summaryrefslogtreecommitdiffstats
path: root/base/kra/src
diff options
context:
space:
mode:
authorChristina Fu <cfu@redhat.com>2012-05-02 16:02:02 -0700
committerChristina Fu <cfu@redhat.com>2012-05-02 16:24:42 -0700
commit786ebf45b0aae29323de68e6b40856b8799c6a20 (patch)
tree4c0628f6a12680aa948a691562d3f8a7ad73b166 /base/kra/src
parent29f10d8050e2e401780ec4642f9ea1a4837b4a2d (diff)
downloadpki-786ebf45b0aae29323de68e6b40856b8799c6a20.tar.gz
pki-786ebf45b0aae29323de68e6b40856b8799c6a20.tar.xz
pki-786ebf45b0aae29323de68e6b40856b8799c6a20.zip
Bug 744207 - Key archival fails when KRA is configured with lunasa
- The real fix is in JSS alone; This patch only adds better error handling and non-static salt.
Diffstat (limited to 'base/kra/src')
-rw-r--r--base/kra/src/com/netscape/kra/RecoveryService.java16
1 files changed, 15 insertions, 1 deletions
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index 135f55b59..7fbefd776 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -20,12 +20,14 @@ package com.netscape.kra;
import java.io.ByteArrayOutputStream;
import java.io.CharConversionException;
import java.math.BigInteger;
+import java.security.SecureRandom;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
+import java.util.Random;
import netscape.security.util.BigInt;
import netscape.security.util.DerInputStream;
@@ -477,11 +479,20 @@ public class RecoveryService implements IService {
SEQUENCE safeContents = new SEQUENCE();
PasswordConverter passConverter = new
PasswordConverter();
- byte salt[] = { 0x01, 0x01, 0x01, 0x01 };
+ Random ran = new SecureRandom();
+ byte[] salt = new byte[20];
+ ran.nextBytes(salt);
ASN1Value key = EncryptedPrivateKeyInfo.createPBE(
PBEAlgorithm.PBE_SHA1_DES3_CBC,
pass, salt, 1, passConverter, priKey, ct);
+ CMS.debug("RecoverService: createPFX() EncryptedPrivateKeyInfo.createPBE() returned");
+ if (key == null) {
+ CMS.debug("RecoverService: createPFX() key null");
+ throw new EBaseException("EncryptedPrivateKeyInfo.createPBE() failed");
+ } else {
+ CMS.debug("RecoverService: createPFX() key not null");
+ }
SET keyAttrs = createBagAttrs(
x509cert.getSubjectDN().toString(),
@@ -519,8 +530,11 @@ public class RecoveryService implements IService {
// put final PKCS12 into volatile request
params.put(ATTR_PKCS12, fos.toByteArray());
+ CMS.debug("RecoverService: createPFX() completed.");
} catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_CONSTRUCT_P12", e.toString()));
+ CMS.debug("RecoverService: createPFX() exception caught:"+
+ e.toString());
throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString()));
}