author | Christina Fu <cfu@redhat.com> | 2013-01-15 23:59:24 -0800 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2013-01-15 23:58:46 -0500 |
commit | 7a0252247e860806d6456e997149602c9750206a (patch) | |
tree | cb72b43ee39d7bf777dcf09702dbc7bc7bd4e51c /base/java-tools/src/com/netscape/cmstools/CMCRequest.java | |
parent | 3dc5d33f394c30071b3c8794c8adb2e7dcd54e5c (diff) | |
download | pki-7a0252247e860806d6456e997149602c9750206a.tar.gz pki-7a0252247e860806d6456e997149602c9750206a.tar.xz pki-7a0252247e860806d6456e997149602c9750206a.zip |
https://fedorahosted.org/pki/ticket/362 RFE: CMC ECC
Diffstat (limited to 'base/java-tools/src/com/netscape/cmstools/CMCRequest.java')
-rw-r--r-- | base/java-tools/src/com/netscape/cmstools/CMCRequest.java | 144 |
1 files changed, 103 insertions, 41 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java index 159759517..c2382d671 100644 --- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java @@ -52,6 +52,7 @@ import org.mozilla.jss.asn1.SEQUENCE; import org.mozilla.jss.asn1.SET; import org.mozilla.jss.asn1.UTF8String; import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.CryptoStore; import org.mozilla.jss.crypto.DigestAlgorithm; import org.mozilla.jss.crypto.ObjectNotFoundException; import org.mozilla.jss.crypto.SignatureAlgorithm; @@ -95,6 +96,7 @@ public class CMCRequest { public static final String PR_REQUEST_CMC = "CMC"; public static final String PR_REQUEST_CRMF = "CRMF"; + public static final String PR_INTERNAL_TOKEN_NAME = "internal"; public static final int ARGC = 1; public static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; @@ -104,20 +106,20 @@ public class CMCRequest { } - public static X509Certificate getCertificate(String tokenname, + public static X509Certificate getCertificate(String tokenName, String nickname) throws Exception { CryptoManager manager = CryptoManager.getInstance(); CryptoToken token = null; - if (tokenname.equals("internal")) { + if (tokenName.equals(PR_INTERNAL_TOKEN_NAME)) { token = manager.getInternalKeyStorageToken(); } else { - token = manager.getTokenByName(tokenname); + token = manager.getTokenByName(tokenName); } StringBuffer certname = new StringBuffer(); if (!token.equals(manager.getInternalKeyStorageToken())) { - certname.append(tokenname); + certname.append(tokenName); certname.append(":"); } certname.append(nickname); 
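Review bot: The `tokenName + ":"` prefix rule in getCertificate is rebuilt by hand twice more in this patch, in addRevRequestAttr (the `@@ -578` hunk) and in main (the `@@ -979` hunk), each time as a StringBuffer plus an `equals(manager.getInternalKeyStorageToken())` test. One private helper would keep the three lookups consistent and give the rule a name. getCertificate's body continues outside this hunk, so whatever it does with `certname` after `certname.append(nickname)` would need the same substitution.
```java
/** Nickname as JSS expects it: "<token>:<nickname>", or the bare nickname on the internal key-storage token. */
private static String qualifiedNickname(CryptoManager manager, CryptoToken token,
        String tokenName, String nickname) {
    if (token.equals(manager.getInternalKeyStorageToken())) {
        return nickname;
    }
    return tokenName + ":" + nickname;
}
```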
@@ -128,16 +130,18 @@ public class CMCRequest { } } - public static java.security.PrivateKey getPrivateKey(String tokenname, String nickname) + public static java.security.PrivateKey getPrivateKey(String tokenName, String nickname) throws Exception { - X509Certificate cert = getCertificate(tokenname, nickname); + X509Certificate cert = getCertificate(tokenName, nickname); + if (cert != null) + System.out.println("got signing cert"); return CryptoManager.getInstance().findPrivKeyByCert(cert); } /** - * getCMCBlob create and return the enrollent request. + * getCMCBlob create and return the enrollment request. * <P> * * @param signerCert the certificate of the authorized signer of the CMC revocation request. @@ -146,12 +150,12 @@ public class CMCRequest { * @param format either crmf or pkcs10 * @return the CMC enrollment request encoded in base64 */ - static ContentInfo getCMCBlob(X509Certificate signerCert, String nickname, + static ContentInfo getCMCBlob(X509Certificate signerCert, String tokenName, String nickname, String[] rValue, String format, CryptoManager manager, String transactionMgtEnable, String transactionMgtId, String identityProofEnable, String identityProofSharedSecret, SEQUENCE controlSeq, SEQUENCE otherMsgSeq, int bpid) { - String tokenname = "internal"; + System.out.println("in getCMCBlob"); ContentInfo fullEnrollmentReq = null; try { @@ -171,7 +175,9 @@ public class CMCRequest { si = new SignerIdentifier( SignerIdentifier.ISSUER_AND_SERIALNUMBER, ias, null); - privKey = getPrivateKey(tokenname, nickname); + privKey = getPrivateKey(tokenName, nickname); + if (privKey != null) + System.out.println("getCMCBlob: got privKey"); TaggedRequest trq = null; PKCS10 pkcs = null; 
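Review bot: The new `if (cert != null)` in getPrivateKey only prints; when getCertificate yields null the call still reaches `findPrivKeyByCert(cert)`, so the guard does not prevent the failure it appears to check for. Make it the error path instead, e.g. `if (cert == null) { throw new Exception("getPrivateKey: certificate " + nickname + " not found on token " + tokenName); }` (the method already declares `throws Exception`), and brace the one-line `if` bodies here and at the later `privKey != null` print as the rest of the file does. Whether getCertificate can actually return null depends on its tail, which lies outside this hunk. getCMCBlob's Javadoc was edited in this hunk but gained no entry for the parameter the signature now takes; add `@param tokenName name of the token holding the signer's certificate and private key`.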
@@ -181,10 +187,12 @@ public class CMCRequest { SEQUENCE reqSequence = new SEQUENCE(); try { for (int k = 0; k < rValue.length; k++) { + System.out.println("k="+ k); String asciiBASE64Blob = rValue[k]; byte[] decodedBytes = Utils.base64decode(asciiBASE64Blob); if (format.equals("crmf")) { + System.out.println("getCMCBlob: format: crmf"); ByteArrayInputStream reqBlob = new ByteArrayInputStream(decodedBytes); SEQUENCE crmfMsgs = null; @@ -192,7 +200,7 @@ public class CMCRequest { crmfMsgs = (SEQUENCE) new SEQUENCE.OF_Template(new CertReqMsg.Template()).decode(reqBlob); } catch (InvalidBERException ee) { - System.out.println("This is not a crmf request. Or this request has an error."); + System.out.println("getCMCBlob: This is not a crmf request. Or this request has an error."); System.exit(1); } certReqMsg = (CertReqMsg) crmfMsgs.elementAt(0); @@ -200,9 +208,9 @@ public class CMCRequest { certReqMsg); } else if (format.equals("pkcs10")) { try { - pkcs = new PKCS10(decodedBytes); - } catch (IllegalArgumentException e) { - System.out.println("This is not a PKCS10 request."); + pkcs = new PKCS10(decodedBytes, true); + } catch (Exception e2) { + System.out.println("getCMCBlob: Excception:"+e2.toString()); System.exit(1); } ByteArrayInputStream crInputStream = new ByteArrayInputStream( 
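Review bot: The new PKCS10 catch prints `"getCMCBlob: Excception:"` — a typo in a user-visible message, with no separator before the exception text; use `System.out.println("getCMCBlob: Exception: " + e2.toString());`. Widening the catch from IllegalArgumentException to Exception is tolerable only because the message now carries `e2.toString()`, so keep that detail. `System.out.println("k="+ k);` and `"getCMCBlob: format: crmf"` read like leftover debug output in a tool whose stdout is the user's console; if they are meant to stay, give them a useful phrase such as `"getCMCBlob: processing request " + k + " of " + rValue.length` with the same prefix as the other messages.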
@@ -214,17 +222,14 @@ public class CMCRequest { trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null); } else { - System.out.println("Unrecognized request format: " + format); + System.out.println("getCMCBlob: Unrecognized request format: " + format); System.exit(1); } reqSequence.addElement(trq); } - } catch (IOException e) { - throw new IOException("Internal Error - " + e.toString()); - } catch (SignatureException e) { - throw new IOException("Internal Error - " + e.toString()); - } catch (NoSuchAlgorithmException e) { - throw new IOException("Internal Error - " + e.toString()); + } catch (Exception e) { + System.out.println("getCMCBlob: Exception:"+ e.toString()); + System.exit(1); } if (transactionMgtEnable.equals("true")) @@ -241,12 +246,16 @@ public class CMCRequest { EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata); // SHA1 is the default digest Alg for now. DigestAlgorithm digestAlg = null; - SignatureAlgorithm signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest; - org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = - ((org.mozilla.jss.crypto.PrivateKey) privKey).getType(); - - if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.DSA)) + SignatureAlgorithm signAlg = null; + org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey).getType(); + if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.RSA)) { + signAlg = SignatureAlgorithm.RSASignatureWithSHA1Digest; + } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.EC)) { + signAlg = SignatureAlgorithm.ECSignatureWithSHA1Digest; + } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.DSA)) { signAlg = SignatureAlgorithm.DSASignatureWithSHA1Digest; + } + MessageDigest SHADigest = null; byte[] digest = null; 
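Review bot: After the new RSA/EC/DSA chain, `signAlg` is still null for any other key type and execution continues into the digest and signing code below the hunk, where the null will most likely surface as a NullPointerException far from its cause; add a final branch `} else { System.out.println("getCMCBlob: unsupported signing key type: " + signingKeyType); System.exit(1); }`. The same gap exists for `signAlg1` in addRevRequestAttr (the `@@ -578` hunk). Replacing the three typed catches with `catch (Exception e)` plus `System.exit(1)` also turns getCMCBlob from a method that reports failures to its caller into one that terminates the process, which is acceptable for this CLI but should be stated in the method's Javadoc. All three branches hard-code the SHA1 signature variants, so the retained comment "SHA1 is the default digest Alg for now" still applies; a TODO noting that SHA-1 signatures are deprecated and that the digest should become selectable would help the next reader.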
@@ -322,6 +331,9 @@ public class CMCRequest { System.out.println("#output: full path for the CMC request in binary format"); System.out.println("output=/u/doc/cmcReq"); System.out.println(""); + System.out.println("#tokenname: name of token where agent signing cert can be found (default is internal)"); + System.out.println("tokenname=internal"); + System.out.println(""); System.out.println("#nickname: nickname for agent certificate which will be used"); System.out.println("#to sign the CMC full request."); System.out.println("nickname=CMS Agent Certificate"); @@ -539,7 +551,7 @@ public class CMCRequest { return bpid; } - private static int addRevRequestAttr(int bpid, SEQUENCE seq, SEQUENCE otherMsgSeq, String nickname, + private static int addRevRequestAttr(int bpid, SEQUENCE seq, SEQUENCE otherMsgSeq, CryptoToken token, String tokenName, String nickname, String revRequestIssuer, String revRequestSerial, String revRequestReason, String revRequestSharedSecret, String revRequestComment, String invalidityDatePresent, CryptoManager manager) { 
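Review bot: The new usage line describes `tokenname` as the token holding the agent signing cert, but later in this patch the same value is passed to addRevRequestAttr to locate the revocation-request signing certificate named by the revocation nickname, so the help text under-describes it. Something like `System.out.println("#tokenname: name of token where the agent signing cert (and, for revocation requests, the revocation signing cert) can be found (default is internal)");` tells the operator which certificates must live on that token.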
@@ -578,24 +590,42 @@ public class CMCRequest { EncapsulatedContentInfo revokeContent = new EncapsulatedContentInfo( OBJECT_IDENTIFIER.id_cct_PKIData, revRequestControl); - DigestAlgorithm digestAlg1 = null; - SignatureAlgorithm signAlg1 = SignatureAlgorithm.RSASignatureWithSHA1Digest; + + StringBuffer certname = new StringBuffer(); + + if (!token.equals(manager.getInternalKeyStorageToken())) { + certname.append(tokenName); + certname.append(":"); + } + certname.append(nickname); java.security.PrivateKey revokePrivKey = null; X509Certificate revokeCert = null; + System.out.println("finding cert:"+certname.toString()); try { - revokeCert = manager.findCertByNickname(nickname1); + revokeCert = manager.findCertByNickname(certname.toString()); } catch (ObjectNotFoundException e) { - System.out.println("Certificate not found: " + nickname1); + System.out.println("Certificate not found: "+nickname1); + System.exit(1); + } catch (Exception e2) { + System.out.println("Certificate not found: "+e2.toString()); System.exit(1); } + System.out.println("finding private key for cert:"+certname.toString()); revokePrivKey = manager.findPrivKeyByCert(revokeCert); org.mozilla.jss.crypto.PrivateKey.Type signingKeyType1 = - ((org.mozilla.jss.crypto.PrivateKey) revokePrivKey).getType(); - if (signingKeyType1.equals(org.mozilla.jss.crypto.PrivateKey.Type.DSA)) + ((org.mozilla.jss.crypto.PrivateKey) revokePrivKey).getType(); + SignatureAlgorithm signAlg1 = null; + if (signingKeyType1.equals(org.mozilla.jss.crypto.PrivateKey.Type.RSA)) { + signAlg1 = SignatureAlgorithm.RSASignatureWithSHA1Digest; + } else if (signingKeyType1.equals(org.mozilla.jss.crypto.PrivateKey.Type.EC)) { + signAlg1 = SignatureAlgorithm.ECSignatureWithSHA1Digest; + } else if (signingKeyType1.equals(org.mozilla.jss.crypto.PrivateKey.Type.DSA)) { signAlg1 = SignatureAlgorithm.DSASignatureWithSHA1Digest; + } MessageDigest rSHADigest = null; byte[] rdigest = null; + DigestAlgorithm digestAlg1 = null; try { rSHADigest = 
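Review bot: The lookup now uses `certname`, but the ObjectNotFoundException branch still reports `nickname1`, so on a non-internal token the user is shown a name different from the one that was searched; print `certname.toString()` there. The new `catch (Exception e2)` labels every other failure (a token error, for instance) as "Certificate not found", which misdirects troubleshooting; use `System.out.println("Error looking up certificate " + certname + ": " + e2.toString());`. The `"finding cert:"` and `"finding private key for cert:"` lines are progress output rather than errors; if they stay, a consistent `addRevRequestAttr:` prefix would match what the getCMCBlob hunks do. The start of addRevRequestAttr and the remainder of its body lie outside this hunk.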
MessageDigest.getInstance("SHA1"); digestAlg1 = DigestAlgorithm.SHA1; @@ -644,7 +674,7 @@ public class CMCRequest { System.out.println("Successfully create revRequest control. bpid = " + (bpid - 1)); System.out.println(""); } catch (Exception e) { - System.out.println("Error in creating revRequest control. Check the parameters."); + System.out.println("Error in creating revRequest control. Check the parameters. Exception="+ e.toString()); System.exit(1); } @@ -798,6 +828,7 @@ public class CMCRequest { public static void main(String[] s) { String numRequests = null; String dbdir = null, nickname = null; + String tokenName = PR_INTERNAL_TOKEN_NAME; String ifilename = null, ofilename = null, password = null, format = null; String confirmCertEnable = "false", confirmCertIssuer = null, confirmCertSerial = null; String getCertEnable = "false", getCertIssuer = null, getCertSerial = null; @@ -855,6 +886,8 @@ public class CMCRequest { format = val; } else if (name.equals("dbdir")) { dbdir = val; + } else if (name.equals("tokenname")) { + tokenName = val; } else if (name.equals("nickname")) { nickname = val; } else if (name.equals("password")) { 
@@ -979,19 +1012,48 @@ public class CMCRequest { String mPrefix = ""; System.out.println("cert/key prefix = " + mPrefix); System.out.println("path = " + dbdir); +/* CryptoManager.InitializationValues vals = new CryptoManager.InitializationValues(dbdir, mPrefix, mPrefix, "secmod.db"); - - CryptoManager.initialize(vals); +*/ + CryptoManager.initialize(dbdir); + CryptoToken token = null; CryptoManager cm = CryptoManager.getInstance(); - CryptoToken token = cm.getInternalKeyStorageToken(); + System.out.println("CryptoManger initialized"); + + if ((tokenName == null) || (tokenName.equals(""))) { + token = cm.getInternalKeyStorageToken(); + tokenName = PR_INTERNAL_TOKEN_NAME; + } else { + token = cm.getTokenByName(tokenName); + } + cm.setThreadToken(token); + Password pass = new Password(password.toCharArray()); - token.login(pass); + try { + token.login(pass); + System.out.println("token "+ tokenName + " logged in..."); + } catch (Exception e) { + System.out.println("login Exception: " + e.toString()); + System.exit(1); + } + + CryptoStore store = token.getCryptoStore(); + X509Certificate[] list = store.getCertificates(); X509Certificate signerCert = null; - signerCert = cm.findCertByNickname(nickname); + StringBuffer certname = new StringBuffer(); + if (!token.equals(cm.getInternalKeyStorageToken())) { + certname.append(tokenName); + certname.append(":"); + } + certname.append(nickname); + signerCert = cm.findCertByNickname(certname.toString()); + if (signerCert != null) { + System.out.println("got signerCert: "+ certname.toString()); + } String[] requests = new String[num]; for (int i = 0; i < num; i++) { 
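Review bot: `X509Certificate[] list = store.getCertificates();` is never read, so the two new CryptoStore lines (and the `CryptoStore` import added in the first hunk) are dead code; drop them. The old `InitializationValues` block is left commented out rather than deleted, and the progress message misspells the class name (`"CryptoManger initialized"`). The `Password` built from the command-line string is never cleared after `token.login(pass)`; JSS's Password has `clear()`, so `try { token.login(pass); ... } finally { pass.clear(); }` at least disposes of the char[] copy once login has completed, even though the original String remains. main continues outside this hunk.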
@@ -1091,12 +1153,12 @@ public class CMCRequest { System.exit(1); } - bpid = addRevRequestAttr(bpid, controlSeq, otherMsgSeq, revCertNickname, + bpid = addRevRequestAttr(bpid, controlSeq, otherMsgSeq, token, tokenName, revCertNickname, revRequestIssuer, revRequestSerial, revRequestReason, revRequestSharedSecret, revRequestComment, revRequestInvalidityDatePresent, cm); } - ContentInfo cmcblob = getCMCBlob(signerCert, nickname, requests, format, + ContentInfo cmcblob = getCMCBlob(signerCert, tokenName, nickname, requests, format, cm, transactionMgtEnable, transactionMgtId, identityProofEnable, identityProofSharedSecret, controlSeq, otherMsgSeq, bpid); |