diff options
author | Endi Sukma Dewata <edewata@redhat.com> | 2012-03-24 02:27:47 -0500 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-03-26 11:43:54 -0500 |
commit | 621d9e5c413e561293d7484b93882d985b3fe15f (patch) | |
tree | 638f3d75761c121d9a8fb50b52a12a6686c5ac5c /base/migrate/kra | |
parent | 40d3643b8d91886bf210aa27f711731c81a11e49 (diff) | |
download | pki-621d9e5c413e561293d7484b93882d985b3fe15f.tar.gz pki-621d9e5c413e561293d7484b93882d985b3fe15f.tar.xz pki-621d9e5c413e561293d7484b93882d985b3fe15f.zip |
Removed unnecessary pki folder.
Previously the source code was located inside a pki folder.
This folder was created during svn migration and is no longer
needed. This folder has now been removed and the contents have
been moved up one level.
Ticket #131
Diffstat (limited to 'base/migrate/kra')
-rwxr-xr-x | base/migrate/kra/RecoverKey.class | bin | 0 -> 3566 bytes | |||
-rwxr-xr-x | base/migrate/kra/RecoverKey.java | 101 | ||||
-rwxr-xr-x | base/migrate/kra/RecoverPin.class | bin | 0 -> 5029 bytes | |||
-rwxr-xr-x | base/migrate/kra/RecoverPin.java | 149 | ||||
-rwxr-xr-x | base/migrate/kra/readme.txt | 130 |
5 files changed, 380 insertions, 0 deletions
diff --git a/base/migrate/kra/RecoverKey.class b/base/migrate/kra/RecoverKey.class Binary files differnew file mode 100755 index 000000000..756380e8d --- /dev/null +++ b/base/migrate/kra/RecoverKey.class diff --git a/base/migrate/kra/RecoverKey.java b/base/migrate/kra/RecoverKey.java new file mode 100755 index 000000000..06e5fc55f --- /dev/null +++ b/base/migrate/kra/RecoverKey.java @@ -0,0 +1,101 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + + +// package com.netscape.cmstools; + +import org.mozilla.jss.pkix.cmc.*; +import org.mozilla.jss.pkix.cms.*; +import org.mozilla.jss.pkix.cert.*; +import org.mozilla.jss.pkix.primitive.*; +import org.mozilla.jss.asn1.*; +import org.mozilla.jss.pkcs10.*; +import org.mozilla.jss.crypto.*; +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.SignatureAlgorithm; +import org.mozilla.jss.crypto.DigestAlgorithm; +import org.mozilla.jss.crypto.X509Certificate; +import org.mozilla.jss.util.*; +import org.mozilla.jss.*; + +import sun.misc.BASE64Encoder; +import sun.misc.*; + +import java.io.*; +import java.util.*; + +import com.netscape.cmscore.shares.*; + +public class RecoverKey { + + public static void main(String args[]) throws Exception + { + if (args.length != 6) { + System.out.println("Usage: RecoverKey <alias directory> <prefix> <password> <pin> <nickname> <kra-key.db path>"); + System.exit(0); + } + + String alias = args[0]; + String prefix = args[1]; + String password = args[2]; + String pin = args[3]; + String nickname = args[4]; + String db_path = args[5]; + + CryptoManager.InitializationValues vals = + new CryptoManager.InitializationValues(alias, + prefix, prefix, "secmod.db"); + + CryptoManager.initialize(vals); + CryptoManager cm = CryptoManager.getInstance(); + + CryptoToken token = cm.getInternalKeyStorageToken(); + token.login(new Password(password.toCharArray())); + + // retrieve public key + X509Certificate cert = cm.findCertByNickname(nickname); + + // retrieve encrypted private key material + File priFile = new File(db_path); + byte priData[] = new byte[(new Long(priFile.length())).intValue()]; + FileInputStream fi = new FileInputStream(priFile); + fi.read(priData); + fi.close(); + + // recover private key + Password pass = new Password(pin.toCharArray()); + KeyGenerator kg = token.getKeyGenerator( + PBEAlgorithm.PBE_SHA1_DES3_CBC); + byte iv[] = {0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01}; + PBEKeyGenParams kgp = new PBEKeyGenParams(pass, + iv, 5); + + pass.clear(); + kg.initialize(kgp); + SymmetricKey sk = kg.generate(); + + KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); + wrapper.initUnwrap(sk, new IVParameterSpec(iv)); + PrivateKey pk = wrapper.unwrapPrivate(priData, + PrivateKey.RSA, cert.getPublicKey()); + + System.out.println("=> Private is '" + pk + "'"); + } +} diff --git a/base/migrate/kra/RecoverPin.class b/base/migrate/kra/RecoverPin.class Binary files differnew file mode 100755 index 000000000..75db9d5f9 --- /dev/null +++ b/base/migrate/kra/RecoverPin.class diff --git a/base/migrate/kra/RecoverPin.java b/base/migrate/kra/RecoverPin.java new file mode 100755 index 000000000..2ad268c37 --- /dev/null +++ b/base/migrate/kra/RecoverPin.java @@ -0,0 +1,149 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + + +// package com.netscape.cmstools; + +import org.mozilla.jss.pkix.cmc.