authorAde Lee <alee@redhat.com>2017-05-26 13:06:18 -0400
committerAde Lee <alee@redhat.com>2017-06-07 16:00:41 -0400
commit38df4274214938ceece85627abb6d4fe77b960ff (patch)
treec3361a13185302f03ddb4162aa04f5816190c27d /base/server/cms/src
parent9db838825b60719e6670c92957db3f33c5b12ae0 (diff)
Refactor client to not use keysets
It is simpler to tell the client which algorithm to use for key wrapping and encryption, rather than use key sets. Therefore: * KRAInfo and CAInfo are refactored to provide the algorithms required for key wrapping and encryption. * Client is modified to use these parameters to determine which algorithms to use. * We specify the OIDs that will be used in the PKIArchiveOptions more correctly. The options are basically: AES-128-CBC, DES3-CBC, AES KeyWrap/Pad Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
Diffstat (limited to 'base/server/cms/src')
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java18
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java40
2 files changed, 49 insertions, 9 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
index 398f49982..52c9ca00f 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
@@ -28,6 +28,8 @@ import org.dogtagpki.common.CAInfo;
import org.dogtagpki.common.CAInfoResource;
import org.dogtagpki.common.KRAInfo;
import org.dogtagpki.common.KRAInfoClient;
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
+import org.mozilla.jss.crypto.KeyWrapAlgorithm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -73,7 +75,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
// KRA-related fields (the initial values are only used if we
// did not yet receive authoritative info from KRA)
private static String archivalMechanism = KRAInfoService.KEYWRAP_MECHANISM;
- private static String wrappingKeySet = "0";
+ private static String encryptAlgorithm;
+ private static String keyWrapAlgorithm;
@Override
public Response getInfo() throws Exception {
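Review bot: `encryptAlgorithm` and `keyWrapAlgorithm` are declared without initial values, although the comment above says the initial values are what is used until authoritative KRA info arrives, and the removed `wrappingKeySet` had one. The later hunk that assigns them from `kraInfo.getEncryptAlgorithm()` and `kraInfo.getWrapAlgorithm()` also copies whatever the KRA returned, so a KRA that answers but omits these fields would presumably leave them null and `getInfo()` would advertise null algorithms to clients. Consider giving both fields an explicit default and overwriting them only with a non-null value from the set the commit message lists, e.g. `if (alg != null) encryptAlgorithm = alg;`. The surrounding method bodies are outside the hunks, so the exact call order is not visible here.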
@@ -116,7 +119,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
}
info.setArchivalMechanism(archivalMechanism);
- info.setWrappingKeySet(wrappingKeySet);
+ info.setEncryptAlgorithm(encryptAlgorithm);
+ info.setKeyWrapAlgorithm(keyWrapAlgorithm);
}
}
@@ -125,10 +129,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo();
archivalMechanism = kraInfo.getArchivalMechanism();
-
- // request succeeded; the KRA is 10.4 or higher,
- // therefore supports key set v1
- wrappingKeySet = "1";
+ encryptAlgorithm = kraInfo.getEncryptAlgorithm();
+ keyWrapAlgorithm = kraInfo.getWrapAlgorithm();
// mark info as authoritative
kraInfoAuthoritative = true;
@@ -137,8 +139,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
// The KRAInfoResource was added in 10.4,
// so we are talking to a pre-10.4 KRA
- // pre-10.4 only supports key set v0
- wrappingKeySet = "0";
+ encryptAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD.toString();
+ keyWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD.toString();
// pre-10.4 KRA does not advertise the archival
// mechanism; look for the old knob in CA's config
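Review bot: The pre-10.4 branch now selects `DES3_CBC_PAD` for both encryption and key wrapping without leaving any record that it did so. Since this is a fallback to a legacy cipher driven by the peer's version, a log line such as `logger.warn("KRA does not provide KRAInfo; falling back to DES3 for key archival");` would let operators find CAs that are still paired with old KRAs. The values here come from `toString()` on the JSS algorithm objects while the fallback in KRAInfoService is the literal `"AES/CBC/Padding"`, so it is worth confirming both follow the format the client parses. The enclosing catch block starts and ends outside the hunk.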
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
index c4b3252b2..a9c3cdfc1 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
@@ -29,14 +29,25 @@ import org.slf4j.LoggerFactory;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.security.IStorageKeyUnit;
import com.netscape.cms.servlet.base.PKIService;
+import netscape.security.util.WrappingParams;
+
/**
* @author Ade Lee
*/
public class KRAInfoService extends PKIService implements KRAInfoResource {
private static Logger logger = LoggerFactory.getLogger(InfoService.class);
+ private IKeyRecoveryAuthority kra;
+ private IStorageKeyUnit storageUnit;
+
+ public KRAInfoService() {
+ kra = (IKeyRecoveryAuthority) CMS.getSubsystem("kra");
+ storageUnit = kra.getStorageKeyUnit();
+ }
@Override
public Response getInfo() throws Exception {
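Review bot: The new constructor dereferences the result of `CMS.getSubsystem("kra")` without a null check, so if the subsystem is not available when the resource is instantiated the request fails with a NullPointerException instead of a meaningful error. Consider checking the result and throwing a descriptive exception, e.g. `if (kra == null) throw new IllegalStateException("KRA subsystem not available");`. Both fields are assigned once and could be `final`, and `kra` is only used to obtain `storageUnit`, so it may not need to be a field at all.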
@@ -47,7 +58,8 @@ public class KRAInfoService extends PKIService implements KRAInfoResource {
KRAInfo info = new KRAInfo();
info.setArchivalMechanism(getArchivalMechanism());
info.setRecoveryMechanism(getRecoveryMechanism());
-
+ info.setEncryptAlgorithm(getEncryptAlgorithm());
+ info.setArchivalMechanism(getWrapAlgorithm());
return createOKResponse(info);
}
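Review bot: The second added line calls `info.setArchivalMechanism(getWrapAlgorithm())`, which overwrites the archival mechanism set three lines above with an algorithm name and never populates the wrap algorithm. CAInfoService reads `kraInfo.getWrapAlgorithm()`, so the CA would receive no wrap algorithm and a wrong archival mechanism, and that feeds directly into how clients protect keys sent for archival. The line presumably should be `info.setWrapAlgorithm(getWrapAlgorithm());` (setter name inferred from the getter used in CAInfoService, since KRAInfo is not part of this diff).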
@@ -63,5 +75,31 @@ public class KRAInfoService extends PKIService implements KRAInfoResource {
boolean encrypt_recovery = cs.getBoolean("kra.allowEncDecrypt.recovery", false);
return encrypt_recovery ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM;
}
+
+ String getWrapAlgorithm() throws EBaseException {
+ IConfigStore cs = CMS.getConfigStore();
+ boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
+ WrappingParams params = null;
+ try {
+ params = storageUnit.getWrappingParams(encrypt_archival);
+ } catch (Exception e) {
+ // return something that should always work
+ return "AES/CBC/Padding";
+ }
+ return params.getPayloadWrapAlgorithm().toString();
+ }
+
+ String getEncryptAlgorithm() throws EBaseException {
+ IConfigStore cs = CMS.getConfigStore();
+ boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
+ WrappingParams params = null;
+ try {
+ params = storageUnit.getWrappingParams(encrypt_archival);
+ } catch (Exception e) {
+ // return something that should always work
+ return "AES/CBC/Padding";
+ }
+ return params.getPayloadEncryptionAlgorithm().toString();
+ }
}
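Review bot: Both new methods catch `Exception` from `storageUnit.getWrappingParams(...)`, discard it, and return the literal `"AES/CBC/Padding"`, so the KRA can advertise an algorithm unrelated to what the storage unit actually uses, with nothing in the log. At minimum log the failure, e.g. `logger.warn("Unable to obtain wrapping params: " + e, e);`, and consider propagating it, since both methods already declare `throws EBaseException`. The same literal is returned for the wrap algorithm and for the encryption algorithm, and it should be checked against the `toString()` form produced on the success path. The two methods differ only in the final getter and could share one private helper that returns the `WrappingParams`.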