authorAbhishek Koneru <akoneru@redhat.com>2014-07-24 11:20:12 -0400
committerAbhishek Koneru <akoneru@redhat.com>2014-08-27 01:15:35 -0400
commit6444287caa2ad171086d0ce9d93761a897247e06 (patch)
tree86e13cafc3f7b866be86b21cf0d96e401d0b9f01 /base/kra/src/com/netscape/kra
parent8e464b6ba5d83d7915978db5841967f20672dfd0 (diff)
Generate asymmetric keys in the DRM.
Adds methods to the key client to generate asymmetric keys using the RSA and DSA algorithms with the valid key sizes 512, 1024, 2048 and 4096. The generated keys are archived in the database. Using the CLI, the public key (base64 encoded) can be retrieved with the key-show command, and the private key (base64 encoded) with the key-retrieve command. Ticket #1023
Diffstat (limited to 'base/kra/src/com/netscape/kra')
-rw-r--r--base/kra/src/com/netscape/kra/AsymKeyGenService.java210
-rw-r--r--base/kra/src/com/netscape/kra/EncryptionUnit.java16
-rw-r--r--base/kra/src/com/netscape/kra/EnrollmentService.java4
-rw-r--r--base/kra/src/com/netscape/kra/KRAService.java2
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java78
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataService.java5
-rw-r--r--base/kra/src/com/netscape/kra/SymKeyGenService.java9
7 files changed, 291 insertions, 33 deletions
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
new file mode 100644
index 000000000..f4f68ea01
--- /dev/null
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
@@ -0,0 +1,210 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2014 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.KeyPairAlgorithm;
+import org.mozilla.jss.crypto.KeyPairGenerator;
+import org.mozilla.jss.crypto.KeyPairGeneratorSpi;
+import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.crypto.TokenException;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+import com.netscape.certsrv.key.AsymKeyGenerationRequest;
+import com.netscape.certsrv.key.KeyRequestResource;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IService;
+import com.netscape.certsrv.request.RequestId;
+import com.netscape.certsrv.security.IStorageKeyUnit;
+import com.netscape.cms.servlet.key.KeyRequestDAO;
+import com.netscape.cmscore.dbs.KeyRecord;
+
+/**
+ * Service class to handle asymmetric key generation requests.
+ * A new asymmetric key is generated and archived the database as a key record.
+ * The private key is wrapped with the storage key and stored in the privateKeyData attribute of the
+ * ldap record.
+ * The public key is stored in the publicKeyData attribute of the record.
+ *
+ * @author akoneru
+ *
+ */
+public class AsymKeyGenService implements IService {
+
+ private static final String ATTR_KEY_RECORD = "keyRecord";
+ private static final String STATUS_ACTIVE = "active";
+
+ private IKeyRecoveryAuthority kra = null;
+ private IStorageKeyUnit storageUnit = null;
+ private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
+ private final static String LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6";
+
+ public AsymKeyGenService(IKeyRecoveryAuthority kra) {
+ this.kra = kra;
+ this.storageUnit = kra.getStorageKeyUnit();
+ }
+
+ @Override
+ public boolean serviceRequest(IRequest request) throws EBaseException {
+
+ String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID);
+ String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM);
+
+ String keySizeStr = request.getExtDataInString(IRequest.KEY_GEN_SIZE);
+ int keySize = Integer.valueOf(keySizeStr);
+
+ KeyPairGeneratorSpi.Usage[] usageList = null;
+ String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES);
+ if (usageStr != null) {
+ String[] usages = usageStr.split(",");
+
+ if (usages.length > 0) {
+ usageList = new KeyPairGeneratorSpi.Usage[usages.length];
+ for (int i = 0; i < usages.length; i++) {
+ switch (usages[i]) {
+ case AsymKeyGenerationRequest.DECRYPT:
+ usageList[i] = KeyPairGeneratorSpi.Usage.DECRYPT;
+ break;
+ case AsymKeyGenerationRequest.ENCRYPT:
+ usageList[i] = KeyPairGeneratorSpi.Usage.ENCRYPT;
+ break;
+ case AsymKeyGenerationRequest.WRAP:
+ usageList[i] = KeyPairGeneratorSpi.Usage.WRAP;
+ break;
+ case AsymKeyGenerationRequest.UNWRAP:
+ usageList[i] = KeyPairGeneratorSpi.Usage.UNWRAP;
+ break;
+ case AsymKeyGenerationRequest.DERIVE:
+ usageList[i] = KeyPairGeneratorSpi.Usage.DERIVE;
+ break;
+ case AsymKeyGenerationRequest.SIGN:
+ usageList[i] = KeyPairGeneratorSpi.Usage.SIGN;
+ break;
+ case AsymKeyGenerationRequest.SIGN_RECOVER:
+ usageList[i] = KeyPairGeneratorSpi.Usage.SIGN_RECOVER;
+ break;
+ case AsymKeyGenerationRequest.VERIFY:
+ usageList[i] = KeyPairGeneratorSpi.Usage.VERIFY;
+ break;
+ case AsymKeyGenerationRequest.VERIFY_RECOVER:
+ usageList[i] = KeyPairGeneratorSpi.Usage.VERIFY_RECOVER;
+ break;
+ }
+ }
+ } else {
+ usageList = new KeyPairGeneratorSpi.Usage[2];
+ usageList[0] = KeyPairGeneratorSpi.Usage.DECRYPT;
+ usageList[1] = KeyPairGeneratorSpi.Usage.ENCRYPT;
+ }
+ }
+
+ CMS.debug("AsymKeyGenService.serviceRequest. Request id: " + request.getRequestId());
+ CMS.debug("AsymKeyGenService.serviceRequest algorithm: " + algorithm);
+
+ KeyPairAlgorithm keyPairAlgorithm = KeyRequestDAO.ASYMKEY_GEN_ALGORITHMS.get(algorithm.toUpperCase());
+
+ String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ String auditSubjectID = owner;
+
+ // Get the token
+ CryptoToken token = kra.getKeygenToken();
+
+ // Generating the asymmetric keys
+ KeyPairGenerator keyPairGen = null;
+ KeyPair kp = null;
+
+ try {
+ keyPairGen = token.getKeyPairGenerator(keyPairAlgorithm);
+ keyPairGen.initialize(keySize);
+ if (usageList != null)
+ keyPairGen.setKeyPairUsages(usageList, usageList);
+ kp = keyPairGen.genKeyPair();
+ } catch (NoSuchAlgorithmException | TokenException e) {
+ CMS.debugStackTrace();
+ auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+ clientKeyId, null, "Failed to generate Asymmetric key");
+ throw new EBaseException("Errors in generating Asymmetric key: " + e);
+ }
+
+ KeyRecord record = new KeyRecord(null, kp.getPublic().getEncoded(), storageUnit.wrap((PrivateKey) kp
+ .getPrivate()), owner, algorithm, owner);
+
+ IKeyRepository storage = kra.getKeyRepository();
+ BigInteger serialNo = storage.getNextSerialNumber();
+
+ if (serialNo == null) {
+ kra.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
+ auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+ clientKeyId, null, "Failed to get next Key ID");
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+ }
+
+ // Storing the public key and private key.
+ record.set(IKeyRecord.ATTR_CLIENT_ID, clientKeyId);
+ record.setSerialNumber(serialNo);
+ record.set(KeyRecord.ATTR_ID, serialNo);
+ record.set(KeyRecord.ATTR_DATA_TYPE, KeyRequestResource.ASYMMETRIC_KEY_TYPE);
+ record.set(KeyRecord.ATTR_STATUS, STATUS_ACTIVE);
+ record.set(KeyRecord.ATTR_KEY_SIZE, keySize);
+ request.setExtData(ATTR_KEY_RECORD, serialNo);
+
+ storage.addKeyRecord(record);
+
+ auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(),
+ clientKeyId, serialNo.toString(), "None");
+ request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+ kra.getRequestQueue().updateRequest(request);
+ return true;
+ }
+
+ private void audit(String msg) {
+ if (signedAuditLogger == null)
+ return;
+
+ signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+ private void auditAsymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID,
+ String clientKeyID,
+ String keyID, String reason) {
+ String auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED,
+ subjectID,
+ status,
+ requestID.toString(),
+ clientKeyID,
+ keyID != null ? keyID : "None",
+ reason);
+ audit(auditMessage);
+ }
+}
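Review bot: An unrecognized algorithm or usage string is not rejected before key generation: `KeyRequestDAO.ASYMKEY_GEN_ALGORITHMS.get(...)` can return null (and `algorithm.toUpperCase()` throws if the request attribute is absent), and the `switch` over usages has no `default`, so an unknown usage leaves a null slot in `usageList` that is then handed to `setKeyPairUsages`. Neither failure is a `NoSuchAlgorithmException` or `TokenException`, so it escapes the catch block and is never written to the signed audit log. Mirror SymKeyGenService with `if (keyPairAlgorithm == null) throw new EBaseException("Invalid algorithm");` before `getKeyPairGenerator`, and add `default: throw new EBaseException("Invalid key usage: " + usages[i]);` to the switch. The `else` branch defaulting to DECRYPT/ENCRYPT is unreachable, since `String.split` never yields an empty array; if a default is intended it belongs in the `usageStr == null` case. Key size is likewise accepted unchecked (`Integer.valueOf` on a request attribute); if the 512–4096 validation described in the commit message lives in the REST layer, a comment here should say so, and 512-bit RSA/DSA is arguably too weak to generate at all.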
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
index 71bd1d781..8eabe05ae 100644
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
@@ -43,6 +43,7 @@ import org.mozilla.jss.crypto.TokenException;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.key.KeyRequestResource;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.security.IEncryptionUnit;
import com.netscape.cmscore.util.Debug;
@@ -600,6 +601,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
pubKey, boolean temporary)
throws EBaseException {
try {
+
DerValue val = new DerValue(wrappedKeyData);
// val.tag == DerValue.tag_Sequence
DerInputStream in = val.data;
@@ -623,13 +625,23 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
wrapper.initUnwrap(sk, IV);
+ // Get the key type for unwrapping the private key.
+ PrivateKey.Type keyType = null;
+ if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.RSA_ALGORITHM)) {
+ keyType = PrivateKey.RSA;
+ } else if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.DSA_ALGORITHM)) {
+ keyType = PrivateKey.DSA;
+ } else if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.EC_ALGORITHM)) {
+ keyType = PrivateKey.EC;
+ }
+
PrivateKey pk = null;
if (temporary) {
pk = wrapper.unwrapTemporaryPrivate(pri,
- PrivateKey.RSA, pubKey);
+ keyType, pubKey);
} else {
pk = wrapper.unwrapPrivate(pri,
- PrivateKey.RSA, pubKey);
+ keyType, pubKey);
}
return pk;
} catch (TokenException e) {
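Review bot: `keyType` stays null when `pubKey.getAlgorithm()` is none of RSA, DSA or EC, and is then passed to `unwrapPrivate`/`unwrapTemporaryPrivate`, where the old code always supplied `PrivateKey.RSA`; what JSS does with a null type is not visible here. Add a terminal branch such as `} else { throw new EBaseException("Unsupported key type: " + pubKey.getAlgorithm()); }` so an unexpected public-key algorithm fails explicitly rather than inside the native unwrap. The enclosing method begins and ends outside this hunk.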
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index 3ce37d6ae..d1b716cf8 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -272,7 +272,7 @@ public class EnrollmentService implements IService {
}
*/
- // retrieve pubic key
+ // retrieve public key
X509Key publicKey = getPublicKey(request, aOpts[i].mReqPos);
byte publicKeyData[] = publicKey.getEncoded();
@@ -458,7 +458,7 @@ public class EnrollmentService implements IService {
rec.setKeySize(-1);
}
- // if record alreay has a serial number, yell out.
+ // if record already has a serial number, yell out.
if (rec.getSerialNumber() != null) {
mKRA.log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER",
diff --git a/base/kra/src/com/netscape/kra/KRAService.java b/base/kra/src/com/netscape/kra/KRAService.java
index f4768bd00..06c8ce1d5 100644
--- a/base/kra/src/com/netscape/kra/KRAService.java
+++ b/base/kra/src/com/netscape/kra/KRAService.java
@@ -50,6 +50,7 @@ public class KRAService implements IService {
public final static String SECURITY_DATA_ENROLLMENT = IRequest.SECURITY_DATA_ENROLLMENT_REQUEST;
public final static String SECURITY_DATA_RECOVERY = IRequest.SECURITY_DATA_RECOVERY_REQUEST;
public final static String SYMKEY_GENERATION = IRequest.SYMKEY_GENERATION_REQUEST;
+ public final static String ASYMKEY_GENERATION = IRequest.ASYMKEY_GENERATION_REQUEST;
// private variables
@@ -68,6 +69,7 @@ public class KRAService implements IService {
mServices.put(SECURITY_DATA_ENROLLMENT, new SecurityDataService(kra));
mServices.put(SECURITY_DATA_RECOVERY, new SecurityDataRecoveryService(kra));
mServices.put(SYMKEY_GENERATION, new SymKeyGenService(kra));
+ mServices.put(ASYMKEY_GENERATION, new AsymKeyGenService(kra));
}
/**
diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
index a2d587318..752c8dff5 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
@@ -30,6 +30,9 @@ import java.util.Random;
import javax.crypto.spec.RC2ParameterSpec;
+import netscape.security.util.DerValue;
+import netscape.security.x509.X509Key;
+
import org.dogtagpki.server.kra.rest.KeyRequestService;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.asn1.OCTET_STRING;
@@ -42,6 +45,7 @@ import org.mozilla.jss.crypto.KeyWrapAlgorithm;
import org.mozilla.jss.crypto.KeyWrapper;
import org.mozilla.jss.crypto.PBEAlgorithm;
import org.mozilla.jss.crypto.PBEKeyGenParams;
+import org.mozilla.jss.crypto.PrivateKey;
import org.mozilla.jss.crypto.SymmetricKey;
import org.mozilla.jss.crypto.TokenException;
import org.mozilla.jss.pkcs12.PasswordConverter;
@@ -123,36 +127,29 @@ public class SecurityDataRecoveryService implements IService {
Hashtable<String, Object> params = mKRA.getVolatileRequest(
request.getRequestId());
-
BigInteger serialno = request.getExtDataInBigInteger(ATTR_SERIALNO);
request.setExtData(ATTR_KEY_RECORD, serialno);
RequestId requestID = request.getRequestId();
-
if (params == null) {
CMS.debug("Can't get volatile params.");
auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
"cannot get volatile params");
throw new EBaseException("Can't obtain volatile params!");
}
-
byte[] wrappedPassPhrase = null;
byte[] wrappedSessKey = null;
-
String transWrappedSessKeyStr = (String) params.get(IRequest.SECURITY_DATA_TRANS_SESS_KEY);
if (transWrappedSessKeyStr != null) {
wrappedSessKey = Utils.base64decode(transWrappedSessKeyStr);
}
-
String sessWrappedPassPhraseStr = (String) params.get(IRequest.SECURITY_DATA_SESS_PASS_PHRASE);
if (sessWrappedPassPhraseStr != null) {
wrappedPassPhrase = Utils.base64decode(sessWrappedPassPhraseStr);
}
-
String ivInStr = (String) params.get(IRequest.SECURITY_DATA_IV_STRING_IN);
if (ivInStr != null) {
iv_in = Utils.base64decode(ivInStr);
}
-
if (transWrappedSessKeyStr == null && sessWrappedPassPhraseStr == null) {
//We may be in recovery case where no params were initially submitted.
return false;
@@ -167,46 +164,56 @@ public class SecurityDataRecoveryService implements IService {
} catch (Exception e) {
iv = iv_default;
}
-
String ivStr = Utils.base64encode(iv);
KeyRecord keyRecord = (KeyRecord) mStorage.readKeyRecord(serialno);
SymmetricKey unwrappedSess = null;
-
String dataType = (String) keyRecord.get(IKeyRecord.ATTR_DATA_TYPE);
SymmetricKey symKey = null;
byte[] unwrappedSecData = null;
+ PrivateKey privateKey = null;
if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
symKey = recoverSymKey(keyRecord);
+
} else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
unwrappedSecData = recoverSecurityData(keyRecord);
+ } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
+ try {
+ privateKey = mStorageUnit.unwrap(keyRecord.getPrivateKeyData(),
+ X509Key.parsePublicKey(new DerValue(keyRecord.getPublicKeyData())));
+ } catch (IOException e) {
+ e.printStackTrace();
+ CMS.debug("Cannot unwrap stored private key.");
+ throw new EBaseException("Cannot fetch the private key from the database.");
+ }
+ } else {
+ throw new EBaseException("Invalid data type stored in the database.");
}
-
CryptoToken ct = mTransportUnit.getToken();
byte[] key_data = null;
String pbeWrappedData = null;
-
if (sessWrappedPassPhraseStr != null) { //We have a trans wrapped pass phrase, we will be doing PBE packaging
byte[] unwrappedPass = null;
Password pass = null;
-
try {
unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.DECRYPT);
Cipher decryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
decryptor.initDecrypt(unwrappedSess, new IVParameterSpec(iv_in));
unwrappedPass = decryptor.doFinal(wrappedPassPhrase);
String passStr = new String(unwrappedPass, "UTF-8");
-
pass = new Password(passStr.toCharArray());
passStr = null;
if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
- pbeWrappedData = createEncryptedContentInfo(ct, symKey, null,
+ pbeWrappedData = createEncryptedContentInfo(ct, symKey, null, null,
+ pass);
+ } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)){
+ pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null,
pass);
- } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
- pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData,
+ } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
+ pbeWrappedData = createEncryptedContentInfo(ct, null, null, privateKey,
pass);
}
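Review bot: The new ASYMMETRIC_KEY_TYPE failure path does not call `auditRecoveryRequestProcessed`, unlike the other failure paths in this method (e.g. the "cannot get volatile params" case above), so a failed private-key unwrap leaves no signed audit record; the same applies to the new "Invalid data type" branch. `e.printStackTrace()` also writes to stderr rather than the server log and the cause is dropped from the thrown exception. Suggest replacing the catch body with `CMS.debugStackTrace();`, `auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), "Cannot unwrap stored private key");` and then the throw (passing `e` as cause if EBaseException offers such a constructor). The enclosing method starts and ends outside this hunk.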
@@ -258,6 +265,19 @@ public class SecurityDataRecoveryService implements IService {
serialno.toString(), "Cannot wrap pass phrase");
throw new EBaseException("Can't wrap pass phrase!");
}
+
+ } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
+ CMS.debug("Wrapping the private key with the session key");
+ try {
+ unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.WRAP);
+ KeyWrapper wrapper = ct.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
+ wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv));
+ key_data = wrapper.wrap(privateKey);
+ } catch (Exception e) {
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
+ "Cannot wrap private key");
+ throw new EBaseException("Cannot wrap private key - " + e.toString());
+ }
}
String wrappedKeyData = Utils.base64encode(key_data);
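Review bot: The new branch catches `Exception` and folds only `e.toString()` into the message, which hides the real failure type and the stack from the log. Catching `TokenException | InvalidKeyException | InvalidAlgorithmParameterException` (the checked types these JSS calls can raise, as the wrapper helper below declares) and calling `CMS.debugStackTrace();` before the audit call would keep the diagnostic. The enclosing method continues outside this hunk.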
@@ -319,10 +339,10 @@ public class SecurityDataRecoveryService implements IService {
//ToDo: This might fit in JSS.
private static EncryptedContentInfo
- createEncryptedContentInfoPBEOfSymmKey(PBEAlgorithm keyGenAlg, Password password, byte[] salt,
+ createEncryptedContentInfoPBEOfKey(PBEAlgorithm keyGenAlg, Password password, byte[] salt,
int iterationCount,
KeyGenerator.CharToByteConverter charToByteConverter,
- SymmetricKey symKey, CryptoToken token)
+ SymmetricKey symKey, PrivateKey privateKey, CryptoToken token)
throws CryptoManager.NotInitializedException, NoSuchAlgorithmException,
InvalidKeyException, InvalidAlgorithmParameterException, TokenException,
CharConversionException {
@@ -354,8 +374,15 @@ public class SecurityDataRecoveryService implements IService {
KeyWrapper wrapper = token.getKeyWrapper(
KeyWrapAlgorithm.DES3_CBC_PAD);
wrapper.initWrap(key, params);
- byte encrypted[] = wrapper.wrap(symKey);
-
+ byte[] encrypted = null;
+ if (symKey != null) {
+ encrypted = wrapper.wrap(symKey);
+ } else if (privateKey != null) {
+ encrypted = wrapper.wrap(privateKey);
+ }
+ if (encrypted == null) {
+ //TODO - think about the exception to be thrown
+ }
PBEParameter pbeParam = new PBEParameter(salt, iterationCount);
AlgorithmIdentifier encAlgID = new AlgorithmIdentifier(
keyGenAlg.toOID(), pbeParam);
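Review bot: The `if (encrypted == null)` block is empty, so when both `symKey` and `privateKey` are null the method continues and builds an `EncryptedContentInfo` around a null byte array. Since the method already declares `InvalidKeyException`, fill the TODO with `throw new InvalidKeyException("Neither a symmetric nor a private key was supplied for PBE wrapping");`. The enclosing method begins and ends outside this hunk.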
@@ -369,7 +396,7 @@ public class SecurityDataRecoveryService implements IService {
}
- private static String createEncryptedContentInfo(CryptoToken ct, SymmetricKey symKey, byte[] securityData,
+ private static String createEncryptedContentInfo(CryptoToken ct, SymmetricKey symKey, byte[] securityData, PrivateKey privateKey,
Password password)
throws EBaseException {
@@ -384,14 +411,19 @@ public class SecurityDataRecoveryService implements IService {
byte salt[] = { 0x01, 0x01, 0x01, 0x01 };
if (symKey != null) {
- cInfo = createEncryptedContentInfoPBEOfSymmKey(keyGenAlg, password, salt,
+ cInfo = createEncryptedContentInfoPBEOfKey(keyGenAlg, password, salt,
1,
passConverter,
- symKey, ct);
+ symKey, null, ct);
} else if (securityData != null) {
cInfo = EncryptedContentInfo.createPBE(keyGenAlg, password, salt, 1, passConverter, securityData);
+ } else if (privateKey != null) {
+ cInfo = createEncryptedContentInfoPBEOfKey(keyGenAlg, password, salt,
+ 1,
+ passConverter,
+ null, privateKey, ct);
}
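Review bot: The fixed four-byte salt `{ 0x01, 0x01, 0x01, 0x01 }` and iteration count 1 are pre-existing, but this hunk extends them to PBE-wrapping of recovered private keys, so an attacker who captures the returned blob can brute-force the client-chosen recovery passphrase with no work-factor and no per-message salt. Because the salt and count travel in the `PBEParameter`, the server could draw the salt from `SecureRandom` and use an iteration count in the thousands without changing the wire format, unless a client-side contract pins these values, in which case a comment should say so. The enclosing method starts and ends outside this hunk.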
if(cInfo == null) {
diff --git a/base/kra/src/com/netscape/kra/SecurityDataService.java b/base/kra/src/com/netscape/kra/SecurityDataService.java
index 4a2ebef34..25bb240e1 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataService.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataService.java
@@ -182,9 +182,12 @@ public class SecurityDataService implements IService {
// create key record
// Note that in this case the owner is the same as the approving agent
// because the archival request is made by the agent.
+ // The algorithm used to generate the symmetric key (being stored as the secret)
+ // is set in later in this method. (which is different from the algStr variable
+ // which is the algorithm used for encrypting the secret.)
KeyRecord rec = new KeyRecord(null, publicKey,
privateSecurityData, owner,
- algStr, owner);
+ null, owner);
rec.set(IKeyRecord.ATTR_CLIENT_ID, clientKeyId);
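Review bot: The added comment is hard to parse ("is set in later in this method") and should state the distinction directly: `// The stored key's own algorithm is set later in this method; algStr is the algorithm used to encrypt the secret, not the key's algorithm.` Passing `null` for the algorithm to the `KeyRecord` constructor presumably relies on that constructor tolerating null — worth confirming, since the constructor is not visible here. The enclosing method continues outside this hunk.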
diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
index 46c8265f0..d308345d7 100644
--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
@@ -88,13 +88,13 @@ public class SymKeyGenService implements IService {
throws EBaseException {
String id = request.getRequestId().toString();
String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID);
- String algorithm = request.getExtDataInString(IRequest.SYMKEY_GEN_ALGORITHM);
+ String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM);
- String usageStr = request.getExtDataInString(IRequest.SYMKEY_GEN_USAGES);
+ String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES);
List<String> usages = new ArrayList<String>(
Arrays.asList(StringUtils.split(usageStr, ",")));
- String keySizeStr = request.getExtDataInString(IRequest.SYMKEY_GEN_SIZE);
+ String keySizeStr = request.getExtDataInString(IRequest.KEY_GEN_SIZE);
int keySize = Integer.parseInt(keySizeStr);
CMS.debug("SymKeyGenService.serviceRequest. Request id: " + id);
@@ -111,7 +111,7 @@ public class SymKeyGenService implements IService {
}
CryptoToken token = mStorageUnit.getToken();
- KeyGenAlgorithm kgAlg = KeyRequestDAO.KEYGEN_ALGORITHMS.get(algorithm);
+ KeyGenAlgorithm kgAlg = KeyRequestDAO.SYMKEY_GEN_ALGORITHMS.get(algorithm);
if (kgAlg == null) {
throw new EBaseException("Invalid algorithm");
}
@@ -209,7 +209,6 @@ public class SymKeyGenService implements IService {
rec.set(KeyRecord.ATTR_ID, serialNo);
rec.set(KeyRecord.ATTR_DATA_TYPE, KeyRequestResource.SYMMETRIC_KEY_TYPE);
rec.set(KeyRecord.ATTR_STATUS, STATUS_ACTIVE);
- rec.set(KeyRecord.ATTR_ALGORITHM, algorithm);
rec.set(KeyRecord.ATTR_KEY_SIZE, keySize);
request.setExtData(ATTR_KEY_RECORD, serialNo);