summaryrefslogtreecommitdiffstats
path: root/base/kra
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2017-03-23 00:20:32 -0400
committerAde Lee <alee@redhat.com>2017-03-23 16:16:08 -0400
commit5b7ce994b8698dca62c23e653b7a1cfeebf959e4 (patch)
treef7673ab05610d8cc8444d4482a95b1949c9eb985 /base/kra
parent58bfe7d510126609969703325d7655175be5da62 (diff)
downloadpki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.tar.gz
pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.tar.xz
pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.zip
Refactor code that creates PKIArchiveOptions objects
* Refactor code in CryptoUtil to parametrize the algorithms used. * Moved WrappingParams to utils jar to allow correct compilation. * Removed code that created a PKIArchiveOptions structure from CRMFPopClient and replaced with calls to CryptoUtil methods. Note that the algorithms have been left as DES3. They will be changed to AES in the next patch. * Converted code in AuthorityKeyExportCLI to use the new methods in CryptoUtil. * Removed DRMTest this code is no longer maintained or used. Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
Diffstat (limited to 'base/kra')
-rw-r--r--base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java779
-rw-r--r--base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java29
-rw-r--r--base/kra/src/com/netscape/kra/EncryptionUnit.java3
-rw-r--r--base/kra/src/com/netscape/kra/NetkeyKeygenService.java2
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataProcessor.java2
-rw-r--r--base/kra/src/com/netscape/kra/StorageKeyUnit.java2
-rw-r--r--base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java2
-rw-r--r--base/kra/src/com/netscape/kra/TransportKeyUnit.java3
8 files changed, 32 insertions, 790 deletions
diff --git a/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java b/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java
deleted file mode 100644
index 720bba2b9..000000000
--- a/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java
+++ /dev/null
@@ -1,779 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// This program is free software; you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation; version 2 of the License.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-//
-// (C) 2012 Red Hat, Inc.
-// All rights reserved.
-// --- END COPYRIGHT BLOCK ---
-package com.netscape.cms.servlet.test;
-
-import java.io.IOException;
-import java.security.InvalidKeyException;
-import java.security.KeyFactory;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.Signature;
-import java.security.SignatureException;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.PKCS8EncodedKeySpec;
-import java.security.spec.X509EncodedKeySpec;
-import java.util.ArrayList;
-import java.util.Calendar;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Random;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.CommandLineParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.PosixParser;
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.crypto.AlreadyInitializedException;
-import org.mozilla.jss.crypto.IVParameterSpec;
-import org.mozilla.jss.crypto.KeyGenAlgorithm;
-import org.mozilla.jss.crypto.SymmetricKey;
-
-import com.netscape.certsrv.base.ResourceNotFoundException;
-import com.netscape.certsrv.cert.CertData;
-import com.netscape.certsrv.client.ClientConfig;
-import com.netscape.certsrv.client.PKIClient;
-import com.netscape.certsrv.dbs.keydb.KeyId;
-import com.netscape.certsrv.key.AsymKeyGenerationRequest;
-import com.netscape.certsrv.key.Key;
-import com.netscape.certsrv.key.KeyClient;
-import com.netscape.certsrv.key.KeyInfo;
-import com.netscape.certsrv.key.KeyRequestInfo;
-import com.netscape.certsrv.key.KeyRequestInfoCollection;
-import com.netscape.certsrv.key.KeyRequestResource;
-import com.netscape.certsrv.key.KeyRequestResponse;
-import com.netscape.certsrv.key.KeyResource;
-import com.netscape.certsrv.key.SymKeyGenerationRequest;
-import com.netscape.certsrv.kra.KRAClient;
-import com.netscape.certsrv.request.IRequest;
-import com.netscape.certsrv.request.RequestId;
-import com.netscape.certsrv.request.RequestNotFoundException;
-import com.netscape.certsrv.system.SystemCertClient;
-import com.netscape.certsrv.util.NSSCryptoProvider;
-import com.netscape.cmsutil.crypto.CryptoUtil;
-import com.netscape.cmsutil.util.Utils;
-
-public class DRMTest {
-
- public static void usage(Options options) {
