diff options
author | Ade Lee <alee@redhat.com> | 2017-05-26 22:57:07 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-05-31 22:15:23 -0400 |
commit | 0984d8a114b326a75b2c32cd9da2b7dee23920bb (patch) | |
tree | b2eb036cdda0d9119d23be0e187dc4288373b13f /base/server/cms/src/com/netscape | |
parent | 4cdb7ca8dcafd7709c4ed97c1e1054da21443aae (diff) | |
download | pki-0984d8a114b326a75b2c32cd9da2b7dee23920bb.tar.gz pki-0984d8a114b326a75b2c32cd9da2b7dee23920bb.tar.xz pki-0984d8a114b326a75b2c32cd9da2b7dee23920bb.zip |
Convert CMC code to use AES
* Switched out CrytoUtil calls that use DES and replaced them
with AES equivalents. Removed these now unneeded methods.
* Added 16 byte constant IV for AES operations. This must be
replaced by a randomly generated IV. Added TODOs where IVs
should be replaced.
* Corrected misspellings of "enreypted" in both request fields
and variable names
* Removed some code from null checks where the result could
never be null. These cases were flagged in eclipse as dead
code.
Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb
Diffstat (limited to 'base/server/cms/src/com/netscape')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 111 | ||||
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java | 40 |
2 files changed, 90 insertions, 61 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java index 1443a0a6d..12fb73694 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java @@ -45,7 +45,11 @@ import org.mozilla.jss.asn1.SET; import org.mozilla.jss.asn1.UTF8String; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.DigestAlgorithm; +import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.HMACAlgorithm; +import org.mozilla.jss.crypto.IVParameterSpec; +import org.mozilla.jss.crypto.KeyGenAlgorithm; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.SymmetricKey; import org.mozilla.jss.pkcs10.CertificationRequest; @@ -399,6 +403,10 @@ public abstract class EnrollProfile extends BasicProfile String tokenName = CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME); token = CryptoUtil.getCryptoToken(tokenName); + // TODO(alee) Replace the IV definition with a call that generates a random IV of the correct length + byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + IVParameterSpec ivps = new IVParameterSpec(iv); + PublicKey userPubKey = X509Key.parsePublicKey(new DerValue(req_key_data)); if (userPubKey == null) { msg = method + "userPubKey null after X509Key.parsePublicKey"; @@ -406,37 +414,57 @@ public abstract class EnrollProfile extends BasicProfile throw new EBaseException(msg); } - SymmetricKey symKey = CryptoUtil.generateKey(token); - byte[] pop_encreyptedData = CryptoUtil.encryptUsingSymmetricKey( - token, symKey, challenge); - if (pop_encreyptedData == null) { - msg = method + "pop_encreyptedData null"; + SymmetricKey symKey = CryptoUtil.generateKey( + token, + KeyGenAlgorithm.AES, + 128, + null, + true); + + byte[] pop_encryptedData = CryptoUtil.encryptUsingSymmetricKey( + token, + symKey, + challenge, + EncryptionAlgorithm.AES_128_CBC, + ivps); + + if (pop_encryptedData == null) { + msg = method + "pop_encryptedData null"; CMS.debug(msg); throw new EBaseException(msg); } - byte[] pop_sysPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey( - token, issuanceProtPubKey, symKey); - if (pop_sysPubEncreyptedSession == null) { - msg = method + "pop_sysPubEncreyptedSession null"; + byte[] pop_sysPubEncryptedSession = CryptoUtil.wrapUsingPublicKey( + token, + issuanceProtPubKey, + symKey, + KeyWrapAlgorithm.RSA); + + if (pop_sysPubEncryptedSession == null) { + msg = method + "pop_sysPubEncryptedSession null"; CMS.debug(msg); throw new EBaseException(msg); } - byte[] pop_userPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey( - token, userPubKey, symKey); - if (pop_userPubEncreyptedSession == null) { - msg = method + "pop_userPubEncreyptedSession null"; + + byte[] pop_userPubEncryptedSession = CryptoUtil.wrapUsingPublicKey( + token, + userPubKey, + symKey, + KeyWrapAlgorithm.RSA); + + if (pop_userPubEncryptedSession == null) { + msg = method + "pop_userPubEncryptedSession null"; CMS.debug(msg); throw new EBaseException(msg); } CMS.debug(method + "POP challenge fields generated successfully...setting request extData"); - req.setExtData("pop_encreyptedData", pop_encreyptedData); + req.setExtData("pop_encryptedData", pop_encryptedData); - req.setExtData("pop_sysPubEncreyptedSession", pop_sysPubEncreyptedSession); + req.setExtData("pop_sysPubEncryptedSession", pop_sysPubEncryptedSession); - req.setExtData("pop_userPubEncreyptedSession", pop_userPubEncreyptedSession); + req.setExtData("pop_userPubEncryptedSession", pop_userPubEncryptedSession); // now compute and set witness CMS.debug(method + "now compute and set witness"); @@ -1038,19 +1066,19 @@ public abstract class EnrollProfile extends BasicProfile } // now verify the POP witness - byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData"); - if (pop_encreyptedData == null) { + byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData"); + if (pop_encryptedData == null) { msg = method + - "pop_encreyptedData not found in request:" + + "pop_encryptedData not found in request:" + reqId.toString(); CMS.debug(msg); return null; } - byte[] pop_sysPubEncreyptedSession = req.getExtDataInByteArray("pop_sysPubEncreyptedSession"); - if (pop_sysPubEncreyptedSession == null) { + byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession"); + if (pop_sysPubEncryptedSession == null) { msg = method + - "pop_sysPubEncreyptedSession not found in request:" + + "pop_sysPubEncryptedSession