| author | Ade Lee <alee@redhat.com> | 2017-03-15 23:05:07 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-03-15 23:05:07 -0400 |
| commit | 080f3d2a8bf36be407c79ddd71381450c8667b2e (patch) | |
| tree | 58594f9c45e88c882579d9f6638ff6639e506729 /base/kra/src/com | |
| parent | 764a17314e81cade8bf1192739b5a2fad11d18bd (diff) | |
| parent | 07135b5906f97a8c68148a07484e63d6896f410b (diff) | |
Merge branch 'master' of github.com:dogtagpki/pki
Diffstat (limited to 'base/kra/src/com')
| -rw-r--r-- | base/kra/src/com/netscape/kra/AsymKeyGenService.java | 8 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/EncryptionUnit.java | 467 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/EnrollmentService.java | 18 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 55 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/RecoveryService.java | 33 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/SecurityDataProcessor.java | 196 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/StorageKeyUnit.java | 254 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/SymKeyGenService.java | 30 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 80 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/TransportKeyUnit.java | 126 |
10 files changed, 586 insertions, 681 deletions
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java index 7b43548d5..ffd8b03cf 100644 --- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java @@ -197,6 +197,14 @@ public class AsymKeyGenService implements IService { record.set(KeyRecord.ATTR_REALM, realm); } + try { + record.setWrappingParams(storageUnit.getOldWrappingParams()); + } catch (Exception e) { + auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), + clientKeyId, null, "Failed to store wrapping params"); + throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } + storage.addKeyRecord(record); auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(), diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java index af4c3ec19..6d101089d 100644 --- a/base/kra/src/com/netscape/kra/EncryptionUnit.java +++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java 
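Review bot: The new key record is stamped with `storageUnit.getOldWrappingParams()`, whereas the other archival paths in this commit (EnrollmentService, NetkeyKeygenService, SecurityDataProcessor) store `getWrappingParams()`. If the private key in this method is wrapped with the unit's current parameters (the wrap call is outside the hunk), the record will describe the wrong algorithms and a later unwrap driven by the stored parameters will fail; either use `record.setWrappingParams(storageUnit.getWrappingParams());` or add a comment saying why the legacy set is correct here. The catch block also discards `e`: it is neither logged nor chained, so the audit entry and the `EBaseException` give no cause. Following SecurityDataProcessor, `throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"), e);` keeps it; the EnrollmentService hunk at `@@ -502,6 +502,22 @@` drops the cause in the same way.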
@@ -19,25 +19,19 @@ package com.netscape.kra; import java.security.PublicKey; -import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.SymmetricKey; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.key.KeyRequestResource; import com.netscape.certsrv.security.IEncryptionUnit; import com.netscape.certsrv.security.WrappingParams; - -import netscape.security.util.DerInputStream; -import netscape.security.util.DerOutputStream; -import netscape.security.util.DerValue; +import com.netscape.cmsutil.crypto.CryptoUtil; /** * A class represents the transport key pair. This key pair @@ -51,13 +45,13 @@ public abstract class EncryptionUnit implements IEncryptionUnit { /* Establish one constant IV for base class, to be used for internal operations. Constant IV acceptable for symmetric keys. */ - private byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - protected IVParameterSpec IV = null; + public static final byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + public static final byte[] iv2 = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + public static final IVParameterSpec IV = new IVParameterSpec(iv); + public static final IVParameterSpec IV2 = new IVParameterSpec(iv2); public EncryptionUnit() { CMS.debug("EncryptionUnit.EncryptionUnit this: " + this.toString()); - - IV = new IVParameterSpec(iv); } public abstract CryptoToken getToken(); 
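Review bot: `public static final byte[] iv` and `iv2` expose mutable arrays, so any class on the classpath can overwrite the bytes that every legacy wrap and unwrap relies on; `final` protects only the reference. Nothing on this page reads the raw arrays from outside the class (NetkeyKeygenService uses `EncryptionUnit.IV`), so `private static final byte[] iv = { ... };` with only `IV` and `IV2` public looks sufficient, provided `IVParameterSpec` copies its input (to be confirmed). The existing comment "Constant IV acceptable for symmetric keys" would be more accurate if it stated the condition it depends on, for example `/* Fixed IV is tolerable only because each session key protects a single payload; never reuse it with a long-lived key. */`.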
@@ -72,343 +66,29 @@ public abstract class EncryptionUnit implements IEncryptionUnit { public abstract PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert); - /** - * Protects the private key so that it can be stored in - * internal database. - */ - public byte[] encryptInternalPrivate(byte priKey[]) throws Exception { - try (DerOutputStream out = new DerOutputStream()) { - CMS.debug("EncryptionUnit.encryptInternalPrivate"); - CryptoToken internalToken = getInternalToken(); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - // (1) generate session key - SymmetricKey sk = generate_session_key(internalToken, false, params); - - // (2) wrap private key with session key - byte[] pri = encrypt_private_key(internalToken, sk, priKey, params); - - // (3) wrap session with transport public - byte[] session = wrap_session_key(internalToken, getPublicKey(), sk, params); - - // use MY own structure for now: - // SEQUENCE { - // encryptedSession OCTET STRING, - // encryptedPrivate OCTET STRING - // } + public abstract WrappingParams getWrappingParams() throws EBaseException; - DerOutputStream tmp = new DerOutputStream(); - - tmp.putOctetString(session); - tmp.putOctetString(pri); - out.write(DerValue.tag_Sequence, tmp); - - return out.toByteArray(); - } - } - - public byte[] wrap(PrivateKey privKey) throws Exception { - return _wrap(privKey,null); - } - - public byte[] wrap(SymmetricKey symmKey) throws Exception { - return _wrap(null,symmKey); + public WrappingParams getOldWrappingParams() { + return new WrappingParams( + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 0, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, + KeyWrapAlgorithm.DES3_CBC_PAD, IV, IV); } public SymmetricKey unwrap_session_key(CryptoToken token, byte encSymmKey[], SymmetricKey.Usage usage, - WrappingParams params) { + WrappingParams params) 
throws Exception { PrivateKey wrappingKey = getPrivateKey(); String priKeyAlgo = wrappingKey.getAlgorithm(); if (priKeyAlgo.equals("EC")) params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB); - return unwrap_session_key(token, encSymmKey, usage, wrappingKey, params); - } - - public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params) { - return unwrap_session_key(getToken(), encSymmKey, SymmetricKey.Usage.WRAP, params); - } - - /** - * Decrypts the user private key. - */ - public byte[] decryptExternalPrivate(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], byte encValue[]) - throws Exception { - return decryptExternalPrivate(encSymmKey, symmAlgOID, symmAlgParams, - encValue, null); - } - - /** - * Decrypts the user private key. - */ - public byte[] decryptExternalPrivate(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], byte encValue[], - org.mozilla.jss.crypto.X509Certificate transCert) - throws Exception { - - CMS.debug("EncryptionUnit.decryptExternalPrivate"); - CryptoToken token = getToken(transCert); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - PrivateKey wrappingKey = getPrivateKey(transCert); - String priKeyAlgo = wrappingKey.getAlgorithm(); - if (priKeyAlgo.equals("EC")) - params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB); - - SymmetricKey sk = unwrap_session_key( + return CryptoUtil.unwrap( token, + params.getSkType(), + 0, + usage, wrappingKey, encSymmKey, - SymmetricKey.Usage.DECRYPT, - wrappingKey, - params); - - return decrypt_private_key(token, new IVParameterSpec(symmAlgParams), sk, encValue, params); - } - - /** - * External unwrapping. Unwraps the symmetric key using - * the transport private key. 
- */ - public SymmetricKey unwrap_symmetric(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], - byte encValue[], SymmetricKey.Type algorithm, int strength) - throws Exception { - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - CryptoToken token = getToken(); - // (1) unwrap the session key - SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP, params); - - // (2) unwrap the session-wrapped-symmetric-key - SymmetricKey symKey = unwrap_symmetric_key( - token, - new IVParameterSpec(symmAlgParams), - algorithm, - strength, - SymmetricKey.Usage.DECRYPT, - sk, - encValue, - params); - - return symKey; - } - - /** - * External unwrapping. Unwraps the data using - * the transport private key. - */ - public PrivateKey unwrap(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], - byte encValue[], PublicKey pubKey) - throws Exception { - return unwrap (encSymmKey, symmAlgOID, symmAlgParams, - encValue, pubKey, null); - } - - /** - * External unwrapping. Unwraps the data using - * the transport private key. 
- */ - public PrivateKey unwrap(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], - byte encValue[], PublicKey pubKey, - org.mozilla.jss.crypto.X509Certificate transCert) - throws Exception { - CryptoToken token = getToken(transCert); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - PrivateKey wrappingKey = getPrivateKey(transCert); - String priKeyAlgo = wrappingKey.getAlgorithm(); - if (priKeyAlgo.equals("EC")) - params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB); - - // (1) unwrap the session key - SymmetricKey sk = unwrap_session_key( - token, - encSymmKey, - SymmetricKey.Usage.UNWRAP, - wrappingKey, - params); - - // (2) unwrap the session-wrapped-private key - return unwrap_private_key( - token, - pubKey, - new IVParameterSpec(symmAlgParams), - true /*temporary*/, - sk, - encValue, - params); - } - - /** - * External unwrapping. Unwraps the data using - * the transport private key. 
- */ - - public byte[] decryptInternalPrivate(byte wrappedKeyData[]) - throws Exception { - CMS.debug("EncryptionUnit.decryptInternalPrivate"); - DerValue val = new DerValue(wrappedKeyData); - // val.tag == DerValue.tag_Sequence - DerInputStream in = val.data; - DerValue dSession = in.getDerValue(); - byte session[] = dSession.getOctetString(); - DerValue dPri = in.getDerValue(); - byte pri[] = dPri.getOctetString(); - - CryptoToken token = getToken(); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - // (1) unwrap the session key - CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:" + token.getName()); - SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.DECRYPT, params); - - // (2) decrypt the private key - return decrypt_private_key(token, IV, sk, pri, params); - } - - /** - * External unwrapping of stored symmetric key. - */ - public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize) - throws Exception { - DerValue val = new DerValue(wrappedKeyData); - // val.tag == DerValue.tag_Sequence - DerInputStream in = val.data; - DerValue dSession = in.getDerValue(); - byte session[] = dSession.getOctetString(); - DerValue dPri = in.getDerValue(); - byte pri[] = dPri.getOctetString(); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - CryptoToken token = getToken(); - // (1) unwrap the session key - SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params); - - // (2) unwrap the session-wrapped-symmetric key - return unwrap_symmetric_key(token, IV, algorithm, keySize, SymmetricKey.Usage.UNWRAP, sk, pri, params); - } - - /** - * Internal unwrapping. 
- */ - public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey pubKey) - throws Exception { - return _unwrap(wrappedKeyData, pubKey, true); - } - - /** - * Internal unwrapping. - */ - public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey) - throws Exception { - return _unwrap(wrappedKeyData, pubKey, false); - } - - /** - * Internal unwrapping. - */ - private PrivateKey _unwrap(byte wrappedKeyData[], PublicKey pubKey, boolean temporary) - throws Exception { - DerValue val = new DerValue(wrappedKeyData); - // val.tag == DerValue.tag_Sequence - DerInputStream in = val.data; - DerValue dSession = in.getDerValue(); - byte session[] = dSession.getOctetString(); - DerValue dPri = in.getDerValue(); - byte pri[] = dPri.getOctetString(); - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - CryptoToken token = getToken(); - // (1) unwrap the session key - SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params); - - // (2) unwrap the private key - return unwrap_private_key(token, pubKey, IV, temporary, sk, pri, params); - } - - /*** - * Internal wrap, accounts for either private or symmetric key - */ - private byte[] _wrap(PrivateKey priKey, SymmetricKey symmKey) throws Exception { - try (DerOutputStream out = new DerOutputStream()) { - if ((priKey == null && symmKey == null) || (priKey != null && symmKey != null)) { - return null; - } - CMS.debug("EncryptionUnit.wrap interal."); - CryptoToken token = getToken(); - - SymmetricKey.Usage usages[] = new SymmetricKey.Usage[2]; - usages[0] = SymmetricKey.Usage.WRAP; - usages[1] = SymmetricKey.Usage.UNWRAP; - - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, usages, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - // (1) generate session key - SymmetricKey 
sk = generate_session_key(token, true, params); - - // (2) wrap private key with session key - // KeyWrapper wrapper = internalToken.getKeyWrapper( - - byte pri[] = null; - - if (priKey != null) { - pri = wrap_private_key(token, sk, priKey, params); - } else if (symmKey != null) { - pri = wrap_symmetric_key(token, sk, symmKey, params); - } - - CMS.debug("EncryptionUnit:wrap() privKey wrapped"); - - byte[] session = wrap_session_key(token, getPublicKey(), sk, params); - CMS.debug("EncryptionUnit:wrap() session key wrapped"); - - // use MY own structure for now: - // SEQUENCE { - // encryptedSession OCTET STRING, - // encryptedPrivate OCTET STRING - // } - - DerOutputStream tmp = new DerOutputStream(); - - tmp.putOctetString(session); - tmp.putOctetString(pri); - out.write(DerValue.tag_Sequence, tmp); - - return out.toByteArray(); - } + params.getSkWrapAlgorithm()); } /** 
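Review bot: `getOldWrappingParams()` is added without Javadoc, although the recovery hunks on this page pass it to `keyRecord.getWrappingParams(...)` as the fallback for records that carry no stored parameters. A short comment would stop it from being chosen for new archival by mistake, for example `/** Legacy defaults (3DES session key, RSA session-key wrap, DES3_CBC_PAD payload, fixed IV); presumably intended only for records archived before wrapping parameters were stored - confirm. */`. `unwrap_session_key` now propagates exceptions instead of returning null, which deserves a `@throws Exception` line so callers that still test for null are updated. The method also keeps setting `AES_ECB` on the caller's `params` object for EC keys; now that those objects come from key records, a one-line comment on that side effect would help.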
@@ -418,117 +98,4 @@ public abstract class EncryptionUnit implements IEncryptionUnit { EBaseException { } - ////////////////////////////////////////////////////////////////////////////////////////////////////////////// - // Crypto specific methods below here ... - ////////////////////////////////////////////////////////////////////////////////////////////////////////////// - - private SymmetricKey generate_session_key(CryptoToken token, boolean temporary, WrappingParams params) - throws Exception{ - org.mozilla.jss.crypto.KeyGenerator kg = token.getKeyGenerator(params.getSkKeyGenAlgorithm()); - SymmetricKey.Usage[] usages = params.getSkUsages(); - if (usages != null) - kg.setKeyUsages(usages); - kg.temporaryKeys(temporary); - if (params.getSkLength() > 0) - kg.initialize(params.getSkLength()); - SymmetricKey sk = kg.generate(); - CMS.debug("EncryptionUnit:generate_session_key() session key generated on slot: " + token.getName()); - return sk; - } - - private byte[] wrap_session_key(CryptoToken token, PublicKey wrappingKey, SymmetricKey sessionKey, - WrappingParams params) throws Exception { - KeyWrapper rsaWrap = token.getKeyWrapper(params.getSkWrapAlgorithm()); - rsaWrap.initWrap(wrappingKey, null); - byte session[] = rsaWrap.wrap(sessionKey); - return session; - } - - public SymmetricKey unwrap_session_key(CryptoToken token, byte[] wrappedSessionKey, SymmetricKey.Usage usage, - PrivateKey wrappingKey, WrappingParams params) { - try { - KeyWrapper keyWrapper = token.getKeyWrapper(params.getSkWrapAlgorithm()); - keyWrapper.initUnwrap(wrappingKey, null); - - SymmetricKey sk = keyWrapper.unwrapSymmetric( - wrappedSessionKey, - params.getSkTyoe(), - usage, - 0); - CMS.debug("EncryptionUnit::unwrap_sym() unwrapped on slot: " - + token.getName()); - return sk; - } catch (Exception e) { - CMS.debug("EncryptionUnit::unwrap_session_key() error:" + e.toString()); - return null; - } - } - - private byte[] wrap_symmetric_key(CryptoToken token, SymmetricKey sessionKey, 
SymmetricKey data, - WrappingParams params) throws Exception { - KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm()); - - wrapper.initWrap(sessionKey, IV); - return wrapper.wrap(data); - } - - private SymmetricKey unwrap_symmetric_key(CryptoToken token, IVParameterSpec iv, SymmetricKey.Type algorithm, - int strength, SymmetricKey.Usage usage, SymmetricKey sessionKey, byte[] wrappedData, - WrappingParams params) throws Exception { - KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm()); - wrapper.initUnwrap(sessionKey, iv); - SymmetricKey symKey = wrapper.unwrapSymmetric(wrappedData, algorithm, usage, strength); - return symKey; - } - - private byte[] wrap_private_key(CryptoToken token, SymmetricKey sessionKey, PrivateKey data, - WrappingParams params) throws Exception { - KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm()); - wrapper.initWrap(sessionKey, IV); - return wrapper.wrap(data); - } - - private PrivateKey unwrap_private_key(CryptoToken token, PublicKey pubKey, IVParameterSpec iv, - boolean temporary, SymmetricKey sessionKey, byte[] wrappedData, WrappingParams params) - throws Exception { - KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm()); - wrapper.initUnwrap(sessionKey, iv); - - // Get the key type for unwrapping the private key. 
- PrivateKey.Type keyType = null; - if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.RSA_ALGORITHM)) { - keyType = PrivateKey.RSA; - } else if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.DSA_ALGORITHM)) { - keyType = PrivateKey.DSA; - } else if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.EC_ALGORITHM)) { - keyType = PrivateKey.EC; - } - - PrivateKey pk = null; - if (temporary) { - pk = wrapper.unwrapTemporaryPrivate(wrappedData, - keyType, pubKey); - } else { - pk = wrapper.unwrapPrivate(wrappedData, - keyType, pubKey); - } - return pk; - } - - private byte[] encrypt_private_key(CryptoToken token, SymmetricKey sessionKey, byte[] data, WrappingParams params) - throws Exception { - Cipher cipher = token.getCipherContext(params.getPayloadEncryptionAlgorithm()); - - cipher.initEncrypt(sessionKey, IV); - byte pri[] = cipher.doFinal(data); - return pri; - } - - private byte[] decrypt_private_key(CryptoToken token, IVParameterSpec iv, SymmetricKey sessionKey, - byte[] encryptedData, WrappingParams params) throws Exception { - Cipher cipher = token.getCipherContext(params.getPayloadEncryptionAlgorithm()); - cipher.initDecrypt(sessionKey, iv); - return cipher.doFinal(encryptedData); - } - } diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java index fbefc549e..5aa35da57 100644 --- a/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -169,7 +169,7 @@ public class EnrollmentService implements IService { if (CMS.debugOn()) CMS.debug("EnrollmentServlet: KRA services enrollment request"); - // the request reocrd field delayLDAPCommit == "true" will cause + // the request record field delayLDAPCommit == "true" will cause // updateRequest() to delay actual write to ldap request.setExtData("delayLDAPCommit", "true"); 
@@ -502,6 +502,22 @@ public class EnrollmentService implements IService { rec.set(KeyRecord.ATTR_REALM, realm); } + try { + rec.setWrappingParams(mStorageUnit.getWrappingParams()); + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); + // TODO(alee) Set correct audit message here + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + } + IKeyRepository storage = mKRA.getKeyRepository(); BigInteger serialNo = storage.getNextSerialNumber(); diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index d3937915b..4dec837a0 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -31,7 +31,6 @@ import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; import org.mozilla.jss.asn1.ASN1Util; -import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; @@ -39,7 +38,6 @@ import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyPairAlgorithm; import org.mozilla.jss.crypto.KeyPairGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.PQGParamGenException; import org.mozilla.jss.crypto.PQGParams; import org.mozilla.jss.crypto.PrivateKey; 
@@ -326,23 +324,6 @@ public class NetkeyKeygenService implements IService { } } - // this encrypts bytes with a symmetric key - public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token, - IVParameterSpec IV) { - try { - Cipher cipher = token.getCipherContext( - EncryptionAlgorithm.DES3_CBC_PAD); - - cipher.initEncrypt(symKey, IV); - byte pri[] = cipher.doFinal(toBeEncrypted); - return pri; - } catch (Exception e) { - CMS.debug("NetkeyKeygenService:initEncrypt() threw exception: " + e.toString()); - return null; - } - - } - /** * Services an archival request from netkey. * <P> @@ -371,7 +352,6 @@ public class NetkeyKeygenService implements IService { wrapped_des_key = null; boolean archive = true; - PK11SymKey sk = null; byte[] publicKeyData = null; ; String PubKey = ""; @@ -456,12 +436,9 @@ public class NetkeyKeygenService implements IService { (wrapped_des_key.length > 0)) { WrappingParams wrapParams = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 0, KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); - - // unwrap the DES key - sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams); + KeyWrapAlgorithm.DES3_CBC_PAD, EncryptionUnit.IV, EncryptionUnit.IV); /* XXX could be done in HSM*/ KeyPair keypair = null; 
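Review bot: In the `@@ -456,12 +436,9 @@` hunk the legacy parameter set is spelled out again by hand, duplicating `EncryptionUnit.getOldWrappingParams()` added in this same commit. If the type of `mTransportUnit` exposes that method, as `transportUnit` does in SecurityDataProcessor, `WrappingParams wrapParams = mTransportUnit.getOldWrappingParams();` keeps the two definitions from drifting apart when the defaults change. The surrounding method starts and ends outside the hunk.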
@@ -530,24 +507,29 @@ public class NetkeyKeygenService implements IService { CMS.debug("NetkeyKeygenService: got private key"); } - if (sk == null) { - CMS.debug("NetkeyKeygenService: no DES key"); + // unwrap the DES key + PK11SymKey sk = null; + try { + sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams); + CMS.debug("NetkeyKeygenService: received DES key"); + } catch (Exception e) { + CMS.debug("NetkeyKeygenService: no DES key: " + e); request.setExtData(IRequest.RESULT, Integer.valueOf(4)); return false; - } else { - CMS.debug("NetkeyKeygenService: received DES key"); } // 3 wrapping should be done in HSM // wrap private key with DES - KeyWrapper symWrap = - keygenToken.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); CMS.debug("NetkeyKeygenService: wrapper token=" + keygenToken.getName()); - CMS.debug("NetkeyKeygenService: got key wrapper"); - CMS.debug("NetkeyKeygenService: key transport key is on slot: " + sk.getOwningToken().getName()); - symWrap.initWrap(sk, algParam); - byte wrapped[] = symWrap.wrap((PrivateKey) privKey); + + byte[] wrapped = CryptoUtil.wrapUsingSymmetricKey( + keygenToken, + sk, + (PrivateKey) privKey, + algParam, + KeyWrapAlgorithm.DES3_CBC_PAD); + /* CMS.debug("NetkeyKeygenService: wrap called"); CMS.debug(wrapped); @@ -686,6 +668,9 @@ public class NetkeyKeygenService implements IService { CMS.debug("NetkeyKeygenService: serialNo null"); return false; } + + rec.setWrappingParams(mStorageUnit.getWrappingParams()); + CMS.debug("NetkeyKeygenService: before addKeyRecord"); rec.set(KeyRecord.ATTR_ID, serialNo); request.setExtData(ATTR_KEY_RECORD, serialNo); diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java index 70b5e57a7..c89e2f388 100644 --- a/base/kra/src/com/netscape/kra/RecoveryService.java +++ b/base/kra/src/com/netscape/kra/RecoveryService.java 
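Review bot: The explicit `sk == null` guard is removed in the `@@ -530,24 +507,29 @@` hunk, yet `sk.getOwningToken()` is dereferenced a few lines later. If `unwrap_sym` (defined in TransportKeyUnit, not shown here) can still return null without throwing, this becomes a NullPointerException instead of the documented result code 4. Keeping the check inside the try, `if (sk == null) throw new EBaseException("no DES key");`, sends both failure modes through the existing catch.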
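Review bot: `rec.setWrappingParams(mStorageUnit.getWrappingParams());` in the `@@ -686,6 +668,9 @@` hunk is the only archival call site in this commit without a try/catch. `getWrappingParams()` is declared `throws EBaseException`, and the other services treat `setWrappingParams` as able to throw, so a failure here would leave the method without setting `IRequest.RESULT` or returning false as the neighbouring `serialNo null` path does. Consider `try { rec.setWrappingParams(mStorageUnit.getWrappingParams()); } catch (Exception e) { CMS.debug("NetkeyKeygenService: failed to store wrapping params: " + e); return false; }`, plus whatever result code and audit event the surrounding code uses for archival failures (not visible in this hunk).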
@@ -274,7 +274,10 @@ public class RecoveryService implements IService { try { mKRA.getStorageKeyUnit().unwrap( - keyRecord.getPrivateKeyData(), null); + keyRecord.getPrivateKeyData(), + null, + false, + keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams())); } catch (Exception e) { throw new EBaseException("Failed to unwrap private key", e); } @@ -393,33 +396,21 @@ public class RecoveryService implements IService { mStorageUnit.login(creds); } - /* wrapped retrieve session key and private key */ - DerValue val = new DerValue(keyRecord.getPrivateKeyData()); - DerInputStream in = val.data; - DerValue dSession = in.getDerValue(); - byte session[] = dSession.getOctetString(); - DerValue dPri = in.getDerValue(); - byte pri[] = dPri.getOctetString(); - - /* debug */ - byte publicKeyData[] = keyRecord.getPublicKeyData(); PublicKey pubkey = null; try { - pubkey = X509Key.parsePublicKey(new DerValue(publicKeyData)); + pubkey = X509Key.parsePublicKey(new DerValue(keyRecord.getPublicKeyData())); } catch (Exception e) { CMS.debug("RecoverService: after parsePublicKey:" + e.toString()); throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "public key parsing failure")); } - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + PrivateKey privKey = null; try { privKey = mStorageUnit.unwrap( - session, - keyRecord.getAlgorithm(), - iv, - pri, - pubkey); - + keyRecord.getPrivateKeyData(), + pubkey, + false, + keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams())); } catch (Exception e) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", 
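Review bot: In the `@@ -393,33 +396,21 @@` hunk the key is unwrapped with `mStorageUnit`, but the fallback parameters are fetched from `mKRA.getStorageKeyUnit()`; the `@@ -564,7 +555,9 @@` hunk does the same around `decryptInternalPrivate`. If the two references can ever differ, the fallback parameters would describe a different unit than the one doing the unwrap; `keyRecord.getWrappingParams(mStorageUnit.getOldWrappingParams())` removes the ambiguity. A comment at the first use noting that the argument is only the default for records without stored parameters would also help readers, since the method name alone does not say so.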
@@ -564,7 +555,9 @@ public class RecoveryService implements IService { mKRA.log(ILogger.LL_INFO, "KRA decrypts internal private"); try { - byte[] privateKeyData = mStorageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData()); + byte[] privateKeyData = mStorageUnit.decryptInternalPrivate( + keyRecord.getPrivateKeyData(), + keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams())); if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { mStorageUnit.logout(); diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index 1c94bca6e..598ed0232 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java @@ -1,11 +1,7 @@ package com.netscape.kra; import java.io.ByteArrayOutputStream; -import java.io.CharConversionException; -import java.io.IOException; import java.math.BigInteger; -import java.security.InvalidAlgorithmParameterException; -import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; import java.security.spec.AlgorithmParameterSpec; 
@@ -16,21 +12,17 @@ import java.util.Random; import javax.crypto.spec.RC2ParameterSpec; import org.dogtagpki.server.kra.rest.KeyRequestService; -import org.mozilla.jss.CryptoManager; import org.mozilla.jss.asn1.OCTET_STRING; -import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.PBEAlgorithm; import org.mozilla.jss.crypto.PBEKeyGenParams; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.SymmetricKey; -import org.mozilla.jss.crypto.TokenException; import org.mozilla.jss.pkcs12.PasswordConverter; import org.mozilla.jss.pkcs7.ContentInfo; import org.mozilla.jss.pkcs7.EncryptedContentInfo; @@ -54,6 +46,7 @@ import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmscore.dbs.KeyRecord; +import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Utils; import netscape.security.util.DerValue; @@ -179,7 +172,8 @@ public class SecurityDataProcessor { wrappedSessionKey, algStr, sparams, - secdata); + secdata, + null); } catch (Exception e) { throw new EBaseException("Can't decrypt symm key using allEncDecrypt_archival : true ."); @@ -215,7 +209,8 @@ public class SecurityDataProcessor { wrappedSessionKey, algStr, sparams, - secdata); + secdata, + null); } catch (Exception e) { throw new EBaseException("Can't decrypt passphrase.", e); } 
@@ -290,6 +285,16 @@ public class SecurityDataProcessor { rec.set(KeyRecord.ATTR_REALM, realm); } + try { + rec.setWrappingParams(storageUnit.getWrappingParams()); + } catch (Exception e) { + kra.log(ILogger.LL_FAILURE, + "Failed to store wrapping parameters: " + e); + auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, + clientKeyId, null, "Failed to store wrapping parameters"); + throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"), e); + } + CMS.debug("KRA adding Security Data key record " + serialNo); keyRepository.addKeyRecord(rec); @@ -307,11 +312,7 @@ public class SecurityDataProcessor { CMS.debug("SecurityDataService.recover(): start"); - //Pave the way for allowing generated IV vector - byte iv[]= null; - byte iv_default[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; byte iv_in[] = null; - IConfigStore config = null; try { @@ -360,18 +361,6 @@ public class SecurityDataProcessor { return false; } - //Create the return IV if needed. - iv = new byte[8]; - - try { - Random rnd = new Random(); - rnd.nextBytes(iv); - } catch (Exception e) { - iv = iv_default; - } - - String ivStr = Utils.base64encode(iv); - KeyRecord keyRecord = (KeyRecord) keyRepository.readKeyRecord(serialno); String dataType = (String) keyRecord.get(IKeyRecord.ATTR_DATA_TYPE); @@ -406,7 +395,11 @@ public class SecurityDataProcessor { byte[] privateKeyData = keyRecord.getPrivateKeyData(); PublicKey publicKey = X509Key.parsePublicKey(new DerValue(publicKeyData)); - privateKey = storageUnit.unwrap_temp(privateKeyData, publicKey); + privateKey = storageUnit.unwrap( + privateKeyData, + publicKey, + true, + keyRecord.getWrappingParams(storageUnit.getOldWrappingParams())); } } catch (Exception e) { 
@@ -419,10 +412,32 @@ public class SecurityDataProcessor { CryptoToken ct = transportUnit.getToken(); - WrappingParams wrapParams = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); + String payloadEncryptOID = (String) params.get(IRequest.SECURITY_DATA_PL_ENCRYPTION_OID); + String payloadWrapName = (String) params.get(IRequest.SECURITY_DATA_PL_WRAPPING_NAME); + String transportKeyAlgo = transportUnit.getCertificate().getPublicKey().getAlgorithm(); + + byte[] iv = generate_iv(); + String ivStr = Utils.base64encode(iv); + + WrappingParams wrapParams = null; + if (payloadEncryptOID == null) { + wrapParams = transportUnit.getOldWrappingParams(); + wrapParams.setPayloadEncryptionIV(new IVParameterSpec(iv)); + wrapParams.setPayloadWrappingIV(new IVParameterSpec(iv)); + } else { + try { + wrapParams = new WrappingParams( + payloadEncryptOID, + payloadWrapName, + transportKeyAlgo, + new IVParameterSpec(iv), + null); + } catch (Exception e) { + auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), + "Cannot generate wrapping params"); + throw new EBaseException("Cannot generate wrapping params: " + e, e); + } + } byte[] key_data = null; String pbeWrappedData = null; @@ -435,8 +450,14 @@ public class SecurityDataProcessor { try { unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.DECRYPT, wrapParams); - unwrappedPass = decryptWithSymmetricKey(ct, unwrappedSess, wrappedPassPhrase, - new IVParameterSpec(iv_in), wrapParams); + + unwrappedPass = CryptoUtil.decryptUsingSymmetricKey( + ct, + wrapParams.getPayloadEncryptionIV(), + wrappedPassPhrase, + unwrappedSess, + wrapParams.getPayloadEncryptionAlgorithm()); + String passStr = new String(unwrappedPass, "UTF-8"); pass = new Password(passStr.toCharArray()); passStr = null; 
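Review bot: The response IV in the `@@ -419,10 +412,32 @@` hunk now comes from `generate_iv()`, whose body is not on this page, while the code removed at `@@ -360,18 +361,6 @@` filled it from `java.util.Random` and that import is still present. A CBC IV should be unpredictable, so the helper should draw from `java.security.SecureRandom` (for example `new SecureRandom().nextBytes(iv);`) and size the array to the block size of the selected cipher, not a fixed 8 bytes. The new-parameters branch also passes `null` as the wrapping IV although later hunks hand `wrapParams.getPayloadWrappingIV()` to `CryptoUtil.wrapUsingSymmetricKey`; that is fine only if every accepted `payloadWrapName` is IV-less, which deserves a comment. `payloadEncryptOID` and `payloadWrapName` are request-supplied, so any restriction to approved algorithms has to live in the `WrappingParams` constructor and should be confirmed there.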
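Review bot: In the `@@ -435,8 +450,14 @@` hunk the client's wrapped passphrase was previously decrypted with `new IVParameterSpec(iv_in)`, the IV sent with the request. It is now decrypted with `wrapParams.getPayloadEncryptionIV()`, which the preceding hunk sets to the freshly generated response IV. Unless code outside these hunks resets that field to `iv_in`, the first cipher block of the passphrase will decrypt to garbage and the PBE-wrapped output will be protected by a passphrase the client does not know. Keeping the request IV for this one call avoids that: `CryptoUtil.decryptUsingSymmetricKey(ct, new IVParameterSpec(iv_in), wrappedPassPhrase, unwrappedSess, wrapParams.getPayloadEncryptionAlgorithm());`.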
@@ -499,13 +520,21 @@ public class SecurityDataProcessor { CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key with session key as per allowEncDecrypt_recovery: true."); unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.ENCRYPT, wrapParams); - key_data = encryptWithSymmetricKey(ct, unwrappedSess, unwrappedSecData, - new IVParameterSpec(iv), wrapParams); - + key_data = CryptoUtil.encryptUsingSymmetricKey( + ct, + unwrappedSess, + unwrappedSecData, + wrapParams.getPayloadEncryptionAlgorithm(), + wrapParams.getPayloadEncryptionIV()); } else { unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.WRAP, wrapParams); - key_data = wrapWithSymmetricKey(ct, unwrappedSess, symKey, new IVParameterSpec(iv), wrapParams); + key_data = CryptoUtil.wrapUsingSymmetricKey( + ct, + unwrappedSess, + symKey, + wrapParams.getPayloadWrappingIV(), + wrapParams.getPayloadWrapAlgorithm()); } } catch (Exception e) { @@ -520,8 +549,12 @@ public class SecurityDataProcessor { unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.ENCRYPT, wrapParams); - key_data = encryptWithSymmetricKey(ct, unwrappedSess, unwrappedSecData, - new IVParameterSpec(iv), wrapParams); + key_data = CryptoUtil.encryptUsingSymmetricKey( + ct, + unwrappedSess, + unwrappedSecData, + wrapParams.getPayloadEncryptionAlgorithm(), + wrapParams.getPayloadEncryptionIV()); } catch (Exception e) { auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), "Cannot encrypt passphrase"); 
@@ -535,12 +568,23 @@ public class SecurityDataProcessor { CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key."); unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.ENCRYPT, wrapParams); - key_data = encryptWithSymmetricKey(ct, unwrappedSess, unwrappedSecData, - new IVParameterSpec(iv), wrapParams); + + key_data = CryptoUtil.encryptUsingSymmetricKey( + ct, + unwrappedSess, + unwrappedSecData, + wrapParams.getPayloadEncryptionAlgorithm(), + wrapParams.getPayloadEncryptionIV()); + } else { unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.WRAP, wrapParams); - key_data = wrapWithSymmetricKey(ct, unwrappedSess, privateKey, new IVParameterSpec(iv), wrapParams); + key_data = CryptoUtil.wrapUsingSymmetricKey( + ct, + unwrappedSess, + privateKey, + wrapParams.getPayloadWrappingIV(), + wrapParams.getPayloadWrapAlgorithm()); } } catch (Exception e) { 
@@ -566,42 +610,20 @@ public class SecurityDataProcessor { return false; //return true ? TODO } - private byte[] decryptWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, byte[] data, IVParameterSpec iv, - WrappingParams params) throws Exception { - Cipher decryptor = ct.getCipherContext(params.getPayloadEncryptionAlgorithm()); - if (decryptor == null) - throw new IOException("Failed to create decryptor"); - decryptor.initDecrypt(wrappingKey, iv); - return decryptor.doFinal(data); - } - - private byte[] wrapWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, SymmetricKey data, - IVParameterSpec iv, WrappingParams params) throws Exception { - KeyWrapper wrapper = ct.getKeyWrapper(params.getPayloadWrapAlgorithm()); - if (wrapper == null) - throw new IOException("Failed to create key wrapper"); - wrapper.initWrap(wrappingKey, iv); - return wrapper.wrap(data); - } - - private byte[] wrapWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, PrivateKey data, - IVParameterSpec iv, WrappingParams params) throws Exception { - KeyWrapper wrapper = ct.getKeyWrapper(params.getPayloadWrapAlgorithm()); - if (wrapper == null) - throw new IOException("Failed to create key wrapper"); - wrapper.initWrap(wrappingKey, iv); - return wrapper.wrap(data); - } - - private byte[] encryptWithSymmetricKey(CryptoToken ct, SymmetricKey wrappingKey, byte[] data, IVParameterSpec iv, - WrappingParams params) throws Exception { - Cipher encryptor = ct.getCipherContext(params.getPayloadEncryptionAlgorithm()); - - if (encryptor == null) - throw new IOException("Failed to create cipher"); + private byte[] generate_iv() { + //TODO(alee) Fix this -- this will only work for DES3. Needs to be based on algorithm. + // Is there a function in JSS for this? Also note that the iv generated here is actually + // used for both encryption and wrapping algorithms above. 
+ byte[] iv = new byte[8]; + byte iv_default[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - encryptor.initEncrypt(wrappingKey, iv); - return encryptor.doFinal(data); + try { + Random rnd = new Random(); + rnd.nextBytes(iv); + } catch (Exception e) { + iv = iv_default; + } + return iv; } public SymmetricKey recoverSymKey(KeyRecord keyRecord) @@ -612,7 +634,8 @@ public class SecurityDataProcessor { storageUnit.unwrap( keyRecord.getPrivateKeyData(), KeyRequestService.SYMKEY_TYPES.get(keyRecord.getAlgorithm()), - keyRecord.getKeySize()); + keyRecord.getKeySize(), + keyRecord.getWrappingParams(storageUnit.getOldWrappingParams())); return symKey; } catch (Exception e) { throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", @@ -623,7 +646,9 @@ public class SecurityDataProcessor { public byte[] recoverSecurityData(KeyRecord keyRecord) throws EBaseException { try { - return storageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData()); + return storageUnit.decryptInternalPrivate( + keyRecord.getPrivateKeyData(), + keyRecord.getWrappingParams(storageUnit.getOldWrappingParams())); } catch (Exception e) { CMS.debug("Failed to recover security data: " + e); throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", @@ -637,9 +662,7 @@ public class SecurityDataProcessor { int iterationCount, KeyGenerator.CharToByteConverter charToByteConverter, SymmetricKey symKey, PrivateKey privateKey, CryptoToken token) - throws CryptoManager.NotInitializedException, NoSuchAlgorithmException, - InvalidKeyException, InvalidAlgorithmParameterException, TokenException, - CharConversionException { + throws Exception { if (keyGenAlg == null) { throw new NoSuchAlgorithmException("Key generation algorithm is NULL"); 
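Review bot: `generate_iv()` draws the IV from `java.util.Random` and silently falls back to the constant `iv_default` on any exception; a CBC IV has to be unpredictable, and `Random` is not a cryptographic generator. Replace the try/catch with `new SecureRandom().nextBytes(iv);` (importing `java.security.SecureRandom` if this file does not already) and let a failure propagate instead of returning the fixed all-ones IV. The hard-coded 8-byte length is already flagged in the TODO; it will be wrong whenever `payloadEncryptOID` selects a cipher with a 16-byte block such as AES-CBC, so the length should be derived from the chosen algorithm before that path is enabled.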
@@ -665,14 +688,13 @@ public class SecurityDataProcessor { kg.generatePBE_IV()); } - KeyWrapper wrapper = token.getKeyWrapper( - KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper.initWrap(key, params); byte[] encrypted = null; if (symKey != null) { - encrypted = wrapper.wrap(symKey); + encrypted = CryptoUtil.wrapUsingSymmetricKey(token, key, symKey, (IVParameterSpec) params, + KeyWrapAlgorithm.DES3_CBC_PAD); } else if (privateKey != null) { - encrypted = wrapper.wrap(privateKey); + encrypted = CryptoUtil.wrapUsingSymmetricKey(token, key, privateKey, (IVParameterSpec) params, + KeyWrapAlgorithm.DES3_CBC_PAD); } if (encrypted == null) { //TODO - think about the exception to be thrown diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java index 83f3e2a79..8b4c801fb 100644 --- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java +++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java @@ -36,6 +36,7 @@ import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IllegalBlockSizeException; +import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.KeyWrapper; @@ -60,9 +61,14 @@ import com.netscape.certsrv.kra.IShare; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.security.Credential; import com.netscape.certsrv.security.IStorageKeyUnit; +import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Utils; +import netscape.security.util.DerInputStream; +import netscape.security.util.DerOutputStream; +import netscape.security.util.DerValue; + /** * A class represents a storage key unit. Currently, this * is implemented with cryptix, the final implementation 
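Review bot: Both new wrap calls cast with `(IVParameterSpec) params`, but the hunk only shows `params` being assigned inside a conditional that ends at `kg.generatePBE_IV());`. If that branch is skipped or `params` holds another spec type, the call either passes a null IV to `DES3_CBC_PAD` or fails with `ClassCastException`; the declaration is outside the hunk, so this is inferred. Declaring the variable as `IVParameterSpec` where it is assigned and rejecting a null value before wrapping would remove the cast and make the failure explicit.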
@@ -99,6 +105,7 @@ public class StorageKeyUnit extends EncryptionUnit implements public static final String PROP_KEYDB = "keydb"; public static final String PROP_CERTDB = "certdb"; public static final String PROP_MN = "mn"; + public static final String PROP_OLD_WRAPPING = "useOldWrapping"; /** * Constructs this token. @@ -123,6 +130,17 @@ public class StorageKeyUnit extends EncryptionUnit implements throw new EBaseException(CMS.getUserMessage("CMS_INVALID_OPERATION")); } + public WrappingParams getWrappingParams() throws EBaseException { + if (mConfig.getBoolean(PROP_OLD_WRAPPING, false)) { + return this.getOldWrappingParams(); + } + + return new WrappingParams( + SymmetricKey.AES, KeyGenAlgorithm.AES, 256, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.AES_256_CBC_PAD, + KeyWrapAlgorithm.AES_KEY_WRAP_PAD, IV2, null); + } + /** * return true if byte arrays are equal, false otherwise */ @@ -448,30 +466,16 @@ public class StorageKeyUnit extends EncryptionUnit implements try { // move public & private to config/storage.dat // delete private key - KeyWrapper wrapper = token.getKeyWrapper( + return CryptoUtil.wrapUsingSymmetricKey( + token, + sk, + pri, + IV, KeyWrapAlgorithm.DES3_CBC_PAD); - - // next to randomly generate a symmetric - // password - - wrapper.initWrap(sk, IV); - return wrapper.wrap(pri); - } catch (TokenException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "wrapStorageKey:" + - e.toString())); - } catch (NoSuchAlgorithmException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "wrapStorageKey:" + - e.toString())); - } catch (InvalidKeyException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "wrapStorageKey:" + - e.toString())); - } catch (InvalidAlgorithmParameterException e) { + } catch (Exception e) { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", "wrapStorageKey:" + - e.toString())); + e.toString()), e); } } 
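Review bot: `getWrappingParams()` in the `-123` hunk hands the same `IV2` value to every record as the `AES_256_CBC_PAD` payload encryption IV. That is tolerable only because `encryptInternalPrivate()` generates a new session key for each record; `IV2` is defined outside this hunk, so I am assuming it is a fixed constant. A comment on the return statement should say so, e.g. `// fixed IV is acceptable only because every record is encrypted under a fresh session key`, so these params are not later reused with a long-lived key.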
@@ -1001,4 +1005,212 @@ public class StorageKeyUnit extends EncryptionUnit implements return true; } + /**************************************************************************************** + * Methods to encrypt and store secrets in the database + ***************************************************************************************/ + + public byte[] encryptInternalPrivate(byte priKey[]) throws Exception { + try (DerOutputStream out = new DerOutputStream()) { + CMS.debug("EncryptionUnit.encryptInternalPrivate"); + CryptoToken internalToken = getInternalToken(); + + WrappingParams params = getWrappingParams(); + + // (1) generate session key + SymmetricKey sk = CryptoUtil.generateKey( + internalToken, + params.getSkKeyGenAlgorithm(), + params.getSkLength(), + null, + false); + + // (2) wrap private key with session key + byte[] pri = CryptoUtil.encryptUsingSymmetricKey( + internalToken, + sk, + priKey, + params.getPayloadEncryptionAlgorithm(), + params.getPayloadEncryptionIV()); + + // (3) wrap session with storage public + byte[] session = CryptoUtil.wrapUsingPublicKey( + internalToken, + getPublicKey(), + sk, + params.getSkWrapAlgorithm()); + + // use MY own structure for now: + // SEQUENCE { + // encryptedSession OCTET STRING, + // encryptedPrivate OCTET STRING + // } + + DerOutputStream tmp = new DerOutputStream(); + + tmp.putOctetString(session); + tmp.putOctetString(pri); + out.write(DerValue.tag_Sequence, tmp); + + return out.toByteArray(); + } + } + + public byte[] wrap(PrivateKey privKey) throws Exception { + return _wrap(privKey,null); + } + + public byte[] wrap(SymmetricKey symmKey) throws Exception { + return _wrap(null,symmKey); + } + + /*** + * Internal wrap, accounts for either private or symmetric key + */ + private byte[] _wrap(PrivateKey priKey, SymmetricKey symmKey) throws Exception { + try (DerOutputStream out = new DerOutputStream()) { + if ((priKey == null && symmKey == null) || (priKey != null && symmKey != null)) { + return null; + } + 
CMS.debug("EncryptionUnit.wrap interal."); + WrappingParams params = getWrappingParams(); + CryptoToken token = getToken(); + + SymmetricKey.Usage usages[] = new SymmetricKey.Usage[2]; + usages[0] = SymmetricKey.Usage.WRAP; + usages[1] = SymmetricKey.Usage.UNWRAP; + + // (1) generate session key + SymmetricKey sk = CryptoUtil.generateKey( + token, + params.getSkKeyGenAlgorithm(), + params.getSkLength(), + usages, + true); + + // (2) wrap private key with session key + // KeyWrapper wrapper = internalToken.getKeyWrapper( + + byte pri[] = null; + + if (priKey != null) { + pri = CryptoUtil.wrapUsingSymmetricKey( + token, + sk, + priKey, + params.getPayloadWrappingIV(), + params.getPayloadWrapAlgorithm()); + } else if (symmKey != null) { + pri = CryptoUtil.wrapUsingSymmetricKey( + token, + sk, + symmKey, + params.getPayloadWrappingIV(), + params.getPayloadWrapAlgorithm()); + } + + CMS.debug("EncryptionUnit:wrap() privKey wrapped"); + + byte[] session = CryptoUtil.wrapUsingPublicKey( + token, + getPublicKey(), + sk, + params.getSkWrapAlgorithm()); + CMS.debug("EncryptionUnit:wrap() session key wrapped"); + + // use MY own structure for now: + // SEQUENCE { + // encryptedSession OCTET STRING, + // encryptedPrivate OCTET STRING + // } + + DerOutputStream tmp = new DerOutputStream(); + + tmp.putOctetString(session); + tmp.putOctetString(pri); + out.write(DerValue.tag_Sequence, tmp); + + return out.toByteArray(); + } + } + + /**************************************************************************************** + * Methods to decrypt and retrieve secrets from the database + ***************************************************************************************/ + + public byte[] decryptInternalPrivate(byte wrappedKeyData[], WrappingParams params) + throws Exception { + CMS.debug("EncryptionUnit.decryptInternalPrivate"); + DerValue val = new DerValue(wrappedKeyData); + // val.tag == DerValue.tag_Sequence + DerInputStream in = val.data; + DerValue dSession = 
in.getDerValue(); + byte session[] = dSession.getOctetString(); + DerValue dPri = in.getDerValue(); + byte pri[] = dPri.getOctetString(); + + CryptoToken token = getToken(); + + // (1) unwrap the session key + CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:" + token.getName()); + SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.DECRYPT, params); + + // (2) decrypt the private key + return CryptoUtil.decryptUsingSymmetricKey( + token, + params.getPayloadEncryptionIV(), + pri, + sk, + params.getPayloadEncryptionAlgorithm()); + } + + public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize, + WrappingParams params) throws Exception { + DerValue val = new DerValue(wrappedKeyData); + // val.tag == DerValue.tag_Sequence + DerInputStream in = val.data; + DerValue dSession = in.getDerValue(); + byte session[] = dSession.getOctetString(); + DerValue dPri = in.getDerValue(); + byte pri[] = dPri.getOctetString(); + + CryptoToken token = getToken(); + // (1) unwrap the session key + SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params); + + // (2) unwrap the session-wrapped-symmetric key + return CryptoUtil.unwrap( + token, + algorithm, + keySize, + SymmetricKey.Usage.UNWRAP, + sk, + pri, + params.getPayloadWrapAlgorithm(), + params.getPayloadWrappingIV()); + } + + public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey, boolean temporary, WrappingParams params) + throws Exception { + DerValue val = new DerValue(wrappedKeyData); + // val.tag == DerValue.tag_Sequence + DerInputStream in = val.data; + DerValue dSession = in.getDerValue(); + byte session[] = dSession.getOctetString(); + DerValue dPri = in.getDerValue(); + byte pri[] = dPri.getOctetString(); + + CryptoToken token = getToken(); + // (1) unwrap the session key + SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params); + + // (2) unwrap the private key + return 
CryptoUtil.unwrap( + token, + pubKey, + temporary, + sk, + pri, + params.getPayloadWrapAlgorithm(), + params.getPayloadWrappingIV()); + } } diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java index 7d42cb45b..94301b662 100644 --- a/base/kra/src/com/netscape/kra/SymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java @@ -17,10 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; -import java.io.CharConversionException; import java.math.BigInteger; -import java.security.InvalidAlgorithmParameterException; -import java.security.NoSuchAlgorithmException; import java.util.ArrayList; import java.util.Arrays; import java.util.List; @@ -28,9 +25,7 @@ import java.util.List; import org.apache.commons.lang.StringUtils; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.KeyGenAlgorithm; -import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.SymmetricKey; -import org.mozilla.jss.crypto.TokenException; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; @@ -46,6 +41,7 @@ import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.cms.servlet.key.KeyRequestDAO; import com.netscape.cmscore.dbs.KeyRecord; +import com.netscape.cmsutil.crypto.CryptoUtil; /** * This implementation implements SecurityData archival operations. 
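Review bot: `_wrap()` returns `null` when both or neither of `priKey`/`symmKey` are supplied, so a caller mistake surfaces later as a null key blob instead of at the call site; `throw new IllegalArgumentException("exactly one of priKey and symmKey is required");` is safer there. In `decryptInternalPrivate()` and both `unwrap()` overloads the sequence tag is asserted only in a comment (`// val.tag == DerValue.tag_Sequence`); since `wrappedKeyData` is read back from the key record, an explicit tag check that throws would turn a malformed or truncated record into a clear error. The debug strings still say `EncryptionUnit.` (and `interal`) although the methods now live in `StorageKeyUnit`, which makes log lines harder to trace.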
@@ -154,21 +150,13 @@ public class SymKeyGenService implements IService { SymmetricKey sk = null; try { - KeyGenerator kg = token.getKeyGenerator(kgAlg); - kg.setKeyUsages(keyUsages); - kg.temporaryKeys(true); - if (kgAlg == KeyGenAlgorithm.AES || kgAlg == KeyGenAlgorithm.RC4 - || kgAlg == KeyGenAlgorithm.RC2) { - kg.initialize(keySize); - } - sk = kg.generate(); + sk = CryptoUtil.generateKey(token, kgAlg, keySize, keyUsages, true); CMS.debug("SymKeyGenService:wrap() session key generated on slot: " + token.getName()); - } catch (TokenException | IllegalStateException | CharConversionException | NoSuchAlgorithmException - | InvalidAlgorithmParameterException e) { + } catch (Exception e) { CMS.debugStackTrace(); auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), clientKeyId, null, "Failed to generate symmetric key"); - throw new EBaseException("Errors in generating symmetric key: " + e); + throw new EBaseException("Errors in generating symmetric key: " + e, e); } byte[] publicKey = null; @@ -224,6 +212,16 @@ public class SymKeyGenService implements IService { rec.set(KeyRecord.ATTR_REALM, realm); } + try { + rec.setWrappingParams(mStorageUnit.getWrappingParams()); + } catch (Exception e) { + mKRA.log(ILogger.LL_FAILURE, + "Failed to store wrapping parameters: " + e); + auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), + clientKeyId, null, "Failed to store wraping parameters."); + throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"), e); + } + CMS.debug("KRA adding Security Data key record " + serialNo); storage.addKeyRecord(rec); diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index 5ad8044d7..8abf92046 100644 --- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java 
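Review bot: The audit message in the new catch block of the `-224` hunk reads `"Failed to store wraping parameters."`, while `SecurityDataProcessor` uses `"Failed to store wrapping parameters"` for the same failure. Anyone searching the audit log for one string will miss the other, so use `"Failed to store wrapping parameters"` here as well.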
@@ -27,13 +27,11 @@ import java.security.PublicKey; import java.security.SecureRandom; import java.util.Hashtable; -import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.PrivateKey.Type; import org.mozilla.jss.crypto.SymmetricKey; @@ -54,6 +52,7 @@ import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmscore.dbs.KeyRecord; +import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Cert; import netscape.security.util.BigInt; @@ -170,23 +169,6 @@ public class TokenKeyRecoveryService implements IService { } } - // this encrypts bytes with a symmetric key - public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token, - IVParameterSpec IV) { - try { - Cipher cipher = token.getCipherContext( - EncryptionAlgorithm.DES3_CBC_PAD); - - cipher.initEncrypt(symKey, IV); - byte pri[] = cipher.doFinal(toBeEncrypted); - return pri; - } catch (Exception e) { - CMS.debug("initEncrypt() threw exception: " + e.toString()); - return null; - } - - } - /** * Processes a recovery request. The method reads * the key record from the database, and tries to recover the 
@@ -273,18 +255,17 @@ public class TokenKeyRecoveryService implements IService { (wrapped_des_key.length > 0)) { WrappingParams wrapParams = new WrappingParams( - SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 0, KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD); + KeyWrapAlgorithm.DES3_CBC_PAD, EncryptionUnit.IV, EncryptionUnit.IV); // unwrap the des key - sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams); - - if (sk == null) { + try { + sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams); + CMS.debug("TokenKeyRecoveryService: received des key"); + } catch (Exception e) { CMS.debug("TokenKeyRecoveryService: no des key"); request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - } else { - CMS.debug("TokenKeyRecoveryService: received des key"); } } else { CMS.debug("TokenKeyRecoveryService: not receive des key"); @@ -364,8 +345,6 @@ public class TokenKeyRecoveryService implements IService { CMS.debug("TokenKeyRecoveryService: got token slot:" + token.getName()); IVParameterSpec algParam = new IVParameterSpec(iv); - Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); - KeyRecord keyRecord = null; CMS.debug("KRA reading key record"); try { @@ -512,8 +491,12 @@ public class TokenKeyRecoveryService implements IService { } //encrypt and put in private key - cipher.initEncrypt(sk, algParam); - wrapped = cipher.doFinal(privateKeyData); + wrapped = CryptoUtil.encryptUsingSymmetricKey( + token, + sk, + privateKeyData, + EncryptionAlgorithm.DES3_CBC_PAD, + algParam); } else { //allowEncDecrypt_recovery == false PrivateKey privKey = recoverKey(params, keyRecord, allowEncDecrypt_recovery); if (privKey == null) { 
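Review bot: The new `catch (Exception e)` around `mTransportUnit.unwrap_sym(...)` discards `e`, and the old `sk == null` test is gone, so a null return without an exception would now log "received des key" and continue with no session key. Log the cause, e.g. `CMS.debug("TokenKeyRecoveryService: no des key: " + e);`, and keep an explicit `if (sk == null)` after the call unless `unwrap_sym` is documented never to return null. The code following the catch is outside this hunk, so whether processing actually stops once `RESULT` is set to 4 cannot be confirmed from here.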
@@ -531,11 +514,14 @@ public class TokenKeyRecoveryService implements IService { } CMS.debug("TokenKeyRecoveryService: about to wrap..."); - KeyWrapper wrapper = token.getKeyWrapper( - KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper.initWrap(sk, algParam); - wrapped = wrapper.wrap(privKey); + wrapped = CryptoUtil.wrapUsingSymmetricKey( + token, + sk, + privKey, + algParam, + KeyWrapAlgorithm.DES3_CBC_PAD); + iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); request.setExtData("iv_s", iv_s); } @@ -676,31 +662,21 @@ public class TokenKeyRecoveryService implements IService { } try { - /* wrapped retrieve session key and private key */ - DerValue val = new DerValue(keyRecord.getPrivateKeyData()); - DerInputStream in = val.data; - DerValue dSession = in.getDerValue(); - byte session[] = dSession.getOctetString(); - DerValue dPri = in.getDerValue(); - byte pri[] = dPri.getOctetString(); - - byte publicKeyData[] = keyRecord.getPublicKeyData(); PublicKey pubkey = null; try { - pubkey = X509Key.parsePublicKey (new DerValue(publicKeyData)); + pubkey = X509Key.parsePublicKey (new DerValue(keyRecord.getPublicKeyData())); } catch (Exception e) { CMS.debug("TokenKeyRecoverService: after parsePublicKey:"+e.toString()); throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "public key parsing failure")); } - byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1}; + PrivateKey privKey = null; try { privKey = mStorageUnit.unwrap( - session, - keyRecord.getAlgorithm(), - iv, - pri, - pubkey); + keyRecord.getPrivateKeyData(), + pubkey, + false, + keyRecord.getWrappingParams(mStorageUnit.getOldWrappingParams())); } catch (Exception e) { CMS.debug("TokenKeyRecoveryService: recoverKey() - recovery failure"); throw new EKRAException( 
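Review bot: In the `-676` hunk `mStorageUnit.unwrap(...)` is called with a bare `false` for the `temporary` parameter, whereas `SecurityDataProcessor` passes `true` for the same kind of recovery. If `false` makes the recovered user private key a persistent token object (the `CryptoUtil.unwrap` semantics are not visible here), the key stays on the KRA's token after the request unless something later deletes it. Either pass `true`, or add a comment next to the argument explaining why a permanent object is required and where it is removed.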
@@ -728,7 +704,9 @@ public class TokenKeyRecoveryService implements IService { mStorageUnit.login(creds); */ try { - return mStorageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData()); + return mStorageUnit.decryptInternalPrivate( + keyRecord.getPrivateKeyData(), + keyRecord.getWrappingParams(mStorageUnit.getOldWrappingParams())); /* mStorageUnit.logout();*/ } catch (Exception e){ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java index 2efdac7ad..672cb857a 100644 --- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java +++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java @@ -21,10 +21,12 @@ import java.security.PublicKey; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.ObjectNotFoundException; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.Signature; import org.mozilla.jss.crypto.SignatureAlgorithm; +import org.mozilla.jss.crypto.SymmetricKey; import org.mozilla.jss.crypto.TokenException; import com.netscape.certsrv.apps.CMS; @@ -32,6 +34,8 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.security.ITransportKeyUnit; +import com.netscape.certsrv.security.WrappingParams; +import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Cert; /** @@ -110,6 +114,10 @@ public class TransportKeyUnit extends EncryptionUnit implements } } + public WrappingParams getWrappingParams() { + return getOldWrappingParams(); + } + public CryptoToken getInternalToken() { try { return CryptoManager.getInstance().getInternalKeyStorageToken(); 
@@ -253,4 +261,122 @@ public class TransportKeyUnit extends EncryptionUnit implements throws EBaseException { // XXX } + + public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params) throws Exception { + return unwrap_session_key(getToken(), encSymmKey, SymmetricKey.Usage.WRAP, params); + } + + /** + * Decrypts the user private key. This is called on the transport unit. + */ + public byte[] decryptExternalPrivate(byte encSymmKey[], + String symmAlgOID, byte symmAlgParams[], byte encValue[], + org.mozilla.jss.crypto.X509Certificate transCert) + throws Exception { + + CMS.debug("EncryptionUnit.decryptExternalPrivate"); + + if (transCert == null) { + transCert = mCert; + } + CryptoToken token = getToken(transCert); + PrivateKey wrappingKey = getPrivateKey(transCert); + String priKeyAlgo = wrappingKey.getAlgorithm(); + WrappingParams params = new WrappingParams( + symmAlgOID, + null, + priKeyAlgo, + new IVParameterSpec(symmAlgParams), + null); + + SymmetricKey sk = CryptoUtil.unwrap( + token, + params.getSkType(), + 0, + SymmetricKey.Usage.DECRYPT, + wrappingKey, + encSymmKey, + params.getSkWrapAlgorithm()); + + return CryptoUtil.decryptUsingSymmetricKey( + token, + params.getPayloadEncryptionIV(), + encValue, + sk, + params.getPayloadEncryptionAlgorithm()); + } + + /** + * External unwrapping. Unwraps the symmetric key using + * the transport private key. 
+ */ + public SymmetricKey unwrap_symmetric(byte encSymmKey[], + String symmAlgOID, byte symmAlgParams[], + byte encValue[], SymmetricKey.Type algorithm, int strength) + throws Exception { + + CryptoToken token = getToken(); + PrivateKey wrappingKey = getPrivateKey(mCert); + String priKeyAlgo = wrappingKey.getAlgorithm(); + WrappingParams params = new WrappingParams( + symmAlgOID, + null, + priKeyAlgo, + new IVParameterSpec(symmAlgParams), + null); + + // (1) unwrap the session key + SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP, params); + + // (2) unwrap the session-wrapped-symmetric-key + return CryptoUtil.unwrap( + token, + algorithm, + strength, + SymmetricKey.Usage.DECRYPT, + sk, + encValue, + params.getPayloadWrapAlgorithm(), + params.getPayloadEncryptionIV()); + } + + /** + * External unwrapping. Unwraps the data using + * the transport private key. + */ + public PrivateKey unwrap(byte encSymmKey[], + String symmAlgOID, byte symmAlgParams[], + byte encValue[], PublicKey pubKey, + org.mozilla.jss.crypto.X509Certificate transCert) + throws Exception { + CryptoToken token = getToken(transCert); + PrivateKey wrappingKey = getPrivateKey(transCert); + String priKeyAlgo = wrappingKey.getAlgorithm(); + WrappingParams params = new WrappingParams( + symmAlgOID, + null, + priKeyAlgo, + new IVParameterSpec(symmAlgParams), + new IVParameterSpec(symmAlgParams)); + + // (1) unwrap the session key + SymmetricKey sk = CryptoUtil.unwrap( + token, + params.getSkType(), + 0, + SymmetricKey.Usage.UNWRAP, + wrappingKey, + encSymmKey, + params.getSkWrapAlgorithm()); + + // (2) unwrap the session-wrapped-private key + return CryptoUtil.unwrap( + token, + pubKey, + true, + sk, + encValue, + params.getPayloadWrapAlgorithm(), + params.getPayloadWrappingIV()); + } } |
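Review bot: `unwrap(..., transCert)` calls `getToken(transCert)` and `getPrivateKey(transCert)` directly, while `decryptExternalPrivate()` in the same hunk first substitutes `mCert` when `transCert` is null; unless those helpers handle null themselves, a request without a transport certificate fails here. Add `if (transCert == null) { transCert = mCert; }` at the top of `unwrap`. `unwrap_symmetric()` builds its params with a null wrapping IV and then passes `params.getPayloadEncryptionIV()` to the key-unwrap call; filling both IV slots and reading `getPayloadWrappingIV()`, as `unwrap` does, would keep the two paths consistent. `symmAlgOID` and `symmAlgParams` appear to be caller-supplied, so a null `symmAlgParams` should be rejected before `new IVParameterSpec(symmAlgParams)` in all three methods.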
