| author | Ade Lee <alee@redhat.com> | 2017-02-21 00:04:44 -0500 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-03-06 23:58:47 -0500 |
| commit | b445d327ce696cd7fbbe8ba3eafc87addf07ec54 (patch) | |
| tree | 00c72b13b36ab216bfc8ba3cf929fe66c1a95e66 /base/kra/src/com | |
| parent | 83fe6e6d8500f13f888e140100363b02eccb07fa (diff) | |
Parameterize crypto functions, part 3
The crypto functions to unwrap the session key have been parameterized.
Diffstat (limited to 'base/kra/src/com')
4 files changed, 71 insertions, 31 deletions
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java index 17767b136..4971db88a 100644 --- a/base/kra/src/com/netscape/kra/EncryptionUnit.java +++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java @@ -175,12 +175,18 @@ public abstract class EncryptionUnit implements IEncryptionUnit { return _wrap(null,symmKey); } - public SymmetricKey unwrap_session_key(CryptoToken token, byte encSymmKey[], SymmetricKey.Usage usage) { - return unwrap_session_key(token, encSymmKey, usage, getPrivateKey()); + public SymmetricKey unwrap_session_key(CryptoToken token, byte encSymmKey[], SymmetricKey.Usage usage, + WrappingParams params) { + PrivateKey wrappingKey = getPrivateKey(); + String priKeyAlgo = wrappingKey.getAlgorithm(); + if (priKeyAlgo.equals("EC")) + params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB); + + return unwrap_session_key(token, encSymmKey, usage, wrappingKey, params); } - public SymmetricKey unwrap_sym(byte encSymmKey[]) { - return unwrap_session_key(getToken(), encSymmKey, SymmetricKey.Usage.WRAP); + public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params) { + return unwrap_session_key(getToken(), encSymmKey, SymmetricKey.Usage.WRAP, params); } /** @@ -210,11 +216,17 @@ public abstract class EncryptionUnit implements IEncryptionUnit { KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, KeyWrapAlgorithm.DES3_CBC_PAD); + PrivateKey wrappingKey = getPrivateKey(transCert); + String priKeyAlgo = wrappingKey.getAlgorithm(); + if (priKeyAlgo.equals("EC")) + params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB); + SymmetricKey sk = unwrap_session_key( token, encSymmKey, SymmetricKey.Usage.DECRYPT, - getPrivateKey(transCert)); + wrappingKey, + params); return decrypt_private_key(token, new IVParameterSpec(symmAlgParams), sk, encValue, params); } catch (IllegalBlockSizeException e) { 
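Review bot: The four-argument `unwrap_session_key` overwrites the session-key wrap algorithm on the caller's `params` object when the private key is EC, so a `WrappingParams` instance that a caller reuses across several calls (as `SecurityDataProcessor` appears to do with its single `wrapParams`) is changed underneath it; the same three lines are repeated in the `@@ -210,11` hunk and in the `@@ -340,12` hunk. The result of `getPrivateKey()` is also dereferenced without a null check, and because `getAlgorithm()` used to run inside the `try` of the five-argument overload, a missing key now appears to escape as a bare NullPointerException instead of reaching that error handling. I would move the selection into one private helper with an explicit `wrappingKey == null` check followed by `if ("EC".equals(wrappingKey.getAlgorithm())) params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);`, and state in the method's Javadoc that `params` is modified. The methods touched by the second and third occurrence continue outside their hunks.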
@@ -271,7 +283,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { CryptoToken token = getToken(); // (1) unwrap the session key - SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP); + SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP, params); // (2) unwrap the session-wrapped-symmetric-key SymmetricKey symKey = unwrap_symmetric_key( @@ -340,12 +352,18 @@ public abstract class EncryptionUnit implements IEncryptionUnit { KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, KeyWrapAlgorithm.DES3_CBC_PAD); + PrivateKey wrappingKey = getPrivateKey(transCert); + String priKeyAlgo = wrappingKey.getAlgorithm(); + if (priKeyAlgo.equals("EC")) + params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB); + // (1) unwrap the session key SymmetricKey sk = unwrap_session_key( token, encSymmKey, SymmetricKey.Usage.UNWRAP, - getPrivateKey(transCert)); + wrappingKey, + params); // (2) unwrap the session-wrapped-private key return unwrap_private_key( @@ -408,7 +426,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { // (1) unwrap the session key CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:" + token.getName()); - SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.DECRYPT); + SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.DECRYPT, params); // (2) decrypt the private key return decrypt_private_key(token, IV, sk, pri, params); @@ -476,7 +494,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { CryptoToken token = getToken(); // (1) unwrap the session key - SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP); + SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params); // (2) unwrap the session-wrapped-symmetric key return unwrap_symmetric_key(token, IV, algorithm, keySize, SymmetricKey.Usage.UNWRAP, sk, pri, params); 
@@ -551,7 +569,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { CryptoToken token = getToken(); // (1) unwrap the session key - SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP); + SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params); // (2) unwrap the private key return unwrap_private_key(token, pubKey, IV, temporary, sk, pri, params); @@ -713,20 +731,15 @@ public abstract class EncryptionUnit implements IEncryptionUnit { } public SymmetricKey unwrap_session_key(CryptoToken token, byte[] wrappedSessionKey, SymmetricKey.Usage usage, - PrivateKey wrappingKey) { + PrivateKey wrappingKey, WrappingParams params) { try { - String priKeyAlgo = wrappingKey.getAlgorithm(); - CMS.debug("EncryptionUnit::unwrap_sym() private key algo: " + priKeyAlgo); - KeyWrapper keyWrapper = null; - if (priKeyAlgo.equals("EC")) { - keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); - keyWrapper.initUnwrap(wrappingKey, null); - } else { - keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); - keyWrapper.initUnwrap(wrappingKey, null); - } - SymmetricKey sk = keyWrapper.unwrapSymmetric(wrappedSessionKey, - SymmetricKey.DES3, usage, + KeyWrapper keyWrapper = token.getKeyWrapper(params.getSkWrapAlgorithm()); + keyWrapper.initUnwrap(wrappingKey, null); + + SymmetricKey sk = keyWrapper.unwrapSymmetric( + wrappedSessionKey, + params.getSkTyoe(), + usage, 0); CMS.debug("EncryptionUnit::unwrap_sym() unwrapped on slot: " + token.getName()); diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index a4f6c087c..d48f9ffa2 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java 
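Review bot: In the `@@ -713,20` hunk the five-argument `unwrap_session_key` takes both the wrap algorithm and the key type from `params` without any validation, so a null `params`, a null `getSkWrapAlgorithm()` or an algorithm that does not fit the type of `wrappingKey` only fails somewhere inside the token call. A guard at the top of the method that rejects a null `params` or wrap algorithm would make a misconfigured caller fail early and readably. The accessor `getSkTyoe()` looks like a typo for `getSkType()`; it is declared in `WrappingParams`, outside this diff, so the rename would have to start there. The debug text still says `unwrap_sym()` and the removed `private key algo` line was the only place the chosen algorithm was logged; `CMS.debug("EncryptionUnit::unwrap_session_key() wrap algorithm: " + params.getSkWrapAlgorithm());` would restore that trace. The `try` block continues outside the hunk.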
@@ -35,6 +35,7 @@ import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; +import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyPairAlgorithm; import org.mozilla.jss.crypto.KeyPairGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; @@ -61,6 +62,7 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; +import com.netscape.certsrv.security.WrappingParams; import com.netscape.cms.servlet.key.KeyRecordParser; import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmscore.util.Debug; @@ -453,8 +455,13 @@ public class NetkeyKeygenService implements IService { if ((wrapped_des_key != null) && (wrapped_des_key.length > 0)) { + WrappingParams wrapParams = new WrappingParams( + SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, + KeyWrapAlgorithm.DES3_CBC_PAD); + // unwrap the DES key - sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key); + sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams); /* XXX could be done in HSM*/ KeyPair keypair = null; diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index c3f92255f..2a373344a 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java 
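Review bot: The `WrappingParams` built in the `@@ -453,8` hunk is a seven-argument positional call with a bare `null` and `0`, and the identical literal is repeated in `SecurityDataProcessor` (`@@ -400,6`) and `TokenKeyRecoveryService` (`@@ -270,8`), so the three call sites can drift apart and nothing tells a reader which slot is the session-key wrap algorithm. One shared factory method or constant for these legacy transport parameters would keep them in step. Short of that, add a comment above each constructor call, for example `// legacy transport defaults: DES3 session key, RSA session-key wrap; TODO make configurable`. The unwrap path is now parameterized, but every caller shown here still pins 3DES, and the comment is the place to record that these are the defaults a later change has to replace.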
@@ -22,6 +22,7 @@ import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; +import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.KeyWrapper; @@ -51,6 +52,7 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; +import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmsutil.util.Utils; @@ -400,6 +402,11 @@ public class SecurityDataProcessor { CryptoToken ct = transportUnit.getToken(); + WrappingParams wrapParams = new WrappingParams( + SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, + KeyWrapAlgorithm.DES3_CBC_PAD); + byte[] key_data = null; String pbeWrappedData = null; @@ -409,7 +416,8 @@ public class SecurityDataProcessor { Password pass = null; try { - unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.DECRYPT); + unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, + SymmetricKey.Usage.DECRYPT, wrapParams); Cipher decryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); decryptor.initDecrypt(unwrappedSess, new IVParameterSpec(iv_in)); unwrappedPass = decryptor.doFinal(wrappedPassPhrase); 
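Review bot: In the `@@ -409,7` hunk the session key is now unwrapped according to `wrapParams`, but the cipher on the following line is still created with the literal `EncryptionAlgorithm.DES3_CBC_PAD`, so the key type in `wrapParams` and the cipher that consumes the key stay in agreement only by hand. The same pairing recurs in the `@@ -473,7`, `@@ -487,7`, `@@ -502,7`, `@@ -525,7` and `@@ -539,7` hunks, where `getCipherContext` or `getKeyWrapper` is called with `DES3_CBC_PAD`. The `WrappingParams` constructor already receives `EncryptionAlgorithm.DES3_CBC_PAD` and `KeyWrapAlgorithm.DES3_CBC_PAD`, so if the class exposes them, reading the algorithm from `wrapParams` at these calls would remove the mismatch risk; otherwise a comment such as `// cipher must match the session key type in wrapParams` belongs beside each call. The enclosing `try` block continues outside the hunk.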
@@ -473,7 +481,8 @@ public class SecurityDataProcessor { try { if (allowEncDecrypt_recovery == true) { CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key with session key as per allowEncDecrypt_recovery: true."); - unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.ENCRYPT); + unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, + SymmetricKey.Usage.ENCRYPT, wrapParams); Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); if (encryptor != null) { @@ -487,7 +496,8 @@ public class SecurityDataProcessor { } } else { - unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.WRAP); + unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, + SymmetricKey.Usage.WRAP, wrapParams); KeyWrapper wrapper = ct.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv)); key_data = wrapper.wrap(symKey); @@ -502,7 +512,8 @@ public class SecurityDataProcessor { } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) { CMS.debug("SecurityDataProcessor.recover(): encrypt stored passphrase with session key"); try { - unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.ENCRYPT); + unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, + SymmetricKey.Usage.ENCRYPT, wrapParams); Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); if (encryptor != null) { encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv)); 
@@ -525,7 +536,8 @@ public class SecurityDataProcessor { try { if (allowEncDecrypt_recovery == true) { CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key with session key as per allowEncDecrypt_recovery: true."); - unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.ENCRYPT); + unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, + SymmetricKey.Usage.ENCRYPT, wrapParams); Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); if (encryptor != null) { @@ -539,7 +551,8 @@ public class SecurityDataProcessor { } } else { - unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, SymmetricKey.Usage.WRAP); + unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey, + SymmetricKey.Usage.WRAP, wrapParams); KeyWrapper wrapper = ct.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv)); key_data = wrapper.wrap(privateKey); diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index 219390606..d1196b6e4 100644 --- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java @@ -31,6 +31,7 @@ import org.mozilla.jss.crypto.Cipher; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; +import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.PrivateKey; 
@@ -51,6 +52,7 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; +import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmsutil.util.Cert; @@ -270,8 +272,13 @@ public class TokenKeyRecoveryService implements IService { if ((wrapped_des_key != null) && (wrapped_des_key.length > 0)) { + WrappingParams wrapParams = new WrappingParams( + SymmetricKey.DES3, null, KeyGenAlgorithm.DES3, 0, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, + KeyWrapAlgorithm.DES3_CBC_PAD); + // unwrap the des key - sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key); + sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams); if (sk == null) { CMS.debug("TokenKeyRecoveryService: no des key"); |