- HelpFormatter formatter = new HelpFormatter();
- formatter.printHelp("DRMTest", options);
- System.exit(1);
- }
-
- public static void main(String args[]) throws InvalidKeyException, NoSuchAlgorithmException,
- InvalidKeySpecException, SignatureException, IOException {
- String host = null;
- String port = null;
- String token_pwd = null;
- String db_dir = "./";
- String protocol = "http";
- String clientCertNickname = "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID";
-
- // parse command line arguments
- Options options = new Options();
- options.addOption("h", true, "Hostname of the DRM");
- options.addOption("p", true, "Port of the DRM");
- options.addOption("w", true, "Token password");
- options.addOption("d", true, "Directory for tokendb");
- options.addOption("s", true, "Attempt Optional Secure SSL connection");
- options.addOption("c", true, "Optional SSL Client cert Nickname");
-
- try {
- CommandLineParser parser = new PosixParser();
- CommandLine cmd = parser.parse(options, args);
-
- if (cmd.hasOption("h")) {
- host = cmd.getOptionValue("h");
- } else {
- System.err.println("Error: no hostname provided.");
- usage(options);
- }
-
- if (cmd.hasOption("p")) {
- port = cmd.getOptionValue("p");
- } else {
- System.err.println("Error: no port provided");
- usage(options);
- }
-
- if (cmd.hasOption("w")) {
- token_pwd = cmd.getOptionValue("w");
- } else {
- System.err.println("Error: no token password provided");
- usage(options);
- }
-
- if (cmd.hasOption("d")) {
- db_dir = cmd.getOptionValue("d");
- }
-
- if (cmd.hasOption("s")) {
- if (cmd.getOptionValue("s") != null && cmd.getOptionValue("s").equals("true")) {
- protocol = "https";
- }
- }
-
- if (cmd.hasOption("c")) {
- String nick = cmd.getOptionValue("c");
-
- if (nick != null && protocol.equals("https")) {
- clientCertNickname = nick;
- }
- }
-
- } catch (ParseException e) {
- System.err.println("Error in parsing command line options: " + e.getMessage());
- usage(options);
- }
-
- // used for crypto operations
- byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
-
- try {
- iv = genIV(8);
- } catch (Exception e) {
- log("Can't generate initialization vector use default: " + e.toString());
- }
-
- // used for wrapping to send data to DRM
- String transportCert = null;
-
- // Data to be archived
- SymmetricKey vek = null;
- String passphrase = null;
-
- // Session keys and passphrases for recovery
- SymmetricKey sessionKey = null;
- byte[] wrappedRecoveryKey = null;
- String recoveryPassphrase = null;
- byte[] wrappedRecoveryPassphrase = null;
-
- // retrieved data (should match archived data)
- byte[] encryptedData = null;
- String recoveredKey = null;
-
- // various ids used in recovery/archival operations
- KeyId keyId = null;
- String clientKeyId = null;
- RequestId recoveryRequestId = null;
-
- // Variables for data structures from calls
- KeyRequestResponse requestResponse = null;
- Key keyData = null;
- KeyInfo keyInfo = null;
-
- // Initialize token
- try {
- CryptoManager.initialize(db_dir);
- } catch (AlreadyInitializedException e) {
- // it is ok if it is already initialized
- } catch (Exception e) {
- log("INITIALIZATION ERROR: " + e.toString());
- System.exit(1);
- }
-
- // Set base URI and get client
-
- KRAClient client;
- SystemCertClient systemCertClient;
- KeyClient keyClient;
- NSSCryptoProvider nssCrypto;
- try {
- ClientConfig config = new ClientConfig();
- config.setServerURI(protocol + "://" + host + ":" + port + "/kra");
- config.setCertNickname(clientCertNickname);
- config.setCertDatabase(db_dir);
- config.setCertPassword(token_pwd);
- nssCrypto = new NSSCryptoProvider(config);
-
- client = new KRAClient(new PKIClient(config, nssCrypto));
- systemCertClient = (SystemCertClient) client.getClient("systemcert");
- keyClient = (KeyClient) client.getClient("key");
-
- } catch (Exception e) {
- e.printStackTrace();
- return;
- }
-
- // Test 1: Get transport certificate from DRM
- transportCert = systemCertClient.getTransportCert().getEncoded();
- transportCert = transportCert.substring(CertData.HEADER.length(),
- transportCert.indexOf(CertData.FOOTER));
- keyClient.setTransportCert(transportCert);
-
- log("Transport Cert retrieved from DRM: " + transportCert);
-
- // Test 2: Get list of completed key archival requests
- log("\n\nList of completed archival requests");
- KeyRequestInfoCollection list = keyClient.listRequests("complete", "securityDataEnrollment");
