summaryrefslogtreecommitdiffstats
path: root/base/java-tools/src
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2017-05-26 13:06:18 -0400
committerAde Lee <alee@redhat.com>2017-06-07 16:00:41 -0400
commit38df4274214938ceece85627abb6d4fe77b960ff (patch)
treec3361a13185302f03ddb4162aa04f5816190c27d /base/java-tools/src
parent9db838825b60719e6670c92957db3f33c5b12ae0 (diff)
downloadpki-38df4274214938ceece85627abb6d4fe77b960ff.tar.gz
pki-38df4274214938ceece85627abb6d4fe77b960ff.tar.xz
pki-38df4274214938ceece85627abb6d4fe77b960ff.zip
Refactor client to not use keysets
It is simpler to simply tell the client which algorithm to use for key wrapping and encryption, rather than use key sets. Therefore: * KRAInfo and CAInfo are refactored to provide the algorithms required for key wrapping and encryption. * Client is modified to use these parameters to determine which algorithms to use. * We specify the OIDs that will be used in the PKIARchiveOptions more correctly. The options are basically: AES-128-CBC, DES3-CBC, AES KeyWrap/Pad Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
Diffstat (limited to 'base/java-tools/src')
-rw-r--r--base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java153
-rw-r--r--base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java34
2 files changed, 77 insertions, 110 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 0057a1d52..b06faa6be 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -190,11 +190,7 @@ public class CRMFPopClient {
option.setArgName("extractable");
options.addOption(option);
- option = new Option("g", true, "KeyWrap");
- option.setArgName("keyWrap");
- options.addOption(option);
-
- option = new Option("w", true, "Wrapping Keyset");
+ option = new Option("w", true, "Algorithm to be used for key wrapping");
option.setArgName("keySet");
options.addOption(option);
@@ -231,10 +227,7 @@ public class CRMFPopClient {
System.out.println(" - POP_NONE: without POP");
System.out.println(" - POP_SUCCESS: with valid POP");
System.out.println(" - POP_FAIL: with invalid POP (for testing)");
- System.out.println(" -g <true|false> Use KeyWrapping to wrap private key (default: true)");
- System.out.println(" - true: use a key wrapping algorithm");
- System.out.println(" - false: use an encryption algorithm");
- System.out.println(" -w <keyset_id> Key set ID to use when wrapping the private key");
+ System.out.println(" -w <keywrap algorithm> Algorithm to use for key wrapping");
System.out.println(" -b <transport cert> PEM transport certificate (default: transport.txt)");
System.out.println(" -v, --verbose Run in verbose mode.");
System.out.println(" --help Show help message.");
@@ -329,20 +322,17 @@ public class CRMFPopClient {
boolean self_sign = cmd.hasOption("y");
- // get the key wrapping mechanism
- boolean keyWrap = true;
- if (cmd.hasOption("g")) {
- keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g"));
+ // get the keywrap algorithm
+ KeyWrapAlgorithm keyWrapAlgorithm = null;
+ String kwAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString();
+ if (cmd.hasOption("w")) {
+ kwAlg = cmd.getOptionValue("w");
} else {
- String useKeyWrap = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING");
- if (useKeyWrap != null) {
- keyWrap = Boolean.parseBoolean(useKeyWrap);
+ String alg = System.getenv("KEY_ARCHIVAL_KEYWRAP_ALGORITHM");
+ if (alg != null) {
+ kwAlg = alg;
}
}
- String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
- KRAInfoResource.ENCRYPT_MECHANISM;
-
- String wrappingKeySet = cmd.getOptionValue("w");
String output = cmd.getOptionValue("o");
@@ -351,12 +341,11 @@ public class CRMFPopClient {
String requestor = cmd.getOptionValue("r");
if (hostPort != null) {
- if (cmd.hasOption("g") || cmd.hasOption("w")) {
- printError("Wrapping Key Set (-g) and keywrap (-w) options should " +
- "not be specified when hostport is specified. " +
- "CRMFPopClient will contact the server to " +
- "determine the correct values for these parameters");
- System.exit(1);
+ if (cmd.hasOption("w")) {
