diff options
author | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-06-13 11:27:59 -0700 |
---|---|---|
committer | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2016-07-01 17:09:34 -0700 |
commit | 0f056221d096a30307834265ecd1c527087bb0f7 (patch) | |
tree | d81d3a5616cc90136ae09705ebb1c10f543a0691 /base/tks | |
parent | cfab57d057c7ada71ea9c360c278249d14e018d9 (diff) | |
download | pki-0f056221d096a30307834265ecd1c527087bb0f7.tar.gz pki-0f056221d096a30307834265ecd1c527087bb0f7.tar.xz pki-0f056221d096a30307834265ecd1c527087bb0f7.zip |
Separated TPS does not automatically receive shared secret from remote TKS.
Support to allow the TPS to do the following:
1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
3. The TPS then imports the wrapped shared secret into it's own internal NSS db permanenty and.
4. Given a name that is mapped to the TPS's id string.
Additional fixes:
1. The TKS was modified to actually be able to use multiple shared secrets registered by
multiple TPS instances.
Caveat:
At this point if the same remote TPS instance is created over and over again, the TPS's user
in the TKS will accumulate "userCert" attributes, making the exportation of teh shared secret
not functional. At this point we need to assume that the TPS user has ONE "userCert" registered
at this time.
Diffstat (limited to 'base/tks')
-rw-r--r-- | base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java | 147 |
1 files changed, 120 insertions, 27 deletions
diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java index bc655d6d0..a2d18f166 100644 --- a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java +++ b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java @@ -1,5 +1,6 @@ package org.dogtagpki.server.tks.rest; +import java.io.CharConversionException; import java.io.IOException; import java.net.URI; import java.security.InvalidAlgorithmParameterException; @@ -10,6 +11,7 @@ import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.Collection; import java.util.Iterator; +import java.util.List; import java.util.TreeSet; import javax.servlet.http.HttpServletRequest; @@ -20,8 +22,13 @@ import javax.ws.rs.core.UriInfo; import org.apache.commons.lang.ArrayUtils; import org.apache.commons.lang.StringUtils; import org.jboss.resteasy.plugins.providers.atom.Link; +import org.mozilla.jss.CryptoManager; import org.mozilla.jss.CryptoManager.NotInitializedException; +import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.InvalidKeyFormatException; +import org.mozilla.jss.crypto.KeyGenAlgorithm; +import org.mozilla.jss.crypto.KeyGenerator; +import org.mozilla.jss.crypto.SymmetricKey; import org.mozilla.jss.crypto.TokenException; import com.netscape.certsrv.apps.CMS; @@ -60,30 +67,32 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou public Response findConnectors(Integer start, Integer size) { try { String tpsList = cs.getString(TPS_LIST, ""); - Iterator<String> entries = Arrays.asList(StringUtils.split(tpsList,",")).iterator(); + Iterator<String> entries = Arrays.asList(StringUtils.split(tpsList, ",")).iterator(); TPSConnectorCollection response = new TPSConnectorCollection(); int i = 0; // skip to the start of the page - for ( ; i<start && entries.hasNext(); i++) entries.next(); + for (; i < start && entries.hasNext(); i++) + entries.next(); // return entries up to the page size - for ( ; i<start+size && entries.hasNext(); i++) { + for (; i < start + size && entries.hasNext(); i++) { response.addEntry(createTPSConnectorData(entries.next())); } // count the total entries - for ( ; entries.hasNext(); i++) entries.next(); + for (; entries.hasNext(); i++) + entries.next(); response.setTotal(i); if (start > 0) { - URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start-size, 0)).build(); + URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start - size, 0)).build(); response.addLink(new Link("prev", uri)); } - if (start+size < i) { - URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start+size).build(); + if (start + size < i) { + URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start + size).build(); response.addLink(new Link("next", uri)); } @@ -114,7 +123,8 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou public TPSConnectorData