author | Ade Lee <alee@redhat.com> | 2014-02-24 15:31:12 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2014-02-26 01:18:56 -0500 |
commit | 62d4b2b3934507b1ddf699bcea4a6295565bb008 (patch) | |
tree | 624b07de5aa7dc1b824f4094f3b3a1fb4fab2320 /base/kra | |
parent | 4488bb70e2b762d5282fcf88f1c4a349300dd6ea (diff) | |
download | pki-62d4b2b3934507b1ddf699bcea4a6295565bb008.tar.gz pki-62d4b2b3934507b1ddf699bcea4a6295565bb008.tar.xz pki-62d4b2b3934507b1ddf699bcea4a6295565bb008.zip |
Add ability to archive without sending pkiArchiveOptions object.
With this patch, you can now either send a pkiArchiveOptions object
or the exploded parameters. This reduces the processing required on
the client side.
Diffstat (limited to 'base/kra')
-rw-r--r-- | base/kra/functional/drmtest.py | 15 | ||||
-rw-r--r-- | base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java | 12 | ||||
-rw-r--r-- | base/kra/src/com/netscape/kra/SecurityDataService.java | 81 |
3 files changed, 79 insertions, 29 deletions
diff --git a/base/kra/functional/drmtest.py b/base/kra/functional/drmtest.py index dd7abbf53..08baf5011 100644 --- a/base/kra/functional/drmtest.py +++ b/base/kra/functional/drmtest.py @@ -106,7 +106,7 @@ def main(): # Test 4: generate symkey -- same as barbican_encode() print "Now generating symkey on KRA" #client_key_id = "Vek #1" + time.strftime('%X %x %Z') - client_key_id = "veka6" + client_key_id = "veka9" algorithm = "AES" key_size = 128 usages = [key.SymKeyGenerationRequest.DECRYPT_USAGE, key.SymKeyGenerationRequest.ENCRYPT_USAGE] @@ -132,6 +132,7 @@ def main(): # Test 6: Barbican_decode() - Retrieve while providing trans_wrapped_session_key session_key = crypto.generate_session_key() wrapped_session_key = crypto.asymmetric_wrap(session_key, keyclient.transport_cert) + print "My key id is " + str(key_id) key_data, _unwrapped_key = keyclient.retrieve_key(key_id, trans_wrapped_session_key=wrapped_session_key) print_key_data(key_data) unwrapped_key = crypto.symmetric_unwrap(base64.decodestring(key_data.wrappedPrivateData), @@ -211,5 +212,17 @@ def main(): response = keyclient.generate_symmetric_key(client_key_id) print_key_request(response.requestInfo) + # Test 19: Try to archive key + print "try to archive key" + print "key to archive: " + key1 + client_key_id = "Vek #4" + time.strftime('%X %x %Z') + + # this test is not quite working yet + #response = keyclient.archive_key(client_key_id, keyclient.SYMMETRIC_KEY_TYPE, + # private_data=base64.decodestring(key1), + # key_algorithm=keyclient.AES_ALGORITHM, + # key_size=128) + #print_key_request(response.requestInfo) + if __name__ == "__main__": main() diff --git a/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java b/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java index 5681c1114..899c78a66 100644 --- a/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java +++ b/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java 
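Review bot: The new Test 19 block prints the raw key material to stdout (`print "key to archive: " + key1`) and then leaves the archive call itself commented out with a "not quite working yet" note, so the hunk adds a secret-leaking print and no actual test. Functional-test output ends up in CI logs and terminal scrollback, so print only the identifier, e.g. `print "archiving key as " + client_key_id`, and either finish the `archive_key` call or drop the commented-out block until it works. `key1` is assigned outside this hunk, so I can't confirm what it holds from here; the commented code passes it through `base64.decodestring`, which suggests it is the base64 of a real key. `main()` starts and ends outside this hunk.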
@@ -263,8 +263,8 @@ public class DRMTest {
 byte[] encoded = CryptoUtil.createPKIArchiveOptions(manager, token, transportCert, vek, null, KeyGenAlgorithm.DES3, ivps);
- KeyRequestResponse info = keyClient.archiveSecurityData(encoded, clientKeyId,
- KeyRequestResource.SYMMETRIC_KEY_TYPE, KeyRequestResource.DES3_ALGORITHM, 0);
+ KeyRequestResponse info = keyClient.archiveSecurityData(clientKeyId, KeyRequestResource.SYMMETRIC_KEY_TYPE,
+ KeyRequestResource.DES3_ALGORITHM, 0, encoded);
 log("Archival Results:");
 printRequestInfo(info.getRequestInfo());
 keyId = info.getRequestInfo().getKeyId();
@@ -375,8 +375,8 @@ public class DRMTest {
 try {
 byte[] encoded = CryptoUtil.createPKIArchiveOptions(manager, token, transportCert, null, passphrase, KeyGenAlgorithm.DES3, ivps);
- requestResponse = keyClient.archiveSecurityData(encoded, clientKeyId,
- KeyRequestResource.PASS_PHRASE_TYPE, null, 0);
+ requestResponse = keyClient.archiveSecurityData(clientKeyId, KeyRequestResource.PASS_PHRASE_TYPE,
+ null, 0, encoded);
 log("Archival Results:");
 printRequestInfo(requestResponse.getRequestInfo());
 keyId = requestResponse.getRequestInfo().getKeyId();
@@ -661,8 +661,8 @@ public class DRMTest {
 byte[] encoded = CryptoUtil.createPKIArchiveOptions(manager, token, transportCert, vek, null, KeyGenAlgorithm.DES3, ivps);
- KeyRequestResponse response = keyClient.archiveSecurityData(encoded, clientKeyId,
- KeyRequestResource.SYMMETRIC_KEY_TYPE, KeyRequestResource.AES_ALGORITHM, 128);
+ KeyRequestResponse response = keyClient.archiveSecurityData(clientKeyId, KeyRequestResource.SYMMETRIC_KEY_TYPE,
+ KeyRequestResource.AES_ALGORITHM, 128, encoded);
 log("Archival Results:");
 printRequestInfo(response.getRequestInfo());
 keyId = response.getRequestInfo().getKeyId();
diff --git a/base/kra/src/com/netscape/kra/SecurityDataService.java b/base/kra/src/com/netscape/kra/SecurityDataService.java
index 388079f32..37229f09a 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataService.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataService.java
@@ -84,7 +84,17 @@ public class SecurityDataService implements IService {
 throws EBaseException {
 String id = request.getRequestId().toString();
 String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID);
- String wrappedSecurityData = request.getExtDataInString(IEnrollProfile.REQUEST_ARCHIVE_OPTIONS);
+
+ // one way to get data - unexploded pkiArchiveOptions
+ String pkiArchiveOptions = request.getExtDataInString(IEnrollProfile.REQUEST_ARCHIVE_OPTIONS);
+
+ // another way - exploded pkiArchiveOptions
+ String transWrappedSessionKey = request.getExtDataInString(IEnrollProfile.REQUEST_SESSION_KEY);
+ String wrappedSecurityData = request.getExtDataInString(IEnrollProfile.REQUEST_SECURITY_DATA);
+ String algParams = request.getExtDataInString(IEnrollProfile.REQUEST_ALGORITHM_PARAMS);
+ String algStr = request.getExtDataInString(IEnrollProfile.REQUEST_ALGORITHM_OID);
+
+ // prameters if the secret is a symkey
 String dataType = request.getExtDataInString(IRequest.SECURITY_DATA_TYPE);
 String algorithm = request.getExtDataInString(IRequest.SECURITY_DATA_ALGORITHM);
 int strength = request.getExtDataInInteger(IRequest.SECURITY_DATA_STRENGTH);
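Review bot: The hunk introduces two alternative input forms but documents them only with the loose `// one way ...` / `// another way ...` comments, and the new `// prameters if the secret is a symkey` comment has a typo; a reader cannot tell from here which of the new fields must be present together. I'd replace the two form comments with one that states the contract, e.g. `// Two mutually exclusive input forms: REQUEST_ARCHIVE_OPTIONS carries an encoded PKIArchiveOptions, or the exploded form REQUEST_SESSION_KEY, REQUEST_SECURITY_DATA, REQUEST_ALGORITHM_OID and REQUEST_ALGORITHM_PARAMS (all four required).`, and fix the typo to `// parameters if the secret is a symkey`. It is also worth a word in that comment that `wrappedSecurityData` changes meaning in this commit: it used to hold the encoded PKIArchiveOptions and now holds the exploded wrapped secret, while the old name survives below. The enclosing method's signature and the rest of its body are outside this hunk.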
@@ -96,25 +106,50 @@ public class SecurityDataService implements IService {
 String subjectID = auditSubjectID();
 //Check here even though restful layer checks for this.
- if(wrappedSecurityData == null || clientKeyId == null || dataType == null) {
+ if (clientKeyId == null || dataType == null) {
 auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(), clientKeyId, null, "Bad data in request");
 throw new EBaseException("Bad data in SecurityDataService.serviceRequest");
 }
- //We need some info from the PKIArchiveOptions wrapped security data
- byte[] encoded = Utils.base64decode(wrappedSecurityData);
+ if (wrappedSecurityData != null) {
+ if (transWrappedSessionKey == null || algStr == null || algParams == null) {
+ throw new EBaseException(
+ "Bad data in SecurityDataService.serviceRequest, no session key");
- ArchiveOptions options = ArchiveOptions.toArchiveOptions(encoded);
-
- //Check here just in case a null ArchiveOptions makes it this far
- if(options == null) {
- auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
- clientKeyId, null, "Problem decoding PKIArchiveOptions");
- throw new EBaseException("Problem decoding PKIArchiveOptions.");
+ }
+ } else if (pkiArchiveOptions == null) {
+ throw new EBaseException("No data to archive in SecurityDataService.serviceRequest");
 }
- String algStr = options.getSymmAlgOID();
+ byte[] wrappedSessionKey = null;
+ byte[] secdata = null;
+ byte[] sparams = null;
+
+ if (wrappedSecurityData == null) {
+ // We have PKIArchiveOptions data
+
+ //We need some info from the PKIArchiveOptions wrapped security data
+ byte[] encoded = Utils.base64decode(pkiArchiveOptions);
+
+ ArchiveOptions options = ArchiveOptions.toArchiveOptions(encoded);
+
+ //Check here just in case a null ArchiveOptions makes it this far
+ if (options == null) {
+ auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ clientKeyId, null, "Problem decoding PKIArchiveOptions");
+ throw new EBaseException("Problem decoding PKIArchiveOptions.");
+ }
+ algStr = options.getSymmAlgOID();
+ wrappedSessionKey = options.getEncSymmKey();
+ secdata = options.getEncValue();
+ sparams = options.getSymmAlgParams();
+
+ } else {
+ wrappedSessionKey = Utils.base64decode(transWrappedSessionKey);
+ secdata = Utils.base64decode(wrappedSecurityData);
+ sparams = Utils.base64decode(algParams);
+ }
 SymmetricKey securitySymKey = null;
 byte[] securityData = null;
@@ -123,19 +158,21 @@ public class SecurityDataService implements IService {
 if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
 // Symmetric Key
 keyType = KeyRequestResource.SYMMETRIC_KEY_TYPE;
- securitySymKey = mTransportUnit.unwrap_symmetric(options.getEncSymmKey(),
- options.getSymmAlgOID(),
- options.getSymmAlgParams(),
- options.getEncValue(),
- KeyRequestService.SYMKEY_TYPES.get(algorithm),
- strength);
+ securitySymKey = mTransportUnit.unwrap_symmetric(
+ wrappedSessionKey,
+ algStr,
+ sparams,
+ secdata,
+ KeyRequestService.SYMKEY_TYPES.get(algorithm),
+ strength);
 } else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
 keyType = KeyRequestResource.PASS_PHRASE_TYPE;
- securityData = mTransportUnit.decryptExternalPrivate(options.getEncSymmKey(),
- options.getSymmAlgOID(),
- options.getSymmAlgParams(),
- options.getEncValue());
+ securityData = mTransportUnit.decryptExternalPrivate(
+ wrappedSessionKey,
+ algStr,
+ sparams,
+ secdata);
 }
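Review bot: The two new failure paths in this hunk — the exploded form arriving without `transWrappedSessionKey`/`algStr`/`algParams`, and neither form being present — throw EBaseException without calling `auditArchivalRequestProcessed(...)`, whereas the adjacent "Bad data in request" and "Problem decoding PKIArchiveOptions" paths both record a FAILURE audit event before throwing. On a KRA that audit event is the record that an archival request was rejected, so these rejections would be missing from the audit trail. Add `auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(), clientKeyId, null, "Missing session key, algorithm OID or params");` before the first throw and `auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(), clientKeyId, null, "No data to archive");` before the second; if `Utils.base64decode` can throw on malformed input, those decode failures in the new `else` branch bypass the audit as well. Separately, when a request carries both `wrappedSecurityData` and `pkiArchiveOptions` the exploded form silently wins and the PKIArchiveOptions blob is ignored; rejecting the ambiguous request would be safer than picking one. The enclosing method begins before this hunk.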