author | Christina Fu <cfu@redhat.com> | 2012-05-02 16:02:02 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2012-05-02 16:24:42 -0700 |
commit | 786ebf45b0aae29323de68e6b40856b8799c6a20 (patch) | |
tree | 4c0628f6a12680aa948a691562d3f8a7ad73b166 /base/kra/src | |
parent | 29f10d8050e2e401780ec4642f9ea1a4837b4a2d (diff) | |
Bug 744207 - Key archival fails when KRA is configured with lunasa
- The real fix is in JSS itself; this patch only adds better error handling and a non-static (randomly generated) salt.
Diffstat (limited to 'base/kra/src')
-rw-r--r-- | base/kra/src/com/netscape/kra/RecoveryService.java | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index 135f55b59..7fbefd776 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -20,12 +20,14 @@ package com.netscape.kra;
 import java.io.ByteArrayOutputStream;
 import java.io.CharConversionException;
 import java.math.BigInteger;
+import java.security.SecureRandom;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.Hashtable;
+import java.util.Random;
 import netscape.security.util.BigInt;
 import netscape.security.util.DerInputStream;
@@ -477,11 +479,20 @@ public class RecoveryService implements IService {
 SEQUENCE safeContents = new SEQUENCE();
 PasswordConverter passConverter = new PasswordConverter();
- byte salt[] = { 0x01, 0x01, 0x01, 0x01 };
+ Random ran = new SecureRandom();
+ byte[] salt = new byte[20];
+ ran.nextBytes(salt);
 ASN1Value key = EncryptedPrivateKeyInfo.createPBE( PBEAlgorithm.PBE_SHA1_DES3_CBC, pass, salt, 1, passConverter, priKey, ct);
+ CMS.debug("RecoverService: createPFX() EncryptedPrivateKeyInfo.createPBE() returned");
+ if (key == null) {
+ CMS.debug("RecoverService: createPFX() key null");
+ throw new EBaseException("EncryptedPrivateKeyInfo.createPBE() failed");
+ } else {
+ CMS.debug("RecoverService: createPFX() key not null");
+ }
 SET keyAttrs = createBagAttrs( x509cert.getSubjectDN().toString(), 
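Review bot: The iteration count handed to `EncryptedPrivateKeyInfo.createPBE(PBEAlgorithm.PBE_SHA1_DES3_CBC, pass, salt, 1, ...)` is still `1`, so the now-random salt only defeats precomputation against the old fixed salt; it does nothing to slow a brute-force of `pass`, which matters if that password is operator-chosen rather than a fresh random secret (not visible here). PKCS#5 has recommended at least 1000 iterations for years, so unless JSS or the consumers of this PKCS#12 are known to reject higher counts, pass a named constant such as `private static final int PBE_ITERATIONS = 1000;` instead of the literal `1`. Separately, declaring the generator as `Random ran = new SecureRandom();` hides that a CSPRNG is required and is the only reason for the new `java.util.Random` import; `SecureRandom ran = new SecureRandom();` states the intent and drops that import, and the `else` branch that merely logs `key not null` adds nothing once the null check throws. The enclosing createPFX() body starts and ends outside this hunk.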
@@ -519,8 +530,11 @@ public class RecoveryService implements IService {
 // put final PKCS12 into volatile request
 params.put(ATTR_PKCS12, fos.toByteArray());
+ CMS.debug("RecoverService: createPFX() completed.");
 } catch (Exception e) {
 mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_CONSTRUCT_P12", e.toString()));
+ CMS.debug("RecoverService: createPFX() exception caught:"+
+ e.toString());
 throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString()));
 } |
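Review bot: The new debug messages are prefixed `"RecoverService: ..."` while the class is `RecoveryService`, so anyone grepping the debug log by class name will miss every line this patch adds; use `"RecoveryService: createPFX() exception caught:"` (and the same prefix in the other new messages). The added `CMS.debug(... + e.toString())` also repeats what the `LL_FAILURE` log line immediately above already records, and neither captures a stack trace, which is what actually helps diagnose a failure inside the JSS/HSM path this bug is about; if `CMS.debug` has a `Throwable` overload, log `e` itself instead of `e.toString()`. The catch block belongs to a try whose start is outside this hunk.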