diff options
author | Ade Lee <alee@redhat.com> | 2017-03-08 23:46:30 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-03-14 17:10:28 -0400 |
commit | 7e42ef2f63a73931610252db3e30b8a7357e4425 (patch) | |
tree | 719b1af07a52931038993c12633c8963165dff6f /base/util | |
parent | 5fb045fe888000d447cf56079b0404410adea70a (diff) | |
download | pki-7e42ef2f63a73931610252db3e30b8a7357e4425.tar.gz pki-7e42ef2f63a73931610252db3e30b8a7357e4425.tar.xz pki-7e42ef2f63a73931610252db3e30b8a7357e4425.zip |
Refactor crypto code
Move some of the crypto functions in EncryptionUnit to CryptoUtil.
Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
Diffstat (limited to 'base/util')
-rw-r--r-- | base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 166 | ||||
-rw-r--r-- | base/util/src/netscape/security/pkcs/PKCS12Util.java | 31 |
2 files changed, 86 insertions, 111 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index 57119ce2c..f98dcc80b 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -19,7 +19,6 @@ package com.netscape.cmsutil.crypto; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; -import java.io.CharConversionException; import java.io.FilterOutputStream; import java.io.IOException; import java.io.PrintStream; @@ -1614,25 +1613,18 @@ public class CryptoUtil { } } - /** - * Generates a symmetric key. - */ - public static SymmetricKey generateKey(CryptoToken token, - KeyGenAlgorithm alg, int keySize) - throws TokenException, NoSuchAlgorithmException, - IllegalStateException, InvalidAlgorithmParameterException { - try { - KeyGenerator kg = token.getKeyGenerator(alg); - if (alg == KeyGenAlgorithm.AES || alg == KeyGenAlgorithm.RC4 - || alg == KeyGenAlgorithm.RC2) { - kg.initialize(keySize); - } - - return kg.generate(); - } catch (CharConversionException e) { - throw new RuntimeException( - "CharConversionException while generating symmetric key"); + public static SymmetricKey generateKey(CryptoToken token, KeyGenAlgorithm alg, int keySize, + SymmetricKey.Usage[] usages, boolean temporary) throws Exception { + KeyGenerator kg = token.getKeyGenerator(alg); + if (usages != null) + kg.setKeyUsages(usages); + kg.temporaryKeys(temporary); + if (alg == KeyGenAlgorithm.AES || alg == KeyGenAlgorithm.RC4 + || alg == KeyGenAlgorithm.RC2) { + kg.initialize(keySize); } + + return kg.generate(); } /** @@ -1908,18 +1900,6 @@ public class CryptoUtil { return decodedData; } - public static byte[] unwrapUsingSymmetricKey(CryptoToken token, IVParameterSpec IV, byte[] wrappedRecoveredKey, - SymmetricKey recoveryKey, EncryptionAlgorithm alg) throws NoSuchAlgorithmException, TokenException, - BadPaddingException, - IllegalBlockSizeException, InvalidKeyException, InvalidAlgorithmParameterException { - - Cipher decryptor = token.getCipherContext(alg); - decryptor.initDecrypt(recoveryKey, IV); - byte[] unwrappedData = decryptor.doFinal(wrappedRecoveredKey); - - return unwrappedData; - } - public static byte[] wrapPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk, EncryptionAlgorithm alg) throws NoSuchAlgorithmException, TokenException, InvalidKeyException, @@ -1940,56 +1920,25 @@ public class CryptoUtil { } public static byte[] wrapSymmetricKey(CryptoManager manager, CryptoToken token, String transportCert, - SymmetricKey sk) throws CertificateEncodingException, TokenException, NoSuchAlgorithmException, - InvalidKeyException, InvalidAlgorithmParameterException { + SymmetricKey sk) throws Exception { byte transport[] = Utils.base64decode(transportCert); X509Certificate tcert = manager.importCACertPackage(transport); - KeyWrapper rsaWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA); - rsaWrap.initWrap(tcert.getPublicKey(), null); - byte session_data[] = rsaWrap.wrap(sk); - return session_data; - } - - /** - * Wrap a symmetric Key with a SymmetricKey - * - * @param token - * @param secret - * @param wrapper - * @return - * @throws TokenException - * @throws NoSuchAlgorithmException - * @throws InvalidAlgorithmParameterException - * @throws InvalidKeyException - */ - public static byte[] wrapSymmetricKey(CryptoToken token, SymmetricKey secret, SymmetricKey wrapper, - IVParameterSpec IV) throws NoSuchAlgorithmException, TokenException, InvalidKeyException, - InvalidAlgorithmParameterException { - KeyWrapper wrapper1 = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper1.initWrap(wrapper, IV); - byte[] keyData = wrapper1.wrap(secret); - - return keyData; + return wrapUsingPublicKey(token, tcert.getPublicKey(), sk, KeyWrapAlgorithm.RSA); } public static byte[] createPKIArchiveOptions(CryptoManager