Change internal wrapping to AES

There are several changes in this patch:
1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the
   TransportUnit into those classes.  This helps to determine which methods are called by
   which class (because in general they require different arguments).  It may be possible
   to later simplify and reduce code repetition by pulling core functionality back into
   the EncryptionUnit.
2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values
   as part of the KeyRecord when the key is stored.  On retrieval, this data is read and
   used to extract the data.  If the data is not present, then use the old DES3 parameters.
3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap
   for storage by default.  If a parameter kra.storageUnit.useOldWrapping=true, then
   the old wrapping will be used instead.

Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562

5 files changed, 206 insertions, 196 deletions

diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
index f66d53f1e..163d4dd5d 100644
--- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
+++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
@@ -22,6 +22,7 @@ import java.util.Date;
 
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.MetaInfo;
+import com.netscape.certsrv.security.WrappingParams;
 
 /**
  * An interface contains constants for key record.
@@ -167,4 +168,8 @@ public interface IKeyRecord {
      * @exception EBaseException failed to retrieve authorization realm
      */
     public String getRealm() throws EBaseException;
+
+    public void setWrappingParams(WrappingParams params) throws Exception;
+
+    public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception;
 }
diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
index 7f5e95ec3..1b8a0bf25 100644
--- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
+++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
@@ -22,7 +22,6 @@ import java.security.PublicKey;
 import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.crypto.PrivateKey;
 import org.mozilla.jss.crypto.SymmetricKey;
-import org.mozilla.jss.crypto.SymmetricKey.Type;
 
 import com.netscape.certsrv.base.EBaseException;
 
@@ -41,26 +40,6 @@ public interface IEncryptionUnit extends IToken {
     public PublicKey getPublicKey();
 
     /**
-     * Wraps data. The given key will be wrapped by the
-     * private key in this unit.
-     *
-     * @param priKey private key to be wrapped
-     * @return wrapped data
-     * @exception EBaseException failed to wrap
-     */
-    public byte[] wrap(PrivateKey priKey) throws Exception;
-
-    /**
-     * Wraps data. The given key will be wrapped by the
-     * private key in this unit.
-     *
-     * @param symKey symmetric key to be wrapped
-     * @return wrapped data
-     * @exception EBaseException failed to wrap
-     */
-    public byte[] wrap(SymmetricKey symKey) throws Exception;
-
-    /**
      * Verifies the given key pair.
      *
      * @param publicKey public key
@@ -70,69 +49,6 @@ public interface IEncryptionUnit extends IToken {
             EBaseException;
 
     /**
-     * Unwraps data. This method rebuilds the private key by
-     * unwrapping the private key data.
-     *
-     * @param sessionKey session key that unwrap the private key
-     * @param symmAlgOID symmetric algorithm
-     * @param symmAlgParams symmetric algorithm parameters
-     * @param privateKey private key data
-     * @param pubKey public key
-     * @return private key object
-     * @throws Exception
-     */
-    public PrivateKey unwrap(byte sessionKey[], String symmAlgOID,
-            byte symmAlgParams[], byte privateKey[],
-            PublicKey pubKey)
-            throws Exception;
-
-    /**
-     * Unwraps data. This method rebuilds the private key by
-     * unwrapping the private key data.
-     *
-     * @param symmAlgOID symmetric algorithm
-     * @param symmAlgParams symmetric algorithm parameters
-     * @param pubKey public key
-     * @param transportCert transport certificate
-     * @return private key object
-     * @throws Exception
-     */
-    public PrivateKey unwrap(byte encSymmKey[], String symmAlgOID,
-            byte symmAlgParams[], byte encValue[], PublicKey pubKey,
-            org.mozilla.jss.crypto.X509Certificate transportCert)
-            throws Exception;
-
-    /**
-     * Unwraps symmetric key data. This method rebuilds the symmetric key by
-     * unwrapping the private data blob.
-     *
-     * @param wrappedKeyData symmetric key data wrapped up with session key
-     * @return Symmetric key object
-     * @exception Exception failed to unwrap
-     */
-
-    public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize)
-            throws Exception;
-
-    /**
-     * Unwraps symmetric key . This method
-     * unwraps the symmetric key.
-     *
-     * @param sessionKey session key that unwrap the symmetric key
-     * @param symmAlgOID symmetric algorithm
-     * @param symmAlgParams symmetric algorithm parameters
-     * @param symmetricKey  symmetric key data
-     * @param type symmetric key algorithm
-     * @param strength symmetric key strength in bytes
-     * @return Symmetric key object
-     * @throws Exception
-     */
-
-    public SymmetricKey unwrap_symmetric(byte sessionKey[], String symmAlgOID,
-            byte symmAlgParams[], byte symmetricKey[], Type type, int strength)
-            throws Exception;
-
-    /**
      * Unwraps symmetric key . This method
      * unwraps the symmetric key.
      *
@@ -143,70 +59,8 @@ public interface IEncryptionUnit extends IToken {
     public SymmetricKey unwrap_session_key(CryptoToken token, byte encSymmKey[],
             SymmetricKey.Usage usage, WrappingParams params);
 
