Refactor code that creates PKIArchiveOptions objects

* Refactor code in CryptoUtil to parametrize the algorithms used.
* Moved WrappingParams to utils jar to allow correct compilation.
* Removed code that created a PKIArchiveOptions structure from
  CRMFPopClient and replaced with calls to CryptoUtil methods.
  Note that the algorithms have been left as DES3.  They will be
  changed to AES in the next patch.
* Converted code in AuthorityKeyExportCLI to use the new methods
  in CryptoUtil.
* Removed DRMTest  this code is no longer maintained or used.

Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a

2 files changed, 328 insertions, 48 deletions

diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 593d93f46..e3a378ebc 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -48,8 +48,8 @@ import java.util.Vector;
 
 import org.apache.commons.lang.StringUtils;
 import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.NoSuchTokenException;
 import org.mozilla.jss.CryptoManager.NotInitializedException;
+import org.mozilla.jss.NoSuchTokenException;
 import org.mozilla.jss.SecretDecoderRing.KeyManager;
 import org.mozilla.jss.asn1.ANY;
 import org.mozilla.jss.asn1.ASN1Util;
@@ -105,7 +105,6 @@ import org.mozilla.jss.ssl.SSLSocket.SSLVersionRange;
 import org.mozilla.jss.util.Base64OutputStream;
 import org.mozilla.jss.util.Password;
 
-import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.Utils;
 
@@ -119,6 +118,7 @@ import netscape.security.util.DerInputStream;
 import netscape.security.util.DerOutputStream;
 import netscape.security.util.DerValue;
 import netscape.security.util.ObjectIdentifier;
+import netscape.security.util.WrappingParams;
 import netscape.security.x509.AlgorithmId;
 import netscape.security.x509.CertificateAlgorithmId;
 import netscape.security.x509.CertificateChain;
@@ -530,19 +530,18 @@ public class CryptoUtil {
 
     /**
      * Generates a RSA key pair.
+     * @throws Exception
      */
-    public static KeyPair generateRSAKeyPair(String token, int keysize)
-            throws CryptoManager.NotInitializedException,
-                NoSuchTokenException,
-                NoSuchAlgorithmException,
-                TokenException {
-        CryptoToken t = getKeyStorageToken(token);
-        KeyPairGenerator g = t.getKeyPairGenerator(KeyPairAlgorithm.RSA);
-
-        g.initialize(keysize);
-        KeyPair pair = g.genKeyPair();
+    public static KeyPair generateRSAKeyPair(String tokenName, int keysize)
+            throws Exception {
+        CryptoToken token = getKeyStorageToken(tokenName);
+        return generateRSAKeyPair(token, keysize);
+    }
 
-        return pair;
+    public static KeyPair generateRSAKeyPair(CryptoToken token, int keysize) throws Exception {
+        KeyPairGenerator kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA);
+        kg.initialize(keysize);
+        return kg.genKeyPair();
     }
 
     public static boolean isECCKey(X509Key key) {
@@ -1919,7 +1918,7 @@ public class CryptoUtil {
     }
 
     /**
-     * Generates a nonve_iv for padding.
+     * Generates a nonce_iv for padding.
      *
      * @return
      */
@@ -1982,55 +1981,143 @@ public class CryptoUtil {
         return wrapUsingPublicKey(token, tcert.getPublicKey(), sk, KeyWrapAlgorithm.RSA);
     }
 