manager, CryptoToken token, String transportCert, - SymmetricKey vek, String passphrase, KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV) throws TokenException, - CharConversionException, - NoSuchAlgorithmException, InvalidKeyException, InvalidAlgorithmParameterException, - CertificateEncodingException, IOException, IllegalStateException, IllegalBlockSizeException, - BadPaddingException, InvalidBERException { + SymmetricKey vek, String passphrase, KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV) + throws Exception { byte[] key_data = null; //generate session key - SymmetricKey sk = CryptoUtil.generateKey(token, keyGenAlg, symKeySize); + SymmetricKey sk = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false); if (passphrase != null) { key_data = wrapPassphrase(token, passphrase, IV, sk, EncryptionAlgorithm.DES3_CBC_PAD); } else { // wrap payload using session key - KeyWrapper wrapper1 = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper1.initWrap(sk, IV); - key_data = wrapper1.wrap(vek); + key_data = wrapUsingSymmetricKey(token, sk, vek, IV, KeyWrapAlgorithm.DES3_CBC_PAD); } // wrap session key using transport key @@ -2001,19 +1950,11 @@ public class CryptoUtil { public static byte[] createPKIArchiveOptions( CryptoToken token, PublicKey wrappingKey, PrivateKey toBeWrapped, KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV) - throws TokenException, NoSuchAlgorithmException, - InvalidAlgorithmParameterException, InvalidKeyException, - IOException, InvalidBERException { - SymmetricKey sessionKey = CryptoUtil.generateKey(token, keyGenAlg, symKeySize); - - KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper.initWrap(sessionKey, IV); - byte[] key_data = wrapper.wrap(toBeWrapped); - - wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); - wrapper.initWrap(wrappingKey, null); - byte session_data[] = wrapper.wrap(sessionKey); + throws Exception { + SymmetricKey sessionKey = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false); + byte[] key_data = wrapUsingSymmetricKey(token, sessionKey, toBeWrapped, IV, KeyWrapAlgorithm.DES3_CBC_PAD); + byte[] session_data = wrapUsingPublicKey(token, wrappingKey, sessionKey, KeyWrapAlgorithm.RSA); return createPKIArchiveOptions(IV, session_data, key_data); } @@ -2098,22 +2039,22 @@ public class CryptoUtil { km.deleteUniqueNamedKey(nickname); } - // Return a list of two wrapped keys: first element: temp DES3 key wrapped by cert , second element: shared secret wrapped by temp DES3 key - public static List<byte[]> exportSharedSecret(String nickname, java.security.cert.X509Certificate wrappingCert,SymmetricKey wrappingKey) - throws NotInitializedException, TokenException, IOException, NoSuchAlgorithmException, InvalidKeyException, - InvalidAlgorithmParameterException, InvalidKeyFormatException { + // Return a list of two wrapped keys: + // first element: temp DES3 key wrapped by cert , + // second element: shared secret wrapped by temp DES3 key + public static List<byte[]> exportSharedSecret(String nickname, java.security.cert.X509Certificate wrappingCert, + SymmetricKey wrappingKey) throws Exception { CryptoManager cm = CryptoManager.getInstance(); CryptoToken token = cm.getInternalKeyStorageToken(); List<byte[]> listWrappedKeys = new ArrayList<byte[]>(); - KeyManager km = new KeyManager(token); if (!km.uniqueNamedKeyExists(nickname)) { throw new IOException("Shared secret " + nickname + " does not exist"); } - SymmetricKey sharedSecretKey = null; + SymmetricKey sharedSecretKey = null; try { sharedSecretKey = getSymKeyByName(token, nickname); @@ -2125,25 +2066,18 @@ public class CryptoUtil { throw new IOException("Shared secret " + nickname + " does not exist"); } - KeyWrapper keyWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA); PublicKey pub = wrappingCert.getPublicKey(); PK11PubKey pubK = PK11PubKey.fromSPKI(pub.getEncoded()); - keyWrap.initWrap(pubK, null); //Wrap the temp DES3 key with the cert - byte[] wrappedKey = keyWrap.wrap(wrappingKey); - + byte[] wrappedKey = wrapUsingPublicKey(token, pubK, wrappingKey, KeyWrapAlgorithm.RSA); listWrappedKeys.add(wrappedKey); //Use the DES3 key to wrap the shared secret - KeyWrapper keyWrapSharedSecret = token.getKeyWrapper(KeyWrapAlgorithm.DES3_ECB); - keyWrapSharedSecret.initWrap(wrappingKey,null); - - byte[] wrappedSharedSecret = keyWrapSharedSecret.wrap(sharedSecretKey); - + byte[] wrappedSharedSecret = wrapUsingSymmetricKey(token, wrappingKey, sharedSecretKey, null, KeyWrapAlgorithm.DES3_ECB); listWrappedKeys.add(wrappedSharedSecret); - if(listWrappedKeys.size() != 