*; +import org.mozilla.jss.pkix.cms.*; +import org.mozilla.jss.pkix.cert.*; +import org.mozilla.jss.pkix.primitive.*; +import org.mozilla.jss.asn1.*; +import org.mozilla.jss.pkcs10.*; +import org.mozilla.jss.crypto.*; +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.SignatureAlgorithm; +import org.mozilla.jss.crypto.DigestAlgorithm; +import org.mozilla.jss.crypto.X509Certificate; +import org.mozilla.jss.util.*; +import org.mozilla.jss.*; + +import sun.misc.BASE64Encoder; +import sun.misc.*; + +import java.io.*; +import java.util.*; + +import com.netscape.cmscore.shares.*; + +public class RecoverPin { + + public static String getPassword(Hashtable shares) throws Exception + { + System.out.println("Share size '" + shares.size() + "'"); + JoinShares j = new JoinShares(shares.size()); + + Enumeration e = shares.keys(); + while (e.hasMoreElements()) { + String next = (String) e.nextElement(); +System.out.println("Add share " + (int)(Integer.parseInt(next) + 1)); + j.addShare(Integer.parseInt(next) + 1, + (byte[]) shares.get(next)); + } + byte secret[] = j.recoverSecret(); + String pwd = new String(secret); + return pwd; + } + + public static byte[] resizeShare(byte share[]) { + byte data[] = new byte[share.length - 2]; + + for (int i = 2; i < share.length; i++) { + data[i - 2] = share[i]; + } + return data; + } + + public static Hashtable getShares(CryptoToken token, + Properties kra_mn_p) throws Exception + { + BufferedReader br = new BufferedReader( new InputStreamReader(System.in)); + Hashtable v = new Hashtable(); + Enumeration e = kra_mn_p.keys(); + int n = Integer.parseInt((String)kra_mn_p.get("n")); + for (int i = 0; i < n; i++) { + String uid = (String)kra_mn_p.get("uid"+i); + System.out.println("Got uid '" + uid + "'"); + + String encrypted = (String)kra_mn_p.get("share"+i); + System.out.println("Got share '" + encrypted + "'"); + + BASE64Decoder decoder = new BASE64Decoder(); + byte share[] = decoder.decodeBuffer(encrypted); + System.out.println("Got encrypted share length '" + + share.length + "'"); + + System.out.println("Please input password for " + uid + ":"); + String pwd = br.readLine(); + System.out.println("Got password '" + pwd + "'"); + + Cipher cipher = token.getCipherContext( + EncryptionAlgorithm.DES3_CBC_PAD); + byte iv[] = {0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01}; + Password pass = new Password(pwd.toCharArray()); + KeyGenerator kg = token.getKeyGenerator( + PBEAlgorithm.PBE_SHA1_DES3_CBC); + PBEKeyGenParams kgp = new PBEKeyGenParams(pass, + iv, 5); + kg.initialize(kgp); + SymmetricKey sk = kg.generate(); + cipher.initDecrypt(sk, new IVParameterSpec(iv)); + byte dec[] = cipher.doFinal(share); + System.out.println("Got decrypted share length '" + dec.length + "'"); + System.out.println("Got share[0] '" + dec[0] + "'"); + System.out.println("Got share[1] '" + dec[1] + "'"); + byte res[] = resizeShare(dec); + v.put(Integer.toString(i), res); + } + return v; + } + + public static void main(String args[]) throws Exception + { + if (args.length != 4) { + System.out.println("Usage: RecoverPin <alias directory> <prefix> <password> <kra-mn.conf path>"); + System.exit(0); + } + + String alias = args[0]; + String prefix = args[1]; + String password = args[2]; + String path_kra_mn = args[3]; + + CryptoManager.InitializationValues vals = + new CryptoManager.InitializationValues(alias, + prefix, prefix, "secmod.db"); + + CryptoManager.initialize(vals); + CryptoManager cm = CryptoManager.getInstance(); + + // load files into properties + Properties kra_mn_p = new Properties(); + kra_mn_p.load(new FileInputStream(path_kra_mn)); + + CryptoToken token = cm.getInternalKeyStorageToken(); + token.login(new Password(password.toCharArray())); + + Hashtable shares = getShares(token, kra_mn_p); + + String pwd = getPassword(shares); + System.out.println("=> Pin is '" + pwd + "'"); + } +} diff --git a/base/migrate/kra/readme.txt b/base/migrate/kra/readme.txt new file mode 100755 index 000000000..8b7b69b49 --- /dev/null +++ b/base/migrate/kra/readme.txt @@ -0,0 +1,130 @@ +Date + + Tue Oct 17 16:11:07 PDT 2006 + +Version + + CMS 6.1 + +Overview + + In CMS6.1 Data Recovery Manager (DRM), it has deployed a + complicated key splitting scheme where software token and + hardware token are treated differently. + + Both software and hardware token requires a group of N recovery agents + to be present during the configuration. A Pin is randomly generated + and splitted into N pieces called shares. Each share is encrypted