unwrap_session_key(CryptoToken token, byte[] wrappedSessionKey, SymmetricKey.Usage usage, PrivateKey wrappingKey, WrappingParams params) { try { KeyWrapper keyWrapper = token.getKeyWrapper(params.getSkWrapAlgorithm()); @@ -452,7 +127,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { SymmetricKey sk = keyWrapper.unwrapSymmetric( wrappedSessionKey, - params.getSkTyoe(), + params.getSkType(), usage, 0); CMS.debug("EncryptionUnit::unwrap_sym() unwrapped on slot: " @@ -464,15 +139,14 @@ public abstract class EncryptionUnit implements IEncryptionUnit { } } - private byte[] wrap_symmetric_key(CryptoToken token, SymmetricKey sessionKey, SymmetricKey data, + protected byte[] wrap_symmetric_key(CryptoToken token, SymmetricKey sessionKey, SymmetricKey data, WrappingParams params) throws Exception { KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm()); - - wrapper.initWrap(sessionKey, IV); + wrapper.initWrap(sessionKey, params.getPayloadEncryptionIV()); return wrapper.wrap(data); } - private SymmetricKey unwrap_symmetric_key(CryptoToken token, IVParameterSpec iv, SymmetricKey.Type algorithm, + protected SymmetricKey unwrap_symmetric_key(CryptoToken token, IVParameterSpec iv, SymmetricKey.Type algorithm, int strength, SymmetricKey.Usage usage, SymmetricKey sessionKey, byte[] wrappedData, WrappingParams params) throws Exception { KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm()); @@ -481,18 +155,18 @@ public abstract class EncryptionUnit implements IEncryptionUnit { return symKey; } - private byte[] wrap_private_key(CryptoToken token, SymmetricKey sessionKey, PrivateKey data, + protected byte[] wrap_private_key(CryptoToken token, SymmetricKey sessionKey, PrivateKey data, WrappingParams params) throws Exception { KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm()); - wrapper.initWrap(sessionKey, IV); + wrapper.initWrap(sessionKey, params.getPayloadWrappingIV()); return wrapper.wrap(data); } - private PrivateKey unwrap_private_key(CryptoToken token, PublicKey pubKey, IVParameterSpec iv, + protected PrivateKey unwrap_private_key(CryptoToken token, PublicKey pubKey, boolean temporary, SymmetricKey sessionKey, byte[] wrappedData, WrappingParams params) throws Exception { KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm()); - wrapper.initUnwrap(sessionKey, iv); + wrapper.initUnwrap(sessionKey, params.getPayloadWrappingIV()); // Get the key type for unwrapping the private key. PrivateKey.Type keyType = null; @@ -515,19 +189,18 @@ public abstract class EncryptionUnit implements IEncryptionUnit { return pk; } - private byte[] encrypt_private_key(CryptoToken token, SymmetricKey sessionKey, byte[] data, WrappingParams params) + protected byte[] encrypt_private_key(CryptoToken token, SymmetricKey sessionKey, byte[] data, WrappingParams params) throws Exception { Cipher cipher = token.getCipherContext(params.getPayloadEncryptionAlgorithm()); - - cipher.initEncrypt(sessionKey, IV); + cipher.initEncrypt(sessionKey, params.getPayloadEncryptionIV()); byte pri[] = cipher.doFinal(data); return pri; } - private byte[] decrypt_private_key(CryptoToken token, IVParameterSpec iv, SymmetricKey sessionKey, + protected byte[] decrypt_private_key(CryptoToken token, SymmetricKey sessionKey, byte[] encryptedData, WrappingParams params) throws Exception { Cipher cipher = token.getCipherContext(params.getPayloadEncryptionAlgorithm()); - cipher.initDecrypt(sessionKey, iv); + cipher.initDecrypt(sessionKey, params.getPayloadEncryptionIV()); return cipher.doFinal(encryptedData); } diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java index fbefc549e..5aa35da57 100644 --- a/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -169,7 +169,7 @@ public class EnrollmentService implements IService { if (CMS.debugOn()) CMS.debug("EnrollmentServlet: KRA services enrollment request"); - // the request reocrd field delayLDAPCommit == "true" will cause + // the request record field delayLDAPCommit == "true" will cause // updateRequest() to delay actual write to ldap request.setExtData("delayLDAPCommit", "true"); @@ -502,6 +502,22 @@ public class EnrollmentService implements IService { rec.set(KeyRecord.ATTR_REALM, realm); } + try { + rec.setWrappingParams(mStorageUnit.getWrappingParams()); + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); + // TODO(alee) Set correct audit message here + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } + IKeyRepository storage = mKRA.getKeyRepository(); BigInteger serialNo = storage.getNextSerialNumber(); diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index d3937915b..da227a113 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -456,9 +456,9 @@ public class NetkeyKeygenService implements IService { (wrapped_des_key.length > 0)) { WrappingParams wrapParams = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 0, KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); + KeyWrapAlgorithm.DES3_CBC_PAD, EncryptionUnit.IV, EncryptionUnit.IV); // unwrap the DES key sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams); @@ -686,6 +686,9 @@ public class NetkeyKeygenService implements IService { CMS.debug("NetkeyKeygenService: serialNo null"); return false; } + + rec.setWrappingParams(mStorageUnit.getWrappingParams()); + CMS.debug("NetkeyKeygenService: before addKeyRecord"); rec.set(KeyRecord.ATTR_ID, serialNo); request.setExtData(ATTR_KEY_RECORD, serialNo); diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java index 70b5e57a7..c89e2f388 100644 --- a/base/kra/src/com/netscape/kra/RecoveryService.java +++ b/base/kra/src/com/netscape/kra/RecoveryService.java @@ -274,7 +274,10 @@ public class RecoveryService implements IService { try { mKRA.getStorageKeyUnit().unwrap( - keyRecord.getPrivateKeyData(), null); + keyRecord.getPrivateKeyData(), + null, + false, + keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams())); } catch (Exception e) { throw new EBaseException("Failed to unwrap private key", e); } @@ -393,33 +396,21 @@ public class RecoveryService implements IService { mStorageUnit.login(creds); } - /* wrapped retrieve session key and private key */ - DerValue val = new DerValue(keyRecord.getPrivateKeyData()); - DerInputStream in = val.data; - DerValue dSession = in.getDerValue(); - byte session[] = dSession.getOctetString(); - DerValue dPri = in.getDerValue(); - byte pri[] = dPri.getOctetString(); - - /* debug */ - byte publicKeyData[] = keyRecord.getPublicKeyData(); PublicKey pubkey = null; try { - pubkey = X509Key.parsePublicKey(new DerValue(publicKeyData)); + pubkey = X509Key.parsePublicKey(new DerValue(keyRecord.getPublicKeyData())); } catch (Exception e) { CMS.debug("RecoverService: after parsePublicKey:" + e.toString()); throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "public key parsing failure")); } - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + PrivateKey privKey = null; try { privKey = mStorageUnit.unwrap( - session, - keyRecord.getAlgorithm(), - iv, - pri, - pubkey); - + keyRecord.getPrivateKeyData(), + pubkey, + false, + keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams())); } catch (Exception e) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", @@ -564,7 +555,9 @@ public class RecoveryService implements IService { mKRA.log(ILogger.LL_INFO, "KRA decrypts internal private"); try { - byte[] privateKeyData = mStorageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData()); + byte[] privateKeyData = mStorageUnit.decryptInternalPrivate( + keyRecord.getPrivateKeyData(), + keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams())); if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { mStorageUnit.logout(); diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index 1c94bca6e..212e99217 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java @@ -179,7 +179,8 @@ public class SecurityDataProcessor { wrappedSessionKey, algStr, sparams, - secdata); + secdata, + null); } catch (Exception e) { throw new EBaseException("Can't decrypt symm key using allEncDecrypt_archival : true ."); @@ -215,7 +216,8 @@ public class SecurityDataProcessor { wrappedSessionKey, algStr, sparams, - secdata); + secdata, + null); } catch (Exception e) { throw new EBaseException("Can't decrypt passphrase.", e); } @@ -290,6 +292,16 @@ public class SecurityDataProcessor { rec.set(KeyRecord.ATTR_REALM, realm); } + try { + rec.setWrappingParams(storageUnit.getWrappingParams()); + } catch (Exception e) { + kra.log(ILogger.LL_FAILURE, + "Failed to store wrapping parameters: " + e); + auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, + clientKeyId, null, "Failed to store wrapping parameters"); + throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"), e); + } + CMS.debug("KRA adding Security Data key record " + serialNo); keyRepository.addKeyRecord(rec); @@ -406,7 +418,11 @@ public class SecurityDataProcessor { byte[] privateKeyData = keyRecord.getPrivateKeyData(); PublicKey publicKey = X509Key.parsePublicKey(new DerValue(publicKeyData)); - privateKey = storageUnit.unwrap_temp(privateKeyData, publicKey); + privateKey = storageUnit.unwrap( + privateKeyData, + publicKey, + true, + keyRecord.getWrappingParams(storageUnit.getOldWrappingParams())); } } catch (Exception e) { @@ -420,9 +436,9 @@ public class SecurityDataProcessor { CryptoToken ct = transportUnit.getToken(); WrappingParams wrapParams = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 0, KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); + KeyWrapAlgorithm.DES3_CBC_PAD, EncryptionUnit.IV, EncryptionUnit.IV); byte[] key_data = null; String pbeWrappedData = null; @@ -612,7 +628,8 @@ public class SecurityDataProcessor { storageUnit.unwrap( keyRecord.getPrivateKeyData(), KeyRequestService.SYMKEY_TYPES.get(keyRecord.getAlgorithm()), - keyRecord.getKeySize()); + keyRecord.getKeySize(), + keyRecord.getWrappingParams(storageUnit.getOldWrappingParams())); return symKey; } catch (Exception e) { throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", @@ -623,7 +640,9 @@ public class SecurityDataProcessor { public byte[] recoverSecurityData(KeyRecord keyRecord) throws EBaseException { try { - return storageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData()); + return storageUnit.decryptInternalPrivate( + keyRecord.getPrivateKeyData(), + keyRecord.getWrappingParams(storageUnit.getOldWrappingParams())); } catch (Exception e) { CMS.debug("Failed to recover security data: " + e); throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java index 83f3e2a79..d486fa7f6 100644 --- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java +++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java @@ -36,6 +36,7 @@ import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IllegalBlockSizeException; +import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.KeyWrapper; @@ -60,9 +61,14 @@ import com.netscape.certsrv.kra.IShare; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.security.Credential; import com.netscape.certsrv.security.IStorageKeyUnit; +import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Utils; +import netscape.security.util.DerInputStream; +import netscape.security.util.DerOutputStream; +import netscape.security.util.DerValue; + /** * A class represents a storage key unit. Currently, this * is implemented with cryptix, the final implementation @@ -99,6 +105,7 @@ public class StorageKeyUnit extends EncryptionUnit implements public static final String PROP_KEYDB = "keydb"; public static final String PROP_CERTDB = "certdb"; public static final String PROP_MN = "mn"; + public static final String PROP_OLD_WRAPPING = "useOldWrapping"; /** * Constructs this token. @@ -123,6 +130,17 @@ public class StorageKeyUnit extends EncryptionUnit implements throw new EBaseException(CMS.getUserMessage("CMS_INVALID_OPERATION")); } + public WrappingParams getWrappingParams() throws EBaseException { + if (mConfig.getBoolean(PROP_OLD_WRAPPING, false)) { + return this.getOldWrappingParams(); + } + + return new WrappingParams( + SymmetricKey.AES, KeyGenAlgorithm.AES, 256, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.AES_256_CBC_PAD, + KeyWrapAlgorithm.AES_KEY_WRAP_PAD, IV2, null); + } + /** * return true if byte arrays are equal, false otherwise */ @@ -1001,4 +1019,160 @@ public class StorageKeyUnit extends EncryptionUnit implements return true; } + /**************************************************************************************** + * Methods to encrypt and store secrets in the database + ***************************************************************************************/ + + public byte[] encryptInternalPrivate(byte priKey[]) throws Exception { + try (DerOutputStream out = new DerOutputStream()) { + CMS.debug("EncryptionUnit.encryptInternalPrivate"); + CryptoToken internalToken = getInternalToken(); + + WrappingParams params = getWrappingParams(); + + // (1) generate session key + SymmetricKey sk = generate_session_key(internalToken, false, params, null); + + // (2) wrap private key with session key + byte[] pri = encrypt_private_key(internalToken, sk, priKey, params); + + // (3) wrap session with storage public + byte[] session = wrap_session_key(internalToken, getPublicKey(), sk, params); + + // use MY own structure for now: + // SEQUENCE { + // encryptedSession OCTET STRING, + // encryptedPrivate OCTET STRING + // } + + DerOutputStream tmp = new DerOutputStream(); + + tmp.putOctetString(session); + tmp.putOctetString(pri); + out.write(DerValue.tag_Sequence, tmp); + + return out.toByteArray(); + } + } + + public byte[] wrap(PrivateKey privKey) throws Exception { + return _wrap(privKey,null); + } + + public byte[] wrap(SymmetricKey symmKey) throws Exception { + return _wrap(null,symmKey); + } + + /*** + * Internal wrap, accounts for either private or symmetric key + */ + private byte[] _wrap(PrivateKey priKey, SymmetricKey symmKey) throws Exception { + try (DerOutputStream out = new DerOutputStream()) { + if ((priKey == null && symmKey == null) || (priKey != null && symmKey != null)) { + return null; + } + CMS.debug("EncryptionUnit.wrap interal."); + WrappingParams params = getWrappingParams(); + CryptoToken token = getToken(); + + SymmetricKey.Usage usages[] = new SymmetricKey.Usage[2]; + usages[0] = SymmetricKey.Usage.WRAP; + usages[1] = SymmetricKey.Usage.UNWRAP; + + // (1) generate session key + SymmetricKey sk = generate_session_key(token, true, params, usages); + + // (2) wrap private key with session key + // KeyWrapper wrapper = internalToken.getKeyWrapper( + + byte pri[] = null; + + if (priKey != null) { + pri = wrap_private_key(token, sk, priKey, params); + } else if (symmKey != null) { + pri = wrap_symmetric_key(token, sk, symmKey, params); + } + + CMS.debug("EncryptionUnit:wrap() privKey wrapped"); + + byte[] session = wrap_session_key(token, getPublicKey(), sk, params); + CMS.debug("EncryptionUnit:wrap() session key wrapped"); + + // use MY own structure for now: + // SEQUENCE { + // encryptedSession OCTET STRING, + // encryptedPrivate OCTET STRING + // } + + DerOutputStream tmp = new DerOutputStream(); + + tmp.putOctetString(session); + tmp.putOctetString(pri); + out.write(DerValue.tag_Sequence, tmp); + + return out.toByteArray(); + } + } + + /**************************************************************************************** + * Methods to decrypt and retrieve secrets from the database + ***************************************************************************************/ + + public byte[] decryptInternalPrivate(byte wrappedKeyData[], WrappingParams params) + throws Exception { + CMS.debug("EncryptionUnit.decryptInternalPrivate"); + DerValue val = new DerValue(wrappedKeyData); + // val.tag == DerValue.tag_Sequence + DerInputStream in = val.data; + DerValue dSession = in.getDerValue(); + byte session[] = dSession.getOctetString(); + DerValue dPri = in.getDerValue(); + byte pri[] = dPri.getOctetString(); + + CryptoToken token = getToken(); + + // (1) unwrap the session key + CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:" + token.getName()); + SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.DECRYPT, params); + + // (2) decrypt the private key + return decrypt_private_key(token, sk, pri, params); + } + + public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize, + WrappingParams params) throws Exception { + DerValue val = new DerValue(wrappedKeyData); + // val.tag == DerValue.tag_Sequence + DerInputStream in = val.data; + DerValue dSession = in.getDerValue(); + byte session[] = dSession.getOctetString(); + DerValue dPri = in.getDerValue(); + byte pri[] = dPri.getOctetString(); + + CryptoToken token = getToken(); + // (1) unwrap the session key + SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params); + + // (2) unwrap the session-wrapped-symmetric key + return unwrap_symmetric_key(token, params.getPayloadWrappingIV(), algorithm, keySize, SymmetricKey.Usage.UNWRAP, + sk, pri, params); + } + + public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey, boolean temporary, WrappingParams params) + throws Exception { + DerValue val = new DerValue(wrappedKeyData); + // val.tag == DerValue.tag_Sequence + DerInputStream in = val.data; + DerValue dSession = in.getDerValue(); + byte session[] = dSession.getOctetString(); + DerValue dPri = in.getDerValue(); + byte pri[] = dPri.getOctetString(); + + CryptoToken token = getToken(); + // (1) unwrap the session key + SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params); + + // (2) unwrap the private key + return