summaryrefslogtreecommitdiffstats
path: root/base/util/src/com
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2017-03-23 00:20:32 -0400
committerAde Lee <alee@redhat.com>2017-03-23 16:16:08 -0400
commit5b7ce994b8698dca62c23e653b7a1cfeebf959e4 (patch)
treef7673ab05610d8cc8444d4482a95b1949c9eb985 /base/util/src/com
parent58bfe7d510126609969703325d7655175be5da62 (diff)
downloadpki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.tar.gz
pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.tar.xz
pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.zip
Refactor code that creates PKIArchiveOptions objects
* Refactor code in CryptoUtil to parametrize the algorithms used. * Moved WrappingParams to utils jar to allow correct compilation. * Removed code that created a PKIArchiveOptions structure from CRMFPopClient and replaced with calls to CryptoUtil methods. Note that the algorithms have been left as DES3. They will be changed to AES in the next patch. * Converted code in AuthorityKeyExportCLI to use the new methods in CryptoUtil. * Removed DRMTest this code is no longer maintained or used. Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
Diffstat (limited to 'base/util/src/com')
-rw-r--r--base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java183
1 files changed, 135 insertions, 48 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 593d93f46..e3a378ebc 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -48,8 +48,8 @@ import java.util.Vector;
import org.apache.commons.lang.StringUtils;
import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.NoSuchTokenException;
import org.mozilla.jss.CryptoManager.NotInitializedException;
+import org.mozilla.jss.NoSuchTokenException;
import org.mozilla.jss.SecretDecoderRing.KeyManager;
import org.mozilla.jss.asn1.ANY;
import org.mozilla.jss.asn1.ASN1Util;
@@ -105,7 +105,6 @@ import org.mozilla.jss.ssl.SSLSocket.SSLVersionRange;
import org.mozilla.jss.util.Base64OutputStream;
import org.mozilla.jss.util.Password;
-import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
import com.netscape.cmsutil.util.Cert;
import com.netscape.cmsutil.util.Utils;
@@ -119,6 +118,7 @@ import netscape.security.util.DerInputStream;
import netscape.security.util.DerOutputStream;
import netscape.security.util.DerValue;
import netscape.security.util.ObjectIdentifier;
+import netscape.security.util.WrappingParams;
import netscape.security.x509.AlgorithmId;
import netscape.security.x509.CertificateAlgorithmId;
import netscape.security.x509.CertificateChain;
@@ -530,19 +530,18 @@ public class CryptoUtil {
/**
* Generates a RSA key pair.
+ * @throws Exception
*/
- public static KeyPair generateRSAKeyPair(String token, int keysize)
- throws CryptoManager.NotInitializedException,
- NoSuchTokenException,
- NoSuchAlgorithmException,
- TokenException {
- CryptoToken t = getKeyStorageToken(token);
- KeyPairGenerator g = t.getKeyPairGenerator(KeyPairAlgorithm.RSA);
-
- g.initialize(keysize);
- KeyPair pair = g.genKeyPair();
+ public static KeyPair generateRSAKeyPair(String tokenName, int keysize)
+ throws Exception {
+ CryptoToken token = getKeyStorageToken(tokenName);
+ return generateRSAKeyPair(token, keysize);
+ }
- return pair;
+ public static KeyPair generateRSAKeyPair(CryptoToken token, int keysize) throws Exception {
+ KeyPairGenerator kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA);
+ kg.initialize(keysize);
+ return kg.genKeyPair();
}
public static boolean isECCKey(X509Key key) {
@@ -1919,7 +1918,7 @@ public class CryptoUtil {
}
/**
- * Generates a nonve_iv for padding.
+ * Generates a nonce_iv for padding.
*
* @return
*/
@@ -1982,55 +1981,143 @@ public class CryptoUtil {
return wrapUsingPublicKey(token, tcert.getPublicKey(), sk, KeyWrapAlgorithm.RSA);
}
- public static byte[] createPKIArchiveOptions(CryptoManager manager, CryptoToken token, String transportCert,
- SymmetricKey vek, String passphrase, KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV)
- throws Exception {
- byte[] key_data = null;
-
- //generate session key
- SymmetricKey sk = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false);
-
- if (passphrase != null) {
- key_data = wrapPassphrase(token, passphrase, IV, sk, EncryptionAlgorithm.DES3_CBC_PAD);
+ /* Used to create PKIArchiveOptions for wrapped private key */
+ public static PKIArchiveOptions createPKIArchiveOptions(
+ CryptoToken token,
+ PublicKey wrappingKey,
+ PrivateKey data,
+ WrappingParams params,
+ AlgorithmIdentifier aid) throws Exception {
+ return createPKIArchiveOptionsInternal(
+ token, wrappingKey, null, data, null, params, aid);
+ }
+
+ public static byte[] createEncodedPKIArchiveOptions(
+ CryptoToken token,
+ PublicKey wrappingKey,
+ PrivateKey data,
+ WrappingParams params,
+ AlgorithmIdentifier aid) throws Exception {
+ PKIArchiveOptions opts = createPKIArchiveOptionsInternal(