-    public PrivateKey unwrap_temp(byte privateKey[], PublicKey pubKey)
-            throws Exception;
-
-    /**
-     * Unwraps data. This method rebuilds the private key by
-     * unwrapping the private key data.
-     *
-     * @param privateKey private key data
-     * @param pubKey public key object
-     * @return private key object
-     * @throws Exception
-     */
-    public PrivateKey unwrap(byte privateKey[], PublicKey pubKey)
-            throws Exception;
-
-    /**
-     * Encrypts the internal private key (private key to the KRA's
-     * internal storage).
-     *
-     * @param rawPrivate user's private key (key to be archived)
-     * @return encrypted data
-     * @exception EBaseException failed to encrypt
-     */
-    public byte[] encryptInternalPrivate(byte rawPrivate[]) throws Exception;
-
-    /**
-     * Decrypts the internal private key (private key from the KRA's
-     * internal storage).
-     *
-     * @param wrappedPrivateData unwrapped private key data (key to be recovered)
-     * @return raw private key
-     * @throws Exception
-     */
-    public byte[] decryptInternalPrivate(byte wrappedPrivateData[])
-            throws Exception;
 
-    /**
-     * Decrypts the external private key (private key from the end-user).
-     *
-     * @param sessionKey session key that protects the user private
-     * @param symmAlgOID symmetric algorithm
-     * @param symmAlgParams symmetric algorithm parameters
-     * @param privateKey private key data
-     * @return private key data
-     * @throws Exception
-     */
-    public byte[] decryptExternalPrivate(byte sessionKey[],
-            String symmAlgOID,
-            byte symmAlgParams[], byte privateKey[])
-            throws Exception;
+    public WrappingParams getWrappingParams() throws EBaseException;
 
-    /**
-     * Decrypts the external private key (private key from the end-user).
-     *
-     * @param sessionKey session key that protects the user private
-     * @param symmAlgOID symmetric algorithm
-     * @param symmAlgParams symmetric algorithm parameters
-     * @param privateKey private key data
-     * @param transportCert transport certificate
-     * @return private key data
-     * @throws Exception
-     */
-    public byte[] decryptExternalPrivate(byte sessionKey[],
-            String symmAlgOID, byte symmAlgParams[], byte privateKey[],
-            org.mozilla.jss.crypto.X509Certificate transportCert)
-            throws Exception;
+    public WrappingParams getOldWrappingParams();
 }
diff --git a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java
index 4e651d394..6f6e31201 100644
--- a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java
+++ b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java
@@ -17,9 +17,12 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.certsrv.security;
 
+import java.security.PublicKey;
 import java.util.Enumeration;
 
 import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.crypto.SymmetricKey;
 
 import com.netscape.certsrv.base.EBaseException;
 
@@ -96,4 +99,74 @@ public interface IStorageKeyUnit extends IEncryptionUnit {
 
     public CryptoToken getToken();
 