unwrap_private_key(token, pubKey, temporary, sk, pri, params); + } } diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java index 7d42cb45b..17475d922 100644 --- a/base/kra/src/com/netscape/kra/SymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java @@ -224,6 +224,16 @@ public class SymKeyGenService implements IService { rec.set(KeyRecord.ATTR_REALM, realm); } + try { + rec.setWrappingParams(mStorageUnit.getWrappingParams()); + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, + "Failed to store wrapping parameters: " + e); + auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), + clientKeyId, null, "Failed to store wraping parameters."); + throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"), e); + } + CMS.debug("KRA adding Security Data key record " + serialNo); storage.addKeyRecord(rec); diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index 5ad8044d7..c08369271 100644 --- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java @@ -273,9 +273,9 @@ public class TokenKeyRecoveryService implements IService { (wrapped_des_key.length > 0)) { WrappingParams wrapParams = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 0, KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); + KeyWrapAlgorithm.DES3_CBC_PAD, EncryptionUnit.IV, EncryptionUnit.IV); // unwrap the des key sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams); @@ -676,31 +676,21 @@ public class TokenKeyRecoveryService implements IService { } try { - /* wrapped retrieve session key and private key */ - DerValue val = new DerValue(keyRecord.getPrivateKeyData()); - DerInputStream in = val.data; - DerValue dSession = in.getDerValue(); - byte session[] = dSession.getOctetString(); - DerValue dPri = in.getDerValue(); - byte pri[] = dPri.getOctetString(); - - byte publicKeyData[] = keyRecord.getPublicKeyData(); PublicKey pubkey = null; try { - pubkey = X509Key.parsePublicKey (new DerValue(publicKeyData)); + pubkey = X509Key.parsePublicKey (new DerValue(keyRecord.getPublicKeyData())); } catch (Exception e) { CMS.debug("TokenKeyRecoverService: after parsePublicKey:"+e.toString()); throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "public key parsing failure")); } - byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1}; + PrivateKey privKey = null; try { privKey = mStorageUnit.unwrap( - session, - keyRecord.getAlgorithm(), - iv, - pri, - pubkey); + keyRecord.getPrivateKeyData(), + pubkey, + false, + keyRecord.getWrappingParams(mStorageUnit.getOldWrappingParams())); } catch (Exception e) { CMS.debug("TokenKeyRecoveryService: recoverKey() - recovery failure"); throw new EKRAException( @@ -728,7 +718,9 @@ public class TokenKeyRecoveryService implements IService { mStorageUnit.login(creds); */ try { - return mStorageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData()); + return mStorageUnit.decryptInternalPrivate( + keyRecord.getPrivateKeyData(), + keyRecord.getWrappingParams(mStorageUnit.getOldWrappingParams())); /* mStorageUnit.logout();*/ } catch (Exception e){ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java index 2efdac7ad..768aee552 100644 --- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java +++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java @@ -21,10 +21,15 @@ import java.security.PublicKey; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.EncryptionAlgorithm; +import org.mozilla.jss.crypto.IVParameterSpec; +import org.mozilla.jss.crypto.KeyGenAlgorithm; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.ObjectNotFoundException; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.Signature; import org.mozilla.jss.crypto.SignatureAlgorithm; +import org.mozilla.jss.crypto.SymmetricKey; import org.mozilla.jss.crypto.TokenException; import com.netscape.certsrv.apps.CMS; @@ -32,6 +37,7 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.security.ITransportKeyUnit; +import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmsutil.util.Cert; /** @@ -110,6 +116,10 @@ public class TransportKeyUnit extends EncryptionUnit implements } } + public WrappingParams getWrappingParams() { + return getOldWrappingParams(); + } + public CryptoToken getInternalToken() { try { return CryptoManager.getInstance().getInternalKeyStorageToken(); @@ -253,4 +263,112 @@ public class TransportKeyUnit extends EncryptionUnit implements throws EBaseException { // XXX } + + public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params) { + return