-    public static byte[] createPKIArchiveOptions(CryptoManager manager, CryptoToken token, String transportCert,
-            SymmetricKey vek, String passphrase, KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV)
-            throws Exception {
-        byte[] key_data = null;
-
-        //generate session key
-        SymmetricKey sk = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false);
-
-        if (passphrase != null) {
-            key_data = wrapPassphrase(token, passphrase, IV, sk, EncryptionAlgorithm.DES3_CBC_PAD);
+    /* Used to create PKIArchiveOptions for wrapped private key */
+    public static PKIArchiveOptions createPKIArchiveOptions(
+            CryptoToken token,
+            PublicKey wrappingKey,
+            PrivateKey data,
+            WrappingParams params,
+            AlgorithmIdentifier aid) throws Exception {
+        return createPKIArchiveOptionsInternal(
+                token, wrappingKey, null, data, null, params, aid);
+    }
+
+    public static byte[] createEncodedPKIArchiveOptions(
+            CryptoToken token,
+            PublicKey wrappingKey,
+            PrivateKey data,
+            WrappingParams params,
+            AlgorithmIdentifier aid) throws Exception {
+        PKIArchiveOptions opts = createPKIArchiveOptionsInternal(
+                token, wrappingKey, null, data, null, params, aid);
+        return encodePKIArchiveOptions(opts);
+    }
+
+    /* Used to create PKIArchiveOptions for wrapped symmetric key */
+    public static PKIArchiveOptions createPKIArchiveOptions(
+            CryptoToken token,
+            PublicKey wrappingKey,
+            SymmetricKey data,
+            WrappingParams params,
+            AlgorithmIdentifier aid) throws Exception {
+         return createPKIArchiveOptionsInternal(
+                 token, wrappingKey, null, null, data, params, aid);
+    }
+
+    public static byte[] createEncodedPKIArchiveOptions(
+            CryptoToken token,
+            PublicKey wrappingKey,
+            SymmetricKey data,
+            WrappingParams params,
+            AlgorithmIdentifier aid) throws Exception {
+        PKIArchiveOptions opts = createPKIArchiveOptionsInternal(
+                token, wrappingKey, null, null, data, params, aid);
+        return encodePKIArchiveOptions(opts);
+    }
+
+    /* Used to create PKIArchiveOptions for wrapped passphrase */
+    public static PKIArchiveOptions createPKIArchiveOptions(
+            CryptoToken token,
+            PublicKey wrappingKey,
+            String data,
+            WrappingParams params,
+            AlgorithmIdentifier aid) throws Exception {
+        return createPKIArchiveOptionsInternal(
+                token, wrappingKey, data, null, null, params, aid);
+    }
+
+    public static byte[] createEncodedPKIArchiveOptions(
+            CryptoToken token,
+            PublicKey wrappingKey,
+            String data,
+            WrappingParams params,
+            AlgorithmIdentifier aid) throws Exception {
+        PKIArchiveOptions opts = createPKIArchiveOptionsInternal(
+                token, wrappingKey, data, null, null, params, aid);
+        return encodePKIArchiveOptions(opts);
+    }
+
+    private static PKIArchiveOptions createPKIArchiveOptionsInternal(
+            CryptoToken token,
+            PublicKey wrappingKey,
+            String passphraseData,
+            PrivateKey privKeyData,
+            SymmetricKey symKeyData,
+            WrappingParams params,
+            AlgorithmIdentifier aid) throws Exception {
+        SymmetricKey sessionKey = CryptoUtil.generateKey(
+                token,
+                params.getSkKeyGenAlgorithm(),
+                params.getSkLength(),
+                null,
+                false);
+
+        byte[] key_data;
+        if (passphraseData != null) {
+            key_data = wrapPassphrase(
+                    token,
+                    passphraseData,
+                    params.getPayloadEncryptionIV(),
+                    sessionKey,
+                    params.getPayloadEncryptionAlgorithm());
+        } else if (privKeyData != null) {
+            key_data = wrapUsingSymmetricKey(
+                    token,
+                    sessionKey,
+                    privKeyData,
+                    params.getPayloadWrappingIV(),
+                    params.getPayloadWrapAlgorithm());
+        } else if (symKeyData != null) {
+            key_data = wrapUsingSymmetricKey(
+                    token,
+                    sessionKey,
+                    symKeyData,
+                    params.getPayloadWrappingIV(),
+                    params.getPayloadWrapAlgorithm());
         } else {
-            // wrap payload using session key
-            key_data = wrapUsingSymmetricKey(token, sk, vek, IV, KeyWrapAlgorithm.DES3_CBC_PAD);
+            throw new IOException("No data to package in PKIArchiveOptions!");
         }
 
-        // wrap session key using transport key
-        byte[] session_data = wrapSymmetricKey(manager, token, transportCert, sk);
-
-        return createPKIArchiveOptions(IV, session_data, key_data);
-    }
-
-    public static byte[] createPKIArchiveOptions(
-            CryptoToken token, PublicKey wrappingKey, PrivateKey toBeWrapped,
-            KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV)
-            throws Exception {
-        SymmetricKey sessionKey = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false);
-        byte[] key_data = wrapUsingSymmetricKey(token, sessionKey, toBeWrapped, IV, KeyWrapAlgorithm.DES3_CBC_PAD);
+        byte[] session_data = wrapUsingPublicKey(
+                token,
+                wrappingKey,
+                sessionKey,
+                params.getSkWrapAlgorithm());
 
-        byte[] session_data = wrapUsingPublicKey(token, wrappingKey, sessionKey, KeyWrapAlgorithm.RSA);
-        return createPKIArchiveOptions(IV, session_data, key_data);
+        return createPKIArchiveOptions(session_data, key_data, aid);
     }
 
