DRM Transport Key Rotation

This patch provides basic support for DRM Transport Key Rotation described
in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation

This patch provides implementation for tickets:
 - 729 - CA to include transport certificate when submitting archival request to DRM
 - 730 - DRM to detect presence of transport certificate attribute in submitted archival
         request and validate transport certificate against DRM's transport key list
 - 731 - DRM to provide handling for alternative transport key based on detected
         and validated transport certificate arriving as a part of extended archival request

2 files changed, 55 insertions, 0 deletions

diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
index 6b96dbc11..55bd56318 100644
--- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
+++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
@@ -85,6 +85,24 @@ public interface IEncryptionUnit extends IToken {
             throws EBaseException;
 
     /**
+     * Unwraps data. This method rebuilds the private key by
+     * unwrapping the private key data.
+     *
+     * @param sessionKey session key that unwrap the private key
+     * @param symmAlgOID symmetric algorithm
+     * @param symmAlgParams symmetric algorithm parameters
+     * @param privateKey private key data
+     * @param pubKey public key
+     * @param transportCert transport certificate
+     * @return private key object
+     * @exception EBaseException failed to unwrap
+     */
+    public PrivateKey unwrap(byte encSymmKey[], String symmAlgOID,
+            byte symmAlgParams[], byte encValue[], PublicKey pubKey,
+            org.mozilla.jss.crypto.X509Certificate transportCert)
+            throws EBaseException;
+
+    /**
      * Unwraps symmetric key data. This method rebuilds the symmetric key by
      * unwrapping the private data blob.
      *
@@ -172,4 +190,20 @@ public interface IEncryptionUnit extends IToken {
             String symmAlgOID,
             byte symmAlgParams[], byte privateKey[])
             throws EBaseException;
+
+    /**
+     * Decrypts the external private key (private key from the end-user).
+     *
+     * @param sessionKey session key that protects the user private
+     * @param symmAlgOID symmetric algorithm
+     * @param symmAlgParams symmetric algorithm parameters
+     * @param privateKey private key data
+     * @param transportCert transport certificate
+     * @return private key data
+     * @exception EBaseException failed to decrypt
+     */
+    public byte[] decryptExternalPrivate(byte sessionKey[],
+            String symmAlgOID, byte symmAlgParams[], byte privateKey[],
+            org.mozilla.jss.crypto.X509Certificate transportCert)
+            throws EBaseException;
 }
diff --git a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
index e7bf77b49..1208a7d42 100644
--- a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
+++ b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
@@ -42,6 +42,27 @@ public interface ITransportKeyUnit extends IEncryptionUnit {
     public org.mozilla.jss.crypto.X509Certificate getCertificate();
 
     /**
+     * Retrieves new transport certificate.
+     *
+     * @return certificate
+     */
+    public org.mozilla.jss.crypto.X509Certificate getNewCertificate();
+
+    /**
+     * Verifies transport certificate.
+     *
+     * @return certificate
+     */
+    public org.mozilla.jss.crypto.X509Certificate verifyCertificate(String transportCert);
+
+    /**
+     * Retrieves private key associated with certificate
+     *
+     * @return certificate
+     */
+    public PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert);
+
+    /**
      * Unwraps symmetric key . This method
      * unwraps the symmetric key.
      *