authorAde Lee <alee@redhat.com>2017-02-21 13:17:57 -0500
committerAde Lee <alee@redhat.com>2017-02-28 12:20:12 -0500
commit7ea4774b5b9dbf2ba4410d0db58f76bbfd71ba55 (patch)
tree20f54d7a3c2993152d8224abd1ec01ec2ead5b14 /base/kra/src/com
parentaa742e5feb0342fa49a272afc81537d6b1f5a12e (diff)
Refactor exception handling in the EncryptionUnit
Exceptions should be bubbled up and not swallowed at the EncryptionUnit level. This will help in diagnosing issues.
Diffstat (limited to 'base/kra/src/com')
-rw-r--r--base/kra/src/com/netscape/kra/AsymKeyGenService.java21
-rw-r--r--base/kra/src/com/netscape/kra/EncryptionUnit.java347
-rw-r--r--base/kra/src/com/netscape/kra/EnrollmentService.java150
-rw-r--r--base/kra/src/com/netscape/kra/NetkeyKeygenService.java13
-rw-r--r--base/kra/src/com/netscape/kra/RecoveryService.java48
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataProcessor.java99
-rw-r--r--base/kra/src/com/netscape/kra/SymKeyGenService.java13
-rw-r--r--base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java36
8 files changed, 358 insertions, 369 deletions
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
index 26a284fd0..7b43548d5 100644
--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
@@ -153,8 +153,25 @@ public class AsymKeyGenService implements IService {
throw new EBaseException("Errors in generating Asymmetric key: " + e);
}
- KeyRecord record = new KeyRecord(null, kp.getPublic().getEncoded(), storageUnit.wrap((PrivateKey) kp
- .getPrivate()), owner, algorithm, owner);
+ if (kp == null) {
+ auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+ clientKeyId, null, "Failed to generate asymmetric key");
+ throw new EBaseException("Failed to generate asymmetric key!");
+ }
+
+ byte[] privateSecurityData = null;
+
+ try {
+ privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate());
+ } catch (Exception e) {
+ CMS.debug("Failed to generate security data to archive: " + e);
+ auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+ clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ throw new EBaseException("Failed to generate security data to archive!", e);
+ }
+
+ KeyRecord record = new KeyRecord(null, kp.getPublic().getEncoded(), privateSecurityData,
+ owner, algorithm, owner);
IKeyRepository storage = kra.getKeyRepository();
BigInteger serialNo = storage.getNextSerialNumber();
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
index 817ae7ffc..af4c3ec19 100644
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
@@ -32,10 +32,8 @@ import org.mozilla.jss.crypto.SymmetricKey;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.key.KeyRequestResource;
-import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.security.IEncryptionUnit;
import com.netscape.certsrv.security.WrappingParams;
-import com.netscape.cmscore.util.Debug;
import netscape.security.util.DerInputStream;
import netscape.security.util.DerOutputStream;
@@ -78,8 +76,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
* Protects the private key so that it can be stored in
* internal database.
*/
- public byte[] encryptInternalPrivate(byte priKey[])
- throws EBaseException {
+ public byte[] encryptInternalPrivate(byte priKey[]) throws Exception {
try (DerOutputStream out = new DerOutputStream()) {
CMS.debug("EncryptionUnit.encryptInternalPrivate");
CryptoToken internalToken = getInternalToken();
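Review bot: Declaring `throws Exception` on the public `encryptInternalPrivate` (and, in the later hunks, on `wrap`, `decryptExternalPrivate`, `unwrap_symmetric`, the `unwrap` overloads, `decryptInternalPrivate` and `unwrap_temp`) forces every caller into `catch (Exception e)`, which is what the service classes in this commit now do. A NullPointerException from a bad argument then becomes indistinguishable from a token or crypto failure. Keeping `throws EBaseException` and converting at this boundary with the cause attached, e.g. `throw new EBaseException("encryptInternalPrivate failed", e);`, would still bubble the error up while keeping the contract narrow. The Javadoc above the method should also gain an `@throws` line stating that failure is no longer reported as a null return. The method body continues outside this hunk, and the `IEncryptionUnit` interface is not shown, so its declaration presumably changes to match.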
@@ -111,19 +108,14 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
out.write(DerValue.tag_Sequence, tmp);
return out.toByteArray();
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString()));
- Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString());
- return null;
}
}
- public byte[] wrap(PrivateKey privKey) throws EBaseException {
+ public byte[] wrap(PrivateKey privKey) throws Exception {
return _wrap(privKey,null);
}
- public byte[] wrap(SymmetricKey symmKey) throws EBaseException {
+ public byte[] wrap(SymmetricKey symmKey) throws Exception {
return _wrap(null,symmKey);
}
@@ -146,7 +138,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
*/
public byte[] decryptExternalPrivate(byte encSymmKey[],
String symmAlgOID, byte symmAlgParams[], byte encValue[])
- throws EBaseException {
+ throws Exception {
return decryptExternalPrivate(encSymmKey, symmAlgOID, symmAlgParams,
encValue, null);
}
@@ -157,36 +149,29 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
public byte[] decryptExternalPrivate(byte encSymmKey[],
String symmAlgOID, byte symmAlgParams[], byte encValue[],
org.mozilla.jss.crypto.X509Certificate transCert)
- throws EBaseException {
- try {
+ throws Exception {
- CMS.debug("EncryptionUnit.decryptExternalPrivate");
- CryptoToken token = getToken(transCert);
+ CMS.debug("EncryptionUnit.decryptExternalPrivate");
+ CryptoToken token = getToken(transCert);
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
- PrivateKey wrappingKey = getPrivateKey(transCert);
- String priKeyAlgo = wrappingKey.getAlgorithm();
- if (priKeyAlgo.equals("EC"))
- params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);
+ PrivateKey wrappingKey = getPrivateKey(transCert);
+ String priKeyAlgo = wrappingKey.getAlgorithm();
+ if (priKeyAlgo.equals("EC"))
+ params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);
- SymmetricKey sk = unwrap_session_key(
- token,
- encSymmKey,
- SymmetricKey.Usage.DECRYPT,
- wrappingKey,
- params);
+ SymmetricKey sk = unwrap_session_key(
+ token,
+ encSymmKey,
+ SymmetricKey.Usage.DECRYPT,
+ wrappingKey,
+ params);
- return decrypt_private_key(token, new IVParameterSpec(symmAlgParams), sk, encValue, params);
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString()));
- Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString());
- return null;
- }
+ return decrypt_private_key(token, new IVParameterSpec(symmAlgParams), sk, encValue, params);
}
/**
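Review bot: The `new WrappingParams(SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, KeyWrapAlgorithm.DES3_CBC_PAD)` literal is re-indented here in `decryptExternalPrivate` and again, unchanged, in `unwrap_symmetric`, the transport `unwrap`, `decryptInternalPrivate`, the symmetric `unwrap` and `_unwrap`. Since every one of those bodies is rewritten by this commit, it would be a good moment to move the construction into one private helper, leaving the `"EC"` override (`params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB)`) at the two call sites that need it. A single definition makes the hard-coded algorithm choice reviewable in one place and avoids six parallel edits when it changes. A short comment on the helper, such as `// default transport/storage wrapping parameters; keep in sync with the archival side`, would record why the values are fixed.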
@@ -194,37 +179,30 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
* the transport private key.
*/
public SymmetricKey unwrap_symmetric(byte encSymmKey[],
- String symmAlgOID, byte symmAlgParams[],
- byte encValue[], SymmetricKey.Type algorithm, int strength)
- throws EBaseException {
- try {
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ String symmAlgOID, byte symmAlgParams[],
+ byte encValue[], SymmetricKey.Type algorithm, int strength)
+ throws Exception {
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+
+ CryptoToken token = getToken();
+ // (1) unwrap the session key
+ SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP, params);
+
+ // (2) unwrap the session-wrapped-symmetric-key
+ SymmetricKey symKey = unwrap_symmetric_key(
+ token,
+ new IVParameterSpec(symmAlgParams),
+ algorithm,
+ strength,
+ SymmetricKey.Usage.DECRYPT,
+ sk,
+ encValue,
+ params);
- CryptoToken token = getToken();
- // (1) unwrap the session key
- SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP, params);
-
- // (2) unwrap the session-wrapped-symmetric-key
- SymmetricKey symKey = unwrap_symmetric_key(
- token,
- new IVParameterSpec(symmAlgParams),
- algorithm,
- strength,
- SymmetricKey.Usage.DECRYPT,
- sk,
- encValue,
- params);
-
- return symKey;
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
- Debug.trace("EncryptionUnit::unwrap " + e.toString());
- return null;
- }
+ return symKey;
}
/**
@@ -234,7 +212,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
public PrivateKey unwrap(byte encSymmKey[],
String symmAlgOID, byte symmAlgParams[],
byte encValue[], PublicKey pubKey)
- throws EBaseException {
+ throws Exception {
return unwrap (encSymmKey, symmAlgOID, symmAlgParams,
encValue, pubKey, null);
}
@@ -244,46 +222,39 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
* the transport private key.
*/
public PrivateKey unwrap(byte encSymmKey[],
- String symmAlgOID, byte symmAlgParams[],
- byte encValue[], PublicKey pubKey,
- org.mozilla.jss.crypto.X509Certificate transCert)
- throws EBaseException {
- try {
- CryptoToken token = getToken(transCert);
+ String symmAlgOID, byte symmAlgParams[],
+ byte encValue[], PublicKey pubKey,
+ org.mozilla.jss.crypto.X509Certificate transCert)
+ throws Exception {
+ CryptoToken token = getToken(transCert);
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
- PrivateKey wrappingKey = getPrivateKey(transCert);
- String priKeyAlgo = wrappingKey.getAlgorithm();
- if (priKeyAlgo.equals("EC"))
- params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);
-
- // (1) unwrap the session key
- SymmetricKey sk = unwrap_session_key(
- token,
- encSymmKey,
- SymmetricKey.Usage.UNWRAP,
- wrappingKey,
- params);
-
- // (2) unwrap the session-wrapped-private key
- return unwrap_private_key(
- token,
- pubKey,
- new IVParameterSpec(symmAlgParams),
- true /*temporary*/,
- sk,
- encValue,
- params);
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
- Debug.trace("EncryptionUnit::unwrap " + e.toString());
- CMS.debug("EncryptionUnit.unwrap "+ e.toString());
- return null;
- }
+ PrivateKey wrappingKey = getPrivateKey(transCert);
+ String priKeyAlgo = wrappingKey.getAlgorithm();
+ if (priKeyAlgo.equals("EC"))
+ params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);
+
+ // (1) unwrap the session key
+ SymmetricKey sk = unwrap_session_key(
+ token,
+ encSymmKey,
+ SymmetricKey.Usage.UNWRAP,
+ wrappingKey,
+ params);
+
+ // (2) unwrap the session-wrapped-private key
+ return unwrap_private_key(
+ token,
+ pubKey,
+ new IVParameterSpec(symmAlgParams),
+ true /*temporary*/,
+ sk,
+ encValue,
+ params);
}
/**
@@ -292,77 +263,62 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
*/
public byte[] decryptInternalPrivate(byte wrappedKeyData[])
- throws EBaseException {
- try {
- CMS.debug("EncryptionUnit.decryptInternalPrivate");
- DerValue val = new DerValue(wrappedKeyData);
- // val.tag == DerValue.tag_Sequence
- DerInputStream in = val.data;
- DerValue dSession = in.getDerValue();
- byte session[] = dSession.getOctetString();
- DerValue dPri = in.getDerValue();
- byte pri[] = dPri.getOctetString();
-
- CryptoToken token = getToken();
-
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
-
- // (1) unwrap the session key
- CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:" + token.getName());
- SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.DECRYPT, params);
-
- // (2) decrypt the private key
- return decrypt_private_key(token, IV, sk, pri, params);
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString()));
- Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString());
- return null;
- }
+ throws Exception {
+ CMS.debug("EncryptionUnit.decryptInternalPrivate");
+ DerValue val = new DerValue(wrappedKeyData);
+ // val.tag == DerValue.tag_Sequence
+ DerInputStream in = val.data;
+ DerValue dSession = in.getDerValue();
+ byte session[] = dSession.getOctetString();
+ DerValue dPri = in.getDerValue();
+ byte pri[] = dPri.getOctetString();
+
+ CryptoToken token = getToken();
+
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+
+ // (1) unwrap the session key
+ CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:" + token.getName());
+ SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.DECRYPT, params);
+
+ // (2) decrypt the private key
+ return decrypt_private_key(token, IV, sk, pri, params);
}
/**
* External unwrapping of stored symmetric key.
*/
public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize)
- throws EBaseException {
- try {
- DerValue val = new DerValue(wrappedKeyData);
- // val.tag == DerValue.tag_Sequence
- DerInputStream in = val.data;
- DerValue dSession = in.getDerValue();
- byte session[] = dSession.getOctetString();
- DerValue dPri = in.getDerValue();
- byte pri[] = dPri.getOctetString();
-
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
-
- CryptoToken token = getToken();
- // (1) unwrap the session key
- SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params);
-
- // (2) unwrap the session-wrapped-symmetric key
- return unwrap_symmetric_key(token, IV, algorithm, keySize, SymmetricKey.Usage.UNWRAP, sk, pri, params);
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
- Debug.trace("EncryptionUnit::unwrap " + e.toString());
- CMS.debug(e);
- return null;
- }
+ throws Exception {
+ DerValue val = new DerValue(wrappedKeyData);
+ // val.tag == DerValue.tag_Sequence
+ DerInputStream in = val.data;
+ DerValue dSession = in.getDerValue();
+ byte session[] = dSession.getOctetString();
+ DerValue dPri = in.getDerValue();
+ byte pri[] = dPri.getOctetString();
+
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+
+ CryptoToken token = getToken();
+ // (1) unwrap the session key
+ SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params);
+
+ // (2) unwrap the session-wrapped-symmetric key
+ return unwrap_symmetric_key(token, IV, algorithm, keySize, SymmetricKey.Usage.UNWRAP, sk, pri, params);
}
/**
* Internal unwrapping.
*/
public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey pubKey)
- throws EBaseException {
+ throws Exception {
return _unwrap(wrappedKeyData, pubKey, true);
}
@@ -370,50 +326,40 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
* Internal unwrapping.
*/
public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey)
- throws EBaseException {
+ throws Exception {
return _unwrap(wrappedKeyData, pubKey, false);
}
/**
* Internal unwrapping.
*/
- private PrivateKey _unwrap(byte wrappedKeyData[], PublicKey
- pubKey, boolean temporary)
- throws EBaseException {
- try {
-
- DerValue val = new DerValue(wrappedKeyData);
- // val.tag == DerValue.tag_Sequence
- DerInputStream in = val.data;
- DerValue dSession = in.getDerValue();
- byte session[] = dSession.getOctetString();
- DerValue dPri = in.getDerValue();
- byte pri[] = dPri.getOctetString();
-
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD);
-
- CryptoToken token = getToken();
- // (1) unwrap the session key
- SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params);
-
- // (2) unwrap the private key
- return unwrap_private_key(token, pubKey, IV, temporary, sk, pri, params);
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
- Debug.trace("EncryptionUnit::unwrap " + e.toString());
- CMS.debug(e);
- return null;
- }
+ private PrivateKey _unwrap(byte wrappedKeyData[], PublicKey pubKey, boolean temporary)
+ throws Exception {
+ DerValue val = new DerValue(wrappedKeyData);
+ // val.tag == DerValue.tag_Sequence
+ DerInputStream in = val.data;
+ DerValue dSession = in.getDerValue();
+ byte session[] = dSession.getOctetString();
+ DerValue dPri = in.getDerValue();
+ byte pri[] = dPri.getOctetString();
+
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD);
+
+ CryptoToken token = getToken();
+ // (1) unwrap the session key
+ SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params);
+
+ // (2) unwrap the private key
+ return unwrap_private_key(token, pubKey, IV, temporary, sk, pri, params);
}
/***
* Internal wrap, accounts for either private or symmetric key
*/
- private byte[] _wrap(PrivateKey priKey, SymmetricKey symmKey) {
+ private byte[] _wrap(PrivateKey priKey, SymmetricKey symmKey) throws Exception {
try (DerOutputStream out = new DerOutputStream()) {
if ((priKey == null && symmKey == null) || (priKey != null && symmKey != null)) {
return null;
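Review bot: `_wrap` still executes `return null;` when both or neither of `priKey` and `symmKey` are supplied, although this commit removes the callers' null checks on the assumption that failure now arrives as an exception. `NetkeyKeygenService` and `EnrollmentService` both drop their `privateKeyData == null` test in later hunks, so a null `privKey` passed to `wrap(PrivateKey)` would yield a null blob that flows into the key record and, in `NetkeyKeygenService`, is logged as successful. The guard should throw instead, e.g. `throw new EBaseException("_wrap: exactly one of priKey and symmKey must be set");`. The rest of `_wrap` lies outside this hunk.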
@@ -462,11 +408,6 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
out.write(DerValue.tag_Sequence, tmp);
return out.toByteArray();
- } catch (Exception e) {
- CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString()));
- Debug.trace("EncryptionUnit::wrap " + e.toString());
- return null;
}
}
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index f901b5767..fbefc549e 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -229,53 +229,55 @@ public class EnrollmentService implements IService {
for (int i = 0; i < aOpts.length; i++) {
ArchiveOptions opts = new ArchiveOptions(aOpts[i].mAO);
- if (allowEncDecrypt_archival == true) {
- if (tCert == null) {
- CMS.debug("EnrollmentService: Invalid transport certificate: "+transportCert);
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"));
- }
- if (statsSub != null) {
- statsSub.startTiming("decrypt_user_key");
- }
- mKRA.log(ILogger.LL_INFO, "KRA decrypts external private");
- if (CMS.debugOn())
- CMS.debug("EnrollmentService::about to decryptExternalPrivate");
- tmp_unwrapped = mTransportUnit.decryptExternalPrivate(
- opts.getEncSymmKey(),
- opts.getSymmAlgOID(),
- opts.getSymmAlgParams(),
- opts.getEncValue(),
- tCert);
- if (statsSub != null) {
- statsSub.endTiming("decrypt_user_key");
- }
- if (CMS.debugOn())
- CMS.debug("EnrollmentService::finished decryptExternalPrivate");
- if (tmp_unwrapped == null) {
- mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
+ if (allowEncDecrypt_archival == true) {
+ if (tCert == null) {
+ CMS.debug("EnrollmentService: Invalid transport certificate: " + transportCert);
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"));
+ }
+ if (statsSub != null) {
+ statsSub.startTiming("decrypt_user_key");
+ }
+ mKRA.log(ILogger.LL_INFO, "KRA decrypts external private");
+ if (CMS.debugOn())
+ CMS.debug("EnrollmentService::about to decryptExternalPrivate");
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ try {
+ tmp_unwrapped = mTransportUnit.decryptExternalPrivate(
+ opts.getEncSymmKey(),
+ opts.getSymmAlgOID(),
+ opts.getSymmAlgParams(),
+ opts.getEncValue(),
+ tCert);
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
- audit(auditMessage);
- throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
- }
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
- /* making sure leading 0's are removed */
- int first=0;
- for (int j=0; (j< tmp_unwrapped.length) && (tmp_unwrapped[j]==0); j++) {
- first++;
- }
- unwrapped = Arrays.copyOfRange(tmp_unwrapped, first, tmp_unwrapped.length);
- } /*else { allowEncDecrypt_archival != true
- this is done below with unwrap()
- }
- */
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ }
+ if (statsSub != null) {
+ statsSub.endTiming("decrypt_user_key");
+ }
+ if (CMS.debugOn())
+ CMS.debug("EnrollmentService::finished decryptExternalPrivate");
+
+ /* making sure leading 0's are removed */
+ int first = 0;
+ for (int j = 0; (j < tmp_unwrapped.length) && (tmp_unwrapped[j] == 0); j++) {
+ first++;
+ }
+ unwrapped = Arrays.copyOfRange(tmp_unwrapped, first, tmp_unwrapped.length);
+ } /*else { allowEncDecrypt_archival != true
+ this is done below with unwrap()
+ }
+ */
// retrieve public key
X509Key publicKey = getPublicKey(request, aOpts[i].mReqPos);
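Review bot: The new `catch (Exception e)` around `mTransportUnit.decryptExternalPrivate(...)` never uses `e`: it logs only the fixed `CMSCORE_KRA_UNWRAP_USER_KEY` text and rethrows without a cause, so the underlying failure is lost again at this level. Chaining it as the later unwrap hunk does, `throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e);`, keeps the stack trace for diagnosis. The same omission appears in the catch around `mStorageUnit.encryptInternalPrivate`/`wrap` later in this file, in the `decryptInternalPrivate` catch in `RecoveryService`, and in the `allowEncDecrypt_archival` and archive-wrapping catches in `SecurityDataProcessor`. The enclosing loop and method start and end outside this hunk.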
@@ -312,16 +314,31 @@ public class EnrollmentService implements IService {
} catch (Exception e) {
CMS.debug("EnrollmentService: parsePublicKey:"+e.toString());
throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+ CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"), e);
+ }
+
+ try {
+ entityPrivKey = mTransportUnit.unwrap(
+ opts.getEncSymmKey(),
+ opts.getSymmAlgOID(),
+ opts.getSymmAlgParams(),
+ opts.getEncValue(),
+ pubkey,
+ tCert);
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_DEBUG, e.getMessage());
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e);
}
- entityPrivKey =
- mTransportUnit.unwrap(
- opts.getEncSymmKey(),
- opts.getSymmAlgOID(),
- opts.getSymmAlgParams(),
- opts.getEncValue(),
- pubkey,
- tCert);
} // !allowEncDecrypt_archival
/* Bugscape #54948 - verify public and private key before archiving key */
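Review bot: The catch around `mTransportUnit.unwrap(...)` logs `CMSCORE_KRA_WRAP_USER_KEY`, which looks copied from the storage-wrap path; the decrypt branch earlier in this file reports the equivalent failure with `CMSCORE_KRA_UNWRAP_USER_KEY`. Using the same key here, `mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));`, would let the system log distinguish a failed transport unwrap from a failed storage wrap. `e.getMessage()` can also be null for exceptions such as NullPointerException, so `mKRA.log(ILogger.LL_DEBUG, e.toString());` preserves at least the exception type.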
@@ -381,18 +398,14 @@ public class EnrollmentService implements IService {
}
byte privateKeyData[] = null;
- if (allowEncDecrypt_archival == true) {
- privateKeyData = mStorageUnit.encryptInternalPrivate(
- unwrapped);
- } else {
- privateKeyData = mStorageUnit.wrap(entityPrivKey);
- }
-
- if (statsSub != null) {
- statsSub.endTiming("encrypt_user_key");
- }
-
- if (privateKeyData == null) {
+ try {
+ if (allowEncDecrypt_archival == true) {
+ privateKeyData = mStorageUnit.encryptInternalPrivate(unwrapped);
+ } else {
+ privateKeyData = mStorageUnit.wrap(entityPrivKey);
+ }
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_DEBUG, e.getMessage());
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
auditMessage = CMS.getLogMessage(
@@ -403,8 +416,11 @@ public class EnrollmentService implements IService {
auditArchiveID);
audit(auditMessage);
- throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ }
+
+ if (statsSub != null) {
+ statsSub.endTiming("encrypt_user_key");
}
// create key record
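Review bot: `statsSub.endTiming("encrypt_user_key")` is now reached only when the wrap succeeds, whereas the removed code ended the timer before testing for a null result. On the exception path the timer is left open (assuming the matching `startTiming` sits just above this hunk), and the first hunk of this file has the same shape for `"decrypt_user_key"`. Placing the call in a `finally` on the new try, `} finally { if (statsSub != null) statsSub.endTiming("encrypt_user_key"); }`, restores the old accounting on both paths.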
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index d48f9ffa2..d3937915b 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -611,16 +611,19 @@ public class NetkeyKeygenService implements IService {
auditArchiveID);
audit(auditMessage);
+
CMS.debug("KRA encrypts private key to put on internal ldap db");
- byte privateKeyData[] =
- mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey);
+ byte privateKeyData[] = null;
- if (privateKeyData == null) {
+ try {
+ privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey);
+ } catch (Exception e) {
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed");
return false;
- } else
- CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful");
+ }
+
+ CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful");
// create key record
KeyRecord rec = new KeyRecord(null, publicKeyData,
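Review bot: The exception caught around `mStorageUnit.wrap(...)` is discarded here: the debug line says only that encryption failed and the method returns `false`. Because the commit removes the system-log call that `EncryptionUnit` used to make, nothing at all records why the storage unit refused the key. Including the exception, `CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed: " + e);`, or passing `e` to `CMS.debug(e)` as the removed `EncryptionUnit` code did, keeps the diagnostic this refactoring is meant to surface. The surrounding method is only partly visible in this hunk.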
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index 7bcceb833..70b5e57a7 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -271,8 +271,14 @@ public class RecoveryService implements IService {
if (statsSub != null) {
statsSub.startTiming("unwrap_key");
}
- mKRA.getStorageKeyUnit().unwrap(
- keyRecord.getPrivateKeyData(), null); // throw exception on error
+
+ try {
+ mKRA.getStorageKeyUnit().unwrap(
+ keyRecord.getPrivateKeyData(), null);
+ } catch (Exception e) {
+ throw new EBaseException("Failed to unwrap private key", e);
+ }
+
if (statsSub != null) {
statsSub.endTiming("unwrap_key");
}
@@ -405,18 +411,19 @@ public class RecoveryService implements IService {
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "public key parsing failure"));
}
byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
- PrivateKey privKey =
- mStorageUnit.unwrap(
- session,
- keyRecord.getAlgorithm(),
- iv,
- pri,
- pubkey);
-
- if (privKey == null) {
+ PrivateKey privKey = null;
+ try {
+ privKey = mStorageUnit.unwrap(
+ session,
+ keyRecord.getAlgorithm(),
+ iv,
+ pri,
+ pubkey);
+
+ } catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
- "private key unwrapping failure"));
+ "private key unwrapping failure"), e);
}
if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
mStorageUnit.logout();
@@ -555,18 +562,19 @@ public class RecoveryService implements IService {
mStorageUnit.login(creds);
}
mKRA.log(ILogger.LL_INFO, "KRA decrypts internal private");
- byte privateKeyData[] =
- mStorageUnit.decryptInternalPrivate(
- keyRecord.getPrivateKeyData());
- if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
- mStorageUnit.logout();
- }
- if (privateKeyData == null) {
+ try {
+ byte[] privateKeyData = mStorageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData());
+
+ if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
+ mStorageUnit.logout();
+ }
+
+ return privateKeyData;
+ } catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key"));
}
- return privateKeyData;
}
/**
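Review bot: With `mStorageUnit.logout()` moved inside the try, a failing `decryptInternalPrivate` now jumps straight to the catch and the storage unit stays logged in. The removed code logged out under `kra.keySplitting` before it tested the result. In key-splitting mode that leaves the recovery agents' login on the token after an unsuccessful recovery. A `finally` restores the old ordering and also lets the catch chain `e`; this assumes the enclosing method already declares the exception that `getBoolean` can throw, as the removed code called it outside any try. The earlier `mStorageUnit.unwrap(...)` hunk in this file has a similar shape: the throw in its catch precedes the `logout()` that follows it, although that ordering predates this commit.

```java
try {
    return mStorageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData());
} catch (Exception e) {
    // … unchanged: LL_FAILURE log of CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND …
    throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key"), e);
} finally {
    // release the storage token on success and on failure
    if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
        mStorageUnit.logout();
    }
}
```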
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 2a373344a..5f815a4b6 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -174,13 +174,14 @@ public class SecurityDataProcessor {
keyType = KeyRequestResource.SYMMETRIC_KEY_TYPE;
if (allowEncDecrypt_archival == true) {
- tmp_unwrapped = transportUnit.decryptExternalPrivate(
- wrappedSessionKey,
- algStr,
- sparams,
- secdata);
+ try {
+ tmp_unwrapped = transportUnit.decryptExternalPrivate(
+ wrappedSessionKey,
+ algStr,
+ sparams,
+ secdata);
- if(tmp_unwrapped == null ) {
+ } catch (Exception e) {
throw new EBaseException("Can't decrypt symm key using allEncDecrypt_archival : true .");
}
@@ -194,42 +195,58 @@ public class SecurityDataProcessor {
} else {
+ try {
+ securitySymKey = transportUnit.unwrap_symmetric(
+ wrappedSessionKey,
+ algStr,
+ sparams,
+ secdata,
+ KeyRequestService.SYMKEY_TYPES.get(algorithm),
+ strength);
+ } catch (Exception e) {
+ throw new EBaseException("Can't decrypt symmetric key.", e);
+ }
+ }
- securitySymKey = transportUnit.unwrap_symmetric(
+ } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
+ keyType = KeyRequestResource.PASS_PHRASE_TYPE;
+ try {
+ securityData = transportUnit.decryptExternalPrivate(
wrappedSessionKey,
algStr,
sparams,
- secdata,
- KeyRequestService.SYMKEY_TYPES.get(algorithm),
- strength);
+ secdata);
+ } catch (Exception e) {
+ throw new EBaseException("Can't decrypt passphrase.", e);
}
- } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
- keyType = KeyRequestResource.PASS_PHRASE_TYPE;
- securityData = transportUnit.decryptExternalPrivate(
- wrappedSessionKey,
- algStr,
- sparams,
- secdata);
-
}
byte[] publicKey = null;
byte privateSecurityData[] = null;
- if (securitySymKey != null && unwrapped == null) {
- privateSecurityData = storageUnit.wrap(securitySymKey);
- } else if (unwrapped != null && allowEncDecrypt_archival == true) {
- privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped);
- Arrays.fill(unwrapped, (byte)0);
- CMS.debug("allowEncDecrypt_archival of symmetric key.");
- }else if (securityData != null) {
- privateSecurityData = storageUnit.encryptInternalPrivate(securityData);
- } else { // We have no data.
+ try {
+ if (securitySymKey != null && unwrapped == null) {
+ privateSecurityData = storageUnit.wrap(securitySymKey);
+ } else if (unwrapped != null && allowEncDecrypt_archival == true) {
+ privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped);
+ Arrays.fill(unwrapped, (byte)0);
+ CMS.debug("allowEncDecrypt_archival of symmetric key.");
+ } else if (securityData != null) {
+ privateSecurityData = storageUnit.encryptInternalPrivate(securityData);
+ } else { // We have no data.
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
+ clientKeyId, null, "Failed to create security data to archive");
+ throw new EBaseException("Failed to create security data to archive!");
+ }
+ } catch (Exception e) {
+ CMS.debug("Failed to create security data to archive: " + e.getMessage());
auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
- clientKeyId, null, "Failed to create security data to archive");
- throw new EBaseException("Failed to create security data to archive!");
+ clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
}
+
// create key record
// Note that in this case the owner is the same as the approving agent
// because the archival request is made by the agent.
@@ -392,7 +409,7 @@ public class SecurityDataProcessor {
privateKey = storageUnit.unwrap_temp(privateKeyData, publicKey);
}
- } catch (IOException e) {
+ } catch (Exception e) {
throw new EBaseException("Cannot fetch the private key from the database.", e);
}
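Review bot: The widened `catch (Exception e)` now reports every failure in this try block as "Cannot fetch the private key from the database.", including a failure in `storageUnit.unwrap_temp` and any unchecked exception. That message points an operator at the database when the storage unit may be the cause. A neutral message would fit better, for example `throw new EBaseException("Cannot recover the private key.", e);`, which keeps the cause chained as it is now. The try block opens outside this hunk, so what else it covers is not visible here.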
@@ -590,15 +607,8 @@ public class SecurityDataProcessor {
keyRecord.getPrivateKeyData(),
KeyRequestService.SYMKEY_TYPES.get(keyRecord.getAlgorithm()),
keyRecord.getKeySize());
-
- if (symKey == null) {
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
- "symmetric key unwrapping failure"));
- }
-
return symKey;
} catch (Exception e) {
-
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
"recoverSymKey() " + e.toString()));
}
@@ -606,21 +616,10 @@ public class SecurityDataProcessor {
public byte[] recoverSecurityData(KeyRecord keyRecord)
throws EBaseException {
-
- byte[] decodedData = null;
-
try {
- decodedData = storageUnit.decryptInternalPrivate(
- keyRecord.getPrivateKeyData());
-
- if (decodedData == null) {
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
- "security data unwrapping failure"));
- }
-
- return decodedData;
+ return storageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData());
} catch (Exception e) {
-
+ CMS.debug("Failed to recover security data: " + e);
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
"recoverSecurityData() " + e.toString()));
}
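Review bot: The catch in recoverSecurityData() still builds the EKRAException from `e.toString()` and drops the exception itself, so the stack trace is lost while the exception text lands inside what appears to be a user-facing message (`CMS.getUserMessage`). With the null check removed, failures reach this method only as exceptions, so I would chain the cause and leave the detail to the debug log: `throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "recoverSecurityData()"), e);`. The two-argument constructor is already used in TokenKeyRecoveryService.recoverKey() in this commit. The same applies to the unchanged catch in recoverSymKey() in the previous hunk, and to the new catch blocks in SymKeyGenService and in the last TokenKeyRecoveryService hunk, which also discard `e`.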
diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
index 89c776d75..7d42cb45b 100644
--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
@@ -174,14 +174,21 @@ public class SymKeyGenService implements IService {
byte[] publicKey = null;
byte privateSecurityData[] = null;
- if (sk != null) {
- privateSecurityData = mStorageUnit.wrap(sk);
- } else { // We have no data.
+ if (sk == null) {
auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to create security data to archive");
throw new EBaseException("Failed to create security data to archive!");
}
+ try {
+ privateSecurityData = mStorageUnit.wrap(sk);
+ } catch (Exception e) {
+ CMS.debug("Failed to generate security data to archive: " + e);
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
+ clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
+ throw new EBaseException("Failed to generate security data to archive!");
+ }
+
// create key record
KeyRecord rec = new KeyRecord(null, publicKey,
privateSecurityData, owner,
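Review bot: The audit record written in the new catch uses `CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")`, although the call that failed is `mStorageUnit.wrap(sk)` on what is presumably a symmetric key. The exception thrown on the next line carries different text again. An audit entry for a key-archival failure should name the failure that happened, so I would pass the same text to both, with `"Failed to generate security data to archive"` as the last argument of `auditSymKeyGenRequestProcessed`. The enclosing method starts and ends outside this hunk.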
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index d1196b6e4..5ad8044d7 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -693,16 +693,19 @@ public class TokenKeyRecoveryService implements IService {
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "public key parsing failure"));
}
byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
- PrivateKey privKey =
- mStorageUnit.unwrap(
- session,
- keyRecord.getAlgorithm(),
- iv,
- pri,
- pubkey);
- if (privKey == null) {
- CMS.debug( "TokenKeyRecoveryService: recoverKey() - recovery failure");
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "private key recovery/unwrapping failure"));
+ PrivateKey privKey = null;
+ try {
+ privKey = mStorageUnit.unwrap(
+ session,
+ keyRecord.getAlgorithm(),
+ iv,
+ pri,
+ pubkey);
+ } catch (Exception e) {
+ CMS.debug("TokenKeyRecoveryService: recoverKey() - recovery failure");
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1",
+ "private key recovery/unwrapping failure"), e);
}
CMS.debug( "TokenKeyRecoveryService: recoverKey() - recovery completed, returning privKey");
return privKey;
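Review bot: The debug line in the new catch logs only "recovery failure" and omits the exception, unlike the catch blocks this commit adds in recoverSecurityData() and SymKeyGenService. `CMS.debug("TokenKeyRecoveryService: recoverKey() - recovery failure: " + e);` would keep the reason in the debug log. With the null check removed, the method also relies on `mStorageUnit.unwrap` throwing rather than returning null. If it can still return null, the "recovery completed" line is logged and null goes back to the caller. That contract lives in EncryptionUnit, outside this hunk, as does the start of recoverKey().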
@@ -724,18 +727,13 @@ public class TokenKeyRecoveryService implements IService {
mStorageUnit.login(creds);
*/
- CMS.debug("KRA decrypts internal private");
- byte privateKeyData[] =
- mStorageUnit.decryptInternalPrivate(
- keyRecord.getPrivateKeyData());
- /*
- mStorageUnit.logout();
- */
- if (privateKeyData == null) {
+ try {
+ return mStorageUnit.decryptInternalPrivate(keyRecord.getPrivateKeyData());
+ /* mStorageUnit.logout();*/
+ } catch (Exception e){
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key"));
}
- return privateKeyData;
}
/**
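Review bot: Every exception from `decryptInternalPrivate` is logged as `CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND` and rethrown as "no private key". In the logs, a decryption or token error therefore looks the same as a key that is actually absent. Adding `CMS.debug("TokenKeyRecoveryService: decryptInternalPrivate failed: " + e);` at the top of the catch would record the real reason. The commented-out `/* mStorageUnit.logout();*/` now sits after the `return` and could never run if re-enabled, so I would delete it or move it into a `finally` with a comment on why it is disabled. The method starts outside this hunk.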