2) { + if (listWrappedKeys.size() != 2) { throw new IOException("Can't write out shared secret data to export for nickname: " + nickname); } @@ -2236,6 +2170,46 @@ public class CryptoUtil { return vect; } + + ////////////////////////////////////////////////////////////////////////////////////////////// + //generic crypto operations + ////////////////////////////////////////////////////////////////////////////////////////////// + + public static byte[] decryptUsingSymmetricKey(CryptoToken token, IVParameterSpec ivspec, byte[] encryptedData, + SymmetricKey wrappingKey, EncryptionAlgorithm encryptionAlgorithm) throws Exception { + Cipher decryptor = token.getCipherContext(encryptionAlgorithm); + decryptor.initDecrypt(wrappingKey, ivspec); + return decryptor.doFinal(encryptedData); + } + + public static byte[] encryptUsingSymmetricKey(CryptoToken token, SymmetricKey wrappingKey, byte[] data, + EncryptionAlgorithm alg, IVParameterSpec ivspec) + throws Exception { + Cipher cipher = token.getCipherContext(alg); + cipher.initEncrypt(wrappingKey, ivspec); + return cipher.doFinal(data); + } + + public static byte[] wrapUsingSymmetricKey(CryptoToken token, SymmetricKey wrappingKey, SymmetricKey data, + IVParameterSpec ivspec, KeyWrapAlgorithm alg) throws Exception { + KeyWrapper wrapper = token.getKeyWrapper(alg); + wrapper.initWrap(wrappingKey, ivspec); + return wrapper.wrap(data); + } + + public static byte[] wrapUsingSymmetricKey(CryptoToken token, SymmetricKey wrappingKey, PrivateKey data, + IVParameterSpec ivspec, KeyWrapAlgorithm alg) throws Exception { + KeyWrapper wrapper = token.getKeyWrapper(alg); + wrapper.initWrap(wrappingKey, ivspec); + return wrapper.wrap(data); + } + + public static byte[] wrapUsingPublicKey(CryptoToken token, PublicKey wrappingKey, SymmetricKey data, + KeyWrapAlgorithm alg) throws Exception { + KeyWrapper rsaWrap = token.getKeyWrapper(alg); + rsaWrap.initWrap(wrappingKey, null); + return rsaWrap.wrap(data); + } } // START ENABLE_ECC diff --git a/base/util/src/netscape/security/pkcs/PKCS12Util.java b/base/util/src/netscape/security/pkcs/PKCS12Util.java index 9adb62972..0b164aafc 100644 --- a/base/util/src/netscape/security/pkcs/PKCS12Util.java +++ b/base/util/src/netscape/security/pkcs/PKCS12Util.java @@ -47,7 +47,6 @@ import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.InternalCertificate; import org.mozilla.jss.crypto.KeyGenAlgorithm; -import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.KeyWrapper; import org.mozilla.jss.crypto.NoSuchItemOnTokenException; @@ -68,6 +67,8 @@ import org.mozilla.jss.util.Password; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.netscape.cmsutil.crypto.CryptoUtil; + import netscape.ldap.LDAPDN; import netscape.ldap.util.DN; import netscape.security.x509.X509CertImpl; @@ -114,18 +115,19 @@ public class PKCS12Util { } byte[] getEncodedKey(PrivateKey privateKey) throws Exception { - CryptoManager cm = CryptoManager.getInstance(); CryptoToken token = cm.getInternalKeyStorageToken(); - KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3); - SymmetricKey sk = kg.generate(); - - KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; IVParameterSpec param = new IVParameterSpec(iv); - wrapper.initWrap(sk, param); - byte[] enckey = wrapper.wrap(privateKey); + + SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true); + byte[] enckey = CryptoUtil.wrapUsingSymmetricKey( + token, + sk, + privateKey, + param, + KeyWrapAlgorithm.DES3_CBC_PAD); Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); c.initDecrypt(sk, param); @@ -592,6 +594,9 @@ public class PKCS12Util { logger.debug("Importing private key " + keyInfo.subjectDN); + byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + IVParameterSpec param = new IVParameterSpec(iv); + PrivateKeyInfo privateKeyInfo = keyInfo.privateKeyInfo; // encode private key @@ -622,13 +627,9 @@ public class PKCS12Util { } // encrypt private key - KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3); - SymmetricKey sk = kg.generate(); - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - IVParameterSpec param = new IVParameterSpec(iv); - Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); - c.initEncrypt(sk, param); - byte[] encpkey = c.doFinal(privateKey); + SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true); + byte[] encpkey = CryptoUtil.encryptUsingSymmetricKey( + token, sk, privateKey, EncryptionAlgorithm.DES3_CBC_PAD, param); // unwrap private key to load into database KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); |