- if (list.getTotal() == 0) {
- log("No requests found");
- } else {
- Iterator<KeyRequestInfo> iter = list.getEntries().iterator();
- while (iter.hasNext()) {
- KeyRequestInfo info = iter.next();
- printRequestInfo(info);
- }
- }
-
- // Test 3: Get list of key recovery requests
- log("\n\nList of completed recovery requests");
- KeyRequestInfoCollection list2 = keyClient.listRequests("complete", "securityDataRecovery");
- if (list2.getTotal() == 0) {
- log("No requests found");
- } else {
- Iterator<KeyRequestInfo> iter2 = list2.getEntries().iterator();
- while (iter2.hasNext()) {
- KeyRequestInfo info = iter2.next();
- printRequestInfo(info);
- }
- }
-
- // Test 4: Generate and archive a symmetric key
- log("Archiving symmetric key");
- clientKeyId = "UUID: 123-45-6789 VEK " + Calendar.getInstance().getTime().toString();
- try {
- vek = nssCrypto.generateSessionKey();
- byte[] encoded = nssCrypto.createPKIArchiveOptions(transportCert, vek, null,
- KeyRequestResource.DES3_ALGORITHM, 0, iv);
-
- KeyRequestResponse info = keyClient.archivePKIOptions(clientKeyId, KeyRequestResource.SYMMETRIC_KEY_TYPE,
- KeyRequestResource.DES3_ALGORITHM, 0, encoded);
- log("Archival Results:");
- printRequestInfo(info.getRequestInfo());
- keyId = info.getKeyId();
- } catch (Exception e) {
- log("Exception in archiving symmetric key:" + e.getMessage());
- e.printStackTrace();
- }
-
- //Test 5: Get keyId for active key with client ID
-
- log("Getting key ID for symmetric key");
- keyInfo = keyClient.getActiveKeyInfo(clientKeyId);
- printKeyInfo(keyInfo);
- KeyId keyId2 = keyInfo.getKeyId();
- if (keyId2 == null) {
- log("No archived key found");
- } else {
- log("Archived Key found: " + keyId);
- }
-
- if (!keyId.equals(keyId2)) {
- log("Error: key ids from search and archival do not match");
- } else {
- log("Success: keyids from search and archival match.");
- }
-
- // Test 6: Submit a recovery request for the symmetric key using a session key
- log("Submitting a recovery request for the symmetric key using session key");
- try {
- sessionKey = nssCrypto.generateSessionKey();
- wrappedRecoveryKey = CryptoUtil.wrapSymmetricKey(nssCrypto.getManager(), nssCrypto.getToken(),
- transportCert, sessionKey);
- keyData = keyClient.retrieveKey(keyId, wrappedRecoveryKey);
- } catch (Exception e) {
- log("Exception in recovering symmetric key using session key: " + e.getMessage());
- }
-
- encryptedData = keyData.getEncryptedData();
-
- try {
- recoveredKey = Utils.base64encode(nssCrypto.unwrapWithSessionKey(
- encryptedData, sessionKey,
- KeyRequestResource.DES3_ALGORITHM, keyData.getNonceData()));
- } catch (Exception e) {
- log("Exception in unwrapping key: " + e.toString());
- e.printStackTrace();
- }
-
- if (!recoveredKey.equals(Utils.base64encode(vek.getEncoded()))) {
- log("Error: recovered and archived keys do not match!");
- } else {
- log("Success: recoverd and archived keys match!");
- }
-
- // Test 7: Submit a recovery request for the symmetric key using a passphrase
- log("Submitting a recovery request for the symmetric key using a passphrase");
- recoveryPassphrase = "Gimme me keys please";
-
- try {
- sessionKey = nssCrypto.generateSessionKey();
- wrappedRecoveryPassphrase = nssCrypto.wrapWithSessionKey(recoveryPassphrase, iv, sessionKey,
- KeyRequestResource.DES3_ALGORITHM);
- wrappedRecoveryKey = nssCrypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert);
-
- keyData = keyClient.retrieveKeyUsingWrappedPassphrase(keyId, wrappedRecoveryKey, wrappedRecoveryPassphrase,
- iv);
- } catch (Exception e) {
- log("Exception in recovering symmetric key using passphrase" + e.toString());
- e.printStackTrace();
- }
-
- encryptedData = keyData.getEncryptedData();
-
- try {
- recoveredKey = Utils.base64encode(nssCrypto.unwrapWithPassphrase(encryptedData, recoveryPassphrase));
- } catch (Exception e) {
- log("Error: unable to unwrap key using passphrase");
- e.printStackTrace();
- }
-
- if (recoveredKey == null || !recoveredKey.equals(Utils.base64encode(vek.getEncoded()))) {
- log("Error: recovered and archived keys do not match!");
- } else {
- log("Success: recovered and archived keys do match!");
- }
-
- passphrase = "secret12345";
- // Test 8: Generate and archive a passphrase
- clientKeyId = "UUID: 123-45-6789 RKEK " + Calendar.getInstance().getTime().toString();
- try {
- requestResponse = keyClient.archivePassphrase(clientKeyId, passphrase);