getConnectorData(String id) { - if (id == null) throw new BadRequestException("TPS connector ID is null."); + if (id == null) + throw new BadRequestException("TPS connector ID is null."); try { if (!connectorExists(id)) @@ -131,8 +141,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou @Override public Response getConnector(String host, String port) { - if (host == null) throw new BadRequestException("TPS connector host is null."); - if (port == null) throw new BadRequestException("TPS connector port is null."); + if (host == null) + throw new BadRequestException("TPS connector host is null."); + if (port == null) + throw new BadRequestException("TPS connector port is null."); try { String id = getConnectorID(host, port); @@ -151,8 +163,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou @Override public Response createConnector(String tpsHost, String tpsPort) { - if (tpsHost == null) throw new BadRequestException("TPS connector host is null."); - if (tpsPort == null) throw new BadRequestException("TPS connector port is null."); + if (tpsHost == null) + throw new BadRequestException("TPS connector host is null."); + if (tpsPort == null) + throw new BadRequestException("TPS connector port is null."); try { String id = getConnectorID(tpsHost, tpsPort); @@ -245,7 +259,8 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou if (StringUtils.isEmpty(id)) throw new BadRequestException("Attempt to delete TPS connection with null or empty id"); - if (!connectorExists(id)) return createNoContentResponse(); + if (!connectorExists(id)) + return createNoContentResponse(); deleteSharedSecret(id); cs.removeSubStore("tps." + id); @@ -263,8 +278,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou @Override public Response deleteConnector(String host, String port) { - if (host == null) throw new BadRequestException("TPS connector host is null."); - if (port == null) throw new BadRequestException("TPS connector port is null."); + if (host == null) + throw new BadRequestException("TPS connector host is null."); + if (port == null) + throw new BadRequestException("TPS connector port is null."); String id; try { @@ -281,7 +298,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou @Override public Response createSharedSecret(String id) { - if (id == null) throw new BadRequestException("TPS connector ID is null."); + CMS.debug("TPSConnectorService.createSharedSecret.id: " + id); + + if (id == null) + throw new BadRequestException("TPS connector ID is null."); try { if (!connectorExists(id)) { @@ -293,9 +313,13 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou // get user cert IUser user = userGroupManager.getUser(userid); + + CMS.debug("TPSConnectorService.createSharedSecret.userid: " + userid); X509Certificate[] certs = user.getX509Certificates(); String nickname = userid + " sharedSecret"; + + CMS.debug("TPSConnectorService.createSharedSecret. nickname: " + nickname); if (CryptoUtil.sharedSecretExists(nickname)) { throw new BadRequestException("Shared secret already exists"); } @@ -305,9 +329,21 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou cs.putString("tps." + id + ".nickname", nickname); cs.commit(true); - byte[] wrappedKey = CryptoUtil.exportSharedSecret(nickname, certs[0]); + //Create des3 session sym key to wrap the shared secret. + SymmetricKey tempKey = createDes3SessionKeyOnInternal(); + + if (tempKey == null) { + return createNoContentResponse(); + } + + List<byte[]> listWrappedKeys = CryptoUtil.exportSharedSecret(nickname, certs[0], tempKey); + + byte[] wrappedSessionKey = listWrappedKeys.get(0); + byte[] wrappedSharedSecret = listWrappedKeys.get(1); + KeyData keyData = new KeyData(); - keyData.setWrappedPrivateData(Utils.base64encode(wrappedKey)); + keyData.setWrappedPrivateData(Utils.base64encode(wrappedSessionKey)); + keyData.setAdditionalWrappedPrivateData(Utils.base64encode(wrappedSharedSecret)); return createOKResponse(keyData); @@ -341,7 +377,8 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou @Override public Response replaceSharedSecret(String id) { - if (id == null) throw new BadRequestException("TPS connector ID is null."); + if (id == null) + throw new BadRequestException("TPS connector ID is null."); try { if (!connectorExists(id)) { @@ -362,9 +399,22 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou CryptoUtil.deleteSharedSecret(nickname); CryptoUtil.createSharedSecret(nickname); - byte[] wrappedKey = CryptoUtil.exportSharedSecret(nickname, certs[0]); + + //Create des3 session sym key to wrap the shared secret. + SymmetricKey tempKey = createDes3SessionKeyOnInternal(); + + if (tempKey == null) { + return createNoContentResponse(); + } + + List<byte[]> listWrappedKeys = CryptoUtil.exportSharedSecret(nickname,certs[0], tempKey); + + byte[] wrappedSessionKey = listWrappedKeys.get(0); + byte[] wrappedSharedSecret = listWrappedKeys.get(1); + KeyData keyData = new KeyData(); - keyData.setWrappedPrivateData(Utils.base64encode(wrappedKey)); + keyData.setWrappedPrivateData(Utils.base64encode(wrappedSessionKey)); + keyData.setAdditionalWrappedPrivateData(Utils.base64encode(wrappedSharedSecret)); return createOKResponse(keyData); @@ -380,7 +430,8 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou @Override public Response deleteSharedSecret(String id) { - if (id == null) throw new BadRequestException("TPS connector ID is null."); + if (id == null) + throw new BadRequestException("TPS connector ID is null."); try { if (!connectorExists(id)) { @@ -415,8 +466,10 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou @Override public Response getSharedSecret(String id) { - if (id == null) throw new BadRequestException("TPS connector ID is null."); + if (id == null) + throw new BadRequestException("TPS connector ID is null."); + CMS.debug("TPSConnectorServlet.getSharedSecret: id : " + id); try { if (!connectorExists(id)) { throw new ResourceNotFoundException("TPS connection does not exist"); @@ -434,9 +487,20 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou IUser user = userGroupManager.getUser(userid); X509Certificate[] certs = user.getX509Certificates(); - byte[] wrappedKey = CryptoUtil.exportSharedSecret(nickname, certs[0]); + //Create des3 session sym key to wrap the shared secrt. + SymmetricKey tempKey = createDes3SessionKeyOnInternal(); + + if (tempKey == null) { + return createNoContentResponse(); + } + + List<byte[]> listWrappedKeys = CryptoUtil.exportSharedSecret(nickname, certs[0], tempKey); + byte[] wrappedSessionKey = listWrappedKeys.get(0); + byte[] wrappedSharedSecret = listWrappedKeys.get(1); + KeyData keyData = new KeyData(); - keyData.setWrappedPrivateData(Utils.base64encode(wrappedKey)); + keyData.setWrappedPrivateData(Utils.base64encode(wrappedSessionKey)); + keyData.setAdditionalWrappedPrivateData(Utils.base64encode(wrappedSharedSecret)); return createOKResponse(keyData); @@ -456,7 +520,7 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou private String getConnectorID(String host, String port) throws EBaseException { String tpsList = cs.getString(TPS_LIST, ""); - for (String tpsID : StringUtils.split(tpsList,",")) { + for (String tpsID : StringUtils.split(tpsList, ",")) { TPSConnectorData data = createTPSConnectorData(tpsID); if (data.getHost().equals(host) && data.getPort().equals(port)) return tpsID; @@ -486,7 +550,36 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou sorted.addAll(Arrays.asList(StringUtils.split(tpsList, ","))); int index = 0; - while (sorted.contains(Integer.toString(index))) index++; + while (sorted.contains(Integer.toString(index))) + index++; return Integer.toString(index); } + + private SymmetricKey createDes3SessionKeyOnInternal() throws EBaseException { + + SymmetricKey tempKey = null; + try { + CryptoManager cm = CryptoManager.getInstance(); + CryptoToken token = cm.getInternalKeyStorageToken(); + KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3); + + SymmetricKey.Usage usages[] = new SymmetricKey.Usage[4]; + usages[0] = SymmetricKey.Usage.WRAP; + usages[1] = SymmetricKey.Usage.UNWRAP; + usages[2] = SymmetricKey.Usage.ENCRYPT; + usages[3] = SymmetricKey.Usage.DECRYPT; + + kg.setKeyUsages(usages); + kg.temporaryKeys(true); + tempKey = kg.generate(); + } catch (NoSuchAlgorithmException | TokenException | IllegalStateException | CharConversionException + | NotInitializedException e) { + CMS.debug("TPSConnectorService.createDes3SesisonKeyOnInternal: Can't generate temporary session key."); + + throw new EBaseException(e); + } + + return tempKey; + } + } |