diff options
author | Christina Fu <cfu@redhat.com> | 2015-07-10 11:41:22 -0700 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2015-07-13 18:21:22 -0700 |
commit | e62b40b9249d0f0b394275da35fa7c2ee99842b5 (patch) | |
tree | 51267f762c56cb74c603c6ddc682982f18d82a13 /base/util | |
parent | 8c9e59cfaff9ecda1483c07238ad0b58ea4f5f73 (diff) | |
download | pki-e62b40b9249d0f0b394275da35fa7c2ee99842b5.tar.gz pki-e62b40b9249d0f0b394275da35fa7c2ee99842b5.tar.xz pki-e62b40b9249d0f0b394275da35fa7c2ee99842b5.zip |
Ticket 1459 Dogtag clients cannot connect when CS is configured with ECC
clients are: cli, HttpClient, and java console
Diffstat (limited to 'base/util')
-rw-r--r-- | base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index 3b1041a74..8ef96d564 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -24,6 +24,7 @@ import java.io.FilterOutputStream; import java.io.IOException; import java.io.PrintStream; import java.math.BigInteger; +import java.net.SocketException; import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyException; import java.security.KeyPair; @@ -36,9 +37,12 @@ import java.security.cert.CertificateException; import java.security.interfaces.DSAParams; import java.security.interfaces.DSAPublicKey; import java.security.interfaces.RSAPublicKey; +import java.util.ArrayList; +import java.util.Arrays; import java.util.Date; import java.util.Enumeration; import java.util.HashMap; +import java.util.List; import java.util.Random; import java.util.StringTokenizer; import java.util.Vector; @@ -122,6 +126,7 @@ import org.mozilla.jss.pkix.crmf.PKIArchiveOptions; import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; import org.mozilla.jss.pkix.primitive.Name; import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo; +import org.mozilla.jss.ssl.SSLSocket; import org.mozilla.jss.util.Base64OutputStream; import org.mozilla.jss.util.Password; @@ -136,6 +141,17 @@ public class CryptoUtil { public static final String CERT_BEGIN_HEADING = "-----BEGIN CERTIFICATE-----"; public static final String CERT_END_HEADING = "-----END CERTIFICATE-----"; + static public final Integer[] clientECCiphers = { + SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, + SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + }; + static public List<Integer> clientECCipherList = new ArrayList<Integer>(Arrays.asList(clientECCiphers)); + private static final String[] ecCurves = { "nistp256", "nistp384", "nistp521", "sect163k1", "nistk163", "sect163r1", "sect163r2", "nistb163", "sect193r1", "sect193r2", "sect233k1", "nistk233", "sect233r1", "nistb233", "sect239k1", @@ -676,6 +692,34 @@ public class CryptoUtil { return pair; } + public static void setClientCiphers() + throws SocketException { + int ciphers[] = SSLSocket.getImplementedCipherSuites(); + for (int j = 0; ciphers != null && j < ciphers.length; j++) { + boolean enabled = SSLSocket.getCipherPreferenceDefault(ciphers[j]); + //System.out.println("CryptoUtil: cipher '0x" + + // Integer.toHexString(ciphers[j]) + "'" + " enabled? " + + // enabled); + // make sure SSLv2 ciphers are not enabled + if ((ciphers[j] & 0xfff0) ==0xff00) { + if (enabled) { + //System.out.println("CryptoUtil: disabling SSL2 NSS Cipher '0x" + + // Integer.toHexString(ciphers[j]) + "'"); + SSLSocket.setCipherPreferenceDefault(ciphers[j], false); + } + } else { + /* + * unlike RSA ciphers, ECC ciphers are not enabled by default + */ + if ((!enabled) && clientECCipherList.contains(ciphers[j])) { + //System.out.println("CryptoUtil: enabling ECC NSS Cipher '0x" + + // Integer.toHexString(ciphers[j]) + "'"); + SSLSocket.setCipherPreferenceDefault(ciphers[j], true); + } + } + } + } + public static byte[] getModulus(PublicKey pubk) { RSAPublicKey rsaKey = (RSAPublicKey) pubk; |