-
- log("Archival Results:");
- printRequestInfo(requestResponse.getRequestInfo());
- keyId = requestResponse.getKeyId();
- } catch (Exception e) {
- log("Exception in archiving symmetric key:" + e.toString());
- e.printStackTrace();
- }
-
- //Test 9: Get keyId for active passphrase with client ID
- log("Getting key ID for passphrase");
- keyInfo = keyClient.getActiveKeyInfo(clientKeyId);
- printKeyInfo(keyInfo);
- keyId2 = keyInfo.getKeyId();
- if (keyId2 == null) {
- log("No archived key found");
- } else {
- log("Archived Key found: " + keyId);
- }
-
- if (!keyId.equals(keyId2)) {
- log("Error: key ids from search and archival do not match");
- } else {
- log("Success: key ids from search and archival do match!");
- }
-
- // Test 10: Submit a recovery request for the passphrase using a session key
- log("Submitting a recovery request for the passphrase using session key");
- sessionKey = null;
- wrappedRecoveryKey = null;
- try {
- keyData = keyClient.retrieveKeyByPassphrase(keyId, recoveryPassphrase);
- } catch (Exception e) {
- log("Exception in recovering passphrase using session key: " + e.getMessage());
- }
- encryptedData = keyData.getEncryptedData();
- try {
- recoveredKey = new String(nssCrypto.unwrapWithPassphrase(encryptedData, recoveryPassphrase), "UTF-8");
- } catch (Exception e) {
- log("Exception in unwrapping key: " + e.toString());
- e.printStackTrace();
- }
-
- if (recoveredKey == null || !recoveredKey.equals(passphrase)) {
- log("Error: recovered and archived passphrases do not match!");
- } else {
- log("Success: recovered and archived passphrases do match!");
- }
-
- // Test 11: Submit a recovery request for the passphrase using a passphrase
- try {
- sessionKey = nssCrypto.generateSessionKey();
- wrappedRecoveryKey = nssCrypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert);
- wrappedRecoveryPassphrase = nssCrypto.wrapWithSessionKey(recoveryPassphrase, iv, sessionKey,
- KeyRequestResource.DES3_ALGORITHM);
- keyData = keyClient.retrieveKeyUsingWrappedPassphrase(keyId, wrappedRecoveryKey, wrappedRecoveryPassphrase,
- iv);
- } catch (Exception e1) {
- e1.printStackTrace();
- System.out.println("Test 17: " + e1.getMessage());
- System.exit(-1);
- }
- encryptedData = keyData.getEncryptedData();
- try {
- recoveredKey = new String(nssCrypto.unwrapWithPassphrase(encryptedData, recoveryPassphrase), "UTF-8");
- } catch (Exception e) {
- log("Error: cannot unwrap key using passphrase");
- e.printStackTrace();
- }
-
- if (recoveredKey == null || !recoveredKey.equals(passphrase)) {
- log("Error: recovered and archived passphrases do not match!");
- } else {
- log("Success: recovered and archived passphrases do match!");
- }
-
- // Test 12: Get key
- log("Getting passphrase: " + keyId);
- try {
- keyData = keyClient.retrieveKeyByPassphrase(keyId, recoveryPassphrase);
- } catch (Exception e1) {
- e1.printStackTrace();
- }
- encryptedData = keyData.getEncryptedData();
- try {
- recoveredKey = new String(nssCrypto.unwrapWithPassphrase(encryptedData, recoveryPassphrase), "UTF-8");
- } catch (Exception e) {
- log("Error: Can't unwrap recovered key using passphrase");
- e.printStackTrace();
- }
-
- if (recoveredKey == null || !recoveredKey.equals(passphrase)) {
- log("Error: recovered and archived passphrases do not match!");
- } else {
- log("Success: recovered and archived passphrases do match!");
- }
-
- // Test 13: Get non-existent request
- RequestId requestId = new RequestId("0xabcdef");
- log("Getting non-existent request: " + requestId.toHexString());
- try {
- keyClient.getRequestInfo(requestId);
- log("Error: getting non-existent request does not throw an exception");
- } catch (RequestNotFoundException e) {
- log("Success: getting non-existent request throws an exception: " + e.getMessage() + " ("
- + e.getRequestId().toHexString() + ")");
- }
-
- // Test 14: Request x509 key recovery
- // This test requires to retrieve keyId and matching certificate
- // from installed instances of CA and DRM
- String keyID = "1";
- String b64Certificate = "MIIC+TCCAeGgAwIBAgIBDDANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy" +
- "c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu" +
- "aW5nIENlcnRpZmljYXRlMB4XDTEzMTAyNTE5MzQwM1oXDTE0MDQyMzE5MzQwM1ow" +
- "EzERMA8GCgmSJomT8ixkAQEMAXgwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB" +
- "ALhLfGmKvxFsKXPh49q1QsluXU3WlyS1XnpDLgOAhgTNgO4sG6CpPdv6hZYIvQBb" +