+ printError("Any value specified for the key wrap parameter (-w) " +
+ "will be overriden. CRMFPopClient will contact the " +
+ "CA to determine the supported algorithm when " +
+ "hostport is specified");
}
}
@@ -493,9 +482,9 @@ public class CRMFPopClient {
System.out.println("Keypair private key id: " + kid);
if (hostPort != null) {
- // check the CA for the required keyset and archival mechanism
+ // check the CA for the required key wrap algorithm
// if found, override whatever has been set by the command line
- // options or environment for archivalMechanism and wrappingKeySet
+ // options for the key wrap algorithm
ClientConfig config = new ClientConfig();
String host = hostPort.substring(0, hostPort.indexOf(':'));
@@ -503,31 +492,17 @@ public class CRMFPopClient {
config.setServerURL("http", host, port);
PKIClient pkiclient = new PKIClient(config);
-
- // get archival mechanism
- CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca");
- try {
- CAInfo info = infoClient.getInfo();
- archivalMechanism = info.getArchivalMechanism();
- wrappingKeySet = info.getWrappingKeySet();
- } catch (PKIException e) {
- if (e.getCode() == 404) {
- // assume this is an older server,
- archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
- wrappingKeySet = "0";
- } else {
- throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
- }
- } catch (Exception e) {
- throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
- }
+ kwAlg = getKeyWrapAlgotihm(pkiclient);
}
+ if (verbose) System.out.println("Using key wrap algorithm: " + kwAlg);
+ keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg);
+
if (verbose) System.out.println("Creating certificate request");
CertRequest certRequest = client.createCertRequest(
self_sign,
token, transportCert, algorithm, keyPair,
- subject, archivalMechanism, wrappingKeySet);
+ subject, keyWrapAlgorithm);
ProofOfPossession pop = null;
@@ -592,6 +567,36 @@ public class CRMFPopClient {
}
}
+ public static String getKeyWrapAlgotihm(PKIClient pkiclient)
+ throws Exception {
+ String kwAlg = null;
+ CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca");
+ String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+
+ try {
+ CAInfo info = infoClient.getInfo();
+ archivalMechanism = info.getArchivalMechanism();
+ kwAlg = info.getKeyWrapAlgorithm();
+ } catch (PKIException e) {
+ if (e.getCode() == 404) {
+ // assume this is an older server,
+ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+ kwAlg = KeyWrapAlgorithm.DES3_CBC_PAD.toString();
+ } else {
+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+ }
+ } catch (Exception e) {
+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+ }
+
+ if (!archivalMechanism.equals(KRAInfoResource.KEYWRAP_MECHANISM)) {
+ // new server with encryption set. Use something we know will
+ // work. AES-128-CBC
+ kwAlg = KeyWrapAlgorithm.AES_CBC_PAD.toString();
+ }
+ return kwAlg;
+ }
+
public void setVerbose(boolean verbose) {
this.verbose = verbose;
}
@@ -637,10 +642,9 @@ public class CRMFPopClient {
String algorithm,
KeyPair keyPair,
Name subject,
- String archivalMechanism,
- String wrappingKeySet) throws Exception {
+ KeyWrapAlgorithm keyWrapAlgorithm) throws Exception {
return createCertRequest(false, token, transportCert, algorithm, keyPair,
- subject, archivalMechanism, wrappingKeySet);
+ subject, keyWrapAlgorithm);
}
public CertRequest createCertRequest(
@@ -650,24 +654,15 @@ public class CRMFPopClient {
String algorithm,
KeyPair keyPair,
Name subject,
- String archivalMechanism,
- String wrappingKeySet) throws Exception {
- EncryptionAlgorithm encryptAlg = null;
-
- if (wrappingKeySet == null) {
- wrappingKeySet = System.getenv("KEY_WRAP_PARAMETER_SET");
+ KeyWrapAlgorithm keyWrapAlgorithm) throws Exception {
+ byte[] iv = null;
+ if (keyWrapAlgorithm.getParameterClasses() != null) {
+ iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
}
+ OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm);
- if (wrappingKeySet != null && wrappingKeySet.equalsIgnoreCase("0")) {
- // talking to an old server?