+ token, wrappingKey, null, data, null, params, aid);
+ return encodePKIArchiveOptions(opts);
+ }
+
+ /* Used to create PKIArchiveOptions for wrapped symmetric key */
+ public static PKIArchiveOptions createPKIArchiveOptions(
+ CryptoToken token,
+ PublicKey wrappingKey,
+ SymmetricKey data,
+ WrappingParams params,
+ AlgorithmIdentifier aid) throws Exception {
+ return createPKIArchiveOptionsInternal(
+ token, wrappingKey, null, null, data, params, aid);
+ }
+
+ public static byte[] createEncodedPKIArchiveOptions(
+ CryptoToken token,
+ PublicKey wrappingKey,
+ SymmetricKey data,
+ WrappingParams params,
+ AlgorithmIdentifier aid) throws Exception {
+ PKIArchiveOptions opts = createPKIArchiveOptionsInternal(
+ token, wrappingKey, null, null, data, params, aid);
+ return encodePKIArchiveOptions(opts);
+ }
+
+ /* Used to create PKIArchiveOptions for wrapped passphrase */
+ public static PKIArchiveOptions createPKIArchiveOptions(
+ CryptoToken token,
+ PublicKey wrappingKey,
+ String data,
+ WrappingParams params,
+ AlgorithmIdentifier aid) throws Exception {
+ return createPKIArchiveOptionsInternal(
+ token, wrappingKey, data, null, null, params, aid);
+ }
+
+ public static byte[] createEncodedPKIArchiveOptions(
+ CryptoToken token,
+ PublicKey wrappingKey,
+ String data,
+ WrappingParams params,
+ AlgorithmIdentifier aid) throws Exception {
+ PKIArchiveOptions opts = createPKIArchiveOptionsInternal(
+ token, wrappingKey, data, null, null, params, aid);
+ return encodePKIArchiveOptions(opts);
+ }
+
+ private static PKIArchiveOptions createPKIArchiveOptionsInternal(
+ CryptoToken token,
+ PublicKey wrappingKey,
+ String passphraseData,
+ PrivateKey privKeyData,
+ SymmetricKey symKeyData,
+ WrappingParams params,
+ AlgorithmIdentifier aid) throws Exception {
+ SymmetricKey sessionKey = CryptoUtil.generateKey(
+ token,
+ params.getSkKeyGenAlgorithm(),
+ params.getSkLength(),
+ null,
+ false);
+
+ byte[] key_data;
+ if (passphraseData != null) {
+ key_data = wrapPassphrase(
+ token,
+ passphraseData,
+ params.getPayloadEncryptionIV(),
+ sessionKey,
+ params.getPayloadEncryptionAlgorithm());
+ } else if (privKeyData != null) {
+ key_data = wrapUsingSymmetricKey(
+ token,
+ sessionKey,
+ privKeyData,
+ params.getPayloadWrappingIV(),
+ params.getPayloadWrapAlgorithm());
+ } else if (symKeyData != null) {
+ key_data = wrapUsingSymmetricKey(
+ token,
+ sessionKey,
+ symKeyData,
+ params.getPayloadWrappingIV(),
+ params.getPayloadWrapAlgorithm());
} else {
- // wrap payload using session key
- key_data = wrapUsingSymmetricKey(token, sk, vek, IV, KeyWrapAlgorithm.DES3_CBC_PAD);
+ throw new IOException("No data to package in PKIArchiveOptions!");
}
- // wrap session key using transport key
- byte[] session_data = wrapSymmetricKey(manager, token, transportCert, sk);
-
- return createPKIArchiveOptions(IV, session_data, key_data);
- }
-
- public static byte[] createPKIArchiveOptions(
- CryptoToken token, PublicKey wrappingKey, PrivateKey toBeWrapped,
- KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV)
- throws Exception {
- SymmetricKey sessionKey = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false);
- byte[] key_data = wrapUsingSymmetricKey(token, sessionKey, toBeWrapped, IV, KeyWrapAlgorithm.DES3_CBC_PAD);
+ byte[] session_data = wrapUsingPublicKey(
+ token,
+ wrappingKey,
+ sessionKey,
+ params.getSkWrapAlgorithm());
- byte[] session_data = wrapUsingPublicKey(token, wrappingKey, sessionKey, KeyWrapAlgorithm.RSA);
- return createPKIArchiveOptions(IV, session_data, key_data);
+ return createPKIArchiveOptions(session_data, key_data, aid);
}
- private static byte[] createPKIArchiveOptions(
- IVParameterSpec IV, byte[] session_data, byte[] key_data)
- throws IOException, InvalidBERException {
+ public static PKIArchiveOptions createPKIArchiveOptions(
+ byte[] session_data, byte[] key_data, AlgorithmIdentifier aid) {
// create PKIArchiveOptions structure
- AlgorithmIdentifier algS = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"),
- new OCTET_STRING(IV.getIV()));
- EncryptedValue encValue = new EncryptedValue(null, algS, new BIT_STRING(session_data, 0), null, null,
+ EncryptedValue encValue = new EncryptedValue(
+ null,
+ aid,
+ new BIT_STRING(session_data, 0),
+ null,
+ null,
new BIT_STRING(key_data, 0));
EncryptedKey key = new EncryptedKey(encValue);
- PKIArchiveOptions opt = new PKIArchiveOptions(key);
+ return new PKIArchiveOptions(key);
+ }
+ public static byte[] encodePKIArchiveOptions(PKIArchiveOptions opts) throws Exception {
byte[] encoded = null;
//Let's make sure we can decode the encoded PKIArchiveOptions..
ByteArrayOutputStream oStream = new ByteArrayOutputStream();
- opt.encode(oStream);
+ opts.encode(oStream);
encoded = oStream.toByteArray();
ByteArrayInputStream inStream = new ByteArrayInputStream(encoded);
generated by cgit (git 2.34.1) at 2026-01-06 01:54:02 +0000