+    /**
+     * Encrypts the internal private key (private key to the KRA's
+     * internal storage).
+     *
+     * @param rawPrivate user's private key (key to be archived)
+     * @return encrypted data
+     * @exception EBaseException failed to encrypt
+     */
+    public byte[] encryptInternalPrivate(byte rawPrivate[]) throws Exception;
+
+    /**
+     * Wraps data. The given key will be wrapped by the
+     * private key in this unit.
+     *
+     * @param priKey private key to be wrapped
+     * @param WrappingParams - wrapping parameters
+     * @return wrapped data
+     * @exception EBaseException failed to wrap
+     */
+    public byte[] wrap(PrivateKey priKey) throws Exception;
+
+    /**
+     * Wraps data. The given key will be wrapped by the
+     * private key in this unit.
+     *
+     * @param symKey symmetric key to be wrapped
+     * @param wrappingParams - wrapping parameters
+     * @return wrapped data
+     * @exception EBaseException failed to wrap
+     */
+    public byte[] wrap(SymmetricKey symKey) throws Exception;
+
+    /**
+     * Decrypts the internal private key (private key from the KRA's
+     * internal storage).
+     *
+     * @param wrappedPrivateData unwrapped private key data (key to be recovered)
+     * @param params - wrapping params
+     * @return raw private key
+     * @throws Exception
+     */
+    public byte[] decryptInternalPrivate(byte wrappedPrivateData[], WrappingParams params)
+            throws Exception;
+
+    /**
+     * Unwraps symmetric key data. This method rebuilds the symmetric key by
+     * unwrapping the private data blob.
+     *
+     * @param wrappedKeyData symmetric key data wrapped up with session key
+     * @return Symmetric key object
+     * @exception Exception failed to unwrap
+     */
+
+    public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize,
+            WrappingParams params) throws Exception;
+
+    /**
+     * Unwraps data. This method rebuilds the private key by
+     * unwrapping the private key data.
+     *
+     * @param privateKey private key data
+     * @param pubKey public key object
+     * @param temporary - temporary key?
+     * @param params - wrapping parameters
+     * @return private key object
+     * @throws Exception
+     */
+    public PrivateKey unwrap(byte privateKey[], PublicKey pubKey, boolean temporary,
+            WrappingParams params) throws Exception;
+
 }
diff --git a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
index 965101ffa..675c7340a 100644
--- a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
+++ b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java
@@ -22,6 +22,7 @@ import java.security.PublicKey;
 import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.crypto.PrivateKey;
 import org.mozilla.jss.crypto.SymmetricKey;
+import org.mozilla.jss.crypto.SymmetricKey.Type;
 
 import com.netscape.certsrv.base.EBaseException;
 
@@ -63,58 +64,86 @@ public interface ITransportKeyUnit extends IEncryptionUnit {
     public PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert);
 
     /**
-     * Unwraps symmetric key . This method
-     * unwraps the symmetric key.
-     *
-     * @param encSymmKey wrapped symmetric key to be unwrapped
-     * @param usage Key usage for unwrapped key.
-     * @return Symmetric key object
+     * Returns this Unit's crypto token object.
+     * @return CryptoToken object.
      */
 
-    public SymmetricKey unwrap_session_key(CryptoToken token, byte encSymmKey[], SymmetricKey.Usage usage,
-            WrappingParams params);
+    public CryptoToken getToken();
+
+    /**
+     * Returns this Unit's signing algorithm in String format.
+     * @return String of signing algorithm
+     * @throws EBaseException
+     */
+
+    public String getSigningAlgorithm() throws EBaseException;
+
+    /**
+     * Sets this Unit's signing algorithm.
+     * @param str String of signing algorithm to set.
+     * @throws EBaseException
+     */
+    public void setSigningAlgorithm(String str) throws EBaseException;
+
+    /**
+     * Decrypts the external private key (private key from the end-user).
+     *
+     * @param sessionKey session key that protects the user private
+     * @param symmAlgOID symmetric algorithm
+     * @param symmAlgParams symmetric algorithm parameters
+     * @param privateKey private key data
+     * @param transportCert transport certificate
+     * @return private key data
+     * @throws Exception
+     */
+    public byte[] decryptExternalPrivate(byte sessionKey[],
+            String symmAlgOID, byte symmAlgParams[], byte privateKey[],
+            org.mozilla.jss.crypto.X509Certificate transportCert)
+            throws Exception;
 
     /**
      * Unwraps symmetric key . This method
      * unwraps the symmetric key.
      *
-     * @param encSymmKey wrapped symmetric key to be unwrapped
+     * @param sessionKey session key that unwrap the symmetric key
+     * @param symmAlgOID symmetric algorithm
+     * @param symmAlgParams symmetric algorithm parameters
+     * @param symmetricKey  symmetric key data
+     * @param type symmetric key algorithm
+     * @param strength symmetric key strength in bytes
      * @return Symmetric key object
+     * @throws Exception
      */
 