- "ZQ5bhuML+NXK+Q+EIiNk1cUTxgL3a30sPzy6QaFWxwM8i4uXm4nCBYv7T+n4V6/O" +
- "xHIM2Ch/dviAb3vz+M9trErv9t+d2H8jNXT3sHuDb/kvAgMBAAGjgaAwgZ0wHwYD" +
- "VR0jBBgwFoAUh1cxWFRY+nMsx4odQQI1GqyFxP8wSwYIKwYBBQUHAQEEPzA9MDsG" +
- "CCsGAQUFBzABhi9odHRwOi8vZG9ndGFnMjAudXNlcnN5cy5yZWRoYXQuY29tOjgw" +
- "ODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBSAwHQYDVR0lBBYwFAYIKwYBBQUHAwIG" +
- "CCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQCvmbUzQOouE2LgQQcKfmgwwJMJ" +
- "9tMrPwDUtyFdaIFoPL4uZaujSscaN4IWK2r5vIMJ65jwYCI7sI9En2ZfO28J9dQj" +
- "lpqu6TaJ+xtaMk7OvXpVB7lJk73HAttMGjETlkoq/6EjxcugmJsDqVD0b2tO7Vd0" +
- "hroBe2uPDHM2ASewZF415lUcRh0URtmxSazTInbyxpmy1wgSJQ0C6fMCeT+hUFlA" +
- "0P4k1TIprapGVq7FpKcqlhK2gTBfTSnoO7gmXG/9MxJiYpb/Aph8ptXq6quHz1Mj" +
- "greWr3xTsy6gF2yphUEkGHh4v22XvK+FLx9Jb6zloMWA2GG9gpUpvMnl1fH4";
-
- log("Requesting X509 key recovery.");
- recoveryRequestId = keyClient.recoverKey(new KeyId(keyID), null, null, null, b64Certificate).getRequestInfo()
- .getRequestId();
- log("Requesting X509 key recovery request: " + recoveryRequestId);
-
- // Test 55: Approve x509 key recovery
- log("Approving X509 key recovery request: " + recoveryRequestId);
- keyClient.approveRequest(recoveryRequestId);
-
- // Test 16: Recover x509 key
- log("Recovering X509 key based on request: " + recoveryRequestId);
- try {
- // KeyData recoveredX509Key = client.recoverKey(recoveryRequestId, "netscape");
- // log("Success: X509Key recovered: "+ recoveredX509Key.getP12Data());
- } catch (RequestNotFoundException e) {
- log("Error: recovering X509Key");
- }
-
- // Test 1: Get transport certificate from DRM
- transportCert = systemCertClient.getTransportCert().getEncoded();
- transportCert = transportCert.substring(CertData.HEADER.length(),
- transportCert.indexOf(CertData.FOOTER));
-
- log("Transport Cert retrieved from DRM: " + transportCert);
-
- // Test 17: Get list of completed key archival requests
- log("\n\nList of completed archival requests");
- list = keyClient.listRequests("complete", IRequest.SYMKEY_GENERATION_REQUEST);
- if (list.getTotal() == 0) {
- log("No requests found");
- } else {
- Iterator<KeyRequestInfo> iter = list.getEntries().iterator();
- while (iter.hasNext()) {
- KeyRequestInfo info = iter.next();
- printRequestInfo(info);
- }
- }
-
- // test 18: Generate symmetric key
- clientKeyId = "Symmetric Key #1234f " + Calendar.getInstance().getTime().toString();
- List<String> usages = new ArrayList<String>();
- usages.add(SymKeyGenerationRequest.DECRYPT_USAGE);
- usages.add(SymKeyGenerationRequest.ENCRYPT_USAGE);
- KeyRequestResponse genKeyResponse = keyClient.generateSymmetricKey(clientKeyId,
- KeyRequestResource.AES_ALGORITHM,
- 128, usages, null);
- printRequestInfo(genKeyResponse.getRequestInfo());
- keyId = genKeyResponse.getKeyId();
-
- // test 19: Get keyId for active key with client ID
- log("Getting key ID for symmetric key");
- keyInfo = keyClient.getActiveKeyInfo(clientKeyId);
- printKeyInfo(keyInfo);
- keyId2 = keyInfo.getKeyId();
- if (keyId2 == null) {
- log("No archived key found");
- } else {
- log("Archived Key found: " + keyId);
- }
-
- if (!keyId.equals(keyId2)) {
- log("Error: key ids from search and archival do not match");
- } else {
- log("Success: keyids from search and archival match.");
- }
-
- // Test 20: Submit a recovery request for the symmetric key using a session key
- log("Submitting a recovery request for the symmetric key using session key");
- try {
- sessionKey = nssCrypto.generateSessionKey();
- wrappedRecoveryKey = nssCrypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert);
- keyData = keyClient.retrieveKey(keyId, wrappedRecoveryKey);
- } catch (Exception e) {
- log("Exception in recovering symmetric key using session key: " + e.getMessage());
- }
-
- encryptedData = keyData.getEncryptedData();
-
- try {
- recoveredKey = new String(nssCrypto.unwrapWithSessionKey(
- encryptedData, sessionKey, KeyRequestResource.DES3_ALGORITHM,
- keyData.getNonceData()));
- } catch (Exception e) {
- log("Exception in unwrapping key: " + e.toString());
- e.printStackTrace();
- }
-
- // test 21: Generate symmetric key - invalid algorithm
- try {
- genKeyResponse = keyClient.generateSymmetricKey("Symmetric Key #1235", "AFS", 128, usages, null);
- } catch (Exception e) {
- log("Exception: " + e);
- }
-
- // test 22: Generate symmetric key - invalid key size
- try {