not found in request:" + reqId.toString(); CMS.debug(msg); return null; @@ -1082,17 +1110,31 @@ public abstract class EnrollProfile extends BasicProfile SymmetricKey symKey = CryptoUtil.unwrap( token, + SymmetricKey.AES, + 128, SymmetricKey.Usage.DECRYPT, issuanceProtPrivKey, - pop_sysPubEncreyptedSession); + pop_sysPubEncryptedSession, + KeyWrapAlgorithm.RSA); + if (symKey == null) { msg = "symKey null after CryptoUtil.unwrap returned"; CMS.debug(msg); return null; } + // TODO(alee) The code below should be replaced by code that gets the IV from the Pop request + // This IV is supposed to be random + byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + IVParameterSpec default_iv = new IVParameterSpec(iv); + byte[] challenge_b = CryptoUtil.decryptUsingSymmetricKey( - token, pop_encreyptedData, symKey); + token, + default_iv, + pop_encryptedData, + symKey, + EncryptionAlgorithm.AES_128_CBC); + if (challenge_b == null) { msg = method + "challenge_b null after decryptUsingSymmetricKey returned"; CMS.debug(msg); @@ -1596,23 +1638,16 @@ public abstract class EnrollProfile extends BasicProfile witness_bytes, hashAlg, macAlg); - String authMgrID = - (String) sessionContext.get(SessionContext.AUTH_MANAGER_ID); String auditSubjectID = null; if (verified) { - // update auditSubjectID - if (sessionContext != null) { - auditSubjectID = (String) - sessionContext.get(SessionContext.USER_ID); - CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID); - CMS.debug(method + "identity verified. Updating auditSubjectID"); - CMS.debug(method + "updated auditSubjectID is:"+ ident_string); - auditSubjectID = ident_string; - sessionContext.put(SessionContext.USER_ID, auditSubjectID); - } else { //very unlikely - CMS.debug(method + "sessionContext null; cannot update auditSubjectID"); - } + auditSubjectID = (String) + sessionContext.get(SessionContext.USER_ID); + CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID); + CMS.debug(method + "identity verified. Updating auditSubjectID"); + CMS.debug(method + "updated auditSubjectID is:"+ ident_string); + auditSubjectID = ident_string; + sessionContext.put(SessionContext.USER_ID, auditSubjectID); auditMessage = CMS.getLogMessage( AuditEvent.CMC_PROOF_OF_IDENTIFICATION, diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java index c130a1e68..8e472985e 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java @@ -43,6 +43,7 @@ import org.mozilla.jss.asn1.SEQUENCE; import org.mozilla.jss.asn1.SET; import org.mozilla.jss.asn1.UTF8String; import org.mozilla.jss.crypto.DigestAlgorithm; +import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.SignatureAlgorithm; import org.mozilla.jss.pkcs11.PK11PubKey; import org.mozilla.jss.pkix.cert.Certificate; @@ -433,10 +434,7 @@ public class CMCOutputTemplate { ResponseBody respBody = new ResponseBody(controlSeq, cmsSeq, otherMsgSeq); - if (respBody != null) - CMS.debug(method + " after new ResponseBody, respBody not null"); - else - CMS.debug(method + " after new ResponseBody, respBody null"); + CMS.debug(method + " after new ResponseBody, respBody not null"); ContentInfo contentInfo = getContentInfo(respBody, certs); ByteArrayOutputStream fos = new ByteArrayOutputStream(); @@ -489,30 +487,25 @@ public class CMCOutputTemplate { CMS.debug(method + "popChallengeRequired true"); byte[] cmc_msg = req.getExtDataInByteArray(IEnrollProfile.CTX_CERT_REQUEST); - byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData"); + byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData"); //don't need this for encryptedPOP, but need to check for existence anyway - byte[] pop_sysPubEncreyptedSession = req.getExtDataInByteArray("pop_sysPubEncreyptedSession"); - byte[] pop_userPubEncreyptedSession = req.getExtDataInByteArray("pop_userPubEncreyptedSession"); - if ((pop_encreyptedData != null) && - (pop_sysPubEncreyptedSession != null) && - (pop_userPubEncreyptedSession != null)) { + byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession"); + byte[] pop_userPubEncryptedSession = req.getExtDataInByteArray("pop_userPubEncryptedSession"); + if ((pop_encryptedData != null) && + (pop_sysPubEncryptedSession != null) && + (pop_userPubEncryptedSession != null)) { // generate encryptedPOP here // algs are hard-coded for now try { EnvelopedData envData = CryptoUtil.createEnvelopedData( - pop_encreyptedData, - pop_userPubEncreyptedSession); + pop_encryptedData, + pop_userPubEncryptedSession); if (envData == null) { msg = "envData null returned by createEnvelopedData"; throw new EBaseException(method + msg); } ContentInfo ci = new ContentInfo(envData); - if (ci == null) { - msg = "ci null from new ContentInfo"; - CMS.debug(msg); - throw new EBaseException(method + msg); - } CMS.debug(method + "now we can compose encryptedPOP"); TaggedRequest.Template tReqTemplate = new TaggedRequest.Template(); @@ -524,17 +517,18 @@ public class CMCOutputTemplate { throw new EBaseException(method + msg); } + // TODO(alee) The code below should be replaced by code that generates a random IV + byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + + OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID(); + AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv)); + encPop = new EncryptedPOP( tReq, ci, - CryptoUtil.getDefaultEncAlg(), + aid, CryptoUtil.getDefaultHashAlg(), new OCTET_STRING(req.getExtDataInByteArray("pop_witness"))); - if (encPop == null) { - msg = "encPop null returned by new EncryptedPOP"; - CMS.debug(msg); - throw new EBaseException(method + msg); - } } catch (Exception e) { CMS.debug(method + " excepton:" + e); |