-    public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params);
+    public SymmetricKey unwrap_symmetric(byte sessionKey[], String symmAlgOID,
+            byte symmAlgParams[], byte symmetricKey[], Type type, int strength)
+            throws Exception;
 
     /**
-     * Unwraps temporary private key . This method
-     * unwraps the temporary private key.
+     * Unwraps data. This method rebuilds the private key by
+     * unwrapping the private key data.
      *
-     * @param wrappedKeyData wrapped private key to be unwrapped
+     * @param symmAlgOID symmetric algorithm
+     * @param symmAlgParams symmetric algorithm parameters
      * @param pubKey public key
-     * @return Private key object
+     * @param transportCert transport certificate
+     * @return private key object
      * @throws Exception
      */
+    public PrivateKey unwrap(byte encSymmKey[], String symmAlgOID,
+            byte symmAlgParams[], byte encValue[], PublicKey pubKey,
+            org.mozilla.jss.crypto.X509Certificate transportCert)
+            throws Exception;
 
-    public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey
-            pubKey) throws Exception;
     /**
-     * Returns this Unit's crypto token object.
-     * @return CryptoToken object.
+     * Unwraps symmetric key . This method
+     * unwraps the symmetric key.
+     *
+     * @param encSymmKey wrapped symmetric key to be unwrapped
+     * @return Symmetric key object
      */
 
-    public CryptoToken getToken();
-
-    /**
-     * Returns this Unit's signing algorithm in String format.
-     * @return String of signing algorithm
-     * @throws EBaseException
-     */
+    public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params);
 
-    public String getSigningAlgorithm() throws EBaseException;
 
-    /**
-     * Sets this Unit's signing algorithm.
-     * @param str String of signing algorithm to set.
-     * @throws EBaseException
-     */
-    public void setSigningAlgorithm(String str) throws EBaseException;
 }
diff --git a/base/common/src/com/netscape/certsrv/security/WrappingParams.java b/base/common/src/com/netscape/certsrv/security/WrappingParams.java
index 9689ecc60..b3fabfc63 100644
--- a/base/common/src/com/netscape/certsrv/security/WrappingParams.java
+++ b/base/common/src/com/netscape/certsrv/security/WrappingParams.java
@@ -1,16 +1,17 @@
 package com.netscape.certsrv.security;
 
+import java.security.NoSuchAlgorithmException;
+
 import org.mozilla.jss.crypto.EncryptionAlgorithm;
+import org.mozilla.jss.crypto.IVParameterSpec;
 import org.mozilla.jss.crypto.KeyGenAlgorithm;
 import org.mozilla.jss.crypto.KeyWrapAlgorithm;
 import org.mozilla.jss.crypto.SymmetricKey;
 import org.mozilla.jss.crypto.SymmetricKey.Type;
-import org.mozilla.jss.crypto.SymmetricKey.Usage;
 
 public class WrappingParams {
     // session key attributes
-    SymmetricKey.Type skTyoe;
-    SymmetricKey.Usage[] skUsages;
+    SymmetricKey.Type skType;
     KeyGenAlgorithm skKeyGenAlgorithm;
     int skLength;
 
@@ -23,33 +24,38 @@ public class WrappingParams {
     //wrapping algorithm for payload
     KeyWrapAlgorithm payloadWrapAlgorithm;
 
-    public WrappingParams(Type skTyoe, Usage[] skUsages, KeyGenAlgorithm skKeyGenAlgorithm, int skLength,
+    // payload encryption IV
+    IVParameterSpec payloadEncryptionIV;
+
+    // payload wrapping IV
+    IVParameterSpec payloadWrappingIV;
+
+    public WrappingParams(Type skType, KeyGenAlgorithm skKeyGenAlgorithm, int skLength,
             KeyWrapAlgorithm skWrapAlgorithm, EncryptionAlgorithm payloadEncryptionAlgorithm,
-            KeyWrapAlgorithm payloadWrapAlgorithm) {
+            KeyWrapAlgorithm payloadWrapAlgorithm, IVParameterSpec payloadEncryptIV, IVParameterSpec payloadWrapIV) {
         super();
-        this.skTyoe = skTyoe;
-        this.skUsages = skUsages;
+        this.skType = skType;
         this.skKeyGenAlgorithm = skKeyGenAlgorithm;
         this.skLength = skLength;
         this.skWrapAlgorithm = skWrapAlgorithm;
         this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm;
         this.payloadWrapAlgorithm = payloadWrapAlgorithm;
+        this.payloadEncryptionIV = payloadEncryptIV;
+        this.payloadWrappingIV = payloadWrapIV;
     }
 
