| author | Ade Lee <alee@redhat.com> | 2017-04-13 14:54:38 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-04-13 17:20:56 -0400 |
| commit | 2d7ab34b812eb1cf28c7c53fb43bf595f94a806f (patch) | |
| tree | be012f772397c89f35f9caab0b31c1dfc7480add /base/kra/src/com | |
| parent | 716dca464943a22eb6588187fba9fad85e1c1345 (diff) | |
Add field to indicate if key was encrypted or wrapped
Whether a secret was encrypted or wrapped in the storage unit
depends on a parameter in CS.cfg. If that parameter is changed,
the Storage unit may use the wrong mechanism to try to decrypt
the stored key. That's ok for encrypt/wrap using DES or AES-CBC,
but not for AES KeyWrap.
In this patch, we add a field in the Key record to specify whether
the secret was encrypted when stored (or keywrapped if false).
A subsequent patch will change the logic when decrypting to use
this field.
Change-Id: If535156179bd1259cfaaf5e56fd4d36ffdb0eb0e
Diffstat (limited to 'base/kra/src/com')
5 files changed, 15 insertions, 6 deletions
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
index bd2be704d..95289721a 100644
--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
@@ -30,6 +30,7 @@ import org.mozilla.jss.crypto.TokenException;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.dbs.keydb.IKeyRecord;
 import com.netscape.certsrv.dbs.keydb.IKeyRepository;
 import com.netscape.certsrv.key.AsymKeyGenerationRequest;
@@ -72,7 +73,7 @@ public class AsymKeyGenService implements IService {
 @Override
 public boolean serviceRequest(IRequest request) throws EBaseException {
-
+ IConfigStore cs = CMS.getConfigStore();
 String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID);
 String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM);
@@ -81,6 +82,8 @@ public class AsymKeyGenService implements IService {
 String realm = request.getRealm();
+ boolean allowEncDecrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
+ KeyPairGeneratorSpi.Usage[] usageList = null;
 String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES);
 if (usageStr != null) {
@@ -164,6 +167,7 @@ public class AsymKeyGenService implements IService {
 WrappingParams params = null;
 try {
+ // TODO(alee) What happens if key wrap algorithm is not supported?
 params = storageUnit.getWrappingParams();
 privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate(), params);
 } catch (Exception e) {
@@ -201,7 +205,7 @@ public class AsymKeyGenService implements IService {
 }
 try {
- record.setWrappingParams(params);
+ record.setWrappingParams(params, false);
 } catch (Exception e) {
 auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), clientKeyId, null, "Failed to store wrapping params");
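Review bot: In the `@@ -81,6 +82,8 @@` hunk of AsymKeyGenService.serviceRequest, the new `allowEncDecrypt_archival` local (and the `cs` lookup added for it in the `@@ -72,7 +73,7 @@` hunk) is not used in any visible hunk; the record is written with a literal in `record.setWrappingParams(params, false)`. Because this path only calls `storageUnit.wrap(...)`, `false` looks correct, so I would drop the two added lines rather than read a setting that is then ignored; the new `cs.getBoolean(...)` call may also let a malformed config value fail the request before the wrap is attempted (inferred from the method's `throws EBaseException`). The bare boolean is hard to read at the call site, so I would add a comment there, `// stored via storageUnit.wrap(), never encrypted, so the flag is always false`, and the same at the `setWrappingParams(params, false)` calls in NetkeyKeygenService and SymKeyGenService. serviceRequest continues outside these hunks, so the variable may be used further down.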
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index 7c179d4bd..381fee8ea 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -502,7 +502,7 @@ public class EnrollmentService implements IService {
 }
 try {
- rec.setWrappingParams(params);
+ rec.setWrappingParams(params, allowEncDecrypt_archival);
 } catch (Exception e) {
 mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); // TODO(alee) Set correct audit message here
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 4926873e2..e09eb420c 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -584,6 +584,7 @@ public class NetkeyKeygenService implements IService {
 WrappingParams params = null;
 try {
+ // TODO(alee) What happens if key wrap algorithm is not supported?
 params = mStorageUnit.getWrappingParams();
 privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
 } catch (Exception e) {
@@ -656,7 +657,7 @@ public class NetkeyKeygenService implements IService {
 return false;
 }
- rec.setWrappingParams(params);
+ rec.setWrappingParams(params, false);
 CMS.debug("NetkeyKeygenService: before addKeyRecord");
 rec.set(KeyRecord.ATTR_ID, serialNo);
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 4659901ac..4261833c1 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -214,6 +214,7 @@ public class SecurityDataProcessor {
 byte[] publicKey = null;
 byte privateSecurityData[] = null;
+ boolean doEncrypt = false;
 try {
 params = storageUnit.getWrappingParams();
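Review bot: In EnrollmentService's `@@ -502,7 +502,7 @@` hunk, `rec.setWrappingParams(params, allowEncDecrypt_archival)` stores the configuration value rather than a flag set where the key was actually encrypted or wrapped, and that code is outside the hunk. The commit message says the field exists so that decryption no longer depends on the setting, so the record should describe the operation that ran; SecurityDataProcessor in this commit does that with a local `doEncrypt` set next to each `encryptInternalPrivate` call. If any archival path here wraps while the setting is true, the record would be labelled wrongly and the later decrypt logic could pick the wrong mechanism. I would use the same pattern: `boolean doEncrypt = false;` before the storage call, `doEncrypt = true;` in the encrypt branch, and `rec.setWrappingParams(params, doEncrypt);` here. The context also keeps `// TODO(alee) Set correct audit message here`, so a failure to store the parameters appears to be logged but not audited.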
@@ -222,9 +223,11 @@ public class SecurityDataProcessor {
 } else if (unwrapped != null && allowEncDecrypt_archival == true) {
 privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped, params);
 Arrays.fill(unwrapped, (byte)0);
+ doEncrypt = true;
 CMS.debug("allowEncDecrypt_archival of symmetric key.");
 } else if (securityData != null) {
 privateSecurityData = storageUnit.encryptInternalPrivate(securityData, params);
+ doEncrypt = true;
 } else { // We have no data.
 auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, clientKeyId, null, "Failed to create security data to archive");
@@ -282,7 +285,7 @@ public class SecurityDataProcessor {
 }
 try {
- rec.setWrappingParams(params);
+ rec.setWrappingParams(params, doEncrypt);
 } catch (Exception e) {
 kra.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters: " + e);
diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
index 0dfd3a292..c1830ec6c 100644
--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
@@ -170,6 +170,7 @@ public class SymKeyGenService implements IService {
 }
 try {
+ // TODO(alee) what happens if key wrap algorithm is not supported?
 params = mStorageUnit.getWrappingParams();
 privateSecurityData = mStorageUnit.wrap(sk, params);
 } catch (Exception e) {
@@ -215,7 +216,7 @@ public class SymKeyGenService implements IService {
 }
 try {
- rec.setWrappingParams(params);
+ rec.setWrappingParams(params, false);
 } catch (Exception e) {
 mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters: " + e); |
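Review bot: In SecurityDataProcessor's `@@ -222,9 +223,11 @@` hunk, `Arrays.fill(unwrapped, (byte)0)` runs only after `encryptInternalPrivate(unwrapped, params)` returns, so if that call throws, the cleartext key bytes stay in memory unless the handler outside the hunk clears them. The commit already edits this branch to add `doEncrypt = true;`, so this is a natural place to move the wipe into a `finally` on the enclosing `try`, e.g. `finally { if (unwrapped != null) Arrays.fill(unwrapped, (byte) 0); }`, assuming `unwrapped` is declared outside that `try`. The `securityData` branch shows no wipe at all; whether that buffer is cleared later cannot be seen from here. The enclosing `try` opens in the previous hunk and its `catch` lies outside both hunks.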