-    private static byte[] createPKIArchiveOptions(
-            IVParameterSpec IV, byte[] session_data, byte[] key_data)
-            throws IOException, InvalidBERException {
+    public static PKIArchiveOptions createPKIArchiveOptions(
+            byte[] session_data, byte[] key_data, AlgorithmIdentifier aid) {
         // create PKIArchiveOptions structure
-        AlgorithmIdentifier algS = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"),
-                new OCTET_STRING(IV.getIV()));
-        EncryptedValue encValue = new EncryptedValue(null, algS, new BIT_STRING(session_data, 0), null, null,
+        EncryptedValue encValue = new EncryptedValue(
+                null,
+                aid,
+                new BIT_STRING(session_data, 0),
+                null,
+                null,
                 new BIT_STRING(key_data, 0));
         EncryptedKey key = new EncryptedKey(encValue);
-        PKIArchiveOptions opt = new PKIArchiveOptions(key);
+        return new PKIArchiveOptions(key);
+    }
 
+    public static byte[] encodePKIArchiveOptions(PKIArchiveOptions opts) throws Exception {
         byte[] encoded = null;
 
         //Let's make sure we can decode the encoded PKIArchiveOptions..
         ByteArrayOutputStream oStream = new ByteArrayOutputStream();
 
-        opt.encode(oStream);
+        opts.encode(oStream);
 
