diff options
| author | Fraser Tweedale <ftweedal@redhat.com> | 2017-03-23 14:34:31 +1100 |
|---|---|---|
| committer | Matthew Harmsen <mharmsen@redhat.com> | 2017-04-29 23:49:48 -0600 |
| commit | 633c7c6519c925af7e3700adff29961d72435c7f (patch) | |
| tree | 00f5e127f2b682351f209be1862043f8b8f1f0b0 /base/java-tools/src/com | |
| parent | f31ad87440332845e7e5a1d6ea1f092fefd9eef1 (diff) | |
| download | pki-633c7c6519c925af7e3700adff29961d72435c7f.tar.gz pki-633c7c6519c925af7e3700adff29961d72435c7f.tar.xz pki-633c7c6519c925af7e3700adff29961d72435c7f.zip | |
PKCS12Util: use AES to encrypt private keys
Update PKCS12Util to use AES-256-CBC to encrypt private keys.
Use JSS CryptoStore methods to ensure that all key wrapping and
unwrapping is done on the token.
Specifically, CryptoStore.getEncryptedPrivateKeyInfo replaces the
previous process where a symmetric key was generated, the private
key wrapped to the symmetric key, then decryted into Dogtag's
memory, then re-encrypted under the supplied passphrase. Now the
key gets wrapped directly to the supplied passphrase.
Similarly, for import, the EncryptedPrivateKeyInfo was decrypted
using the supplied passphrase, then encrypted to a freshly generated
symmetric key, which was then used to unwrap the key into the token.
Now, the new JSS method CryptoStore.importEncryptedPrivateKeyInfo is
used to unwrap the EncryptedPrivateKeyInfo directly into the token,
using the supplied passphrase.
As a result, the PKCS12KeyInfo class, which previously stored
unencrypted key material (a PrivateKeyInfo object), it now only
deals with PrivateKey (an opaque handle to an PKCS #11 object)
on export and encoded (byte[]) EncryptedPrivateKeyInfo data on
import. This split suggests that PKCS12KeyInfo should be decomposed
into two classes - one containing a PrivateKey and the other
containing a byte[] encryptedPrivateKeyInfo - but this refactoring
is left for another day.
Part of: https://pagure.io/dogtagpki/issue/2610
Change-Id: I75d48de4d7040c9fb3a9a6d1e920c191aa757b70
(cherry picked from commit 2e198ddbe9ec5000ee7e14df0aa364b600d3aa92)
Diffstat (limited to 'base/java-tools/src/com')
| -rw-r--r-- | base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java | 4 | ||||
| -rw-r--r-- | base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java | 1 |
2 files changed, 2 insertions, 3 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java index da5478c60..de432848c 100644 --- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12ImportCLI.java @@ -124,12 +124,12 @@ public class PKCS12ImportCLI extends CLI { if (nicknames.length == 0) { // store all certificates - util.storeIntoNSS(pkcs12, overwrite); + util.storeIntoNSS(pkcs12, password, overwrite); } else { // load specified certificates for (String nickname : nicknames) { - util.storeCertIntoNSS(pkcs12, nickname, overwrite); + util.storeCertIntoNSS(pkcs12, password, nickname, overwrite); } } diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java index fbebddabb..e74b63a59 100644 --- a/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/pkcs12/PKCS12KeyCLI.java @@ -38,6 +38,5 @@ public class PKCS12KeyCLI extends CLI { System.out.println(" Key ID: " + keyInfo.getID().toString(16)); System.out.println(" Subject DN: " + keyInfo.getSubjectDN()); - System.out.println(" Algorithm: " + keyInfo.getPrivateKeyInfo().getAlgorithm()); } } |