diff options
| author | Christina Fu <cfu@redhat.com> | 2017-05-15 18:15:36 -0700 |
|---|---|---|
| committer | Christina Fu <cfu@redhat.com> | 2017-05-17 11:45:14 -0700 |
| commit | 3c43b1119ca978c296a38a9fe404e1c0cdcdab63 (patch) | |
| tree | e232c34a1f4fdba15737e6d55c24ecfdaccfce13 /base/util | |
| parent | 75f588c291c1ab27e1e2b4edaa4c254a8bbc21a2 (diff) | |
| download | pki-3c43b1119ca978c296a38a9fe404e1c0cdcdab63.tar.gz pki-3c43b1119ca978c296a38a9fe404e1c0cdcdab63.tar.xz pki-3c43b1119ca978c296a38a9fe404e1c0cdcdab63.zip | |
Tocket2673- CMC: allow enrollment key signed (self-signed) CMC with identity proof
This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
Diffstat (limited to 'base/util')
3 files changed, 200 insertions, 14 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index e529a0f91..8b8c443c0 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -27,6 +27,7 @@ import java.net.SocketException; import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.KeyPair; +import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.PublicKey; @@ -127,6 +128,7 @@ import netscape.security.util.DerValue; import netscape.security.util.ObjectIdentifier; import netscape.security.util.WrappingParams; import netscape.security.x509.AlgorithmId; +import netscape.security.x509.CertAttrSet; import netscape.security.x509.CertificateAlgorithmId; import netscape.security.x509.CertificateChain; import netscape.security.x509.CertificateExtensions; @@ -136,7 +138,11 @@ import netscape.security.x509.CertificateSubjectName; import netscape.security.x509.CertificateValidity; import netscape.security.x509.CertificateVersion; import netscape.security.x509.CertificateX509Key; +import netscape.security.x509.Extension; import netscape.security.x509.Extensions; +import netscape.security.x509.KeyIdentifier; +import netscape.security.x509.PKIXExtensions; +import netscape.security.x509.SubjectKeyIdentifierExtension; import netscape.security.x509.X500Name; import netscape.security.x509.X500Signer; import netscape.security.x509.X509CertImpl; @@ -1536,10 +1542,33 @@ public class CryptoUtil { * This createCertificationRequest() allows extensions to be added to the CSR */ public static PKCS10 createCertificationRequest(String subjectName, + KeyPair keyPair, Extensions exts) + throws NoSuchAlgorithmException, NoSuchProviderException, + InvalidKeyException, IOException, CertificateException, + SignatureException { + String method = "CryptoUtil: createCertificationRequest: "; + + String alg = "SHA256withRSA"; + PublicKey pubk = keyPair.getPublic(); + X509Key key = convertPublicKeyToX509Key(pubk); + if (pubk instanceof RSAPublicKey) { + alg = "SHA256withRSA"; + } else if (isECCKey(key)) { + alg = "SHA256withEC"; + } else { + throw new NoSuchAlgorithmException(method + alg); + } + + return createCertificationRequest( + subjectName, key, (org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate(), + alg, exts); + } + + public static PKCS10 createCertificationRequest(String subjectName, X509Key pubk, PrivateKey prik, String alg, Extensions exts) throws NoSuchAlgorithmException, NoSuchProviderException, - InvalidKeyException, IOException, CertificateException, - SignatureException { + InvalidKeyException, IOException, CertificateException, + SignatureException { X509Key key = pubk; java.security.Signature sig = java.security.Signature.getInstance(alg, "Mozilla-JSS"); @@ -1548,11 +1577,12 @@ public class CryptoUtil { PKCS10 pkcs10 = null; if (exts != null && !exts.isEmpty()) { - PKCS10Attribute attr = new - PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, - exts); + PKCS10Attribute attr = new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, + exts); PKCS10Attributes attrs = new PKCS10Attributes(); + System.out.println("PKCS10: createCertificationRequest: adding attribute name =" + + attr.getAttributeValue().getName()); attrs.setAttribute(attr.getAttributeValue().getName(), attr); pkcs10 = new PKCS10(key, attrs); @@ -1566,6 +1596,51 @@ public class CryptoUtil { return pkcs10; } + public static KeyIdentifier createKeyIdentifier(KeyPair keypair) + throws NoSuchAlgorithmException, InvalidKeyException { + String method = "CryptoUtil: createKeyIdentifier: "; + System.out.println(method + "begins"); + + X509Key subjectKeyInfo = convertPublicKeyToX509Key( + keypair.getPublic()); + + byte[] hash = generateKeyIdentifier(subjectKeyInfo.getKey()); + + if (hash == null) { + System.out.println(method + + "generateKeyIdentifier returns null"); + return null; + } + return new KeyIdentifier(hash); + } + + public static byte[] generateKeyIdentifier(byte[] rawKey) { + return generateKeyIdentifier(rawKey, null); + } + + public static byte[] generateKeyIdentifier(byte[] rawKey, String alg) { + String method = "CryptoUtil: generateKeyIdentifier: "; + String msg = ""; + if (alg == null) { + alg = "SHA-1"; + } + try { + MessageDigest md = MessageDigest.getInstance(alg); + + md.update(rawKey); + byte[] hash = md.digest(); + + return hash; + } catch (NoSuchAlgorithmException e) { + msg = method + e; + System.out.println(msg); + } catch (Exception e) { + msg = method + e; + System.out.println(msg); + } + return null; + } + /** * Creates a PKCS#10 request. */ @@ -1611,6 +1686,102 @@ public class CryptoUtil { return pkcs10; } + /* + * get extention from PKCS10 request + */ + public static netscape.security.x509.Extension getExtensionFromPKCS10(PKCS10 pkcs10, String extnName) + throws IOException, CertificateException { + Extension extn = null; + + String method = "CryptoUtiil: getExtensionFromPKCS10: "; + System.out.println(method + "begins"); + + PKCS10Attributes attributeSet = pkcs10.getAttributes(); + if (attributeSet == null) { + System.out.println(method + "attributeSet not found"); + return null; + } + PKCS10Attribute attr = attributeSet.getAttribute("extensions"); + if (attr == null) { + System.out.println(method + "extensions attribute not found"); + return null; + } + System.out.println(method + attr.toString()); + + CertAttrSet cas = attr.getAttributeValue(); + if (cas == null) { + System.out.println(method + "CertAttrSet not found in PKCS10Attribute"); + return null; + } + + Enumeration<String> en = cas.getAttributeNames(); + while (en.hasMoreElements()) { + String name = en.nextElement(); + System.out.println(method + " checking extension in request:" + name); + if (name.equals(extnName)) { + System.out.println(method + "extension matches"); + extn = (Extension)cas.get(name); + } + } + + System.out.println(method + "ends"); + return extn; + } + + /* + * get extension from CRMF cert request (CertTemplate) + */ + public static netscape.security.x509.Extension getExtensionFromCertTemplate(CertTemplate certTemplate, ObjectIdentifier csOID) { + //ObjectIdentifier csOID = PKIXExtensions.SubjectKey_Id; + OBJECT_IDENTIFIER jssOID = + new OBJECT_IDENTIFIER(csOID.toString()); +/* + return getExtensionFromCertTemplate(certTemplate, jssOID); + } + public static netscape.security.x509.Extension getExtensionFromCertTemplate(CertTemplate certTemplate, org.mozilla.jss.asn1.OBJECT_IDENTIFIER jssOID) { +*/ + + String method = "CryptoUtil: getSKIExtensionFromCertTemplate: "; + Extension extn = null; + + /* + * there seems to be an issue with constructor in Extension + * when feeding SubjectKeyIdentifierExtension; + * Special-case it + */ + OBJECT_IDENTIFIER SKIoid = + new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString()); + + if (certTemplate.hasExtensions()) { + int numexts = certTemplate.numExtensions(); + for (int j = 0; j < numexts; j++) { + org.mozilla.jss.pkix.cert.Extension jssext = + certTemplate.extensionAt(j); + org.mozilla.jss.asn1.OBJECT_IDENTIFIER extnoid = + jssext.getExtnId(); + System.out.println(method + "checking extension in