diff options
| author | Ade Lee <alee@redhat.com> | 2017-02-28 12:18:29 -0500 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-03-14 17:09:09 -0400 |
| commit | d13181faea23cdb5a07136d3fdabeedb70effda9 (patch) | |
| tree | b944588c3adfd297bcda4b4a26360d982557e3da /base/server/cmscore | |
| parent | e1789708a9a6f66c3e3f1478e7bbc03da5b3b0df (diff) | |
| download | pki-d13181faea23cdb5a07136d3fdabeedb70effda9.tar.gz pki-d13181faea23cdb5a07136d3fdabeedb70effda9.tar.xz pki-d13181faea23cdb5a07136d3fdabeedb70effda9.zip | |
Change internal wrapping to AES
There are several changes in this patch:
1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the
TransportUnit into those classes. This helps to determine which methods are called by
which class (because in general they require different arguments). It may be possible
to later simplify and reduce code repetition by pulling core functionality back into
the EncryptionUnit.
2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values
as part of the KeyRecord when the key is stored. On retrieval, this data is read and
used to extract the data. If the data is not present, then use the old DES3 parameters.
3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap
for storage by default. If a parameter kra.storageUnit.useOldWrapping=true, then
the old wrapping will be used instead.
Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562
Diffstat (limited to 'base/server/cmscore')
| -rw-r--r-- | base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java index 90050132b..31459aefa 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java +++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java @@ -22,11 +22,16 @@ import java.util.Date; import java.util.Enumeration; import java.util.Vector; +import org.apache.commons.codec.binary.Base64; +import org.mozilla.jss.crypto.IVParameterSpec; + import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.dbs.IDBObj; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.KeyState; +import com.netscape.certsrv.security.WrappingParams; +import com.netscape.cms.servlet.key.KeyRecordParser; /** * A class represents a Key record. It maintains the key @@ -397,4 +402,89 @@ public class KeyRecord implements IDBObj, IKeyRecord { public String getRealm() throws EBaseException { return realm; } + + public void setWrappingParams(WrappingParams params) throws Exception { + if (mMetaInfo == null) { + mMetaInfo = new MetaInfo(); + } + // set session key parameters + mMetaInfo.set(KeyRecordParser.OUT_SK_LENGTH, String.valueOf(params.getSkLength())); + if (params.getSkType() != null) { + mMetaInfo.set(KeyRecordParser.OUT_SK_TYPE, params.getSkType().toString()); + } + if (params.getSkKeyGenAlgorithm() != null) { + // JSS doesn't have a name map or a functional OID map + // for now, save the "name" + mMetaInfo.set(KeyRecordParser.OUT_SK_KEYGEN_ALGORITHM, params.getSkKeyGenAlgorithm().toString()); + } + if (params.getSkWrapAlgorithm() != null) { + mMetaInfo.set(KeyRecordParser.OUT_SK_WRAP_ALGORITHM, params.getSkWrapAlgorithm().toString()); + } + + // set payload parameters + if (params.getPayloadEncryptionAlgorithm() != null) { + mMetaInfo.set(KeyRecordParser.OUT_PL_ENCRYPTION_ALGORITHM, params.getPayloadEncryptionAlgorithm().getAlg().toString()); + mMetaInfo.set(KeyRecordParser.OUT_PL_ENCRYPTION_MODE, params.getPayloadEncryptionAlgorithm().getMode().toString()); + mMetaInfo.set(KeyRecordParser.OUT_PL_ENCRYPTION_PADDING, params.getPayloadEncryptionAlgorithm().getPadding().toString()); + } + if (params.getPayloadWrapAlgorithm() != null) { + mMetaInfo.set(KeyRecordParser.OUT_PL_WRAP_ALGORITHM, params.getPayloadWrapAlgorithm().toString()); + } + if (params.getPayloadWrappingIV() != null) { + // store as base64 encoded string + mMetaInfo.set( + KeyRecordParser.OUT_PL_WRAP_IV, + Base64.encodeBase64String(params.getPayloadWrappingIV().getIV()) + ); + } + if (params.getPayloadEncryptionIV() != null) { + // store as base 64 encoded string + mMetaInfo.set( + KeyRecordParser.OUT_PL_ENCRYPTION_IV, + Base64.encodeBase64String(params.getPayloadEncryptionIV().getIV()) + ); + } + + } + + public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception { + if ((mMetaInfo == null) || (mMetaInfo.get(KeyRecordParser.OUT_SK_TYPE) == null)) { + // This is likely a legacy record. Return the old DES3 parameters. + // TODO(alee) modify to pass this in - to keep bean-ness + return oldParams; + } + + WrappingParams params = new WrappingParams(); + params.setSkType(mMetaInfo.get(KeyRecordParser.OUT_SK_TYPE).toString()); + params.setSkLength(Integer.parseInt(mMetaInfo.get(KeyRecordParser.OUT_SK_LENGTH).toString())); + + Object data = mMetaInfo.get(KeyRecordParser.OUT_SK_WRAP_ALGORITHM); + if (data != null) params.setSkWrapAlgorithm(data.toString()); + + data = mMetaInfo.get(KeyRecordParser.OUT_SK_KEYGEN_ALGORITHM); + if (data != null) params.setSkKeyGenAlgorithm(data.toString()); + + data = mMetaInfo.get(KeyRecordParser.OUT_PL_WRAP_ALGORITHM); + if (data != null) params.setPayloadWrapAlgorithm(data.toString()); + + params.setPayloadEncryptionAlgorithm( + mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTION_ALGORITHM).toString(), + mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTION_MODE).toString(), + mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTION_PADDING).toString(), + Integer.parseInt(mMetaInfo.get(KeyRecordParser.OUT_SK_LENGTH).toString())); + + data = mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTION_IV); + if (data != null) { + byte[] iv = Base64.decodeBase64(data.toString()); + params.setPayloadEncryptionIV(new IVParameterSpec(iv)); + } + + data = mMetaInfo.get(KeyRecordParser.OUT_PL_WRAP_IV); + if (data != null) { + byte[] iv = Base64.decodeBase64(data.toString()); + params.setPayloadWrappingIV(new IVParameterSpec(iv)); + } + + return params; + } } |