unwrap_session_key(getToken(), encSymmKey, SymmetricKey.Usage.WRAP, params); + } + + /** + * Decrypts the user private key. This is called on the transport unit. + */ + public byte[] decryptExternalPrivate(byte encSymmKey[], + String symmAlgOID, byte symmAlgParams[], byte encValue[], + org.mozilla.jss.crypto.X509Certificate transCert) + throws Exception { + + CMS.debug("EncryptionUnit.decryptExternalPrivate"); + CryptoToken token = getToken(transCert); + + // TODO(alee) Strictly speaking, we should set the wrapping params from the + // params coming in. (symmAlgOID etc). Will fix this in a later patch. + WrappingParams params = getWrappingParams(); + params.setPayloadEncryptionIV(new IVParameterSpec(symmAlgParams)); + + PrivateKey wrappingKey = getPrivateKey(transCert); + String priKeyAlgo = wrappingKey.getAlgorithm(); + if (priKeyAlgo.equals("EC")) + params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB); + + SymmetricKey sk = unwrap_session_key( + token, + encSymmKey, + SymmetricKey.Usage.DECRYPT, + wrappingKey, + params); + + return decrypt_private_key(token, sk, encValue, params); + } + + /** + * External unwrapping. Unwraps the symmetric key using + * the transport private key. + */ + public SymmetricKey unwrap_symmetric(byte encSymmKey[], + String symmAlgOID, byte symmAlgParams[], + byte encValue[], SymmetricKey.Type algorithm, int strength) + throws Exception { + + // TODO(alee) Strictly speaking, we should set the wrapping params from the + // params coming in. (symmAlgOID etc). Will fix this in a later patch. + WrappingParams params = getWrappingParams(); + params.setPayloadEncryptionIV(new IVParameterSpec(symmAlgParams)); + + CryptoToken token = getToken(); + // (1) unwrap the session key + SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP, params); + + // (2) unwrap the session-wrapped-symmetric-key + SymmetricKey symKey = unwrap_symmetric_key( + token, + new IVParameterSpec(symmAlgParams), + algorithm, + strength, + SymmetricKey.Usage.DECRYPT, + sk, + encValue, + params); + + return symKey; + } + + /** + * External unwrapping. Unwraps the data using + * the transport private key. + */ + public PrivateKey unwrap(byte encSymmKey[], + String symmAlgOID, byte symmAlgParams[], + byte encValue[], PublicKey pubKey, + org.mozilla.jss.crypto.X509Certificate transCert) + throws Exception { + CryptoToken token = getToken(transCert); + + WrappingParams params = new WrappingParams( + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 0, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, + KeyWrapAlgorithm.DES3_CBC_PAD, + new IVParameterSpec(symmAlgParams), + new IVParameterSpec(symmAlgParams)); + + PrivateKey wrappingKey = getPrivateKey(transCert); + String priKeyAlgo = wrappingKey.getAlgorithm(); + if (priKeyAlgo.equals("EC")) + params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB); + + // (1) unwrap the session key + SymmetricKey sk = unwrap_session_key( + token, + encSymmKey, + SymmetricKey.Usage.UNWRAP, + wrappingKey, + params); + + // (2) unwrap the session-wrapped-private key + return unwrap_private_key( + token, + pubKey, + true /*temporary*/, + sk, + encValue, + params); + } } diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java index 256f72879..c1711c240 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java +++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java @@ -46,6 +46,18 @@ public class KeyRecordParser { public final static String OUT_RECOVERED_BY = "recoveredBy"; public final static String OUT_RECOVERED_ON = "recoveredOn"; + /* parameters to populate WrappingParams */ + public final static String OUT_SK_TYPE = "sessionKeyType"; + public final static String OUT_SK_KEYGEN_ALGORITHM = "sessionKeyKeyGenAlgorithm"; + public final static String OUT_SK_LENGTH = "sessionKeyLength"; + public final static String OUT_SK_WRAP_ALGORITHM = "sessionKeyWrapAlgorithm"; + public final static String OUT_PL_WRAP_ALGORITHM = "payloadWrapAlgorithm"; + public final static String OUT_PL_WRAP_IV = "payloadWrapIV"; + public final static String OUT_PL_ENCRYPTION_ALGORITHM = "payloadEncryptionAlgorithm"; + public final static String OUT_PL_ENCRYPTION_MODE = "payloadEncryptionMode"; + public final static String OUT_PL_ENCRYPTION_PADDING = "payloadEncryptionPadding"; + public final static String OUT_PL_ENCRYPTION_IV = "payloadEncryptionIV"; + /** * Fills key record into argument