authorAde Lee <alee@redhat.com>2017-03-24 10:27:37 -0400
committerAde Lee <alee@redhat.com>2017-03-24 16:38:43 -0400
commitc063947c5a2e70ef588a796038c6e108ad013876 (patch)
tree81e5d07460c2ff7c7070fbbd3446719888d080d5 /base/kra/src
parent874825f2d8e41b276aa3674d0cff5912dc6a55fa (diff)
Modify storage unit to generate a new IV
Currently, the storage unit reuses the same IV each time a record is stored. This works (probably) for DES3, but not for AES.

The getWrappingParams() method is modified to check the config as follows (in order):
-- if the iv is defined, use that iv
-- if the length is defined, generate a byte array of that length
-- otherwise, return null

To ensure that the same IV used to encrypt the secret is stored in the DB, the wrapping param is defined once in the archival process, and passed in to the wrapping functions in storageUnit.

Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
Diffstat (limited to 'base/kra/src')
-rw-r--r--base/kra/src/com/netscape/kra/AsymKeyGenService.java8
-rw-r--r--base/kra/src/com/netscape/kra/EnrollmentService.java9
-rw-r--r--base/kra/src/com/netscape/kra/NetkeyKeygenService.java6
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataProcessor.java10
-rw-r--r--base/kra/src/com/netscape/kra/StorageKeyUnit.java46
-rw-r--r--base/kra/src/com/netscape/kra/SymKeyGenService.java8
6 files changed, 58 insertions, 29 deletions
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
index ffd8b03cf..a731fb155 100644
--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
@@ -43,6 +43,8 @@ import com.netscape.certsrv.security.IStorageKeyUnit;
import com.netscape.cms.servlet.key.KeyRequestDAO;
import com.netscape.cmscore.dbs.KeyRecord;
+import netscape.security.util.WrappingParams;
+
/**
* Service class to handle asymmetric key generation requests.
* A new asymmetric key is generated and archived the database as a key record.
@@ -160,9 +162,11 @@ public class AsymKeyGenService implements IService {
}
byte[] privateSecurityData = null;
+ WrappingParams params = null;
try {
- privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate());
+ params = storageUnit.getWrappingParams();
+ privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate(), params);
} catch (Exception e) {
CMS.debug("Failed to generate security data to archive: " + e);
auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
@@ -198,7 +202,7 @@ public class AsymKeyGenService implements IService {
}
try {
- record.setWrappingParams(storageUnit.getOldWrappingParams());
+ record.setWrappingParams(params);
} catch (Exception e) {
auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to store wrapping params");
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index 5aa35da57..36a809bc4 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -67,6 +67,7 @@ import netscape.security.util.BigInt;
import netscape.security.util.DerInputStream;
import netscape.security.util.DerOutputStream;
import netscape.security.util.DerValue;
+import netscape.security.util.WrappingParams;
import netscape.security.x509.CertificateSubjectName;
import netscape.security.x509.CertificateX509Key;
import netscape.security.x509.X509CertInfo;
@@ -397,12 +398,14 @@ public class EnrollmentService implements IService {
statsSub.startTiming("encrypt_user_key");
}
byte privateKeyData[] = null;
+ WrappingParams params = null;
try {
+ params = mStorageUnit.getWrappingParams();
if (allowEncDecrypt_archival == true) {
- privateKeyData = mStorageUnit.encryptInternalPrivate(unwrapped);
+ privateKeyData = mStorageUnit.encryptInternalPrivate(unwrapped, params);
} else {
- privateKeyData = mStorageUnit.wrap(entityPrivKey);
+ privateKeyData = mStorageUnit.wrap(entityPrivKey, params);
}
} catch (Exception e) {
mKRA.log(ILogger.LL_DEBUG, e.getMessage());
@@ -503,7 +506,7 @@ public class EnrollmentService implements IService {
}
try {
- rec.setWrappingParams(mStorageUnit.getWrappingParams());
+ rec.setWrappingParams(params);
} catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters");
// TODO(alee) Set correct audit message here
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index d680445a2..3f5e32f45 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -596,9 +596,11 @@ public class NetkeyKeygenService implements IService {
CMS.debug("KRA encrypts private key to put on internal ldap db");
byte privateKeyData[] = null;
+ WrappingParams params = null;
try {
- privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey);
+ params = mStorageUnit.getWrappingParams();
+ privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
} catch (Exception e) {
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed");
@@ -669,7 +671,7 @@ public class NetkeyKeygenService implements IService {
return false;
}
- rec.setWrappingParams(mStorageUnit.getWrappingParams());
+ rec.setWrappingParams(params);
CMS.debug("NetkeyKeygenService: before addKeyRecord");
rec.set(KeyRecord.ATTR_ID, serialNo);
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 55111c9b8..6c4851f13 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -216,19 +216,21 @@ public class SecurityDataProcessor {
}
}
+ WrappingParams params = null;
byte[] publicKey = null;
byte privateSecurityData[] = null;
try {
+ params = storageUnit.getWrappingParams();
if (securitySymKey != null && unwrapped == null) {
- privateSecurityData = storageUnit.wrap(securitySymKey);
+ privateSecurityData = storageUnit.wrap(securitySymKey, params);
} else if (unwrapped != null && allowEncDecrypt_archival == true) {
- privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped);
+ privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped, params);
Arrays.fill(unwrapped, (byte)0);
CMS.debug("allowEncDecrypt_archival of symmetric key.");
} else if (securityData != null) {
- privateSecurityData = storageUnit.encryptInternalPrivate(securityData);
+ privateSecurityData = storageUnit.encryptInternalPrivate(securityData, params);
} else { // We have no data.
auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
clientKeyId, null, "Failed to create security data to archive");
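Review bot: `Arrays.fill(unwrapped, (byte)0)` runs only after `encryptInternalPrivate(unwrapped, params)` returns normally, and this change adds a second call that can throw ahead of it, `storageUnit.getWrappingParams()` at the top of the try. On either exception the unwrapped key bytes stay in memory until the array is collected. Moving the zeroing into a `finally` on this try, guarded by `if (unwrapped != null)`, would clear the buffer on both the success and the failure path. The try block ends outside the hunk, so the existing catch shape is not visible here.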
@@ -286,7 +288,7 @@ public class SecurityDataProcessor {
}
try {
- rec.setWrappingParams(storageUnit.getWrappingParams());
+ rec.setWrappingParams(params);
} catch (Exception e) {
kra.log(ILogger.LL_FAILURE,
"Failed to store wrapping parameters: " + e);
diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
index 295e4c7d1..3e7f1deb9 100644
--- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java
+++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
@@ -167,17 +167,33 @@ public class StorageKeyUnit extends EncryptionUnit implements
config.getInteger(KeyRecordParser.OUT_SK_LENGTH));
}
- if (config.getString(KeyRecordParser.OUT_PL_ENCRYPTION_IV, null) != null) {
- byte[] iv = Base64.decodeBase64(config.getString(KeyRecordParser.OUT_PL_ENCRYPTION_IV));
- params.setPayloadEncryptionIV(new IVParameterSpec(iv));
+ byte [] iv = getConfigIV(
+ config, KeyRecordParser.OUT_PL_ENCRYPTION_IV,
+ KeyRecordParser.OUT_PL_ENCRYPTION_IV_LEN);
+ if (iv != null) params.setPayloadEncryptionIV(new IVParameterSpec(iv));
+
+ iv = getConfigIV(
+ config, KeyRecordParser.OUT_PL_WRAP_IV,
+ KeyRecordParser.OUT_PL_WRAP_IV_LEN);
+ if (iv != null) params.setPayloadWrappingIV(new IVParameterSpec(iv));
+
+ return params;
+ }
+
+ private byte[] getConfigIV(IConfigStore config, String iv_label, String len_label)
+ throws Exception{
+ String iv_string = config.getString(iv_label, null);
+ String iv_len = config.getString(len_label, null);
+
+ if (iv_string != null) {
+ return Base64.decodeBase64(iv_string);
}
- if (config.getString(KeyRecordParser.OUT_PL_WRAP_IV, null) != null) {
- byte[] iv = Base64.decodeBase64(config.getString(KeyRecordParser.OUT_PL_WRAP_IV));
- params.setPayloadWrappingIV(new IVParameterSpec(iv));
+ if (iv_len != null) {
+ return CryptoUtil.getNonceData(Integer.parseInt(iv_len));
}
- return params;
+ return null;
}
/**
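Review bot: getConfigIV still prefers the configured IV over the length, so an instance whose config keeps a value under the IV label goes on using one fixed IV for every archived record, which the commit message says does not work for AES. A comment on getConfigIV stating that the fixed-IV branch exists only for compatibility, plus a `CMS.debug` line when it is taken, would make that state visible to an operator. The length branch passes `Integer.parseInt(iv_len)` straight to `CryptoUtil.getNonceData` with no range check; `if (len <= 0) throw new IllegalArgumentException(len_label + " must be positive");` would reject a zero or negative setting, and a comparison with the cipher's IV size is worth considering. getNonceData is not shown on this page, so confirm it draws from a cryptographically secure generator. The enclosing method begins above the hunk.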
@@ -1048,13 +1064,11 @@ public class StorageKeyUnit extends EncryptionUnit implements
* Methods to encrypt and store secrets in the database
***************************************************************************************/
- public byte[] encryptInternalPrivate(byte priKey[]) throws Exception {
+ public byte[] encryptInternalPrivate(byte priKey[], WrappingParams params) throws Exception {
try (DerOutputStream out = new DerOutputStream()) {
CMS.debug("EncryptionUnit.encryptInternalPrivate");
CryptoToken internalToken = getInternalToken();
- WrappingParams params = getWrappingParams();
-
// (1) generate session key
SymmetricKey sk = CryptoUtil.generateKey(
internalToken,
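Review bot: encryptInternalPrivate now depends on the caller for `params`, but nothing documents or checks that the value is non-null and is the same instance later written to the key record; the same holds for both `wrap` overloads and `_wrap` in the next hunk, where the Javadoc still reads `@param params TODO`. Because getWrappingParams() can now produce a different IV on each call, a caller that wraps with one instance and stores another would save an IV that cannot decrypt the record. I would document it on all four methods, for example `@param params wrapping parameters obtained from getWrappingParams(); the same instance must be stored with the key record`, and fail fast with `if (params == null) throw new IllegalArgumentException("params is null");`. The method body continues past the end of the hunk.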
@@ -1094,24 +1108,24 @@ public class StorageKeyUnit extends EncryptionUnit implements
}
}
- public byte[] wrap(PrivateKey privKey) throws Exception {
- return _wrap(privKey,null);
+ public byte[] wrap(PrivateKey privKey, WrappingParams params) throws Exception {
+ return _wrap(privKey,null, params);
}
- public byte[] wrap(SymmetricKey symmKey) throws Exception {
- return _wrap(null,symmKey);
+ public byte[] wrap(SymmetricKey symmKey, WrappingParams params) throws Exception {
+ return _wrap(null,symmKey, params);
}
/***
* Internal wrap, accounts for either private or symmetric key
+ * @param params TODO
*/
- private byte[] _wrap(PrivateKey priKey, SymmetricKey symmKey) throws Exception {
+ private byte[] _wrap(PrivateKey priKey, SymmetricKey symmKey, WrappingParams params) throws Exception {
try (DerOutputStream out = new DerOutputStream()) {
if ((priKey == null && symmKey == null) || (priKey != null && symmKey != null)) {
return null;
}
CMS.debug("EncryptionUnit.wrap interal.");
- WrappingParams params = getWrappingParams();
CryptoToken token = getToken();
SymmetricKey.Usage usages[] = new SymmetricKey.Usage[2];
diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
index 94301b662..9c50eb377 100644
--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
@@ -43,6 +43,8 @@ import com.netscape.cms.servlet.key.KeyRequestDAO;
import com.netscape.cmscore.dbs.KeyRecord;
import com.netscape.cmsutil.crypto.CryptoUtil;
+import netscape.security.util.WrappingParams;
+
/**
* This implementation implements SecurityData archival operations.
* <p>
@@ -161,6 +163,7 @@ public class SymKeyGenService implements IService {
byte[] publicKey = null;
byte privateSecurityData[] = null;
+ WrappingParams params = null;
if (sk == null) {
auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
@@ -169,7 +172,8 @@ public class SymKeyGenService implements IService {
}
try {
- privateSecurityData = mStorageUnit.wrap(sk);
+ params = mStorageUnit.getWrappingParams();
+ privateSecurityData = mStorageUnit.wrap(sk, params);
} catch (Exception e) {
CMS.debug("Failed to generate security data to archive: " + e);
auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
@@ -213,7 +217,7 @@ public class SymKeyGenService implements IService {
}
try {
- rec.setWrappingParams(mStorageUnit.getWrappingParams());
+ rec.setWrappingParams(params);
} catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE,
"Failed to store wrapping parameters: " + e);