| author | Ade Lee <alee@redhat.com> | 2017-03-09 12:54:57 -0500 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-03-14 17:10:43 -0400 |
| commit | 648361bac96996e76339b9390b8a8882dcde8ad7 (patch) | |
| tree | 498bd346e4621e69030ee33e39cf934d725691cb /base/kra | |
| parent | 7e42ef2f63a73931610252db3e30b8a7357e4425 (diff) | |
Continue to move more crypto into CryptoUtil
Change-Id: I6024ca5a32769b460d578dfad46598432381784c
Diffstat (limited to 'base/kra')
5 files changed, 56 insertions, 94 deletions
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
index 9500d9018..6d101089d 100644
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
@@ -24,15 +24,14 @@ import org.mozilla.jss.crypto.EncryptionAlgorithm;
 import org.mozilla.jss.crypto.IVParameterSpec;
 import org.mozilla.jss.crypto.KeyGenAlgorithm;
 import org.mozilla.jss.crypto.KeyWrapAlgorithm;
-import org.mozilla.jss.crypto.KeyWrapper;
 import org.mozilla.jss.crypto.PrivateKey;
 import org.mozilla.jss.crypto.SymmetricKey;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.key.KeyRequestResource;
 import com.netscape.certsrv.security.IEncryptionUnit;
 import com.netscape.certsrv.security.WrappingParams;
+import com.netscape.cmsutil.crypto.CryptoUtil;
 /**
 * A class represents the transport key pair. This key pair
@@ -77,13 +76,19 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
 }
 public SymmetricKey unwrap_session_key(CryptoToken token, byte encSymmKey[], SymmetricKey.Usage usage,
- WrappingParams params) {
+ WrappingParams params) throws Exception {
 PrivateKey wrappingKey = getPrivateKey();
 String priKeyAlgo = wrappingKey.getAlgorithm();
 if (priKeyAlgo.equals("EC"))
 params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);
- return unwrap_session_key(token, encSymmKey, usage, wrappingKey, params);
+ return CryptoUtil.unwrap(
+ token,
+ params.getSkType(),
+ 0,
+ usage, wrappingKey,
+ encSymmKey,
+ params.getSkWrapAlgorithm());
 }
 /**
@@ -93,63 +98,4 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
 EBaseException {
 }
- //////////////////////////////////////////////////////////////////////////////////////////////////////////////
- // Crypto specific methods below here ...
- //////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
- protected SymmetricKey unwrap_session_key(CryptoToken token, byte[] wrappedSessionKey, SymmetricKey.Usage usage,
- PrivateKey wrappingKey, WrappingParams params) {
- try {
- KeyWrapper keyWrapper = token.getKeyWrapper(params.getSkWrapAlgorithm());
- keyWrapper.initUnwrap(wrappingKey, null);
-
- SymmetricKey sk = keyWrapper.unwrapSymmetric(
- wrappedSessionKey,
- params.getSkType(),
- usage,
- 0);
- CMS.debug("EncryptionUnit::unwrap_sym() unwrapped on slot: "
- + token.getName());
- return sk;
- } catch (Exception e) {
- CMS.debug("EncryptionUnit::unwrap_session_key() error:" + e.toString());
- return null;
- }
- }
-
- protected SymmetricKey unwrap_symmetric_key(CryptoToken token, SymmetricKey.Type algorithm,
- int strength, SymmetricKey.Usage usage, SymmetricKey sessionKey, byte[] wrappedData,
- WrappingParams params) throws Exception {
- KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm());
- wrapper.initUnwrap(sessionKey, params.getPayloadWrappingIV());
- SymmetricKey symKey = wrapper.unwrapSymmetric(wrappedData, algorithm, usage, strength);
- return symKey;
- }
-
- protected PrivateKey unwrap_private_key(CryptoToken token, PublicKey pubKey,
- boolean temporary, SymmetricKey sessionKey, byte[] wrappedData, WrappingParams params)
- throws Exception {
- KeyWrapper wrapper = token.getKeyWrapper(params.getPayloadWrapAlgorithm());
- wrapper.initUnwrap(sessionKey, params.getPayloadWrappingIV());
-
- // Get the key type for unwrapping the private key.
- PrivateKey.Type keyType = null;
- if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.RSA_ALGORITHM)) {
- keyType = PrivateKey.RSA;
- } else if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.DSA_ALGORITHM)) {
- keyType = PrivateKey.DSA;
- } else if (pubKey.getAlgorithm().equalsIgnoreCase(KeyRequestResource.EC_ALGORITHM)) {
- keyType = PrivateKey.EC;
- }
-
- PrivateKey pk = null;
- if (temporary) {
- pk = wrapper.unwrapTemporaryPrivate(wrappedData,
- keyType, pubKey);
- } else {
- pk = wrapper.unwrapPrivate(wrappedData,
- keyType, pubKey);
- }
- return pk;
- }
 }
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index d6b456b66..4dec837a0 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -352,7 +352,6 @@ public class NetkeyKeygenService implements IService {
 wrapped_des_key = null;
 boolean archive = true;
- PK11SymKey sk = null;
 byte[] publicKeyData = null;
 ;
 String PubKey = "";
@@ -441,9 +440,6 @@ public class NetkeyKeygenService implements IService {
 KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
 KeyWrapAlgorithm.DES3_CBC_PAD, EncryptionUnit.IV, EncryptionUnit.IV);
- // unwrap the DES key
- sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams);
-
 /* XXX could be done in HSM*/
 KeyPair keypair = null;
@@ -511,12 +507,15 @@ public class NetkeyKeygenService implements IService {
 CMS.debug("NetkeyKeygenService: got private key");
 }
- if (sk == null) {
- CMS.debug("NetkeyKeygenService: no DES key");
+ // unwrap the DES key
+ PK11SymKey sk = null;
+ try {
+ sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams);
+ CMS.debug("NetkeyKeygenService: received DES key");
+ } catch (Exception e) {
+ CMS.debug("NetkeyKeygenService: no DES key: " + e);
 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
 return false;
- } else {
- CMS.debug("NetkeyKeygenService: received DES key");
 }
 // 3 wrapping should be done in HSM
diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
index f7638c7fb..8b4c801fb 100644
--- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java
+++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
@@ -1178,8 +1178,15 @@ public class StorageKeyUnit extends EncryptionUnit implements
 SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params);
 // (2) unwrap the session-wrapped-symmetric key
- return unwrap_symmetric_key(token, algorithm, keySize, SymmetricKey.Usage.UNWRAP,
- sk, pri, params);
+ return CryptoUtil.unwrap(
+ token,
+ algorithm,
+ keySize,
+ SymmetricKey.Usage.UNWRAP,
+ sk,
+ pri,
+ params.getPayloadWrapAlgorithm(),
+ params.getPayloadWrappingIV());
 }
 public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey, boolean temporary, WrappingParams params)
@@ -1197,6 +1204,13 @@ public class StorageKeyUnit extends EncryptionUnit implements
 SymmetricKey sk = unwrap_session_key(token, session, SymmetricKey.Usage.UNWRAP, params);
 // (2) unwrap the private key
- return unwrap_private_key(token, pubKey, temporary, sk, pri, params);
+ return CryptoUtil.unwrap(
+ token,
+ pubKey,
+ temporary,
+ sk,
+ pri,
+ params.getPayloadWrapAlgorithm(),
+ params.getPayloadWrappingIV());
 }
 }
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index 6494c36ef..8abf92046 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -260,13 +260,12 @@ public class TokenKeyRecoveryService implements IService {
 KeyWrapAlgorithm.DES3_CBC_PAD, EncryptionUnit.IV, EncryptionUnit.IV);
 // unwrap the des key
- sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams);
-
- if (sk == null) {
+ try {
+ sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key, wrapParams);
+ CMS.debug("TokenKeyRecoveryService: received des key");
+ } catch (Exception e) {
 CMS.debug("TokenKeyRecoveryService: no des key");
 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- } else {
- CMS.debug("TokenKeyRecoveryService: received des key");
 }
 } else {
 CMS.debug("TokenKeyRecoveryService: not receive des key");
diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
index 03f0a900c..672cb857a 100644
--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
@@ -262,7 +262,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
 // XXX
 }
- public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params) {
+ public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params) throws Exception {
 return unwrap_session_key(getToken(), encSymmKey, SymmetricKey.Usage.WRAP, params);
 }
@@ -289,12 +289,14 @@ public class TransportKeyUnit extends EncryptionUnit implements
 new IVParameterSpec(symmAlgParams),
 null);
- SymmetricKey sk = unwrap_session_key(
+ SymmetricKey sk = CryptoUtil.unwrap(
 token,
- encSymmKey,
+ params.getSkType(),
+ 0,
 SymmetricKey.Usage.DECRYPT,
 wrappingKey,
- params);
+ encSymmKey,
+ params.getSkWrapAlgorithm());
 return CryptoUtil.decryptUsingSymmetricKey(
 token,
@@ -327,16 +329,15 @@ public class TransportKeyUnit extends EncryptionUnit implements
 SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP, params);
 // (2) unwrap the session-wrapped-symmetric-key
- SymmetricKey symKey = unwrap_symmetric_key(
+ return CryptoUtil.unwrap(
 token,
 algorithm,
 strength,
 SymmetricKey.Usage.DECRYPT,
 sk,
 encValue,
- params);
-
- return symKey;
+ params.getPayloadWrapAlgorithm(),
+ params.getPayloadEncryptionIV());
 }
 /**
@@ -356,23 +357,26 @@ public class TransportKeyUnit extends EncryptionUnit implements
 null,
 priKeyAlgo,
 new IVParameterSpec(symmAlgParams),
- null);
+ new IVParameterSpec(symmAlgParams));
 // (1) unwrap the session key
- SymmetricKey sk = unwrap_session_key(
+ SymmetricKey sk = CryptoUtil.unwrap(
 token,
- encSymmKey,
+ params.getSkType(),
+ 0,
 SymmetricKey.Usage.UNWRAP,
 wrappingKey,
- params);
+ encSymmKey,
+ params.getSkWrapAlgorithm());
 // (2) unwrap the session-wrapped-private key
- return unwrap_private_key(
+ return CryptoUtil.unwrap(
 token,
 pubKey,
- true /*temporary*/,
+ true,
 sk,
 encValue,
- params);
+ params.getPayloadWrapAlgorithm(),
+ params.getPayloadWrappingIV());
 }
 }
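Review bot: The new `throws Exception` on `unwrap_session_key` changes its failure contract (the removed helper in the next hunk logged and returned null; unwrap failures from `CryptoUtil.unwrap` now propagate), and the method still has no Javadoc that says so, nor that the EC branch rewrites the caller's `params` in place via `params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB)`. A short Javadoc would do: `/** Unwraps a transport-wrapped session key on {@code token}. For an EC transport key {@code params} is modified to use AES_ECB. @throws Exception if the token cannot unwrap the key */`. The callers adapted in this commit (NetkeyKeygenService, TokenKeyRecoveryService) catch the new exception, but any other caller of `unwrap_session_key` or `unwrap_sym` that still null-checks the result is now dead code; worth a grep outside `base/kra`, which this diffstat does not cover.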
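Review bot: The DES-key unwrap in the `@@ -511` hunk now runs after the key-pair generation that sits between the `@@ -441` and `@@ -511` hunks (`KeyPair keypair = null;` under the `/* XXX could be done in HSM*/` comment, body outside view), so a request carrying a bad transport-wrapped DES key is only rejected after a potentially expensive HSM keypair generation that is then discarded. Unless the move was needed because `wrapParams` is completed in between, the try/catch could be placed where the removed `sk = (PK11SymKey) mTransportUnit.unwrap_sym(...)` call was, keeping the fail-fast behaviour. Catching `Exception` and logging `"no DES key: " + e` is fine for the result-4 path, but note that `e` for a JSS failure may contain only a generic PKCS#11 code, so the token name would help triage. The StorageKeyUnit hunks on this line rely on the enclosing `unwrap` methods already declaring `throws Exception`, since `unwrap_session_key` now throws; their signatures are outside the hunk.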
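Review bot: The new `catch (Exception e)` in the `@@ -260` hunk discards the exception it caught (`CMS.debug("TokenKeyRecoveryService: no des key")`) and then falls through with `sk` still null, whereas the parallel NetkeyKeygenService hunk logs `e` and returns false after setting RESULT 4. The fall-through matches the old `if (sk == null)` branch, so it is not a regression, but whatever used `sk` after this point must still tolerate null; the enclosing method continues outside the hunk, so that check is not visible here. Suggest at least `CMS.debug("TokenKeyRecoveryService: no des key: " + e);` so the unwrap failure reason is not lost, and an early return if the method cannot proceed without `sk`.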
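Review bot: The symmetric-key unwrap in the `@@ -327` hunk passes `params.getPayloadEncryptionIV()` to `CryptoUtil.unwrap`, while the private-key unwrap in `@@ -356`, both StorageKeyUnit unwraps, and the removed `unwrap_symmetric_key` helper all use `params.getPayloadWrappingIV()`. If those two accessors can hold different values for the WrappingParams built in this method (its constructor call is outside the hunk), a wrong IV does not fail cleanly for every wrap mechanism, so either the intent should be stated in a comment (e.g. `// this path stores the IV in the encryption-IV slot`) or the call switched to `params.getPayloadWrappingIV()` for consistency. The `@@ -356` hunk's change of the last constructor argument from `null` to `new IVParameterSpec(symmAlgParams)` suggests the wrapping-IV slot was previously unset on that path, which is consistent with the `@@ -327` path never having populated it either. Dropping `/*temporary*/` from `true` in `@@ -356` loses the only hint of what the boolean means at the call site.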