         encoded = oStream.toByteArray();
         ByteArrayInputStream inStream = new ByteArrayInputStream(encoded);
diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
new file mode 100644
index 000000000..e73832638
--- /dev/null
+++ b/base/util/src/netscape/security/util/WrappingParams.java
@@ -0,0 +1,193 @@
+package netscape.security.util;
+
+import java.security.NoSuchAlgorithmException;
+
+import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
+import org.mozilla.jss.crypto.IVParameterSpec;
+import org.mozilla.jss.crypto.KeyGenAlgorithm;
+import org.mozilla.jss.crypto.KeyWrapAlgorithm;
+import org.mozilla.jss.crypto.SymmetricKey;
+import org.mozilla.jss.crypto.SymmetricKey.Type;
+
+public class WrappingParams {
+    // session key attributes
+    SymmetricKey.Type skType;
+    KeyGenAlgorithm skKeyGenAlgorithm;
+    int skLength;
+
+    // wrapping algorithm for session key
+    KeyWrapAlgorithm skWrapAlgorithm;
+
+    // Encryption algorithm for payload
+    EncryptionAlgorithm payloadEncryptionAlgorithm;
+
+    //wrapping algorithm for payload
+    KeyWrapAlgorithm payloadWrapAlgorithm;
+
+    // payload encryption IV
+    IVParameterSpec payloadEncryptionIV;
+
+    // payload wrapping IV
+    IVParameterSpec payloadWrappingIV;
+
+    public WrappingParams(Type skType, KeyGenAlgorithm skKeyGenAlgorithm, int skLength,
+            KeyWrapAlgorithm skWrapAlgorithm, EncryptionAlgorithm payloadEncryptionAlgorithm,
+            KeyWrapAlgorithm payloadWrapAlgorithm, IVParameterSpec payloadEncryptIV, IVParameterSpec payloadWrapIV) {
+        super();
+        this.skType = skType;
+        this.skKeyGenAlgorithm = skKeyGenAlgorithm;
+        this.skLength = skLength;
+        this.skWrapAlgorithm = skWrapAlgorithm;
+        this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm;
+        this.payloadWrapAlgorithm = payloadWrapAlgorithm;
+        this.payloadEncryptionIV = payloadEncryptIV;
+        this.payloadWrappingIV = payloadWrapIV;
+    }
+
+    public WrappingParams() {}
+
+    public WrappingParams(String encryptOID, String wrapName, String priKeyAlgo, IVParameterSpec encryptIV, IVParameterSpec wrapIV)
+            throws NumberFormatException, NoSuchAlgorithmException {
+        EncryptionAlgorithm encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID));
+
+        KeyWrapAlgorithm wrap = null;
+        if (wrapName != null) {
+            wrap = KeyWrapAlgorithm.fromString(wrapName);
+            this.payloadWrapAlgorithm = wrap;
+        }
+
+        switch (encrypt.getAlg().toString()) {
+        case "AES":
+            // TODO(alee) - Terrible hack till we figure out why GCM is not working
+            // or a way to detect the padding.
+            // We are going to assume AES-128-PAD
+            encrypt = EncryptionAlgorithm.AES_128_CBC_PAD;
+
+            this.skType = SymmetricKey.AES;
+            this.skKeyGenAlgorithm = KeyGenAlgorithm.AES;
+            if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
+            break;
+        case "DESede":
+            this.skType = SymmetricKey.DES3;
+            this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3;
+            this.skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+            if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+            break;
+        case "DES":
+            this.skType = SymmetricKey.DES;
+            this.skKeyGenAlgorithm = KeyGenAlgorithm.DES;
+            this.skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+            if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.DES_CBC_PAD;
+            break;
+        default:
+            throw new NoSuchAlgorithmException("Invalid algorithm");
+        }
+
+        this.skLength = encrypt.getKeyStrength();
+        if (priKeyAlgo.equals("EC")) {
+            this.skWrapAlgorithm = KeyWrapAlgorithm.AES_ECB;
+        } else {
+            this.skWrapAlgorithm = KeyWrapAlgorithm.RSA;
+        }
+
+        this.payloadEncryptionAlgorithm = encrypt;
+        this.payloadEncryptionIV = encryptIV;
+        this.payloadWrappingIV = wrapIV;
+    }
+
+    public SymmetricKey.Type getSkType() {
+        return skType;
+    }
+
+    public void setSkType(SymmetricKey.Type skType) {
+        this.skType = skType;
+    }
+
+    public void setSkType(String skTypeName) throws NoSuchAlgorithmException {
+        this.skType = SymmetricKey.Type.fromName(skTypeName);
+    }
+
+    public KeyGenAlgorithm getSkKeyGenAlgorithm() {
+        return skKeyGenAlgorithm;
+    }
+
+    public void setSkKeyGenAlgorithm(KeyGenAlgorithm skKeyGenAlgorithm) {
+        this.skKeyGenAlgorithm = skKeyGenAlgorithm;
+    }
+
+    public void setSkKeyGenAlgorithm(String algName) throws NoSuchAlgorithmException {
+        // JSS mapping is not working.  Lets just do something brain-dead to
+        // handle the cases we expect.
+        if (algName.equalsIgnoreCase("AES")) {
+            this.skKeyGenAlgorithm = KeyGenAlgorithm.AES;
+        } else if (algName.equalsIgnoreCase("DES")) {
+            this.skKeyGenAlgorithm = KeyGenAlgorithm.DES;
+        } else if (algName.equalsIgnoreCase("DESede")) {
+            this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3;
+        } else if (algName.equalsIgnoreCase("DES3")) {
+            this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3;
+        }
+    }
+
+    public int getSkLength() {
+        return skLength;
+    }
+
+    public void setSkLength(int skLength) {
+        this.skLength = skLength;
+    }
+
+    public KeyWrapAlgorithm getSkWrapAlgorithm() {
+        return skWrapAlgorithm;
+    }
+
+    public void setSkWrapAlgorithm(KeyWrapAlgorithm skWrapAlgorithm) {
+        this.skWrapAlgorithm = skWrapAlgorithm;
+    }
+
+    public void setSkWrapAlgorithm(String name) throws NoSuchAlgorithmException {
+        this.skWrapAlgorithm = KeyWrapAlgorithm.fromString(name);
+    }
+
+    public EncryptionAlgorithm getPayloadEncryptionAlgorithm() {
+        return payloadEncryptionAlgorithm;
+    }
+
+    public void setPayloadEncryptionAlgorithm(EncryptionAlgorithm payloadEncryptionAlgorithm) {
+        this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm;
+    }
+
+    public void setPayloadEncryptionAlgorithm(String algName, String modeName, String paddingName, int keyStrength)
+            throws NoSuchAlgorithmException {
+        this.payloadEncryptionAlgorithm = EncryptionAlgorithm.lookup(algName, modeName, paddingName, keyStrength);
+    }
+
+    public KeyWrapAlgorithm getPayloadWrapAlgorithm() {
+        return payloadWrapAlgorithm;
+    }
+
+    public void setPayloadWrapAlgorithm(KeyWrapAlgorithm payloadWrapAlgorithm) {
+        this.payloadWrapAlgorithm = payloadWrapAlgorithm;
+    }
+
+    public void setPayloadWrapAlgorithm(String name) throws NoSuchAlgorithmException {
+        this.payloadWrapAlgorithm = KeyWrapAlgorithm.fromString(name);
+    }
+
+    public IVParameterSpec getPayloadEncryptionIV() {
+        return payloadEncryptionIV;
+    }
+
+    public void setPayloadEncryptionIV(IVParameterSpec payloadEncryptionIV) {
+        this.payloadEncryptionIV = payloadEncryptionIV;
+    }
+
+    public IVParameterSpec getPayloadWrappingIV() {
+        return payloadWrappingIV;
+    }
+
+    public void setPayloadWrappingIV(IVParameterSpec payloadWrappingIV) {
+        this.payloadWrappingIV = payloadWrappingIV;
+    }
+}