request:" + extnoid.toString()); + if (extnoid.equals(jssOID)) { + System.out.println(method + "extension found"); + try { + if (jssOID.equals(SKIoid)) { + extn = + new SubjectKeyIdentifierExtension(false, jssext.getExtnValue().toByteArray()); + } else { + extn = + new netscape.security.x509.Extension(csOID, false, jssext.getExtnValue().toByteArray()); + } + } catch (IOException e) { + System.out.println(method + e); + } + } + } + } else { + System.out.println(method + "no extension found"); + } + + return extn; + } + public static void unTrustCert(InternalCertificate cert) { // remove TRUSTED_CA int flag = cert.getSSLTrust(); diff --git a/base/util/src/netscape/security/pkcs/PKCS10.java b/base/util/src/netscape/security/pkcs/PKCS10.java index 0702e8238..10933b025 100644 --- a/base/util/src/netscape/security/pkcs/PKCS10.java +++ b/base/util/src/netscape/security/pkcs/PKCS10.java @@ -123,6 +123,13 @@ public class PKCS10 { byte sigData[]; Signature sig; + String method = "PKCS10: PKCS10: "; + String msg = ""; + + System.out.println(method + "begins"); + if (data == null) { + throw new IllegalArgumentException(method + "param data cann't be null"); + } certificateRequest = data; // @@ -131,9 +138,12 @@ public class PKCS10 { // in = new DerInputStream(data); seq = in.getSequence(3); + if (seq == null) { + throw new IllegalArgumentException(method + "in.getSequence null"); + } if (seq.length != 3) - throw new IllegalArgumentException("not a PKCS #10 request"); + throw new IllegalArgumentException(method + "not a PKCS #10 request"); data = seq[0].toByteArray(); // reusing this variable certRequestInfo = seq[0].toByteArray(); // make a copy @@ -152,20 +162,22 @@ public class PKCS10 { */ subject = new X500Name(seq[0].data); + msg = "Request Subject: " + subject + ": "; byte val1[] = seq[0].data.getDerValue().toByteArray(); subjectPublicKeyInfo = X509Key.parse(new DerValue(val1)); PublicKey publicKey = X509Key.parsePublicKey(new DerValue(val1)); if (publicKey == null) { - System.out.println("PKCS10: publicKey null"); - throw new SignatureException ("publicKey null"); + System.out.println(method + msg + "publicKey null"); + throw new SignatureException (method + msg + "publicKey null"); } // Cope with a somewhat common illegal PKCS #10 format - if (seq[0].data.available() != 0) + if (seq[0].data.available() != 0) { attributeSet = new PKCS10Attributes(seq[0].data); - else + } else { attributeSet = new PKCS10Attributes(); + } // // OK, we parsed it all ... validate the signature using the @@ -202,14 +214,15 @@ public class PKCS10 { sig.initVerify(publicKey); sig.update(data); if (!sig.verify(sigData)) { - System.out.println("PKCS10: sig.verify() failed"); - throw new SignatureException("Invalid PKCS #10 signature"); + System.out.println(method + msg + "sig.verify() failed"); + throw new SignatureException(method + msg + "Invalid PKCS #10 signature"); } } } catch (InvalidKeyException e) { - System.out.println("PKCS10: "+ e.toString()); - throw new SignatureException("invalid key"); + System.out.println(method + msg + e.toString()); + throw new SignatureException(method + msg + "invalid key"); } + System.out.println(method + "ends"); } public PKCS10(byte data[]) diff --git a/base/util/src/netscape/security/pkcs/PKCS10Attributes.java b/base/util/src/netscape/security/pkcs/PKCS10Attributes.java index 4c972187f..45d569565 100644 --- a/base/util/src/netscape/security/pkcs/PKCS10Attributes.java +++ b/base/util/src/netscape/security/pkcs/PKCS10Attributes.java @@ -66,6 +66,8 @@ public class PKCS10Attributes extends Vector<PKCS10Attribute> implements DerEnco for (int i = 0; i < attrs.length; i++) { PKCS10Attribute attr = new PKCS10Attribute(attrs[i]); addElement(attr); + System.out.println("PKCS10Attributes: adding attribute: " + + attr.getAttributeValue().getName()); map.put(attr.getAttributeValue().getName(), attr); } } |