author | Andrew Wnuk <awnuk@redhat.com> | 2013-09-27 19:32:35 -0400 |
---|---|---|
committer | Andrew Wnuk <awnuk@redhat.com> | 2013-09-30 19:47:20 -0400 |
commit | 2b9fcdae818eded53ab64e5b86b947c80a262722 (patch) | |
tree | 527b0977700ebcdfdfdd723e37667456d46532af /base/common/src/com/netscape/certsrv/security | |
parent | d042f57747ed314030de70ee09c13d3aa7f8855c (diff) | |
DRM Transport Key Rotation
This patch provides basic support for DRM Transport Key Rotation described
in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
This patch implements the following tickets:
- 729 - CA to include transport certificate when submitting archival request to DRM
- 730 - DRM to detect presence of transport certificate attribute in submitted archival
request and validate transport certificate against DRM's transport key list
- 731 - DRM to provide handling for alternative transport key based on detected
and validated transport certificate arriving as a part of extended archival request
Diffstat (limited to 'base/common/src/com/netscape/certsrv/security')
-rw-r--r-- | base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java | 34 | ||||
-rw-r--r-- | base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java | 21 |
2 files changed, 55 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
index 6b96dbc11..55bd56318 100644
--- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
+++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
@@ -85,6 +85,24 @@ public interface IEncryptionUnit extends IToken {
 throws EBaseException;
 
 /**
+ * Unwraps data. This method rebuilds the private key by
+ * unwrapping the private key data.
+ *
+ * @param sessionKey session key that unwrap the private key
+ * @param symmAlgOID symmetric algorithm
+ * @param symmAlgParams symmetric algorithm parameters
+ * @param privateKey private key data
+ * @param pubKey public key
+ * @param transportCert transport certificate
+ * @return private key object
+ * @exception EBaseException failed to unwrap
+ */
+ public PrivateKey unwrap(byte encSymmKey[], String symmAlgOID,
+ byte symmAlgParams[], byte encValue[], PublicKey pubKey,
+ org.mozilla.jss.crypto.X509Certificate transportCert)
+ throws EBaseException;
+
+ /**
 * Unwraps symmetric key data. This method rebuilds the symmetric key by
 * unwrapping the private data blob.
 *
@@ -172,4 +190,20 @@ public interface IEncryptionUnit extends IToken {
 String symmAlgOID, byte symmAlgParams[], byte privateKey[])
 throws EBaseException;
+
+ /**
+ * Decrypts the external private key (private key from the end-user).
+ *
+ * @param sessionKey session key that protects the user private
+ * @param symmAlgOID symmetric algorithm
+ * @param symmAlgParams symmetric algorithm parameters
+ * @param privateKey private key data
+ * @param transportCert transport certificate
+ * @return private key data
+ * @exception EBaseException failed to decrypt
+ */
+ public byte[] decryptExternalPrivate(byte sessionKey[],
+ String symmAlgOID, byte symmAlgParams[], byte privateKey[],
+ org.mozilla.jss.crypto.X509Certificate transportCert)
+ throws EBaseException;
 }
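Review bot: The Javadoc on the new `unwrap` overload documents parameters that do not exist in its signature — `@param sessionKey` and `@param privateKey` while the declared names are `encSymmKey` and `encValue` — and the second hunk's `@param sessionKey session key that protects the user private` is a cut-off sentence, so the tags should read `@param encSymmKey session key, wrapped to the transport key, that unwraps the private key` and `@param encValue wrapped private key data`. Neither overload says what `transportCert` is for or who vets it: it appears to select which transport private key unwraps the session key, so the interface should state the precondition rather than leave it to each implementation, e.g. `@param transportCert transport certificate identifying the DRM transport key to unwrap with; must already have been matched against the DRM's configured transport certificates, never taken as-is from the request`. The commit message says the DRM validates the certificate against its transport key list, but nothing in these declarations records that contract, and an implementation that trusts a caller-supplied certificate here would let a request choose the unwrapping key. Both declarations are complete within the hunk; the interface body continues outside it.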
diff --git a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
index e7bf77b49..1208a7d42 100644
--- a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
+++ b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
@@ -42,6 +42,27 @@ public interface ITransportKeyUnit extends IEncryptionUnit {
 public org.mozilla.jss.crypto.X509Certificate getCertificate();
 
 /**
+ * Retrieves new transport certificate.
+ *
+ * @return certificate
+ */
+ public org.mozilla.jss.crypto.X509Certificate getNewCertificate();
+
+ /**
+ * Verifies transport certificate.
+ *
+ * @return certificate
+ */
+ public org.mozilla.jss.crypto.X509Certificate verifyCertificate(String transportCert);
+
+ /**
+ * Retrieves private key associated with certificate
+ *
+ * @return certificate
+ */
+ public PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert);
+
+ /**
 * Unwraps symmetric key . This method
 * unwraps the symmetric key.
 * |
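Review bot: `verifyCertificate(String transportCert)` is the check the DRM will rely on to decide which transport key unwraps an archival request, yet its Javadoc says only "Verifies transport certificate" with `@return certificate` — it does not say what the input is (presumably an encoded certificate from the request; confirm the encoding), what it is verified against, or whether a non-matching certificate yields `null` or an `EBaseException`, and implementations and callers must agree on that or a mismatch goes unnoticed. I would document it as `@param transportCert encoded transport certificate received with the request` and `@return the matching certificate from this unit's configured transport certificates, or null when it matches none (callers must treat null as a rejected request)`, adjusting the failure clause to whatever the implementation actually does. `getPrivateKey` is documented as `@return certificate` although it returns a `PrivateKey` and has no `@param cert`; `getNewCertificate` should also say what it returns when no rotation is in progress. All three declarations are complete within the hunk; the interface body continues outside it.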