- genKeyResponse = keyClient.generateSymmetricKey("Symmetric Key #1236", "AES", 0, usages, null);
- } catch (Exception e) {
- log("Exception: " + e);
- }
-
- // test 23: Generate symmetric key - usages not defined
- try {
- genKeyResponse = keyClient.generateSymmetricKey("Symmetric Key #1236", "DES", 56, null, null);
- } catch (Exception e) {
- log("Exception: " + e);
- }
-
- // Test 24: Generate and archive a symmetric key of type AES
- log("Archiving symmetric key");
- clientKeyId = "UUID: 123-45-6789 VEK " + Calendar.getInstance().getTime().toString();
- try {
- vek = nssCrypto.generateSymmetricKey(KeyRequestResource.AES_ALGORITHM, 128);
-
- byte[] encoded = CryptoUtil.createPKIArchiveOptions(nssCrypto.getManager(), nssCrypto.getToken(),
- transportCert, vek, null,
- KeyGenAlgorithm.DES3, 0, new IVParameterSpec(iv));
-
- KeyRequestResponse response = keyClient.archivePKIOptions(clientKeyId,
- KeyRequestResource.SYMMETRIC_KEY_TYPE, KeyRequestResource.AES_ALGORITHM, 128, encoded);
- log("Archival Results:");
- printRequestInfo(response.getRequestInfo());
- keyId = response.getKeyId();
- } catch (Exception e) {
- log("Exception in archiving symmetric key:" + e.getMessage());
- e.printStackTrace();
- }
-
- //Test 25: Get keyId for active key with client ID
- log("Getting key ID for symmetric key");
- keyInfo = keyClient.getActiveKeyInfo(clientKeyId);
- printKeyInfo(keyInfo);
- keyId2 = keyInfo.getKeyId();
- if (keyId2 == null) {
- log("No archived key found");
- } else {
- log("Archived Key found: " + keyId);
- }
-
- if (!keyId.equals(keyId2)) {
- log("Error: key ids from search and archival do not match");
- } else {
- log("Success: keyids from search and archival match.");
- }
-
- // Test 26: Submit a recovery request for the symmetric key
- log("Submitting a recovery request for the symmetric key without using session key");
- try {
- keyData = keyClient.retrieveKey(keyId);
- } catch (Exception e) {
- log("Exception in recovering symmetric key using session key: " + e.getMessage());
- }
-
- // Since no session key is provided externally, the retrieveKey method
- // generates a session key, wraps it with transport cert and completes the request.
- // The encrypted data is then unwrapped using the temporary session key and set to
- // the attribute privateData.
- recoveredKey = Utils.base64encode(keyData.getData());
-
- if (!recoveredKey.equals(Utils.base64encode(vek.getEncoded()))) {
- log("Error: recovered and archived keys do not match!");
- } else {
- log("Success: recoverd and archived keys match!");
- }
-
- // Test 27: Get key info
- log("getting key info for existing key");
- printKeyInfo(keyClient.getKeyInfo(keyId));
-
- //Test 28: Modify status
- log("modify the key status");
- keyClient.modifyKeyStatus(keyId, KeyResource.KEY_STATUS_INACTIVE);
- keyInfo = keyClient.getKeyInfo(keyId);
- printKeyInfo(keyInfo);
-
- //Test 29: Confirm no more active keys with this ID
- log("look for active keys with this id");
- clientKeyId = keyInfo.getClientKeyID();
- try {
- keyInfo = keyClient.getActiveKeyInfo(clientKeyId);
- printKeyInfo(keyInfo);
- } catch (ResourceNotFoundException e) {
- log("Success: ResourceNotFound exception thrown: " + e);
- }
-
- // Test asymmetric key generation.
-
- String[] algs = { "RSA", "DSA" };
- for (int i = 0; i < algs.length; i++) {
- // Test 30: Generate Asymmetric keys - RSA key
- System.out.println("\nTesting asymmetric key generation for algorithm " + algs[i]);
- clientKeyId = "AsymKey #" + Calendar.getInstance().getTimeInMillis();
- usages.clear();
- usages.add(AsymKeyGenerationRequest.SIGN);
- usages.add(AsymKeyGenerationRequest.VERIFY);
- KeyRequestResponse response = keyClient.generateAsymmetricKey(clientKeyId, algs[i], 1024, usages, null);
- printRequestInfo(response.getRequestInfo());
- System.out.println();
-
- // Test 31: Get information of the newly generated asymmetric keys
- System.out.println("Fetch information of the newly generated asymmetric keys.");
- System.out.println();
- KeyInfo info = keyClient.getKeyInfo(response.getKeyId());
- printKeyInfo(info);
- System.out.println();
-
- // Test 32: Retrieve private key data
- System.out.println("Retrieving and verifying the generated private key.");
- try {
- keyData = keyClient.retrieveKey(response.getKeyId());
- } catch (Exception e) {
- log("Exception retrieving the private key data.");
- e.printStackTrace();
- }
-
- // Test 33: Verify the generated key pair.
