Refactor code that creates PKIArchiveOptions objects

* Refactor code in CryptoUtil to parametrize the algorithms used. * Moved WrappingParams to utils jar to allow correct compilation. * Removed code that created a PKIArchiveOptions structure from CRMFPopClient and replaced with calls to CryptoUtil methods. Note that the algorithms have been left as DES3. They will be changed to AES in the next patch. * Converted code in AuthorityKeyExportCLI to use the new methods in CryptoUtil. * Removed DRMTest this code is no longer maintained or used. Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
author: Ade Lee <alee@redhat.com> 2017-03-23 00:20:32 -0400
committer: Ade Lee <alee@redhat.com> 2017-03-23 16:16:08 -0400
commit: 5b7ce994b8698dca62c23e653b7a1cfeebf959e4 (patch)
tree: f7673ab05610d8cc8444d4482a95b1949c9eb985 /base/java-tools/src
parent: 58bfe7d510126609969703325d7655175be5da62 (diff)
download: pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.tar.gz
pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.tar.xz
pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.zip
3 files changed, 56 insertions, 75 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 0a05a395a..670185666 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -53,12 +53,11 @@ import org.mozilla.jss.asn1.TeletexString;
 import org.mozilla.jss.asn1.UTF8String;
 import org.mozilla.jss.asn1.UniversalString;
 import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
 import org.mozilla.jss.crypto.IVParameterSpec;
 import org.mozilla.jss.crypto.KeyGenAlgorithm;
-import org.mozilla.jss.crypto.KeyGenerator;
-import org.mozilla.jss.crypto.KeyPairAlgorithm;
-import org.mozilla.jss.crypto.KeyPairGenerator;
 import org.mozilla.jss.crypto.KeyWrapAlgorithm;
+import org.mozilla.jss.crypto.PrivateKey;
 import org.mozilla.jss.crypto.Signature;
 import org.mozilla.jss.crypto.SignatureAlgorithm;
 import org.mozilla.jss.crypto.SymmetricKey;
@@ -66,8 +65,6 @@ import org.mozilla.jss.crypto.X509Certificate;
 import org.mozilla.jss.pkix.crmf.CertReqMsg;
 import org.mozilla.jss.pkix.crmf.CertRequest;
 import org.mozilla.jss.pkix.crmf.CertTemplate;
-import org.mozilla.jss.pkix.crmf.EncryptedKey;
-import org.mozilla.jss.pkix.crmf.EncryptedValue;
 import org.mozilla.jss.pkix.crmf.PKIArchiveOptions;
 import org.mozilla.jss.pkix.crmf.POPOSigningKey;
 import org.mozilla.jss.pkix.crmf.ProofOfPossession;
@@ -82,6 +79,7 @@ import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.HMACDigest;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.security.util.WrappingParams;
 import netscape.security.x509.X500Name;
 
 /**
@@ -427,8 +425,7 @@ public class CRMFPopClient {
             if (verbose) System.out.println("Generating key pair");
             KeyPair keyPair;
             if (algorithm.equals("rsa")) {
-                keyPair = client.generateRSAKeyPair(token, keySize);
-
+                keyPair = CryptoUtil.generateRSAKeyPair(token, keySize);
             } else if (algorithm.equals("ec")) {
                 keyPair = client.generateECCKeyPair(token, curve, sslECDH, temporary, sensitive, extractable);
 
@@ -510,12 +507,6 @@ public class CRMFPopClient {
         return verbose;
     }
 
-    public KeyPair generateRSAKeyPair(CryptoToken token, int length) throws Exception {
-        KeyPairGenerator kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA);
-        kg.initialize(length);
-        return kg.genKeyPair();
-    }
-
     public KeyPair generateECCKeyPair(
             CryptoToken token,
             String curve,
@@ -547,25 +538,6 @@ public class CRMFPopClient {
                 extractable);
     }
 
-    public byte[] wrapPrivateKey(CryptoToken token, SymmetricKey sessionKey, byte[] iv, KeyPair keyPair) throws Exception {
-
-        // wrap private key using session
-        return CryptoUtil.wrapUsingSymmetricKey(
-                token,
-                sessionKey,
-                (org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate(),
-                new IVParameterSpec(iv),
-                KeyWrapAlgorithm.DES3_CBC_PAD);
-    }
-
-    public byte[] wrapSessionKey(CryptoToken token, X509Certificate transportCert, SymmetricKey sessionKey) throws Exception {
-
-        // wrap session key using KRA transport cert
-        // currently, a transport cert has to be an RSA cert,
-        // regardless of the key you are wrapping
-        return CryptoUtil.wrapUsingPublicKey(token, transportCert.getPublicKey(), sessionKey, KeyWrapAlgorithm.RSA);
-    }
-
     public CertRequest createCertRequest(
             CryptoToken token,
             X509Certificate transportCert,
@@ -573,7 +545,33 @@ public class CRMFPopClient {
             KeyPair keyPair,
             Name subject) throws Exception {
 