block. */ diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java index 90050132b..31459aefa 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java +++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java @@ -22,11 +22,16 @@ import java.util.Date; import java.util.Enumeration; import java.util.Vector; +import org.apache.commons.codec.binary.Base64; +import org.mozilla.jss.crypto.IVParameterSpec; + import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.dbs.IDBObj; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.KeyState; +import com.netscape.certsrv.security.WrappingParams; +import com.netscape.cms.servlet.key.KeyRecordParser; /** * A class represents a Key record. It maintains the key @@ -397,4 +402,89 @@ public class KeyRecord implements IDBObj, IKeyRecord { public String getRealm() throws EBaseException { return realm; } + + public void setWrappingParams(WrappingParams params) throws Exception { + if (mMetaInfo == null) { + mMetaInfo = new MetaInfo(); + } + // set session key parameters + mMetaInfo.set(KeyRecordParser.OUT_SK_LENGTH, String.valueOf(params.getSkLength())); + if (params.getSkType() != null) { + mMetaInfo.set(KeyRecordParser.OUT_SK_TYPE, params.getSkType().toString()); + } + if (params.getSkKeyGenAlgorithm() != null) { + // JSS doesn't have a name map or a functional OID map + // for now, save the "name" + mMetaInfo.set(KeyRecordParser.OUT_SK_KEYGEN_ALGORITHM, params.getSkKeyGenAlgorithm().toString()); + } + if (params.getSkWrapAlgorithm() != null) { + mMetaInfo.set(KeyRecordParser.OUT_SK_WRAP_ALGORITHM, params.getSkWrapAlgorithm().toString()); + } + + // set payload parameters + if (params.getPayloadEncryptionAlgorithm() != null) { + mMetaInfo.set(KeyRecordParser.OUT_PL_ENCRYPTION_ALGORITHM, params.getPayloadEncryptionAlgorithm().getAlg().toString()); + mMetaInfo.set(KeyRecordParser.OUT_PL_ENCRYPTION_MODE, params.getPayloadEncryptionAlgorithm().getMode().toString()); + mMetaInfo.set(KeyRecordParser.OUT_PL_ENCRYPTION_PADDING, params.getPayloadEncryptionAlgorithm().getPadding().toString()); + } + if (params.getPayloadWrapAlgorithm() != null) { + mMetaInfo.set(KeyRecordParser.OUT_PL_WRAP_ALGORITHM, params.getPayloadWrapAlgorithm().toString()); + } + if (params.getPayloadWrappingIV() != null) { + // store as base64 encoded string + mMetaInfo.set( + KeyRecordParser.OUT_PL_WRAP_IV, + Base64.encodeBase64String(params.getPayloadWrappingIV().getIV()) + ); + } + if (params.getPayloadEncryptionIV() != null) { + // store as base 64 encoded string + mMetaInfo.set( + KeyRecordParser.OUT_PL_ENCRYPTION_IV, + Base64.encodeBase64String(params.getPayloadEncryptionIV().getIV()) + ); + } + + } + + public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception { + if ((mMetaInfo == null) || (mMetaInfo.get(KeyRecordParser.OUT_SK_TYPE) == null)) { + // This is likely a legacy record. Return the old DES3 parameters. + // TODO(alee) modify to pass this in - to keep bean-ness + return oldParams; + } + + WrappingParams params = new WrappingParams(); + params.setSkType(mMetaInfo.get(KeyRecordParser.OUT_SK_TYPE).toString()); + params.setSkLength(Integer.parseInt(mMetaInfo.get(KeyRecordParser.OUT_SK_LENGTH).toString())); + + Object data = mMetaInfo.get(KeyRecordParser.OUT_SK_WRAP_ALGORITHM); + if (data != null) params.setSkWrapAlgorithm(data.toString()); + + data = mMetaInfo.get(KeyRecordParser.OUT_SK_KEYGEN_ALGORITHM); + if (data != null) params.setSkKeyGenAlgorithm(data.toString()); + + data = mMetaInfo.get(KeyRecordParser.OUT_PL_WRAP_ALGORITHM); + if (data != null) params.setPayloadWrapAlgorithm(data.toString()); + + params.setPayloadEncryptionAlgorithm( + mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTION_ALGORITHM).toString(), + mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTION_MODE).toString(), + mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTION_PADDING).toString(), + Integer.parseInt(mMetaInfo.get(KeyRecordParser.OUT_SK_LENGTH).toString())); + + data = mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTION_IV); + if (data != null) { + byte[] iv = Base64.decodeBase64(data.toString()); + params.setPayloadEncryptionIV(new IVParameterSpec(iv)); + } + + data = mMetaInfo.get(KeyRecordParser.OUT_PL_WRAP_IV); + if (data != null) { + byte[] iv = Base64.decodeBase64(data.toString()); + params.setPayloadWrappingIV(new IVParameterSpec(iv)); + } + + return params; + } } |