author | Abhishek Koneru <akoneru@redhat.com> | 2014-07-24 11:20:12 -0400 |
---|---|---|
committer | Abhishek Koneru <akoneru@redhat.com> | 2014-08-27 01:15:35 -0400 |
commit | 6444287caa2ad171086d0ce9d93761a897247e06 (patch) | |
tree | 86e13cafc3f7b866be86b21cf0d96e401d0b9f01 /base/kra/src/com/netscape/kra | |
parent | 8e464b6ba5d83d7915978db5841967f20672dfd0 (diff) | |
Generate asymmetric keys in the DRM.
Adds methods to key client to generate asymmetric keys using
algorithms RSA and DSA for valid key sizes of 512, 1024, 2048 and 4096.
The generated keys are archived in the database.
Using the CLI, the public key(base64 encoded) can be retrieved by using
the key-show command.
The private key(base64 encoded) can be retrieved using the key-retrieve
command.
Ticket #1023
Diffstat (limited to 'base/kra/src/com/netscape/kra')
7 files changed, 291 insertions, 33 deletions
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
new file mode 100644
index 000000000..f4f68ea01
--- /dev/null
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
@@ -0,0 +1,210 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2014 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+package com.netscape.kra;
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.KeyPairAlgorithm;
+import org.mozilla.jss.crypto.KeyPairGenerator;
+import org.mozilla.jss.crypto.KeyPairGeneratorSpi;
+import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.crypto.TokenException;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.dbs.keydb.IKeyRecord;
+import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+import com.netscape.certsrv.key.AsymKeyGenerationRequest;
+import com.netscape.certsrv.key.KeyRequestResource;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IService;
+import com.netscape.certsrv.request.RequestId;
+import com.netscape.certsrv.security.IStorageKeyUnit;
+import com.netscape.cms.servlet.key.KeyRequestDAO;
+import com.netscape.cmscore.dbs.KeyRecord;
+
+/**
+ * Service class to handle asymmetric key generation requests.
+ * A new asymmetric key is generated and archived the database as a key record.
+ * The private key is wrapped with the storage key and stored in the privateKeyData attribute of the
+ * ldap record.
+ * The public key is stored in the publicKeyData attribute of the record.
+ *
+ * @author akoneru
+ *
+ */
+public class AsymKeyGenService implements IService {
+
+ private static final String ATTR_KEY_RECORD = "keyRecord";
+ private static final String STATUS_ACTIVE = "active";
+
+ private IKeyRecoveryAuthority kra = null;
+ private IStorageKeyUnit storageUnit = null;
+ private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
+ private final static String LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6";
+
+ public AsymKeyGenService(IKeyRecoveryAuthority kra) {
+ this.kra = kra;
+ this.storageUnit = kra.getStorageKeyUnit();
+ }
+
+ @Override
+ public boolean serviceRequest(IRequest request) throws EBaseException {
+
+ String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID);
+ String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM);
+
+ String keySizeStr = request.getExtDataInString(IRequest.KEY_GEN_SIZE);
+ int keySize = Integer.valueOf(keySizeStr);
+
+ KeyPairGeneratorSpi.Usage[] usageList = null;
+ String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES);
+ if (usageStr != null) {
+ String[] usages = usageStr.split(",");
+
+ if (usages.length > 0) {
+ usageList = new KeyPairGeneratorSpi.Usage[usages.length];
+ for (int i = 0; i < usages.length; i++) {
+ switch (usages[i]) {
+ case AsymKeyGenerationRequest.DECRYPT:
+ usageList[i] = KeyPairGeneratorSpi.Usage.DECRYPT;
+ break;
+ case AsymKeyGenerationRequest.ENCRYPT:
+ usageList[i] = KeyPairGeneratorSpi.Usage.ENCRYPT;
+ break;
+ case AsymKeyGenerationRequest.WRAP:
+ usageList[i] = KeyPairGeneratorSpi.Usage.WRAP;
+ break;
+ case AsymKeyGenerationRequest.UNWRAP:
+ usageList[i] = KeyPairGeneratorSpi.Usage.UNWRAP;
+ break;
+ case AsymKeyGenerationRequest.DERIVE:
+ usageList[i] = KeyPairGeneratorSpi.Usage.DERIVE;
+ break;
+ case AsymKeyGenerationRequest.SIGN:
+ usageList[i] = KeyPairGeneratorSpi.Usage.SIGN;
+ break;
+ case AsymKeyGenerationRequest.SIGN_RECOVER:
+ usageList[i] = KeyPairGeneratorSpi.Usage.SIGN_RECOVER;
+ break;
+ case AsymKeyGenerationRequest.VERIFY:
+ usageList[i] = KeyPairGeneratorSpi.Usage.VERIFY;
+ break;
+ case AsymKeyGenerationRequest.VERIFY_RECOVER:
+ usageList[i] = KeyPairGeneratorSpi.Usage.VERIFY_RECOVER;
+ break;
+ }
+ }
+ } else {
+ usageList = new KeyPairGeneratorSpi.Usage[2];
+ usageList[0] = KeyPairGeneratorSpi.Usage.DECRYPT;
+ usageList[1] = KeyPairGeneratorSpi.Usage.ENCRYPT;
+ }
+ }
+
+ CMS.debug("AsymKeyGenService.serviceRequest. Request id: " + request.getRequestId());
+ CMS.debug("AsymKeyGenService.serviceRequest algorithm: " + algorithm);
+
+ KeyPairAlgorithm keyPairAlgorithm = KeyRequestDAO.ASYMKEY_GEN_ALGORITHMS.get(algorithm.toUpperCase());
+
+ String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ String auditSubjectID = owner;
+
+ // Get the token
+ CryptoToken token = kra.getKeygenToken();
+
+ // Generating the asymmetric keys
+ KeyPairGenerator keyPairGen = null;
+ KeyPair kp = null;
+
+ try {
+ keyPairGen = token.getKeyPairGenerator(keyPairAlgorithm);
+ keyPairGen.initialize(keySize);
+ if (usageList != null)
+ keyPairGen.setKeyPairUsages(usageList, usageList);
+ kp = keyPairGen.genKeyPair();
+ } catch (NoSuchAlgorithmException | TokenException e) {
+ CMS.debugStackTrace();
+ auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+ clientKeyId, null, "Failed to generate Asymmetric key");
+ throw new EBaseException("Errors in generating Asymmetric key: " + e);
+ }
+
+ KeyRecord record = new KeyRecord(null, kp.getPublic().getEncoded(), storageUnit.wrap((PrivateKey) kp
+ .getPrivate()), owner, algorithm, owner);
+
+ IKeyRepository storage = kra.getKeyRepository();
+ BigInteger serialNo = storage.getNextSerialNumber();
+
+ if (serialNo == null) {
+ kra.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
+ auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+ clientKeyId, null, "Failed to get next Key ID");
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+ }
+
+ // Storing the public key and private key.
+ record.set(IKeyRecord.ATTR_CLIENT_ID, clientKeyId);
+ record.setSerialNumber(serialNo);
+ record.set(KeyRecord.ATTR_ID, serialNo);
+ record.set(KeyRecord.ATTR_DATA_TYPE, KeyRequestResource.ASYMMETRIC_KEY_TYPE);
+ record.set(KeyRecord.ATTR_STATUS, STATUS_ACTIVE);
+ record.set(KeyRecord.ATTR_KEY_SIZE, keySize);
+ request.setExtData(ATTR_KEY_RECORD, serialNo);
+
+ storage.addKeyRecord(record);
+
+ auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(),
+ clientKeyId, serialNo.toString(), "None");
+ request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
+ kra.getRequestQueue().updateRequest(request);
+ return true;
+ }
+
+ private void audit(String msg) {
+ if (signedAuditLogger == null)
+ return;
+
+ signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+ private void auditAsymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID,
+ String clientKeyID,
+ String keyID, String reason) {
+ String auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED,
+ subjectID,
+ status,
+ requestID.toString(),
+ clientKeyID,
+ keyID != null ? keyID : "None",
+ reason);
+ audit(auditMessage);
+ }
+}
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
index 71bd1d781..8eabe05ae 100644
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
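Review bot: `KeyRequestDAO.ASYMKEY_GEN_ALGORITHMS.get(algorithm.toUpperCase())` in serviceRequest returns null for an algorithm name that is not in the map, and that null flows straight into `token.getKeyPairGenerator(keyPairAlgorithm)` inside the try block, so an unsupported algorithm surfaces as a NullPointerException that bypasses the audit call in the catch clause; the SymKeyGenService hunk in this same commit guards its lookup, and the same guard belongs here before the try: `if (keyPairAlgorithm == null) { throw new EBaseException("Invalid algorithm: " + algorithm); }`. `Integer.valueOf(keySizeStr)` likewise escapes as an unchecked NumberFormatException (and a null `algorithm` as an NPE on `toUpperCase()`), and nothing in this service checks the size against the 512–4096 range the commit message describes, so either that validation is relied on from the request layer or it should be repeated here before the generator is initialized. The `usages.length > 0` test is always true for the result of `String.split`, so the `else` branch that defaults to DECRYPT/ENCRYPT is unreachable, and an unrecognised usage string leaves a null entry in `usageList` that is then handed to `setKeyPairUsages`.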
@@ -43,6 +43,7 @@ import org.mozilla.jss.crypto.TokenException; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.key.KeyRequestResource; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.security.IEncryptionUnit; import com.netscape.cmscore.util.Debug; @@ -600,6 +601,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { pubKey, boolean temporary) throws EBaseException { try { + DerValue val = new DerValue(wrappedKeyData); // val.tag == DerValue.tag_Sequence DerInputStream in = val.data; @@ -623,13 +625,23 @@ public abstract class EncryptionUnit implements IEncryptionUnit { wrapper.initUnwrap(sk, IV); + // Get the key type for unwrapping the private key. + PrivateKey.Type keyType = null; + if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.RSA_ALGORITHM)) { + keyType = PrivateKey.RSA; + } else if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.DSA_ALGORITHM)) { + keyType = PrivateKey.DSA; + } else if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.EC_ALGORITHM)) { + keyType = PrivateKey.EC; + } + PrivateKey pk = null; if (temporary) { pk = wrapper.unwrapTemporaryPrivate(pri, - PrivateKey.RSA, pubKey); + keyType, pubKey); } else { pk = wrapper.unwrapPrivate(pri, - PrivateKey.RSA, pubKey); + keyType, pubKey); } return pk; } catch (TokenException e) { diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java index 3ce37d6ae..d1b716cf8 100644 --- a/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -272,7 +272,7 @@ public class EnrollmentService implements IService { } */ - // retrieve pubic key + // retrieve public key X509Key publicKey = getPublicKey(request, aOpts[i].mReqPos); byte publicKeyData[] = publicKey.getEncoded(); 
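Review bot: In the @@ -623 hunk `keyType` stays null when `pubKey.getAlgorithm()` is none of RSA, DSA or EC, and that null is then passed as the key type to `unwrapTemporaryPrivate`/`unwrapPrivate`, so a record with an unexpected public-key algorithm fails somewhere inside the JSS wrapper rather than with a clear error; add `if (keyType == null) { throw new EBaseException("Unsupported key type: " + pubKey.getAlgorithm()); }` before the `PrivateKey pk = null;` line (EBaseException is already imported and declared by the method). The three `equalsIgnoreCase` branches could also read `pubKey.getAlgorithm()` once into a local instead of calling it three times. The enclosing unwrap method begins above the hunk; only the tail of its parameter list is visible.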
@@ -458,7 +458,7 @@ public class EnrollmentService implements IService { rec.setKeySize(-1); } - // if record alreay has a serial number, yell out. + // if record already has a serial number, yell out. if (rec.getSerialNumber() != null) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER", diff --git a/base/kra/src/com/netscape/kra/KRAService.java b/base/kra/src/com/netscape/kra/KRAService.java index f4768bd00..06c8ce1d5 100644 --- a/base/kra/src/com/netscape/kra/KRAService.java +++ b/base/kra/src/com/netscape/kra/KRAService.java @@ -50,6 +50,7 @@ public class KRAService implements IService { public final static String SECURITY_DATA_ENROLLMENT = IRequest.SECURITY_DATA_ENROLLMENT_REQUEST; public final static String SECURITY_DATA_RECOVERY = IRequest.SECURITY_DATA_RECOVERY_REQUEST; public final static String SYMKEY_GENERATION = IRequest.SYMKEY_GENERATION_REQUEST; + public final static String ASYMKEY_GENERATION = IRequest.ASYMKEY_GENERATION_REQUEST; // private variables @@ -68,6 +69,7 @@ public class KRAService implements IService { mServices.put(SECURITY_DATA_ENROLLMENT, new SecurityDataService(kra)); mServices.put(SECURITY_DATA_RECOVERY, new SecurityDataRecoveryService(kra)); mServices.put(SYMKEY_GENERATION, new SymKeyGenService(kra)); + mServices.put(ASYMKEY_GENERATION, new AsymKeyGenService(kra)); } /** diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java index a2d587318..752c8dff5 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java +++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java @@ -30,6 +30,9 @@ import java.util.Random; import javax.crypto.spec.RC2ParameterSpec; +import netscape.security.util.DerValue; +import netscape.security.x509.X509Key; + import org.dogtagpki.server.kra.rest.KeyRequestService; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.asn1.OCTET_STRING; 
@@ -42,6 +45,7 @@ import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.PBEAlgorithm; import org.mozilla.jss.crypto.PBEKeyGenParams; +import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.SymmetricKey; import org.mozilla.jss.crypto.TokenException; import org.mozilla.jss.pkcs12.PasswordConverter; @@ -123,36 +127,29 @@ public class SecurityDataRecoveryService implements IService { Hashtable<String, Object> params = mKRA.getVolatileRequest( request.getRequestId()); - BigInteger serialno = request.getExtDataInBigInteger(ATTR_SERIALNO); request.setExtData(ATTR_KEY_RECORD, serialno); RequestId requestID = request.getRequestId(); - if (params == null) { CMS.debug("Can't get volatile params."); auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), "cannot get volatile params"); throw new EBaseException("Can't obtain volatile params!"); } - byte[] wrappedPassPhrase = null; byte[] wrappedSessKey = null; - String transWrappedSessKeyStr = (String) params.get(IRequest.SECURITY_DATA_TRANS_SESS_KEY); if (transWrappedSessKeyStr != null) { wrappedSessKey = Utils.base64decode(transWrappedSessKeyStr); } - String sessWrappedPassPhraseStr = (String) params.get(IRequest.SECURITY_DATA_SESS_PASS_PHRASE); if (sessWrappedPassPhraseStr != null) { wrappedPassPhrase = Utils.base64decode(sessWrappedPassPhraseStr); } - String ivInStr = (String) params.get(IRequest.SECURITY_DATA_IV_STRING_IN); if (ivInStr != null) { iv_in = Utils.base64decode(ivInStr); } - if (transWrappedSessKeyStr == null && sessWrappedPassPhraseStr == null) { //We may be in recovery case where no params were initially submitted. return false; 
@@ -167,46 +164,56 @@ public class SecurityDataRecoveryService implements IService { } catch (Exception e) { iv = iv_default; } - String ivStr = Utils.base64encode(iv); KeyRecord keyRecord = (KeyRecord) mStorage.readKeyRecord(serialno); SymmetricKey unwrappedSess = null; - String dataType = (String) keyRecord.get(IKeyRecord.ATTR_DATA_TYPE); SymmetricKey symKey = null; byte[] unwrappedSecData = null; + PrivateKey privateKey = null; if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { symKey = recoverSymKey(keyRecord); + } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) { unwrappedSecData = recoverSecurityData(keyRecord); + } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) { + try { + privateKey = mStorageUnit.unwrap(keyRecord.getPrivateKeyData(), + X509Key.parsePublicKey(new DerValue(keyRecord.getPublicKeyData()))); + } catch (IOException e) { + e.printStackTrace(); + CMS.debug("Cannot unwrap stored private key."); + throw new EBaseException("Cannot fetch the private key from the database."); + } + } else { + throw new EBaseException("Invalid data type stored in the database."); } - CryptoToken ct = mTransportUnit.getToken(); byte[] key_data = null; String pbeWrappedData = null; - if (sessWrappedPassPhraseStr != null) { //We have a trans wrapped pass phrase, we will be doing PBE packaging byte[] unwrappedPass = null; Password pass = null; - try { unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.DECRYPT); Cipher decryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); decryptor.initDecrypt(unwrappedSess, new IVParameterSpec(iv_in)); unwrappedPass = decryptor.doFinal(wrappedPassPhrase); String passStr = new String(unwrappedPass, "UTF-8"); - pass = new Password(passStr.toCharArray()); passStr = null; if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { - pbeWrappedData = createEncryptedContentInfo(ct, symKey, null, + pbeWrappedData = createEncryptedContentInfo(ct, symKey, null, 
null, + pass); + } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)){ + pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass); - } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) { - pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, + } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) { + pbeWrappedData = createEncryptedContentInfo(ct, null, null, privateKey, pass); } @@ -258,6 +265,19 @@ public class SecurityDataRecoveryService implements IService { serialno.toString(), "Cannot wrap pass phrase"); throw new EBaseException("Can't wrap pass phrase!"); } + + } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) { + CMS.debug("Wrapping the private key with the session key"); + try { + unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.WRAP); + KeyWrapper wrapper = ct.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); + wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv)); + key_data = wrapper.wrap(privateKey); + } catch (Exception e) { + auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), + "Cannot wrap private key"); + throw new EBaseException("Cannot wrap private key - " + e.toString()); + } } String wrappedKeyData = Utils.base64encode(key_data); 
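Review bot: The new ASYMMETRIC_KEY_TYPE branch in the @@ -167 hunk handles the IOException from `X509Key.parsePublicKey` with `e.printStackTrace()` and then throws an EBaseException that drops the cause, so the failure reason goes to stderr rather than the CMS log; replace the stack-trace call with `CMS.debug("Cannot unwrap stored private key: " + e);` and, if EBaseException offers a cause-taking constructor, pass `e` through. That unwrap failure is also not reported via `auditRecoveryRequestProcessed` before the throw, whereas the wrap failure added in the @@ -258 hunk is, so the two new failure paths are audited inconsistently. It is worth confirming which EncryptionUnit variant the two-argument `mStorageUnit.unwrap(byte[], PublicKey)` maps to: if it is the non-temporary unwrap, each recovered private key is left persisted in the token after the request completes, which the temporary variant would avoid. The enclosing serviceRequest method starts above and ends below this hunk.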
@@ -319,10 +339,10 @@ public class SecurityDataRecoveryService implements IService { //ToDo: This might fit in JSS. private static EncryptedContentInfo - createEncryptedContentInfoPBEOfSymmKey(PBEAlgorithm keyGenAlg, Password password, byte[] salt, + createEncryptedContentInfoPBEOfKey(PBEAlgorithm keyGenAlg, Password password, byte[] salt, int iterationCount, KeyGenerator.CharToByteConverter charToByteConverter, - SymmetricKey symKey, CryptoToken token) + SymmetricKey symKey, PrivateKey privateKey, CryptoToken token) throws CryptoManager.NotInitializedException, NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException, TokenException, CharConversionException { @@ -354,8 +374,15 @@ public class SecurityDataRecoveryService implements IService { KeyWrapper wrapper = token.getKeyWrapper( KeyWrapAlgorithm.DES3_CBC_PAD); wrapper.initWrap(key, params); - byte encrypted[] = wrapper.wrap(symKey); - + byte[] encrypted = null; + if (symKey != null) { + encrypted = wrapper.wrap(symKey); + } else if (privateKey != null) { + encrypted = wrapper.wrap(privateKey); + } + if (encrypted == null) { + //TODO - think about the exception to be thrown + } PBEParameter pbeParam = new PBEParameter(salt, iterationCount); AlgorithmIdentifier encAlgID = new AlgorithmIdentifier( keyGenAlg.toOID(), pbeParam); @@ -369,7 +396,7 @@ public class SecurityDataRecoveryService implements IService { } - private static String createEncryptedContentInfo(CryptoToken ct, SymmetricKey symKey, byte[] securityData, + private static String createEncryptedContentInfo(CryptoToken ct, SymmetricKey symKey, byte[] securityData, PrivateKey privateKey, Password password) throws EBaseException { 
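Review bot: In the @@ -354 hunk the `if (encrypted == null)` block is empty apart from a TODO, so when both `symKey` and `privateKey` are null the method goes on to build the EncryptedContentInfo from a null `encrypted` array and the failure, if any, appears far from its cause; the method already declares InvalidKeyException, so the block can simply be `throw new InvalidKeyException("No symmetric or private key supplied for PBE wrapping");`. Alternatively the null check could move to the top of the method, before the wrapper is set up, so nothing is initialized for an unusable call. The enclosing createEncryptedContentInfoPBEOfKey method begins in the @@ -319 hunk above and ends outside this hunk.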
@@ -384,14 +411,19 @@ public class SecurityDataRecoveryService implements IService { byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; if (symKey != null) { - cInfo = createEncryptedContentInfoPBEOfSymmKey(keyGenAlg, password, salt, + cInfo = createEncryptedContentInfoPBEOfKey(keyGenAlg, password, salt, 1, passConverter, - symKey, ct); + symKey, null, ct); } else if (securityData != null) { cInfo = EncryptedContentInfo.createPBE(keyGenAlg, password, salt, 1, passConverter, securityData); + } else if (privateKey != null) { + cInfo = createEncryptedContentInfoPBEOfKey(keyGenAlg, password, salt, + 1, + passConverter, + null, privateKey, ct); } if(cInfo == null) { diff --git a/base/kra/src/com/netscape/kra/SecurityDataService.java b/base/kra/src/com/netscape/kra/SecurityDataService.java index 4a2ebef34..25bb240e1 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataService.java +++ b/base/kra/src/com/netscape/kra/SecurityDataService.java @@ -182,9 +182,12 @@ public class SecurityDataService implements IService { // create key record // Note that in this case the owner is the same as the approving agent // because the archival request is made by the agent. + // The algorithm used to generate the symmetric key (being stored as the secret) + // is set in later in this method. (which is different from the algStr variable + // which is the algorithm used for encrypting the secret.) KeyRecord rec = new KeyRecord(null, publicKey, privateSecurityData, owner, - algStr, owner); + null, owner); rec.set(IKeyRecord.ATTR_CLIENT_ID, clientKeyId); diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java index 46c8265f0..d308345d7 100644 --- a/base/kra/src/com/netscape/kra/SymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java 
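Review bot: The comment added above the `new KeyRecord(...)` call in the SecurityDataService hunk reads "is set in later in this method", which is a typo, and the parenthetical that follows is a sentence fragment; `// is set later in this method (as opposed to algStr, which is the algorithm used` / `// for encrypting the secret).` reads cleanly. Passing `null` for the algorithm here relies on that later assignment, which is outside the hunk, so this comment is the only thing documenting the invariant and should be accurate.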
@@ -88,13 +88,13 @@ public class SymKeyGenService implements IService { throws EBaseException { String id = request.getRequestId().toString(); String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID); - String algorithm = request.getExtDataInString(IRequest.SYMKEY_GEN_ALGORITHM); + String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM); - String usageStr = request.getExtDataInString(IRequest.SYMKEY_GEN_USAGES); + String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES); List<String> usages = new ArrayList<String>( Arrays.asList(StringUtils.split(usageStr, ","))); - String keySizeStr = request.getExtDataInString(IRequest.SYMKEY_GEN_SIZE); + String keySizeStr = request.getExtDataInString(IRequest.KEY_GEN_SIZE); int keySize = Integer.parseInt(keySizeStr); CMS.debug("SymKeyGenService.serviceRequest. Request id: " + id); @@ -111,7 +111,7 @@ public class SymKeyGenService implements IService { } CryptoToken token = mStorageUnit.getToken(); - KeyGenAlgorithm kgAlg = KeyRequestDAO.KEYGEN_ALGORITHMS.get(algorithm); + KeyGenAlgorithm kgAlg = KeyRequestDAO.SYMKEY_GEN_ALGORITHMS.get(algorithm); if (kgAlg == null) { throw new EBaseException("Invalid algorithm"); } @@ -209,7 +209,6 @@ public class SymKeyGenService implements IService { rec.set(KeyRecord.ATTR_ID, serialNo); rec.set(KeyRecord.ATTR_DATA_TYPE, KeyRequestResource.SYMMETRIC_KEY_TYPE); rec.set(KeyRecord.ATTR_STATUS, STATUS_ACTIVE); - rec.set(KeyRecord.ATTR_ALGORITHM, algorithm); rec.set(KeyRecord.ATTR_KEY_SIZE, keySize); request.setExtData(ATTR_KEY_RECORD, serialNo); |