-        PKIArchiveOptions opts = createPKIArchiveOptions(token, transportCert, algorithm, keyPair);
+        byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+        IVParameterSpec ivps = new IVParameterSpec(iv);
+
+        AlgorithmIdentifier aid;
+        if (algorithm.equals("rsa")) {
+            aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), new OCTET_STRING(iv));
+
+        } else if (algorithm.equals("ec")) {
+            aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv));
+
+        } else {
+            throw new Exception("Unknown algorithm: " + algorithm);
+        }
+
+        WrappingParams params = new WrappingParams(
+                SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
+                KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+                KeyWrapAlgorithm.DES3_CBC_PAD, ivps, ivps);
+
+        // TODO(alee) check the cast on the third argument
+        PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
+                token,
+                transportCert.getPublicKey(),
+                (PrivateKey) keyPair.getPrivate(),
+                params,
+                aid);
+
         CertTemplate certTemplate = createCertTemplate(subject, keyPair.getPublic());
 
         SEQUENCE seq = new SEQUENCE();
@@ -611,44 +609,6 @@ public class CRMFPopClient {
         return new OCTET_STRING(finalDigest);
     }
 
-    public PKIArchiveOptions createPKIArchiveOptions(
-            CryptoToken token,
-            X509Certificate transportCert,
-            String algorithm,
-            KeyPair keyPair) throws Exception {
-
-        KeyGenerator keyGen = token.getKeyGenerator(KeyGenAlgorithm.DES3);
-        SymmetricKey sessionKey = keyGen.generate();
-
-        byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
-
-        byte[] wrappedPrivateKey = wrapPrivateKey(token, sessionKey, iv, keyPair);
-        byte[] wrappedSessionKey = wrapSessionKey(token, transportCert, sessionKey);
-
-        AlgorithmIdentifier algorithmID;
-        if (algorithm.equals("rsa")) {
-            algorithmID = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), new OCTET_STRING(iv));
-
-        } else if (algorithm.equals("ec")) {
-            algorithmID = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv));
-
-        } else {
-            throw new Exception("Unknown algorithm: " + algorithm);
-        }
-
-        EncryptedValue encValue = new EncryptedValue(
-                null,
-                algorithmID,
-                new BIT_STRING(wrappedSessionKey, 0),
-                null,
-                null,
-                new BIT_STRING(wrappedPrivateKey, 0));
-
-        EncryptedKey key = new EncryptedKey(encValue);
-
-        return new PKIArchiveOptions(key);
-    }
-
     public CertTemplate createCertTemplate(Name subject, PublicKey publicKey) throws Exception {
 
         CertTemplate template = new CertTemplate();
diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java
index 2fafe5204..d2ec62f03 100644
--- a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java
@@ -7,15 +7,23 @@ import java.security.PublicKey;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
 import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+import org.mozilla.jss.asn1.OCTET_STRING;
 import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
 import org.mozilla.jss.crypto.IVParameterSpec;
 import org.mozilla.jss.crypto.KeyGenAlgorithm;
+import org.mozilla.jss.crypto.KeyWrapAlgorithm;
 import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.crypto.SymmetricKey;
 import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
 
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmsutil.crypto.CryptoUtil;
 
+import netscape.security.util.WrappingParams;
+
 public class AuthorityKeyExportCLI extends CLI {
 
     public AuthorityCLI authorityCLI;
@@ -78,9 +86,21 @@ public class AuthorityKeyExportCLI extends CLI {
         byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
         IVParameterSpec ivps = new IVParameterSpec(iv);
 
-        byte[] data = CryptoUtil.createPKIArchiveOptions(
-            token, wrappingKey, toBeWrapped,
-            KeyGenAlgorithm.DES3, 0, ivps);
+        WrappingParams params = new WrappingParams(
+                SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
+                KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+                KeyWrapAlgorithm.DES3_CBC_PAD, ivps, ivps);
+
+        AlgorithmIdentifier aid = new AlgorithmIdentifier(
+                new OBJECT_IDENTIFIER("1.2.840.113549.3.7"),
+                new OCTET_STRING(ivps.getIV()));
+
+        byte[] data = CryptoUtil.createEncodedPKIArchiveOptions(
+                token,
+                wrappingKey,
+                toBeWrapped,
+                params,
+                aid);
 
         Files.newOutputStream(Paths.get(filename)).write(data);
     }
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index 37d0e81ae..8c3a55115 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -47,6 +47,7 @@ import com.netscape.cmstools.CRMFPopClient;
 import com.netscape.cmstools.cert.CertCLI;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
+import com.netscape.cmsutil.crypto.CryptoUtil;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.Utils;
 
@@ -396,7 +397,7 @@ public class ClientCertRequestCLI extends CLI {
 
         KeyPair keyPair;
         if (algorithm.equals("rsa")) {
-            keyPair = client.generateRSAKeyPair(token, length);
+            keyPair = CryptoUtil.generateRSAKeyPair(token, length);
 
         } else if (algorithm.equals("ec")) {
             keyPair = client.generateECCKeyPair(token, curve, sslECDH, temporary, sensitive, extractable);
author	Ade Lee <alee@redhat.com>	2017-03-23 00:20:32 -0400
committer	Ade Lee <alee@redhat.com>	2017-03-23 16:16:08 -0400
commit	5b7ce994b8698dca62c23e653b7a1cfeebf959e4 (patch)
tree	f7673ab05610d8cc8444d4482a95b1949c9eb985 /base/java-tools/src
parent	58bfe7d510126609969703325d7655175be5da62 (diff)
download	pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.tar.gz pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.tar.xz pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.zip