author | Christina Fu <cfu@redhat.com> | 2017-03-10 19:50:13 -0800 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2017-03-28 09:13:43 -0400 |
commit | 58b0563caac110e6950657eb9894c6981f179452 (patch) | |
tree | 11d7fbec8a513b85e1f11146476fc819dd7189a1 /base/util | |
parent | 5f2d025962afa34deca93c3b46ff374376c0ea43 (diff) | |
Bug 1419742: CMC RFE: provide Proof of Possession for encryption cert requests. CMC encryptedPOP and decryptedPOP (Phase 1); also disable lraPOPwitness. This patch implements the Proof of Possession for encryption-only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
Diffstat (limited to 'base/util')
-rw-r--r-- | base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 70 |
1 files changed, 69 insertions, 1 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index e3a378ebc..716a3f23f 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -55,10 +55,13 @@ import org.mozilla.jss.asn1.ANY;
 import org.mozilla.jss.asn1.ASN1Util;
 import org.mozilla.jss.asn1.ASN1Value;
 import org.mozilla.jss.asn1.BIT_STRING;
+import org.mozilla.jss.asn1.INTEGER;
 import org.mozilla.jss.asn1.InvalidBERException;
+import org.mozilla.jss.asn1.NULL;
 import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
 import org.mozilla.jss.asn1.OCTET_STRING;
 import org.mozilla.jss.asn1.SEQUENCE;
+import org.mozilla.jss.asn1.SET;
 import org.mozilla.jss.crypto.Algorithm;
 import org.mozilla.jss.crypto.BadPaddingException;
 import org.mozilla.jss.crypto.Cipher;
@@ -89,7 +92,11 @@ import org.mozilla.jss.crypto.X509Certificate;
 import org.mozilla.jss.pkcs11.PK11ECPublicKey;
 import org.mozilla.jss.pkcs11.PK11PubKey;
 import org.mozilla.jss.pkcs12.PasswordConverter;
-import org.mozilla.jss.pkcs7.EncryptedContentInfo;
+import org.mozilla.jss.pkcs7.IssuerAndSerialNumber;
+import org.mozilla.jss.pkcs7.RecipientInfo;
+import org.mozilla.jss.pkix.cms.ContentInfo;
+import org.mozilla.jss.pkix.cms.EncryptedContentInfo;
+import org.mozilla.jss.pkix.cms.EnvelopedData;
 import org.mozilla.jss.pkix.crmf.CertReqMsg;
 import org.mozilla.jss.pkix.crmf.CertRequest;
 import org.mozilla.jss.pkix.crmf.CertTemplate;
@@ -2391,6 +2398,41 @@ public class CryptoUtil {
 }
 /**
+ * for CMC encryptedPOP
+ */
+ public static EnvelopedData createEnvelopedData(byte[] encContent, byte[] encSymKey)
+ throws Exception {
+ String method = "CryptoUtl: createEnvelopedData: ";
+ System.out.println(method + "begins");
+
+ EncryptedContentInfo encCInfo = new EncryptedContentInfo(
+ ContentInfo.DATA,
+ getDefaultEncAlg(),
+ new OCTET_STRING(encContent));
+
+ Name name = new Name();
+ name.addCommonName("unUsedIssuerName"); //unused; okay for cmc EncryptedPOP
+ RecipientInfo recipient = new RecipientInfo(
+ new INTEGER(0), //per rfc2315
+ new IssuerAndSerialNumber(name, new INTEGER(0)), //unUsed
+ new AlgorithmIdentifier(RSA_ENCRYPTION, new NULL()),
+ new OCTET_STRING(encSymKey));
+
+ SET recipients = new SET();
+ recipients.addElement(recipient);
+
+ EnvelopedData envData = new EnvelopedData(
+ new INTEGER(0),
+ recipients,
+ encCInfo);
+
+ return envData;
+ }
+
+ /* PKCS 1 - rsaEncryption */
+ public static OBJECT_IDENTIFIER RSA_ENCRYPTION = new OBJECT_IDENTIFIER(new long[] { 1, 2, 840, 113549, 1, 1, 1 });
+
+ /**
 * The following are convenience routines for quick preliminary
 * feature development or test programs that would just take
 * the defaults
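Review bot: `RSA_ENCRYPTION` is declared `public static` without `final`, so any code in the JVM can reassign the OID that `createEnvelopedData` writes into the RecipientInfo key-encryption algorithm; declare it `public static final OBJECT_IDENTIFIER RSA_ENCRYPTION = ...`. The method also labels the content with `getDefaultEncAlg()` and the wrapped key with rsaEncryption regardless of how the caller actually produced `encContent` and `encSymKey`, so the EnvelopedData can misdescribe its own ciphertext (presumably including any IV carried in the algorithm parameters; `getDefaultEncAlg()` is defined outside the hunk). Taking the algorithm identifiers as parameters, or at least stating the requirement in the Javadoc, would make that contract explicit. The `System.out.println` trace, with the `CryptoUtl` typo in its prefix, would be better as a call to the project's logger with the class name spelled correctly.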
@@ -2538,6 +2580,32 @@ public class CryptoUtil {
 }
 return oid;
 }
+
+ /**
+ * getNameFromHashAlgorithm returns the hashing algorithm name
+ * from input Algorithm
+ *
+ * @param ai the hashing algorithm AlgorithmIdentifier
+ * @return name of the hashing algorithm
+ *
+ */
+ public static String getNameFromHashAlgorithm(AlgorithmIdentifier ai)
+ throws NoSuchAlgorithmException {
+ OBJECT_IDENTIFIER oid = null;
+
+ System.out.println("CryptoUtil: getNameFromHashAlgorithm: " + ai.getOID().toString());
+ if (ai != null) {
+ if (ai.getOID().equals((DigestAlgorithm.SHA256).toOID())) {
+ return "SHA-256";
+ } else if (ai.getOID().equals((DigestAlgorithm.SHA384).toOID())) {
+ return "SHA-384";
+ } else if (ai.getOID().equals((DigestAlgorithm.SHA512).toOID())) {
+ return "SHA-512";
+ }
+ }
+ throw new NoSuchAlgorithmException();
+ }
+
 }
 // START ENABLE_ECC |
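Review bot: The `System.out.println` at the top of `getNameFromHashAlgorithm` dereferences `ai.getOID()` before the `if (ai != null)` test, so a null argument raises NullPointerException and the null check below it can never be false. Check first, e.g. `if (ai == null) throw new NoSuchAlgorithmException("null AlgorithmIdentifier");`, and put the OID into the final exception message (`throw new NoSuchAlgorithmException("unsupported hash OID: " + ai.getOID());`) so a rejected algorithm can be identified in logs. The local `oid` is assigned null and never used, and can be removed.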