authorChristina Fu <cfu@redhat.com>2017-03-10 19:50:13 -0800
committerChristina Fu <cfu@redhat.com>2017-03-28 09:13:43 -0400
commit58b0563caac110e6950657eb9894c6981f179452 (patch)
tree11d7fbec8a513b85e1f11146476fc819dd7189a1 /base/util
parent5f2d025962afa34deca93c3b46ff374376c0ea43 (diff)
Bug 1419742: CMC RFE: provide Proof of Possession for encryption cert requests CMC encryptedPOP and decryptedPOP (Phase 1) also disable lraPOPwitness This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
Diffstat (limited to 'base/util')
-rw-r--r--base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java70
1 files changed, 69 insertions, 1 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index e3a378ebc..716a3f23f 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -55,10 +55,13 @@ import org.mozilla.jss.asn1.ANY;
import org.mozilla.jss.asn1.ASN1Util;
import org.mozilla.jss.asn1.ASN1Value;
import org.mozilla.jss.asn1.BIT_STRING;
+import org.mozilla.jss.asn1.INTEGER;
import org.mozilla.jss.asn1.InvalidBERException;
+import org.mozilla.jss.asn1.NULL;
import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
import org.mozilla.jss.asn1.OCTET_STRING;
import org.mozilla.jss.asn1.SEQUENCE;
+import org.mozilla.jss.asn1.SET;
import org.mozilla.jss.crypto.Algorithm;
import org.mozilla.jss.crypto.BadPaddingException;
import org.mozilla.jss.crypto.Cipher;
@@ -89,7 +92,11 @@ import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.pkcs11.PK11ECPublicKey;
import org.mozilla.jss.pkcs11.PK11PubKey;
import org.mozilla.jss.pkcs12.PasswordConverter;
-import org.mozilla.jss.pkcs7.EncryptedContentInfo;
+import org.mozilla.jss.pkcs7.IssuerAndSerialNumber;
+import org.mozilla.jss.pkcs7.RecipientInfo;
+import org.mozilla.jss.pkix.cms.ContentInfo;
+import org.mozilla.jss.pkix.cms.EncryptedContentInfo;
+import org.mozilla.jss.pkix.cms.EnvelopedData;
import org.mozilla.jss.pkix.crmf.CertReqMsg;
import org.mozilla.jss.pkix.crmf.CertRequest;
import org.mozilla.jss.pkix.crmf.CertTemplate;
@@ -2391,6 +2398,41 @@ public class CryptoUtil {
}
/**
+ * for CMC encryptedPOP
+ */
+ public static EnvelopedData createEnvelopedData(byte[] encContent, byte[] encSymKey)
+ throws Exception {
+ String method = "CryptoUtl: createEnvelopedData: ";
+ System.out.println(method + "begins");
+
+ EncryptedContentInfo encCInfo = new EncryptedContentInfo(
+ ContentInfo.DATA,
+ getDefaultEncAlg(),
+ new OCTET_STRING(encContent));
+
+ Name name = new Name();
+ name.addCommonName("unUsedIssuerName"); //unused; okay for cmc EncryptedPOP
+ RecipientInfo recipient = new RecipientInfo(
+ new INTEGER(0), //per rfc2315
+ new IssuerAndSerialNumber(name, new INTEGER(0)), //unUsed
+ new AlgorithmIdentifier(RSA_ENCRYPTION, new NULL()),
+ new OCTET_STRING(encSymKey));
+
+ SET recipients = new SET();
+ recipients.addElement(recipient);
+
+ EnvelopedData envData = new EnvelopedData(
+ new INTEGER(0),
+ recipients,
+ encCInfo);
+
+ return envData;
+ }
+
+ /* PKCS 1 - rsaEncryption */
+ public static OBJECT_IDENTIFIER RSA_ENCRYPTION = new OBJECT_IDENTIFIER(new long[] { 1, 2, 840, 113549, 1, 1, 1 });
+
+ /**
* The following are convenience routines for quick preliminary
* feature development or test programs that would just take
* the defaults
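Review bot: `RSA_ENCRYPTION` is added as `public static` without `final`, so any class can reassign the OID that `createEnvelopedData` writes into the RecipientInfo key-encryption algorithm; declare it `public static final OBJECT_IDENTIFIER RSA_ENCRYPTION = new OBJECT_IDENTIFIER(new long[] { 1, 2, 840, 113549, 1, 1, 1 });`. The method also labels the structure with `getDefaultEncAlg()` and rsaEncryption no matter how `encContent` and `encSymKey` were actually produced, so the Javadoc (currently only `for CMC encryptedPOP`) should state that the caller must have used those algorithms and that the issuer name and serial number are placeholders. Neither byte array is checked for null before being wrapped in an `OCTET_STRING`. The `System.out.println(method + "begins")` trace writes to stdout from a crypto utility and its label is misspelled `CryptoUtl`.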
@@ -2538,6 +2580,32 @@ public class CryptoUtil {
}
return oid;
}
+
+ /**
+ * getNameFromHashAlgorithm returns the hashing algorithm name
+ * from input Algorithm
+ *
+ * @param ai the hashing algorithm AlgorithmIdentifier
+ * @return name of the hashing algorithm
+ *
+ */
+ public static String getNameFromHashAlgorithm(AlgorithmIdentifier ai)
+ throws NoSuchAlgorithmException {
+ OBJECT_IDENTIFIER oid = null;
+
+ System.out.println("CryptoUtil: getNameFromHashAlgorithm: " + ai.getOID().toString());
+ if (ai != null) {
+ if (ai.getOID().equals((DigestAlgorithm.SHA256).toOID())) {
+ return "SHA-256";
+ } else if (ai.getOID().equals((DigestAlgorithm.SHA384).toOID())) {
+ return "SHA-384";
+ } else if (ai.getOID().equals((DigestAlgorithm.SHA512).toOID())) {
+ return "SHA-512";
+ }
+ }
+ throw new NoSuchAlgorithmException();
+ }
+
}
// START ENABLE_ECC
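Review bot: The trace line ahead of `if (ai != null)` calls `ai.getOID()` unconditionally, so a null `ai` raises NullPointerException and the null check below it never takes effect; put the guard first, e.g. `if (ai == null) throw new NoSuchAlgorithmException("null AlgorithmIdentifier");`, and only then print. The final `throw new NoSuchAlgorithmException()` carries no message, so a rejected digest OID cannot be identified from the error; `throw new NoSuchAlgorithmException("unsupported hash algorithm: " + ai.getOID());` would record it. The local `oid` is set to `null` and never used. The Javadoc should gain a `@throws NoSuchAlgorithmException` line saying that only SHA-256, SHA-384 and SHA-512 are accepted.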