diff options
author | Ade Lee <alee@redhat.com> | 2017-03-23 00:20:32 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-03-23 16:16:08 -0400 |
commit | 5b7ce994b8698dca62c23e653b7a1cfeebf959e4 (patch) | |
tree | f7673ab05610d8cc8444d4482a95b1949c9eb985 /base/util | |
parent | 58bfe7d510126609969703325d7655175be5da62 (diff) | |
download | pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.tar.gz pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.tar.xz pki-5b7ce994b8698dca62c23e653b7a1cfeebf959e4.zip |
Refactor code that creates PKIArchiveOptions objects
* Refactor code in CryptoUtil to parametrize the algorithms used.
* Moved WrappingParams to utils jar to allow correct compilation.
* Removed code that created a PKIArchiveOptions structure from
CRMFPopClient and replaced with calls to CryptoUtil methods.
Note that the algorithms have been left as DES3. They will be
changed to AES in the next patch.
* Converted code in AuthorityKeyExportCLI to use the new methods
in CryptoUtil.
* Removed DRMTest this code is no longer maintained or used.
Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
Diffstat (limited to 'base/util')
-rw-r--r-- | base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 183 | ||||
-rw-r--r-- | base/util/src/netscape/security/util/WrappingParams.java | 193 |
2 files changed, 328 insertions, 48 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index 593d93f46..e3a378ebc 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -48,8 +48,8 @@ import java.util.Vector; import org.apache.commons.lang.StringUtils; import org.mozilla.jss.CryptoManager; -import org.mozilla.jss.NoSuchTokenException; import org.mozilla.jss.CryptoManager.NotInitializedException; +import org.mozilla.jss.NoSuchTokenException; import org.mozilla.jss.SecretDecoderRing.KeyManager; import org.mozilla.jss.asn1.ANY; import org.mozilla.jss.asn1.ASN1Util; @@ -105,7 +105,6 @@ import org.mozilla.jss.ssl.SSLSocket.SSLVersionRange; import org.mozilla.jss.util.Base64OutputStream; import org.mozilla.jss.util.Password; -import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion; import com.netscape.cmsutil.util.Cert; import com.netscape.cmsutil.util.Utils; @@ -119,6 +118,7 @@ import netscape.security.util.DerInputStream; import netscape.security.util.DerOutputStream; import netscape.security.util.DerValue; import netscape.security.util.ObjectIdentifier; +import netscape.security.util.WrappingParams; import netscape.security.x509.AlgorithmId; import netscape.security.x509.CertificateAlgorithmId; import netscape.security.x509.CertificateChain; @@ -530,19 +530,18 @@ public class CryptoUtil { /** * Generates a RSA key pair. + * @throws Exception */ - public static KeyPair generateRSAKeyPair(String token, int keysize) - throws CryptoManager.NotInitializedException, - NoSuchTokenException, - NoSuchAlgorithmException, - TokenException { - CryptoToken t = getKeyStorageToken(token); - KeyPairGenerator g = t.getKeyPairGenerator(KeyPairAlgorithm.RSA); - - g.initialize(keysize); - KeyPair pair = g.genKeyPair(); + public static KeyPair generateRSAKeyPair(String tokenName, int keysize) + throws Exception { + CryptoToken token = getKeyStorageToken(tokenName); + return generateRSAKeyPair(token, keysize); + } - return pair; + public static KeyPair generateRSAKeyPair(CryptoToken token, int keysize) throws Exception { + KeyPairGenerator kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA); + kg.initialize(keysize); + return kg.genKeyPair(); } public static boolean isECCKey(X509Key key) { @@ -1919,7 +1918,7 @@ public class CryptoUtil { } /** - * Generates a nonve_iv for padding. + * Generates a nonce_iv for padding. * * @return */ @@ -1982,55 +1981,143 @@ public class CryptoUtil { return wrapUsingPublicKey(token, tcert.getPublicKey(), sk, KeyWrapAlgorithm.RSA); } - public static byte[] createPKIArchiveOptions(CryptoManager manager, CryptoToken token, String transportCert, - SymmetricKey vek, String passphrase, KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV) - throws