-    public SymmetricKey.Type getSkTyoe() {
-        return skTyoe;
-    }
+    public WrappingParams() {}
 
-    public void setSkTyoe(SymmetricKey.Type skTyoe) {
-        this.skTyoe = skTyoe;
+    public SymmetricKey.Type getSkType() {
+        return skType;
     }
 
-    public SymmetricKey.Usage[] getSkUsages() {
-        return skUsages;
+    public void setSkType(SymmetricKey.Type skType) {
+        this.skType = skType;
     }
 
-    public void setSkUsages(SymmetricKey.Usage[] skUsages) {
-        this.skUsages = skUsages;
+    public void setSkType(String skTypeName) throws NoSuchAlgorithmException {
+        this.skType = SymmetricKey.Type.fromName(skTypeName);
     }
 
     public KeyGenAlgorithm getSkKeyGenAlgorithm() {
@@ -60,6 +66,20 @@ public class WrappingParams {
         this.skKeyGenAlgorithm = skKeyGenAlgorithm;
     }
 
+    public void setSkKeyGenAlgorithm(String algName) throws NoSuchAlgorithmException {
+        // JSS mapping is not working.  Lets just do something brain-dead to
+        // handle the cases we expect.
+        if (algName.equalsIgnoreCase("AES")) {
+            this.skKeyGenAlgorithm = KeyGenAlgorithm.AES;
+        } else if (algName.equalsIgnoreCase("DES")) {
+            this.skKeyGenAlgorithm = KeyGenAlgorithm.DES;
+        } else if (algName.equalsIgnoreCase("DESede")) {
+            this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3;
+        } else if (algName.equalsIgnoreCase("DES3")) {
+            this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3;
+        }
+    }
+
     public int getSkLength() {
         return skLength;
     }
@@ -76,6 +96,10 @@ public class WrappingParams {
         this.skWrapAlgorithm = skWrapAlgorithm;
     }
 
+    public void setSkWrapAlgorithm(String name) throws NoSuchAlgorithmException {
+        this.skWrapAlgorithm = KeyWrapAlgorithm.fromString(name);
+    }
+
     public EncryptionAlgorithm getPayloadEncryptionAlgorithm() {
         return payloadEncryptionAlgorithm;
     }
@@ -84,6 +108,11 @@ public class WrappingParams {
         this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm;
     }
 
+    public void setPayloadEncryptionAlgorithm(String algName, String modeName, String paddingName, int keyStrength)
+            throws NoSuchAlgorithmException {
+        this.payloadEncryptionAlgorithm = EncryptionAlgorithm.lookup(algName, modeName, paddingName, keyStrength);
+    }
+
     public KeyWrapAlgorithm getPayloadWrapAlgorithm() {
         return payloadWrapAlgorithm;
     }
@@ -91,4 +120,24 @@ public class WrappingParams {
     public void setPayloadWrapAlgorithm(KeyWrapAlgorithm payloadWrapAlgorithm) {
         this.payloadWrapAlgorithm = payloadWrapAlgorithm;
     }
+
+    public void setPayloadWrapAlgorithm(String name) throws NoSuchAlgorithmException {
+        this.payloadWrapAlgorithm = KeyWrapAlgorithm.fromString(name);
+    }
+
+    public IVParameterSpec getPayloadEncryptionIV() {
+        return payloadEncryptionIV;
+    }
+
+    public void setPayloadEncryptionIV(IVParameterSpec payloadEncryptionIV) {
+        this.payloadEncryptionIV = payloadEncryptionIV;
+    }
+
+    public IVParameterSpec getPayloadWrappingIV() {
+        return payloadWrappingIV;
+    }
+
+    public void setPayloadWrappingIV(IVParameterSpec payloadWrappingIV) {
+        this.payloadWrappingIV = payloadWrappingIV;
+    }
 }