authorAde Lee <alee@redhat.com>2017-05-26 22:57:07 -0400
committerAde Lee <alee@redhat.com>2017-05-31 22:15:23 -0400
commit0984d8a114b326a75b2c32cd9da2b7dee23920bb (patch)
treeb2eb036cdda0d9119d23be0e187dc4288373b13f /base/server/cms
parent4cdb7ca8dcafd7709c4ed97c1e1054da21443aae (diff)
Convert CMC code to use AES
* Switched out CryptoUtil calls that use DES and replaced them with AES equivalents. Removed these now unneeded methods. * Added 16 byte constant IV for AES operations. This must be replaced by a randomly generated IV. Added TODOs where IVs should be replaced. * Corrected misspellings of "encreypted" in both request fields and variable names * Removed some code from null checks where the result could never be null. These cases were flagged in eclipse as dead code. Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb
Diffstat (limited to 'base/server/cms')
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java111
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java40
2 files changed, 90 insertions, 61 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
index 1443a0a6d..12fb73694 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
@@ -45,7 +45,11 @@ import org.mozilla.jss.asn1.SET;
import org.mozilla.jss.asn1.UTF8String;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.DigestAlgorithm;
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
import org.mozilla.jss.crypto.HMACAlgorithm;
+import org.mozilla.jss.crypto.IVParameterSpec;
+import org.mozilla.jss.crypto.KeyGenAlgorithm;
+import org.mozilla.jss.crypto.KeyWrapAlgorithm;
import org.mozilla.jss.crypto.PrivateKey;
import org.mozilla.jss.crypto.SymmetricKey;
import org.mozilla.jss.pkcs10.CertificationRequest;
@@ -399,6 +403,10 @@ public abstract class EnrollProfile extends BasicProfile
String tokenName = CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME);
token = CryptoUtil.getCryptoToken(tokenName);
+ // TODO(alee) Replace the IV definition with a call that generates a random IV of the correct length
+ byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+ IVParameterSpec ivps = new IVParameterSpec(iv);
+
PublicKey userPubKey = X509Key.parsePublicKey(new DerValue(req_key_data));
if (userPubKey == null) {
msg = method + "userPubKey null after X509Key.parsePublicKey";
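Review bot: The IV at L41 is a fixed all-0x01 block, and the same literal is re-declared independently in the verification path (`default_iv`, L156–157) and in CMCOutputTemplate's AlgorithmIdentifier (L260–263), so three copies of one magic value must be kept in sync by hand and nothing ties the IV the client is told about to the IV actually used for encryption. A predictable CBC IV is a known weakness even when the AES key is fresh per request; a random one can be produced with `byte[] iv = new byte[16]; new SecureRandom().nextBytes(iv);` (adding the `java.security.SecureRandom` import) and should then be persisted in the request alongside the three `pop_*` extData fields so the verification code and CMCOutputTemplate read the stored value instead of each hard-coding it. The existing TODOs acknowledge the replacement; until it lands, a comment on the literal such as `// 16-byte IV: AES block size, as required by AES_128_CBC` documents why the length matters. The enclosing method starts and ends outside the hunk.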
@@ -406,37 +414,57 @@ public abstract class EnrollProfile extends BasicProfile
throw new EBaseException(msg);
}
- SymmetricKey symKey = CryptoUtil.generateKey(token);
- byte[] pop_encreyptedData = CryptoUtil.encryptUsingSymmetricKey(
- token, symKey, challenge);
- if (pop_encreyptedData == null) {
- msg = method + "pop_encreyptedData null";
+ SymmetricKey symKey = CryptoUtil.generateKey(
+ token,
+ KeyGenAlgorithm.AES,
+ 128,
+ null,
+ true);
+
+ byte[] pop_encryptedData = CryptoUtil.encryptUsingSymmetricKey(
+ token,
+ symKey,
+ challenge,
+ EncryptionAlgorithm.AES_128_CBC,
+ ivps);
+
+ if (pop_encryptedData == null) {
+ msg = method + "pop_encryptedData null";
CMS.debug(msg);
throw new EBaseException(msg);
}
- byte[] pop_sysPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey(
- token, issuanceProtPubKey, symKey);
- if (pop_sysPubEncreyptedSession == null) {
- msg = method + "pop_sysPubEncreyptedSession null";
+ byte[] pop_sysPubEncryptedSession = CryptoUtil.wrapUsingPublicKey(
+ token,
+ issuanceProtPubKey,
+ symKey,
+ KeyWrapAlgorithm.RSA);
+
+ if (pop_sysPubEncryptedSession == null) {
+ msg = method + "pop_sysPubEncryptedSession null";
CMS.debug(msg);
throw new EBaseException(msg);
}
- byte[] pop_userPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey(
- token, userPubKey, symKey);
- if (pop_userPubEncreyptedSession == null) {
- msg = method + "pop_userPubEncreyptedSession null";
+
+ byte[] pop_userPubEncryptedSession = CryptoUtil.wrapUsingPublicKey(
+ token,
+ userPubKey,
+ symKey,
+ KeyWrapAlgorithm.RSA);
+
+ if (pop_userPubEncryptedSession == null) {
+ msg = method + "pop_userPubEncryptedSession null";
CMS.debug(msg);
throw new EBaseException(msg);
}
CMS.debug(method + "POP challenge fields generated successfully...setting request extData");
- req.setExtData("pop_encreyptedData", pop_encreyptedData);
+ req.setExtData("pop_encryptedData", pop_encryptedData);
- req.setExtData("pop_sysPubEncreyptedSession", pop_sysPubEncreyptedSession);
+ req.setExtData("pop_sysPubEncryptedSession", pop_sysPubEncryptedSession);
- req.setExtData("pop_userPubEncreyptedSession", pop_userPubEncreyptedSession);
+ req.setExtData("pop_userPubEncryptedSession", pop_userPubEncryptedSession);
// now compute and set witness
CMS.debug(method + "now compute and set witness");
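Review bot: The new key-establishment flow has no comment describing it: a fresh AES-128 key (L55–60) encrypts the challenge in CBC mode (L62–67) and is then RSA-wrapped twice, once to the issuance-protection key (L78–82) and once to the requester's key (L94–98). A header comment above L55, e.g. `// POP challenge: encrypt under a fresh AES-128-CBC session key, then RSA-wrap that key for both the CA (issuanceProtPubKey) and the requester (userPubKey)`, would let a reader see why two wrapped copies are stored. `KeyWrapAlgorithm.RSA` does not say which padding is applied; if this is PKCS#1 v1.5 wrapping (as I believe it is in JSS, but cannot confirm from the hunk), stating that in the same comment makes a later move to OAEP a deliberate choice rather than an accident. The enclosing method starts and ends outside the hunk.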
@@ -1038,19 +1066,19 @@ public abstract class EnrollProfile extends BasicProfile
}
// now verify the POP witness
- byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData");
- if (pop_encreyptedData == null) {
+ byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData");
+ if (pop_encryptedData == null) {
msg = method +
- "pop_encreyptedData not found in request:" +
+ "pop_encryptedData not found in request:" +
reqId.toString();
CMS.debug(msg);
return null;
}
- byte[] pop_sysPubEncreyptedSession = req.getExtDataInByteArray("pop_sysPubEncreyptedSession");
- if (pop_sysPubEncreyptedSession == null) {
+ byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession");
+ if (pop_sysPubEncryptedSession == null) {
msg = method +
- "pop_sysPubEncreyptedSession not found in request:" +
+ "pop_sysPubEncryptedSession not found in request:" +
reqId.toString();
CMS.debug(msg);
return null;
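Review bot: Renaming the extData keys to `pop_encryptedData` and `pop_sysPubEncryptedSession` (L119, L130) changes the persisted request format: a request whose POP challenge was generated by the pre-patch code carries the old `pop_encreyptedData` / `pop_sysPubEncreyptedSession` keys, so after an upgrade the reads here return null and verification fails with the "not found" message. Whether pending requests can straddle an upgrade is not visible from the hunk; if they can, a read fallback to the old key names or a one-time migration would avoid that, and the same reads appear in CMCOutputTemplate at L224–232. At minimum a comment at L119 such as `// extData key renamed from the misspelled pop_encreyptedData; older pending requests are not migrated` records the decision. The enclosing method continues outside the hunk.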
@@ -1082,17 +1110,31 @@ public abstract class EnrollProfile extends BasicProfile
SymmetricKey symKey = CryptoUtil.unwrap(
token,
+ SymmetricKey.AES,
+ 128,
SymmetricKey.Usage.DECRYPT,
issuanceProtPrivKey,
- pop_sysPubEncreyptedSession);
+ pop_sysPubEncryptedSession,
+ KeyWrapAlgorithm.RSA);
+
if (symKey == null) {
msg = "symKey null after CryptoUtil.unwrap returned";
CMS.debug(msg);
return null;
}
+ // TODO(alee) The code below should be replaced by code that gets the IV from the Pop request
+ // This IV is supposed to be random
+ byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+ IVParameterSpec default_iv = new IVParameterSpec(iv);
+
byte[] challenge_b = CryptoUtil.decryptUsingSymmetricKey(
- token, pop_encreyptedData, symKey);
+ token,
+ default_iv,
+ pop_encryptedData,
+ symKey,
+ EncryptionAlgorithm.AES_128_CBC);
+
if (challenge_b == null) {
msg = method + "challenge_b null after decryptUsingSymmetricKey returned";
CMS.debug(msg);
@@ -1596,23 +1638,16 @@ public abstract class EnrollProfile extends BasicProfile
witness_bytes,
hashAlg, macAlg);
- String authMgrID =
- (String) sessionContext.get(SessionContext.AUTH_MANAGER_ID);
String auditSubjectID = null;
if (verified) {
- // update auditSubjectID
- if (sessionContext != null) {
- auditSubjectID = (String)
- sessionContext.get(SessionContext.USER_ID);
- CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID);
- CMS.debug(method + "identity verified. Updating auditSubjectID");
- CMS.debug(method + "updated auditSubjectID is:"+ ident_string);
- auditSubjectID = ident_string;
- sessionContext.put(SessionContext.USER_ID, auditSubjectID);
- } else { //very unlikely
- CMS.debug(method + "sessionContext null; cannot update auditSubjectID");
- }
+ auditSubjectID = (String)
+ sessionContext.get(SessionContext.USER_ID);
+ CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID);
+ CMS.debug(method + "identity verified. Updating auditSubjectID");
+ CMS.debug(method + "updated auditSubjectID is:"+ ident_string);
+ auditSubjectID = ident_string;
+ sessionContext.put(SessionContext.USER_ID, auditSubjectID);
auditMessage = CMS.getLogMessage(
AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
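Review bot: Dropping the `sessionContext != null` guard was only justified by the earlier unconditional dereference at L173–174, which this same hunk also removes, so the null case is no longer provably unreachable; if `sessionContext` can be null here, `sessionContext.get(...)` at L190 now throws a NullPointerException where the old code logged and continued. Where `sessionContext` comes from is outside the hunk, so I cannot confirm it is always non-null; either keep the guard or add a comment at L189 stating why it cannot be null, e.g. `// sessionContext is non-null here: <reason>`. The enclosing method starts and ends outside the hunk.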
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
index c130a1e68..8e472985e 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
@@ -43,6 +43,7 @@ import org.mozilla.jss.asn1.SEQUENCE;
import org.mozilla.jss.asn1.SET;
import org.mozilla.jss.asn1.UTF8String;
import org.mozilla.jss.crypto.DigestAlgorithm;
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
import org.mozilla.jss.crypto.SignatureAlgorithm;
import org.mozilla.jss.pkcs11.PK11PubKey;
import org.mozilla.jss.pkix.cert.Certificate;
@@ -433,10 +434,7 @@ public class CMCOutputTemplate {
ResponseBody respBody = new ResponseBody(controlSeq,
cmsSeq, otherMsgSeq);
- if (respBody != null)
- CMS.debug(method + " after new ResponseBody, respBody not null");
- else
- CMS.debug(method + " after new ResponseBody, respBody null");
+ CMS.debug(method + " after new ResponseBody, respBody not null");
ContentInfo contentInfo = getContentInfo(respBody, certs);
ByteArrayOutputStream fos = new ByteArrayOutputStream();
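Review bot: With the null check gone, the remaining debug line at L217 asserts something trivially true of a freshly constructed object, so the text `respBody not null` is misleading noise for whoever reads the log; `CMS.debug(method + " after new ResponseBody");` says the same thing without implying a check took place. The enclosing method starts and ends outside the hunk.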
@@ -489,30 +487,25 @@ public class CMCOutputTemplate {
CMS.debug(method + "popChallengeRequired true");
byte[] cmc_msg = req.getExtDataInByteArray(IEnrollProfile.CTX_CERT_REQUEST);
- byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData");
+ byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData");
//don't need this for encryptedPOP, but need to check for existence anyway
- byte[] pop_sysPubEncreyptedSession = req.getExtDataInByteArray("pop_sysPubEncreyptedSession");
- byte[] pop_userPubEncreyptedSession = req.getExtDataInByteArray("pop_userPubEncreyptedSession");
- if ((pop_encreyptedData != null) &&
- (pop_sysPubEncreyptedSession != null) &&
- (pop_userPubEncreyptedSession != null)) {
+ byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession");
+ byte[] pop_userPubEncryptedSession = req.getExtDataInByteArray("pop_userPubEncryptedSession");
+ if ((pop_encryptedData != null) &&
+ (pop_sysPubEncryptedSession != null) &&
+ (pop_userPubEncryptedSession != null)) {
// generate encryptedPOP here
// algs are hard-coded for now
try {
EnvelopedData envData = CryptoUtil.createEnvelopedData(
- pop_encreyptedData,
- pop_userPubEncreyptedSession);
+ pop_encryptedData,
+ pop_userPubEncryptedSession);
if (envData == null) {
msg = "envData null returned by createEnvelopedData";
throw new EBaseException(method + msg);
}
ContentInfo ci = new ContentInfo(envData);
- if (ci == null) {
- msg = "ci null from new ContentInfo";
- CMS.debug(msg);
- throw new EBaseException(method + msg);
- }
CMS.debug(method + "now we can compose encryptedPOP");
TaggedRequest.Template tReqTemplate = new TaggedRequest.Template();
@@ -524,17 +517,18 @@ public class CMCOutputTemplate {
throw new EBaseException(method + msg);
}
+ // TODO(alee) The code below should be replaced by code that generates a random IV
+ byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+
+ OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID();
+ AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv));
+
encPop = new EncryptedPOP(
tReq,
ci,
- CryptoUtil.getDefaultEncAlg(),
+ aid,
CryptoUtil.getDefaultHashAlg(),
new OCTET_STRING(req.getExtDataInByteArray("pop_witness")));
- if (encPop == null) {
- msg = "encPop null returned by new EncryptedPOP";
- CMS.debug(msg);
- throw new EBaseException(method + msg);
- }
} catch (Exception e) {
CMS.debug(method + " excepton:" + e);