| author | Endi S. Dewata <edewata@redhat.com> | 2017-01-24 16:17:10 +0100 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2017-01-27 17:52:27 +0100 |
| commit | 2fa7bc707a558da1b0c4d748d0805bdd0b60168c (patch) | |
| tree | 9a0152fb6da9db98883bc16e8ee46ae676f0eac0 /base/server/cms/src | |
| parent | 755fb2834d22131628ad1929c1bd4b1cd7592203 (diff) | |
Replaced CryptoManager.getTokenByName().
Direct invocations of CryptoManager.getTokenByName() have been
replaced with CryptoUtil.getCryptoToken() and getKeyStorageToken()
to ensure that internal token names are handled consistently both
in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
Diffstat (limited to 'base/server/cms/src')
10 files changed, 22 insertions, 62 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
index d1c04ee9b..44dbed043 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
@@ -519,11 +519,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
 savedToken = cm.getThreadToken();
- if (tokenName.equals(CryptoUtil.INTERNAL_TOKEN_NAME)) {
- signToken = cm.getInternalCryptoToken();
- } else {
- signToken = cm.getTokenByName(tokenName);
- }
+ signToken = CryptoUtil.getCryptoToken(tokenName);
 if (!savedToken.getName().equals(signToken.getName())) {
 cm.setThreadToken(signToken);
 tokenSwitched = true;
@@ -928,7 +924,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 // by default JSS will use internal crypto token
 if (!CryptoUtil.isInternalToken(tokenName)) {
 savedToken = cm.getThreadToken();
- signToken = cm.getTokenByName(tokenName);
+ signToken = CryptoUtil.getCryptoToken(tokenName);
 if(signToken != null) {
 cm.setThreadToken(signToken);
 tokenSwitched = true;
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
index 3b6916b37..8d10ec26b 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
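Review bot: The two CMCAuth hunks disagree on whether `CryptoUtil.getCryptoToken()` can return null: the hunk at line 519 dereferences `signToken.getName()` right after the call, while the hunk at line 924 keeps an `if(signToken != null)` guard around the same call. The SecureChannelProtocol hunk in this commit declares `NoSuchTokenException, NotInitializedException` for the sibling `getKeyStorageToken()` call, which suggests the helpers throw rather than return null; if that holds for `getCryptoToken()` too, the guard at 924 is dead code, and if it does not, line 519 needs the same guard, e.g. `if (signToken != null && !savedToken.getName().equals(signToken.getName())) {`. The same unguarded comparison appears in the EnrollProfile hunk at line 702 and the AddCRLServlet hunk at line 356. The enclosing methods begin and end outside these hunks.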
@@ -702,11 +702,7 @@ public abstract class EnrollProfile extends BasicProfile
 String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
 savedToken = cm.getThreadToken();
- if (CryptoUtil.isInternalToken(tokenName)) {
- signToken = cm.getInternalCryptoToken();
- } else {
- signToken = cm.getTokenByName(tokenName);
- }
+ signToken = CryptoUtil.getCryptoToken(tokenName);
 if (!savedToken.getName().equals(signToken.getName())) {
 cm.setThreadToken(signToken);
 tokenSwitched = true;
@@ -1057,14 +1053,7 @@ public abstract class EnrollProfile extends BasicProfile
 CMS.debug("EnrollProfile: parsePKCS10: signature verification enabled");
 String tokenName = CMS.getConfigStore().getString("ca.requestVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
 savedToken = cm.getThreadToken();
- CryptoToken signToken = null;
- if (tokenName.equals(CryptoUtil.INTERNAL_TOKEN_NAME)) {
- CMS.debug("EnrollProfile: parsePKCS10: use internal token");
- signToken = cm.getInternalCryptoToken();
- } else {
- CMS.debug("EnrollProfile: parsePKCS10: tokenName=" + tokenName);
- signToken = cm.getTokenByName(tokenName);
- }
+ CryptoToken signToken = CryptoUtil.getCryptoToken(tokenName);
 CMS.debug("EnrollProfile: parsePKCS10 setting thread token");
 cm.setThreadToken(signToken);
 pkcs10 = new PKCS10(data);
@@ -1514,7 +1503,7 @@ public abstract class EnrollProfile extends BasicProfile
 certReqMsg.verify();
 } else {
 CMS.debug("POP verification using token:" + tokenName);
- verifyToken = cm.getTokenByName(tokenName);
+ verifyToken = CryptoUtil.getCryptoToken(tokenName);
 certReqMsg.verify(verifyToken);
 }
diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
index 0a389fe6f..f24695145 100644
--- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
+++ b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
@@ -213,7 +213,7 @@ public abstract class EnrollInput implements IProfileInput {
 certReqMsg.verify();
 } else {
 CMS.debug("POP verification using token:" + tokenName);
- verifyToken = cm.getTokenByName(tokenName);
+ verifyToken = CryptoUtil.getCryptoToken(tokenName);
 certReqMsg.verify(verifyToken);
 }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
index eecbdbcd0..2c3c6beed 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
@@ -911,17 +911,12 @@ public final class CMSAdminServlet extends AdminServlet {
 ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
 CryptoToken token = null;
- CryptoManager mCryptoManager = null;
- try {
- mCryptoManager = CryptoManager.getInstance();
- } catch (Exception e2) {
- }
 if (!jssSubSystem.isTokenLoggedIn(selectedToken)) {
 PasswordCallback cpcb = new ConsolePasswordCallback();
 while (true) {
 try {
- token = mCryptoManager.getTokenByName(selectedToken);
+ token = CryptoUtil.getKeyStorageToken(selectedToken);
 token.login(cpcb);
 break;
 } catch (Exception e3) {
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
index 55860fad5..c2c6cde45 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
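Review bot: In the CMSAdminServlet hunk at line 911 the token lookup still sits inside the `while (true)` retry loop, so a `selectedToken` that does not resolve is retried on every iteration together with the password prompt instead of failing once; whether the loop can exit at all depends on the `catch (Exception e3)` body, which is outside the hunk. Resolving the token once ahead of `if (!jssSubSystem.isTokenLoggedIn(selectedToken)) {` with `token = CryptoUtil.getKeyStorageToken(selectedToken);` and keeping only `token.login(cpcb); break;` in the `try` limits the retry to the login it is there for. That probably requires the enclosing method to handle or declare NoSuchTokenException and NotInitializedException, which the hunk does not show.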
@@ -1963,12 +1963,11 @@ public class CRSEnrollment extends HttpServlet {
 cm = CryptoManager.getInstance();
 internalToken = cm.getInternalCryptoToken();
 DESkg = internalToken.getKeyGenerator(kga);
+ keyStorageToken = CryptoUtil.getKeyStorageToken(mTokenName);
 if (CryptoUtil.isInternalToken(mTokenName)) {
- keyStorageToken = cm.getInternalKeyStorageToken();
 internalKeyStorageToken = keyStorageToken;
 CMS.debug("CRSEnrollment: CryptoContext: internal token name: '" + mTokenName + "'");
 } else {
- keyStorageToken = cm.getTokenByName(mTokenName);
 internalKeyStorageToken = null;
 }
 if (!mUseCA && internalKeyStorageToken == null) {
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index e65035ecb..0f3153d3d 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -993,7 +993,7 @@ public class ConfigurationUtils {
 continue;
 String tokenname = cs.getString("preop.module.token", "");
- cm.getTokenByName(tokenname); // throw exception if token doesn't exist
+ CryptoUtil.getKeyStorageToken(tokenname); // throw exception if token doesn't exist
 String name1 = "preop.master." + tag + ".nickname";
 String nickname = cs.getString(name1, "");
diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java
index d2dec7310..386ce93e7 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java
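Review bot: The replaced call in the ConfigurationUtils hunk at line 993 is kept as a validation step (`// throw exception if token doesn't exist`), but `tokenname` defaults to `""` and how the helper treats an empty name is not visible here. If `CryptoUtil.getKeyStorageToken("")` resolves to the internal token, as this commit intends the helpers to do for internal token names, a missing `preop.module.token` entry now passes a check that `cm.getTokenByName("")` would presumably have failed. If accepting an empty value is intended, the comment should say so, e.g. `// resolves to the internal token when empty; throws if a named token doesn't exist`; otherwise reject the empty string before the lookup. The enclosing loop starts before the hunk.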
@@ -356,11 +356,7 @@ public class AddCRLServlet extends CMSServlet {
 String tokenName = CMS.getConfigStore().getString("ocsp.crlVerify.token", CryptoUtil.INTERNAL_TOKEN_NAME);
 savedToken = cmanager.getThreadToken();
- if (CryptoUtil.isInternalToken(tokenName)) {
- verToken = cmanager.getInternalCryptoToken();
- } else {
- verToken = cmanager.getTokenByName(tokenName);
- }
+ verToken = CryptoUtil.getCryptoToken(tokenName);
 if (!savedToken.getName().equals(verToken.getName())) {
 cmanager.setThreadToken(verToken);
 tokenSwitched = true;
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
index a5cae347b..1766f0459 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
@@ -4,7 +4,6 @@ import java.io.ByteArrayOutputStream;
 import java.io.CharConversionException;
 import java.io.IOException;
 import java.nio.ByteBuffer;
-import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
@@ -13,11 +12,9 @@ import java.util.Map;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.CryptoManager.NotInitializedException;
 import org.mozilla.jss.NoSuchTokenException;
-import org.mozilla.jss.crypto.BadPaddingException;
 import org.mozilla.jss.crypto.Cipher;
 import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.crypto.EncryptionAlgorithm;
-import org.mozilla.jss.crypto.IllegalBlockSizeException;
 import org.mozilla.jss.crypto.KeyGenAlgorithm;
 import org.mozilla.jss.crypto.KeyGenerator;
 import org.mozilla.jss.crypto.KeyWrapAlgorithm;
@@ -687,18 +684,13 @@ public class SecureChannelProtocol {
 return null;
 }
- public CryptoToken returnTokenByName(String name, CryptoManager manager) throws NoSuchTokenException {
+ public CryptoToken returnTokenByName(String name, CryptoManager manager) throws NoSuchTokenException, NotInitializedException {
 CMS.debug("returnTokenByName: requested name: " + name);
 if (name == null || manager == null) throw new NoSuchTokenException();
- if(CryptoUtil.isInternalToken(name)) {
- return manager.getInternalKeyStorageToken();
- } else {
- return manager.getTokenByName(name);
- }
-
+ return CryptoUtil.getKeyStorageToken(name);
 }
 public static byte[] makeDes3FromDes2(byte[] des2) {
@@ -795,8 +787,7 @@ public class SecureChannelProtocol {
 symKeyFinal = this.makeDes3KeyDerivedFromDes2(symKey, selectedToken);
- } catch (NoSuchAlgorithmException | TokenException | NoSuchTokenException | IllegalStateException
- | CharConversionException e) {
+ } catch (Exception e) {
 CMS.debug(method + " " + e);
 throw new EBaseException(e);
 }
@@ -874,7 +865,7 @@ public class SecureChannelProtocol {
 des3 = concat.derive();
- } catch (NoSuchTokenException | IllegalStateException | TokenException | InvalidKeyException e) {
+ } catch (Exception e) {
 CMS.debug(method + " " + e);
 throw new EBaseException(e);
 }
@@ -907,7 +898,7 @@ public class SecureChannelProtocol {
 extracted16 = extract16.derive();
- } catch (NoSuchTokenException | IllegalStateException | TokenException | InvalidKeyException e) {
+ } catch (Exception e) {
 CMS.debug(method + " " + e);
 throw new EBaseException(e);
 }
@@ -945,8 +936,7 @@ public class SecureChannelProtocol {
 keyWrap = token.getKeyWrapper(KeyWrapAlgorithm.DES3_ECB);
 keyWrap.initWrap(wrapper, null);
 wrappedSessKeyData = keyWrap.wrap(sessionKey);
- } catch (NoSuchAlgorithmException | TokenException | InvalidKeyException | InvalidAlgorithmParameterException
- | NoSuchTokenException e) {
+ } catch (Exception e) {
 CMS.debug(method + " " + e);
 throw new EBaseException(e);
 }
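Review bot: After the change at line 684, `returnTokenByName` no longer uses its `manager` parameter, yet `if (name == null || manager == null) throw new NoSuchTokenException();` still rejects callers on it, so a null manager now yields a token-not-found error for an argument the lookup ignores. Either drop the `manager == null` test and let `CryptoUtil.getKeyStorageToken(name)` report NotInitializedException itself, or mark the parameter as retained on purpose, e.g. `// manager is no longer used; kept so existing callers compile`. NotInitializedException added to the throws clause is presumably a new checked exception for every caller, and those callers are outside this hunk.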
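Review bot: Replacing the specific multi-catch with `catch (Exception e)` at line 787 widens the handler to every RuntimeException — NullPointerException, ClassCastException, IllegalArgumentException — which are then logged with `CMS.debug` and rewrapped in EBaseException, so programming errors surface as a generic crypto failure with the original type hidden. The same widening is made at 865, 898 and 936, and at 972 in the following hunk. If the purpose was only to absorb the NotInitializedException that `returnTokenByName` now declares, adding it to the existing list keeps the handler explicit: `} catch (NoSuchAlgorithmException | TokenException | NoSuchTokenException | NotInitializedException | IllegalStateException | CharConversionException e) {`. Each enclosing method begins before its hunk.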
@@ -982,9 +972,7 @@ public class SecureChannelProtocol {
 CMS.debug(method + "done doFinal");
 // SecureChannelProtocol.debugByteArray(output, "Encrypted data:");
- } catch (EBaseException | NoSuchTokenException | NoSuchAlgorithmException | TokenException
- | InvalidKeyException | InvalidAlgorithmParameterException |
- IllegalStateException | IllegalBlockSizeException | BadPaddingException e) {
+ } catch (Exception e) {
 CMS.debug(method + e);
 throw new EBaseException(method + e);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
index 39cd429df..a282cd26f 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
@@ -615,10 +615,9 @@ public class TokenServlet extends CMSServlet {
 CryptoToken token = null;
 if (useSoftToken_s.equals("true")) {
- //token = CryptoManager.getInstance().getTokenByName(selectedToken);
- token = CryptoManager.getInstance().getInternalCryptoToken();
+ token = CryptoUtil.getCryptoToken(null);
 } else {
- token = CryptoManager.getInstance().getTokenByName(selectedToken);
+ token = CryptoUtil.getCryptoToken(selectedToken);
 }
 //Now we have to create a sym key object for the wrapped session_key (dekKey)
@@ -1242,10 +1241,9 @@ public class TokenServlet extends CMSServlet {
 // wrap kek session key with DRM transport public key
 CryptoToken token = null;
 if (useSoftToken_s.equals("true")) {
- //token = CryptoManager.getInstance().getTokenByName(selectedToken);
- token = CryptoManager.getInstance().getInternalCryptoToken();
+ token = CryptoUtil.getCryptoToken(null);
 } else {
- token = CryptoManager.getInstance().getTokenByName(selectedToken);
+ token = CryptoUtil.getCryptoToken(selectedToken);
 }
 PublicKey pubKey = drmTransCert.getPublicKey();
 String pubKeyAlgo = pubKey.getAlgorithm();
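Review bot: `token = CryptoUtil.getCryptoToken(null);` in the TokenServlet soft-token branch at line 615 (and again at 1241) leaves the reader to guess that a null name selects the internal token; the other call sites in this commit express that default as `CryptoUtil.INTERNAL_TOKEN_NAME`, which the CMCAuth and AddCRLServlet hunks pass to the same helper. Assuming the helper maps that constant to the internal token — the CMCAuth hunk at 519 depends on it, having dropped its explicit INTERNAL_TOKEN_NAME check — `token = CryptoUtil.getCryptoToken(CryptoUtil.INTERNAL_TOKEN_NAME);` states the intent without relying on null handling that is not visible here. The enclosing methods run beyond both hunks.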
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 2cf76d80a..18263f74f 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -1025,8 +1025,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
 if (!CryptoUtil.isInternalToken(token)) {
 try {
- CryptoManager cryptoManager = CryptoManager.getInstance();
- CryptoToken ctoken = cryptoManager.getTokenByName(token);
+ CryptoToken ctoken = CryptoUtil.getKeyStorageToken(token);
 String tokenpwd = data.getTokenPassword();
 ConfigurationUtils.loginToken(ctoken, tokenpwd);
 } catch (NotInitializedException e) {
|
