diff options
author | Abhishek Koneru <akoneru@redhat.com> | 2014-02-26 13:15:57 -0500 |
---|---|---|
committer | Abhishek Koneru <akoneru@redhat.com> | 2014-03-19 19:17:39 -0400 |
commit | 24294c097dd0dd9f7de0202443a8c8e34807bb2f (patch) | |
tree | 03e393bb71fb1263ee85571b26a0f108e1133e1b /base/common/src/com/netscape/certsrv/util | |
parent | fbd1b96a35946b7ebf36afea3f3a2a50dcbf193f (diff) | |
download | pki-24294c097dd0dd9f7de0202443a8c8e34807bb2f.tar.gz pki-24294c097dd0dd9f7de0202443a8c8e34807bb2f.tar.xz pki-24294c097dd0dd9f7de0202443a8c8e34807bb2f.zip |
Changes to KeyClient on the java side.
The KeyClient class on the java side is modified to
have a similar design as the KeyClient class on the python side.
Diffstat (limited to 'base/common/src/com/netscape/certsrv/util')
-rw-r--r-- | base/common/src/com/netscape/certsrv/util/CryptoProvider.java | 25 | ||||
-rw-r--r-- | base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java | 204 |
2 files changed, 229 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/certsrv/util/CryptoProvider.java b/base/common/src/com/netscape/certsrv/util/CryptoProvider.java new file mode 100644 index 000000000..f5e5603aa --- /dev/null +++ b/base/common/src/com/netscape/certsrv/util/CryptoProvider.java @@ -0,0 +1,25 @@ +package com.netscape.certsrv.util; + +import org.mozilla.jss.crypto.SymmetricKey; + +public abstract class CryptoProvider { + + public abstract void initialize() throws Exception; + + public abstract SymmetricKey generateSymmetricKey(String keyAlgorithm, int keySize) throws Exception; + + public abstract SymmetricKey generateSessionKey() throws Exception; + + public abstract byte[] wrapSessionKeyWithTransportCert(SymmetricKey sessionKey, String transportCert) + throws Exception; + + public abstract byte[] wrapUsingSessionKey(String passphrase, byte[] iv, SymmetricKey key, String keyAlgorithm) + throws Exception; + + public abstract String unwrapUsingSessionKey(byte[] wrappedRecoveredKey, SymmetricKey recoveryKey, + String keyAlgorithm, byte[] nonceData) throws Exception; + + public abstract String unWrapUsingPassphrase(String wrappedRecoveredKey, String recoveryPassphrase) + throws Exception; + +} diff --git a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java new file mode 100644 index 000000000..ae4e0d168 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java @@ -0,0 +1,204 @@ +package com.netscape.certsrv.util; + +import java.io.File; +import java.security.GeneralSecurityException; +import java.security.NoSuchAlgorithmException; + +import org.mozilla.jss.CertDatabaseException; +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.CryptoManager.NotInitializedException; +import org.mozilla.jss.KeyDatabaseException; +import org.mozilla.jss.crypto.AlreadyInitializedException; +import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.EncryptionAlgorithm; +import org.mozilla.jss.crypto.IVParameterSpec; +import org.mozilla.jss.crypto.KeyGenAlgorithm; +import org.mozilla.jss.crypto.SymmetricKey; +import org.mozilla.jss.crypto.TokenException; +import org.mozilla.jss.util.IncorrectPasswordException; +import org.mozilla.jss.util.Password; + +import com.netscape.certsrv.client.ClientConfig; +import com.netscape.certsrv.key.KeyRequestResource; +import com.netscape.cmsutil.crypto.CryptoUtil; + +public class NSSCryptoProvider extends CryptoProvider { + + private CryptoManager manager; + private CryptoToken token; + private File certDBDir; + private String certDBPassword; + + public CryptoManager getManager() { + return manager; + } + + public void setManager(CryptoManager manager) { + this.manager = manager; + } + + public CryptoToken getToken() { + return token; + } + + public void setToken(CryptoToken token) { + this.token = token; + } + + public NSSCryptoProvider(ClientConfig config) + throws Exception { + if (config == null) { + throw new IllegalArgumentException("ClientConfig object must be specified."); + } + if ((config.getCertDatabase() == null) || (config.getCertPassword() == null)) { + throw new IllegalArgumentException(" Both the db directory path and the password must be specified."); + } + this.certDBDir = new File(config.getCertDatabase()); + if (this.certDBDir.exists()) { + if (!this.certDBDir.isDirectory()) + throw new IllegalArgumentException("Cert database must be a directory."); + } + this.certDBDir.mkdir(); + this.certDBPassword = config.getCertPassword(); + initialize(); + } + + /** + * Initializes the NSS DB. + * + */ + @Override + public void initialize() throws Exception { + if ((certDBDir == null) || (certDBPassword == null)) { + throw new Exception("NSS db location and password need to be specified."); + } + try { + CryptoManager.initialize(certDBDir.getAbsolutePath()); + } catch (AlreadyInitializedException e) { + // Can be ignored since it is just for getting the token + } catch (KeyDatabaseException | CertDatabaseException | GeneralSecurityException e1) { + throw e1; + } + try { + manager = CryptoManager.getInstance(); + token = manager.getInternalKeyStorageToken(); + Password password = new Password(certDBPassword.toCharArray()); + try { + token.login(password); + } catch (IncorrectPasswordException | TokenException e) { + if (!token.isLoggedIn()) { + token.initPassword(password, password); + } + } + } catch (AlreadyInitializedException e1) { + //Ignore + } catch (NotInitializedException | TokenException | IncorrectPasswordException e2) { + throw e2; + } + } + + @Override + public SymmetricKey generateSymmetricKey(String keyAlgorithm, int keySize) throws Exception { + if (token == null) { + throw new NotInitializedException(); + } + return CryptoUtil.generateKey(token, getKeyGenAlgorithm(keyAlgorithm), keySize); + } + + @Override + public SymmetricKey generateSessionKey() throws Exception { + return generateSymmetricKey(KeyRequestResource.DES3_ALGORITHM, 168); + } + + @Override + public byte[] wrapSessionKeyWithTransportCert(SymmetricKey sessionKey, String transportCert) throws Exception { + if ((manager == null) || (token == null)) { + throw new NotInitializedException(); + } + return CryptoUtil.wrapSymmetricKey(manager, token, transportCert, sessionKey); + } + + @Override + public byte[] wrapUsingSessionKey(String passphrase, byte[] iv, SymmetricKey key, String encryptionAlgorithm) + throws Exception { + if (token == null) { + throw new NotInitializedException(); + } + return CryptoUtil.wrapPassphrase(token, passphrase, new IVParameterSpec(iv), key, + getEncryptionAlgorithm(encryptionAlgorithm)); + } + + @Override + public String unwrapUsingSessionKey(byte[] wrappedRecoveredKey, SymmetricKey recoveryKey, + String encryptionAlgorithm, byte[] nonceData) throws Exception { + if (token == null) { + throw new NotInitializedException(); + } + return CryptoUtil.unwrapUsingSymmetricKey(token, new IVParameterSpec(nonceData), wrappedRecoveredKey, + recoveryKey, + getEncryptionAlgorithm(encryptionAlgorithm)); + } + + @Override + public String unWrapUsingPassphrase(String wrappedRecoveredKey, String recoveryPassphrase) throws Exception { + return CryptoUtil.unwrapUsingPassphrase(wrappedRecoveredKey, recoveryPassphrase); + } + + public KeyGenAlgorithm getKeyGenAlgorithm(String keyAlgorithm) throws NoSuchAlgorithmException { + if (keyAlgorithm == null) { + return KeyGenAlgorithm.DES3; + } + KeyGenAlgorithm alg = null; + switch (keyAlgorithm) { + case KeyRequestResource.AES_ALGORITHM: + alg = KeyGenAlgorithm.AES; + break; + case KeyRequestResource.DES_ALGORITHM: + alg = KeyGenAlgorithm.DES; + break; + case KeyRequestResource.DESEDE_ALGORITHM: + alg = KeyGenAlgorithm.DESede; + break; + case KeyRequestResource.RC2_ALGORITHM: + alg = KeyGenAlgorithm.RC2; + break; + case KeyRequestResource.RC4_ALGORITHM: + alg = KeyGenAlgorithm.RC4; + break; + case KeyRequestResource.DES3_ALGORITHM: + alg = KeyGenAlgorithm.DES3; + break; + default: + throw new NoSuchAlgorithmException("No Algorithm named: " + keyAlgorithm); + } + return alg; + } + + public EncryptionAlgorithm getEncryptionAlgorithm(String encryptionAlgorithm) throws NoSuchAlgorithmException { + if (encryptionAlgorithm == null) { + return EncryptionAlgorithm.DES3_CBC_PAD; + } + EncryptionAlgorithm alg = null; + switch (encryptionAlgorithm) { + case KeyRequestResource.AES_ALGORITHM: + alg = EncryptionAlgorithm.AES_CBC_PAD; + break; + case KeyRequestResource.DES_ALGORITHM: + alg = EncryptionAlgorithm.DES_CBC_PAD; + break; + case KeyRequestResource.RC2_ALGORITHM: + alg = EncryptionAlgorithm.RC2_CBC_PAD; + break; + case KeyRequestResource.RC4_ALGORITHM: + alg = EncryptionAlgorithm.RC4; + break; + case KeyRequestResource.DES3_ALGORITHM: + alg = EncryptionAlgorithm.DES3_CBC_PAD; + break; + default: + throw new NoSuchAlgorithmException("No Algorithm named: " + encryptionAlgorithm); + } + return alg; + } + +} |