with + a password provided by the individual recovery agent. This is to + ensure no single recovery agent to access the pin. + + For software token, during configuration, a storage key pair is + generated, and the private key portion is then encrypted by the + Pin mentioned above. The encrypted key is stored in a file called + kra-key.db in the conf directory. The configuration deletes + the private key from the software token. For each recovery + operation, the private key is then reconstructed and imported + into the software token. + + For hardware token, during configuration, a storage key pair is + generated on the selected token, then the configuration changes the + hardware token's pin to the randomly generated pin mentioned above. + For each recovery operation, the token's pin is reconstructed and + private key is accessed. + + To provide migration on the user keys that were encrypted with the + storage keys of CS6.1, we need to be able to migrate the public and + private keys to the new system. To access the private key, we need + to have a way to reconstruct the pin. + + This support package provides 2 utilities that can assist the + migration. + +Programs + + RecoverPin - This command is to reconstruct the pin. It reads + the shares from conf/kra-mn.conf, and prompts for + agent passwords. It then reconstructs and prints the + pin to the screen. + + RecoverKey - For software token deployment, the encrypted private + key is stored in the file conf/kra-key.db. To recover + the private key, the user needs to use the pin obtained + from RecoverPin. Once the private key is recovered into + the security database. The user can use pk12util to + migrate key to the new installation. For hardware token + deployment, this command is not necessary. + +Examples + + Here is an example of RecoverPin usage + + java -classpath <server-root>/bin/cert/jars/cmscore.jar:<server-root>/bin/cert/jars/nsutil.jar:<server-root>/bin/cert/jars/jss3.jar:. RecoverPin <path to alias directory> <prefix> <password> <key splitting scheme file> + + For example, + + java -classpath /home/user/cs61/servers/bin/cert/jars/cmscore.jar:/export/home/user/cs61/servers/bin/cert/jars/nsutil.jar:/export/home/user/cs61/servers/bin/cert/jars/jss3.jar:. RecoverPin /export/home/user/cs61/servers/alias "cert-drm-sunburst-" netscape /export/home/user/cs61/servers/cert-drm/config/kra-mn.conf + + The output is: + + Got uid 'agent1' + Got share 'A23UO/q9f40=' + Got encrypted share length '8' + Please input password for agent1: + netscape1 + Got password 'netscape1' + Got decrypted share length '2' + Got share[0] '0' + Got share[1] '0' + Got uid 'agent2' + Got share 'R+zGVd5zczI=' + Got encrypted share length '8' + Please input password for agent2: + netscape2 + Got password 'netscape2' + Got decrypted share length '2' + Got share[0] '0' + Got share[1] '0' + Got uid 'agent3' + Got share 'lsipE7cM8jg=' + Got encrypted share length '8' + Please input password for agent3: + netscape3 + Got password 'netscape3' + Got decrypted share length '2' + Got share[0] '0' + Got share[1] '0' + Share size '3' + Add share 3 + Add share 2 + Add share 1 + => Pin is '' + + Here is an example of RecoverKey usage + + java -classpath <server-root>/bin/cert/jars/cmscore.jar:<server-root>/bin/cert/jars/nsutil.jar:<server-root>/bin/cert/jars/jss3.jar:. RecoverKey <alias path> <prefix> <db password> <pin from RecoverPin> <nickname> <key db path> + + For example, + + java -classpath /export/home/user/cs61/servers/bin/cert/jars/cmscore.jar:/export/home/user/cs61/servers/bin/cert/jars/nsutil.jar:/export/home/user/cs61/servers/bin/cert/jars/jss3.jar:. RecoverKey /export/home/user/cs61/servers/alias cert-drm-sunburst- "netscape" "" "kraStorageCert 1161121005622" /export/home/user/cs61/servers/cert-drm/config/kra-key.db + + The output is: + + => Private is 'org.mozilla.jss.pkcs11.PK11RSAPrivateKey@1ab8f9e' + +To make the private and public key exportable via pk12util. You need to first +backup the storage certificate, delete it, and then import it +again. For example, + + certutil -d . -P cert-drm-sunburst- \ + -n "kraStorageCert 1161121005622" -a > storageCert.txt + + certutil -d . -P cert-drm-sunburst- -D -n "kraStorageCert 1161121005622" + + certutil -d . -P cert-drm-sunburst- -A -t "u,u,u" \ + -n "kraStorageCert 1161121005622" -i storageCert.txt + +Finally, you can export the private and public key using pk12util + + pk12util -o storage.p12 -d . -P cert-drm-sunburst- \ + -n "kraStorageCert 1161121005622" |