- if (isKeyPairValid(algs[i], keyData.getData(), info.getPublicKey())) {
- log("The key pair generated using " + algs[i] + " algorithm is valid.");
- } else {
- log("The key pair generated using " + algs[i] + " algorithm is invalid.");
- }
- System.out.println();
- }
-
- // Test 34:
- }
-
- /**
- * Verify the generated asymmetric key pair.
- *
- * @param keyAlgorithm - Algorithm used to generate keys.
- * @param privateKey - binary data of the private key.
- * @param publicKey - binary data of he public key.
- * @return
- * @throws NoSuchAlgorithmException
- * @throws InvalidKeySpecException
- * @throws InvalidKeyException
- * @throws SignatureException
- * @throws IOException
- */
- public static boolean isKeyPairValid(String keyAlgorithm, byte[] privateKey, byte[] publicKey)
- throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, SignatureException,
- IOException {
- String algorithm = keyAlgorithm.toUpperCase();
- String signingAlgorithm = "SHA1with" + algorithm;
- KeyFactory factory = KeyFactory.getInstance(algorithm);
- PrivateKey priKey = factory.generatePrivate(new PKCS8EncodedKeySpec(privateKey));
- PublicKey pubKey = factory.generatePublic(new X509EncodedKeySpec(publicKey));
- Signature sig = Signature.getInstance(signingAlgorithm);
- sig.initSign(priKey);
- String s = "Data to test asymmetric keys.";
- sig.update(s.getBytes());
-
- // Sign the data with the private key.
- byte[] realSig = sig.sign();
-
- Signature sig2 = Signature.getInstance(signingAlgorithm);
- sig2.initVerify(pubKey);
-
- sig2.update(s.getBytes());
- // Verify the signature with the public key.
- return sig2.verify(realSig);
- }
-
- private static void printKeyInfo(KeyInfo keyInfo) {
- log("Printing keyInfo:");
- log("Client Key ID: " + keyInfo.getClientKeyID());
- log("Key URL: " + keyInfo.getKeyURL());
- log("Algorithm: " + keyInfo.getAlgorithm());
- log("Strength: " + keyInfo.getSize());
- log("Status: " + keyInfo.getStatus());
- if (keyInfo.getPublicKey() != null) {
- log("Public Key: ");
- String publicKey = Utils.base64encode(keyInfo.getPublicKey());
- log(publicKey);
- }
- }
-
- private static void log(String string) {
- System.out.println(string);
- }
-
- private static void printRequestInfo(KeyRequestInfo info) {
- log("KeyRequestURL: " + info.getRequestURL());
- log("Key URL: " + info.getKeyURL());
- log("Status: " + info.getRequestStatus());
- log("Type: " + info.getRequestType());
- }
-
- //Use this when we actually create random initialization vectors
- private static byte[] genIV(int blockSize) throws Exception {
- // generate an IV
- byte[] iv = new byte[blockSize];
-
- Random rnd = new Random();
- rnd.nextBytes(iv);
-
- return iv;
- }
-} \ No newline at end of file
diff --git a/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java b/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java
index 6c835b439..64546867b 100644
--- a/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java
+++ b/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java
@@ -18,16 +18,24 @@ import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.apache.commons.cli.PosixParser;
import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+import org.mozilla.jss.asn1.OCTET_STRING;
import org.mozilla.jss.crypto.AlreadyInitializedException;
import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
import org.mozilla.jss.crypto.IVParameterSpec;
import org.mozilla.jss.crypto.KeyGenAlgorithm;
+import org.mozilla.jss.crypto.KeyWrapAlgorithm;
import org.mozilla.jss.crypto.SymmetricKey;
+import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
import org.mozilla.jss.util.Password;
import com.netscape.cmsutil.crypto.CryptoUtil;
import com.netscape.cmsutil.util.Utils;
+import netscape.security.util.WrappingParams;
+
public class GeneratePKIArchiveOptions {
public static void usage(Options options) {
@@ -154,7 +162,6 @@ public class GeneratePKIArchiveOptions {
// used for wrapping to send data to DRM
byte[] tcert = read(transport_file);
- String transportCert = Utils.base64encode(tcert);
// Initialize token
try {
@@ -181,8 +188,11 @@ public class GeneratePKIArchiveOptions {
}
} catch (Exception e) {
log("Exception in logging into token:" + e.toString());
+ System.exit(1);
}
+ X509Certificate transportCert = manager.importCACertPackage(tcert);
+
// Data to be archived
SymmetricKey vek = null;
if (!passphraseMode) {
@@ -193,12 +203,21 @@ public class GeneratePKIArchiveOptions {
byte[] encoded = null;
+ WrappingParams params = new WrappingParams(
+ SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
+ KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+ KeyWrapAlgorithm.DES3_CBC_PAD, ivps, ivps);
+
+ AlgorithmIdentifier aid = new AlgorithmIdentifier(
+ new OBJECT_IDENTIFIER("1.2.840.113549.3.7"),
+ new OCTET_STRING(ivps.getIV()));