- encryptAlg = EncryptionAlgorithm.DES3_CBC;
- } else {
- encryptAlg = EncryptionAlgorithm.AES_128_CBC;
- }
-
- byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength());
- AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv));
- WrappingParams params = getWrappingParams(encryptAlg, iv, archivalMechanism);
+ AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv));
+ WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv);
PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
token,
@@ -698,29 +693,21 @@ public class CRMFPopClient {
return new CertRequest(new INTEGER(1), certTemplate, seq);
}
- private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV,
- String archivalMechanism) throws Exception {
- if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) {
- KeyWrapAlgorithm wrapAlg = null;
- IVParameterSpec wrapIVS = null;
- if (archivalMechanism.equals(KRAInfoResource.ENCRYPT_MECHANISM)) {
- // We will use AES_CBC_PAD as the a key wrap mechanism. This
- // can be decrypted using the same mechanism on the server.
- wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD;
- wrapIVS = new IVParameterSpec(wrapIV);
- } else {
- wrapAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
- }
+ private WrappingParams getWrappingParams(KeyWrapAlgorithm kwAlg, byte[] iv) throws Exception {
+ IVParameterSpec ivps = iv != null ? new IVParameterSpec(iv): null;
+
+ if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD ||
+ kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
return new WrappingParams(
SymmetricKey.AES, KeyGenAlgorithm.AES, 128,
- KeyWrapAlgorithm.RSA, encryptAlg,
- wrapAlg, wrapIVS, wrapIVS);
- } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) {
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.AES_128_CBC_PAD,
+ kwAlg, ivps, ivps);
+ } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) {
return new WrappingParams(
SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
KeyWrapAlgorithm.DES3_CBC_PAD,
- new IVParameterSpec(wrapIV), new IVParameterSpec(wrapIV));
+ ivps, ivps);
} else {
throw new Exception("Invalid encryption algorithm");
}
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index a14bb242d..9a0cfcc4b 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -29,18 +29,15 @@ import java.util.Vector;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option;
import org.apache.commons.io.FileUtils;
-import org.dogtagpki.common.CAInfo;
-import org.dogtagpki.common.CAInfoClient;
-import org.dogtagpki.common.KRAInfoResource;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.KeyWrapAlgorithm;
import org.mozilla.jss.crypto.Signature;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.pkix.crmf.CertRequest;
import org.mozilla.jss.pkix.crmf.ProofOfPossession;
import org.mozilla.jss.pkix.primitive.Name;
-import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.cert.CertClient;
import com.netscape.certsrv.cert.CertEnrollmentRequest;
import com.netscape.certsrv.cert.CertRequestInfos;
@@ -249,29 +246,13 @@ public class ClientCertRequestCLI extends CLI {
CryptoManager manager = CryptoManager.getInstance();
X509Certificate transportCert = manager.importCACertPackage(transportCertData);
- // get archival mechanism
- CAInfoClient infoClient = new CAInfoClient(client, "ca");
- String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
- String wrappingKeySet = "1";
- try {
- CAInfo info = infoClient.getInfo();
- archivalMechanism = info.getArchivalMechanism();
- wrappingKeySet = info.getWrappingKeySet();
- } catch (PKIException e) {
- if (e.getCode() == 404) {
- // assume this is an older server,
- archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
- wrappingKeySet = "0";
- } else {
- throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
- }
- } catch (Exception e) {
- throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
- }
+ // get archival and key wrap mechanisms from CA
+ String kwAlg = CRMFPopClient.getKeyWrapAlgotihm(client);
+ KeyWrapAlgorithm keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg);
csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding,
algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop,
- archivalMechanism, wrappingKeySet);
+ keyWrapAlgorithm);
} else {
throw new Exception("Unknown request type: " + requestType);
@@ -411,8 +392,7 @@ public class ClientCertRequestCLI extends CLI {
int sensitive,
int extractable,
boolean withPop,
- String archivalMechanism,
- String wrappingKeySet
+ KeyWrapAlgorithm keyWrapAlgorithm
) throws Exception {
CryptoManager manager = CryptoManager.getInstance();
@@ -434,7 +414,7 @@ public class ClientCertRequestCLI extends CLI {
}
CertRequest certRequest = client.createCertRequest(
- token, transportCert, algorithm, keyPair, subject, archivalMechanism, wrappingKeySet);
+ token, transportCert, algorithm, keyPair, subject, keyWrapAlgorithm);
ProofOfPossession pop = null;
if (withPop) {
generated by cgit (git 2.34.1) at 2026-01-03 10:22:54 +0000