Exception { - byte[] key_data = null; - - //generate session key - SymmetricKey sk = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false); - - if (passphrase != null) { - key_data = wrapPassphrase(token, passphrase, IV, sk, EncryptionAlgorithm.DES3_CBC_PAD); + /* Used to create PKIArchiveOptions for wrapped private key */ + public static PKIArchiveOptions createPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + PrivateKey data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + return createPKIArchiveOptionsInternal( + token, wrappingKey, null, data, null, params, aid); + } + + public static byte[] createEncodedPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + PrivateKey data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + PKIArchiveOptions opts = createPKIArchiveOptionsInternal( + token, wrappingKey, null, data, null, params, aid); + return encodePKIArchiveOptions(opts); + } + + /* Used to create PKIArchiveOptions for wrapped symmetric key */ + public static PKIArchiveOptions createPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + SymmetricKey data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + return createPKIArchiveOptionsInternal( + token, wrappingKey, null, null, data, params, aid); + } + + public static byte[] createEncodedPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + SymmetricKey data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + PKIArchiveOptions opts = createPKIArchiveOptionsInternal( + token, wrappingKey, null, null, data, params, aid); + return encodePKIArchiveOptions(opts); + } + + /* Used to create PKIArchiveOptions for wrapped passphrase */ + public static PKIArchiveOptions createPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + String data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + return createPKIArchiveOptionsInternal( + token, wrappingKey, data, null, null, params, aid); + } + + public static byte[] createEncodedPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + String data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + PKIArchiveOptions opts = createPKIArchiveOptionsInternal( + token, wrappingKey, data, null, null, params, aid); + return encodePKIArchiveOptions(opts); + } + + private static PKIArchiveOptions createPKIArchiveOptionsInternal( + CryptoToken token, + PublicKey wrappingKey, + String passphraseData, + PrivateKey privKeyData, + SymmetricKey symKeyData, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + SymmetricKey sessionKey = CryptoUtil.generateKey( + token, + params.getSkKeyGenAlgorithm(), + params.getSkLength(), + null, + false); + + byte[] key_data; + if (passphraseData != null) { + key_data = wrapPassphrase( + token, + passphraseData, + params.getPayloadEncryptionIV(), + sessionKey, + params.getPayloadEncryptionAlgorithm()); + } else if (privKeyData != null) { + key_data = wrapUsingSymmetricKey( + token, + sessionKey, + privKeyData, + params.getPayloadWrappingIV(), + params.getPayloadWrapAlgorithm()); + } else if (symKeyData != null) { + key_data = wrapUsingSymmetricKey( + token, + sessionKey, + symKeyData, + params.getPayloadWrappingIV(), + params.getPayloadWrapAlgorithm()); } else { - // wrap payload using session key - key_data = wrapUsingSymmetricKey(token, sk, vek, IV, KeyWrapAlgorithm.DES3_CBC_PAD); + throw new IOException("No data to package in PKIArchiveOptions!"); } - // wrap session key using transport key - byte[] session_data = wrapSymmetricKey(manager, token, transportCert, sk); - - return createPKIArchiveOptions(IV, session_data, key_data); - } - - public static byte[] createPKIArchiveOptions( - CryptoToken token, PublicKey wrappingKey, PrivateKey toBeWrapped, - KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV) - throws Exception { - SymmetricKey sessionKey = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false); - byte[] key_data = wrapUsingSymmetricKey(token, sessionKey, toBeWrapped, IV, KeyWrapAlgorithm.DES3_CBC_PAD); + byte[] session_data = wrapUsingPublicKey( + token, + wrappingKey, + sessionKey, + params.getSkWrapAlgorithm()); - byte[] session_data = wrapUsingPublicKey(token, wrappingKey, sessionKey, KeyWrapAlgorithm.RSA); - return createPKIArchiveOptions(IV, session_data, key_data); + return createPKIArchiveOptions(session_data, key_data, aid); } - private static byte[] createPKIArchiveOptions( - IVParameterSpec IV, byte[] session_data, byte[] key_data) - throws IOException, InvalidBERException { + public static PKIArchiveOptions createPKIArchiveOptions( + byte[] session_data, byte[] key_data, AlgorithmIdentifier aid) { // create PKIArchiveOptions structure - AlgorithmIdentifier algS = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), - new OCTET_STRING(IV.getIV())); - EncryptedValue encValue = new EncryptedValue(null, algS, new BIT_STRING(session_data, 0), null, null, + EncryptedValue encValue = new EncryptedValue( + null, + aid, + new BIT_STRING(session_data, 0), + null, + null, new BIT_STRING(key_data, 0)); EncryptedKey key = new EncryptedKey(encValue); - PKIArchiveOptions opt = new PKIArchiveOptions(key); + return new PKIArchiveOptions(key); + } + public static byte[] encodePKIArchiveOptions(PKIArchiveOptions opts) throws Exception { byte[] encoded = null; //Let's make sure we can decode the encoded PKIArchiveOptions.. ByteArrayOutputStream oStream = new ByteArrayOutputStream(); - opt.encode(oStream); + opts.encode(oStream); encoded = oStream.toByteArray(); ByteArrayInputStream inStream = new ByteArrayInputStream(encoded); diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java new file mode 100644 index 000000000..e73832638 --- /dev/null +++ b/base/util/src/netscape/security/util/WrappingParams.java @@ -0,0 +1,193 @@ +package netscape.security.util; + +import java.security.NoSuchAlgorithmException; + +import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; +import org.mozilla.jss.crypto.EncryptionAlgorithm; +import org.mozilla.jss.crypto.IVParameterSpec; +import org.mozilla.jss.crypto.KeyGenAlgorithm; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; +import org.mozilla.jss.crypto.SymmetricKey; +import org.mozilla.jss.crypto.SymmetricKey.Type; + +public class WrappingParams { + // session key attributes + SymmetricKey.Type skType; + KeyGenAlgorithm skKeyGenAlgorithm; + int skLength; + + // wrapping algorithm for session key + KeyWrapAlgorithm skWrapAlgorithm; + + // Encryption algorithm for payload + EncryptionAlgorithm payloadEncryptionAlgorithm; + + //wrapping algorithm for payload + KeyWrapAlgorithm payloadWrapAlgorithm; + + // payload encryption IV + IVParameterSpec payloadEncryptionIV; + + // payload wrapping IV + IVParameterSpec payloadWrappingIV; + + public WrappingParams(Type skType, KeyGenAlgorithm skKeyGenAlgorithm, int skLength, + KeyWrapAlgorithm skWrapAlgorithm, EncryptionAlgorithm payloadEncryptionAlgorithm, + KeyWrapAlgorithm payloadWrapAlgorithm, IVParameterSpec payloadEncryptIV, IVParameterSpec payloadWrapIV) { + super(); + this.skType = skType; + this.skKeyGenAlgorithm = skKeyGenAlgorithm; + this.skLength = skLength; + this.skWrapAlgorithm = skWrapAlgorithm; + this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm; + this.payloadWrapAlgorithm = payloadWrapAlgorithm; + this.payloadEncryptionIV = payloadEncryptIV; + this.payloadWrappingIV = payloadWrapIV; + } + + public WrappingParams() {} + + public WrappingParams(String encryptOID, String wrapName, String priKeyAlgo, IVParameterSpec encryptIV, IVParameterSpec wrapIV) + throws NumberFormatException, NoSuchAlgorithmException { + EncryptionAlgorithm encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID)); + + KeyWrapAlgorithm wrap = null; + if (wrapName != null) { + wrap = KeyWrapAlgorithm.fromString(wrapName); + this.payloadWrapAlgorithm = wrap; + } + + switch (encrypt.getAlg().toString()) { + case "AES": + // TODO(alee) - Terrible hack till we figure out why GCM is not working + // or a way to detect the padding. + // We are going to assume AES-128-PAD + encrypt = EncryptionAlgorithm.AES_128_CBC_PAD; + + this.skType = SymmetricKey.AES; + this.skKeyGenAlgorithm = KeyGenAlgorithm.AES; + if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; + break; + case "DESede": + this.skType = SymmetricKey.DES3; + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + this.skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; + if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; + break; + case "DES": + this.skType = SymmetricKey.DES; + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES; + this.skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; + if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.DES_CBC_PAD; + break; + default: + throw new NoSuchAlgorithmException("Invalid algorithm"); + } + + this.skLength = encrypt.getKeyStrength(); + if (priKeyAlgo.equals("EC")) { + this.skWrapAlgorithm = KeyWrapAlgorithm.AES_ECB; + } else { + this.skWrapAlgorithm = KeyWrapAlgorithm.RSA; + } + + this.payloadEncryptionAlgorithm = encrypt; + this.payloadEncryptionIV = encryptIV; + this.payloadWrappingIV = wrapIV; + } + + public SymmetricKey.Type getSkType() { + return skType; + } + + public void setSkType(SymmetricKey.Type skType) { + this.skType = skType; + } + + public void setSkType(String skTypeName) throws NoSuchAlgorithmException { + this.skType = SymmetricKey.Type.fromName(skTypeName); + } + + public KeyGenAlgorithm getSkKeyGenAlgorithm() { + return skKeyGenAlgorithm; + } + + public void setSkKeyGenAlgorithm(KeyGenAlgorithm skKeyGenAlgorithm) { + this.skKeyGenAlgorithm = skKeyGenAlgorithm; + } + + public void setSkKeyGenAlgorithm(String algName) throws NoSuchAlgorithmException { + // JSS mapping is not working. Lets just do something brain-dead to + // handle the cases we expect. + if (algName.equalsIgnoreCase("AES")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.AES; + } else if (algName.equalsIgnoreCase("DES")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES; + } else if (algName.equalsIgnoreCase("DESede")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + } else if (algName.equalsIgnoreCase("DES3")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + } + } + + public int getSkLength() { + return skLength; + } + + public void setSkLength(int skLength) { + this.skLength = skLength; + } + + public KeyWrapAlgorithm getSkWrapAlgorithm() { + return skWrapAlgorithm; + } + + public void setSkWrapAlgorithm(KeyWrapAlgorithm skWrapAlgorithm) { + this.skWrapAlgorithm = skWrapAlgorithm; + } + + public void setSkWrapAlgorithm(String name) throws NoSuchAlgorithmException { + this.skWrapAlgorithm = KeyWrapAlgorithm.fromString(name); + } + + public EncryptionAlgorithm getPayloadEncryptionAlgorithm() { + return payloadEncryptionAlgorithm; + } + + public void setPayloadEncryptionAlgorithm(EncryptionAlgorithm payloadEncryptionAlgorithm) { + this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm; + } + + public void setPayloadEncryptionAlgorithm(String algName, String modeName, String paddingName, int keyStrength) + throws NoSuchAlgorithmException { + this.payloadEncryptionAlgorithm = EncryptionAlgorithm.lookup(algName, modeName, paddingName, keyStrength); + } + + public KeyWrapAlgorithm getPayloadWrapAlgorithm() { + return payloadWrapAlgorithm; + } + + public void setPayloadWrapAlgorithm(KeyWrapAlgorithm payloadWrapAlgorithm) { + this.payloadWrapAlgorithm = payloadWrapAlgorithm; + } + + public void setPayloadWrapAlgorithm(String name) throws NoSuchAlgorithmException { + this.payloadWrapAlgorithm = KeyWrapAlgorithm.fromString(name); + } + + public IVParameterSpec getPayloadEncryptionIV() { + return payloadEncryptionIV; + } + + public void setPayloadEncryptionIV(IVParameterSpec payloadEncryptionIV) { + this.payloadEncryptionIV = payloadEncryptionIV; + } + + public IVParameterSpec getPayloadWrappingIV() { + return payloadWrappingIV; + } + + public void setPayloadWrappingIV(IVParameterSpec payloadWrappingIV) { + this.payloadWrappingIV = payloadWrappingIV; + } +} |