+
if (passphraseMode) {
- encoded = CryptoUtil.createPKIArchiveOptions(manager, token, transportCert, null, passphrase,
- KeyGenAlgorithm.DES3, 0, ivps);
+ encoded = CryptoUtil.createEncodedPKIArchiveOptions(
+ token, transportCert.getPublicKey(), passphrase, params, aid);
} else {
- encoded = CryptoUtil.createPKIArchiveOptions(manager, token, transportCert, vek, null,
- KeyGenAlgorithm.DES3, 0, ivps);
+ encoded = CryptoUtil.createEncodedPKIArchiveOptions(
+ token, transportCert.getPublicKey(), vek, params, aid);
}
// write encoded to file
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
index 04f63a977..02a4ca143 100644
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
@@ -30,9 +30,10 @@ import org.mozilla.jss.crypto.SymmetricKey;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.security.IEncryptionUnit;
-import com.netscape.certsrv.security.WrappingParams;
import com.netscape.cmsutil.crypto.CryptoUtil;
+import netscape.security.util.WrappingParams;
+
/**
* A class represents the transport key pair. This key pair
* is used to protected EE's private key in transit.
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 4dec837a0..d680445a2 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -60,13 +60,13 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IService;
import com.netscape.certsrv.security.IStorageKeyUnit;
import com.netscape.certsrv.security.ITransportKeyUnit;
-import com.netscape.certsrv.security.WrappingParams;
import com.netscape.cms.servlet.key.KeyRecordParser;
import com.netscape.cmscore.dbs.KeyRecord;
import com.netscape.cmscore.util.Debug;
import com.netscape.cmsutil.crypto.CryptoUtil;
import netscape.security.provider.RSAPublicKey;
+import netscape.security.util.WrappingParams;
/**
* A class representing keygen/archival request procesor for requests
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 1125ee19f..55111c9b8 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -44,12 +44,12 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.RequestId;
import com.netscape.certsrv.security.IStorageKeyUnit;
import com.netscape.certsrv.security.ITransportKeyUnit;
-import com.netscape.certsrv.security.WrappingParams;
import com.netscape.cmscore.dbs.KeyRecord;
import com.netscape.cmsutil.crypto.CryptoUtil;
import com.netscape.cmsutil.util.Utils;
import netscape.security.util.DerValue;
+import netscape.security.util.WrappingParams;
import netscape.security.x509.X509Key;
public class SecurityDataProcessor {
diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
index 0402ab70f..295e4c7d1 100644
--- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java
+++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
@@ -63,7 +63,6 @@ import com.netscape.certsrv.kra.IShare;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.security.Credential;
import com.netscape.certsrv.security.IStorageKeyUnit;
-import com.netscape.certsrv.security.WrappingParams;
import com.netscape.cms.servlet.key.KeyRecordParser;
import com.netscape.cmsutil.crypto.CryptoUtil;
import com.netscape.cmsutil.util.Utils;
@@ -71,6 +70,7 @@ import com.netscape.cmsutil.util.Utils;
import netscape.security.util.DerInputStream;
import netscape.security.util.DerOutputStream;
import netscape.security.util.DerValue;
+import netscape.security.util.WrappingParams;
/**
* A class represents a storage key unit. Currently, this
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index 8abf92046..b084964f9 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -50,7 +50,6 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IService;
import com.netscape.certsrv.security.IStorageKeyUnit;
import com.netscape.certsrv.security.ITransportKeyUnit;
-import com.netscape.certsrv.security.WrappingParams;
import com.netscape.cmscore.dbs.KeyRecord;
import com.netscape.cmsutil.crypto.CryptoUtil;
import com.netscape.cmsutil.util.Cert;
@@ -58,6 +57,7 @@ import com.netscape.cmsutil.util.Cert;
import netscape.security.util.BigInt;
import netscape.security.util.DerInputStream;
import netscape.security.util.DerValue;
+import netscape.security.util.WrappingParams;
import netscape.security.x509.X509Key;
/**
diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
index 672cb857a..513c0b252 100644
--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
@@ -34,10 +34,11 @@ import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.ISubsystem;
import com.netscape.certsrv.security.ITransportKeyUnit;
-import com.netscape.certsrv.security.WrappingParams;
import com.netscape.cmsutil.crypto.CryptoUtil;
import com.netscape.cmsutil.util.Cert;
+import netscape.security.util.WrappingParams;
+
/**
* A class represents the transport key pair. This key pair
* is used to protected EE's private key in transit.
generated by cgit (git 2.34.1) at 2026-01-06 10:41:25 +0000