diff options
| author | Ade Lee <alee@redhat.com> | 2017-05-26 13:06:18 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-06-07 16:00:41 -0400 |
| commit | 38df4274214938ceece85627abb6d4fe77b960ff (patch) | |
| tree | c3361a13185302f03ddb4162aa04f5816190c27d /base | |
| parent | 9db838825b60719e6670c92957db3f33c5b12ae0 (diff) | |
Refactor client to not use keysets
It is simpler to simply tell the client which
algorithm to use for key wrapping and encryption, rather
than use key sets. Therefore:
* KRAInfo and CAInfo are refactored to provide the
algorithms required for key wrapping and encryption.
* Client is modified to use these parameters to determine
which algorithms to use.
* We specify the OIDs that will be used in the PKIARchiveOptions
more correctly. The options are basically:
AES-128-CBC, DES3-CBC, AES KeyWrap/Pad
Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
Diffstat (limited to 'base')
7 files changed, 206 insertions, 129 deletions
diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java index f21dcd0d7..0f68c7ab7 100644 --- a/base/common/src/org/dogtagpki/common/CAInfo.java +++ b/base/common/src/org/dogtagpki/common/CAInfo.java @@ -54,7 +54,8 @@ public class CAInfo extends ResourceMessage { } String archivalMechanism; - String wrappingKeySet; + String encryptAlgorithm; + String keyWrapAlgorithm; @XmlElement(name="ArchivalMechanism") public String getArchivalMechanism() { @@ -65,13 +66,20 @@ public class CAInfo extends ResourceMessage { this.archivalMechanism = archivalMechanism; } - @XmlElement(name="WrappingKeySet") - public String getWrappingKeySet() { - return wrappingKeySet; + public String getEncryptAlgorithm() { + return encryptAlgorithm; } - public void setWrappingKeySet(String wrappingKeySet) { - this.wrappingKeySet = wrappingKeySet; + public void setEncryptAlgorithm(String encryptAlgorithm) { + this.encryptAlgorithm = encryptAlgorithm; + } + + public String getKeyWrapAlgorithm() { + return keyWrapAlgorithm; + } + + public void setKeyWrapAlgorithm(String keyWrapAlgorithm) { + this.keyWrapAlgorithm = keyWrapAlgorithm; } @Override @@ -79,7 +87,8 @@ public class CAInfo extends ResourceMessage { final int prime = 31; int result = super.hashCode(); result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode()); - result = prime * result + ((wrappingKeySet == null) ? 0 : wrappingKeySet.hashCode()); + result = prime * result + ((encryptAlgorithm == null) ? 0 : encryptAlgorithm.hashCode()); + result = prime * result + ((keyWrapAlgorithm == null) ? 0 : keyWrapAlgorithm.hashCode()); return result; } @@ -97,10 +106,15 @@ public class CAInfo extends ResourceMessage { return false; } else if (!archivalMechanism.equals(other.archivalMechanism)) return false; - if (wrappingKeySet == null) { - if (other.wrappingKeySet != null) + if (encryptAlgorithm == null) { + if (other.encryptAlgorithm != null) + return false; + } else if (!encryptAlgorithm.equals(other.encryptAlgorithm)) + return false; + if (keyWrapAlgorithm == null) { + if (other.keyWrapAlgorithm != null) return false; - } else if (!wrappingKeySet.equals(other.wrappingKeySet)) + } else if (!keyWrapAlgorithm.equals(other.keyWrapAlgorithm)) return false; return true; } diff --git a/base/common/src/org/dogtagpki/common/KRAInfo.java b/base/common/src/org/dogtagpki/common/KRAInfo.java index e17bd642d..66fb99246 100644 --- a/base/common/src/org/dogtagpki/common/KRAInfo.java +++ b/base/common/src/org/dogtagpki/common/KRAInfo.java @@ -55,6 +55,8 @@ public class KRAInfo extends ResourceMessage { String archivalMechanism; String recoveryMechanism; + String encryptAlgorithm; + String wrapAlgorithm; @XmlElement(name="ArchivalMechanism") public String getArchivalMechanism() { @@ -74,12 +76,32 @@ public class KRAInfo extends ResourceMessage { this.recoveryMechanism = recoveryMechanism; } + @XmlElement(name="EncryptAlgorithm") + public String getEncryptAlgorithm() { + return encryptAlgorithm; + } + + public void setEncryptAlgorithm(String encryptAlgorithm) { + this.encryptAlgorithm = encryptAlgorithm; + } + + @XmlElement(name="WrapAlgorithm") + public String getWrapAlgorithm() { + return wrapAlgorithm; + } + + public void setWrapAlgorithm(String wrapAlgorithm) { + this.wrapAlgorithm = wrapAlgorithm; + } + @Override public int hashCode() { final int prime = 31; int result = super.hashCode(); result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode()); + result = prime * result + ((encryptAlgorithm == null) ? 0 : encryptAlgorithm.hashCode()); result = prime * result + ((recoveryMechanism == null) ? 0 : recoveryMechanism.hashCode()); + result = prime * result + ((wrapAlgorithm == null) ? 0 : wrapAlgorithm.hashCode()); return result; } @@ -97,11 +119,21 @@ public class KRAInfo extends ResourceMessage { return false; } else if (!archivalMechanism.equals(other.archivalMechanism)) return false; + if (encryptAlgorithm == null) { + if (other.encryptAlgorithm != null) + return false; + } else if (!encryptAlgorithm.equals(other.encryptAlgorithm)) + return false; if (recoveryMechanism == null) { if (other.recoveryMechanism != null) return false; } else if (!recoveryMechanism.equals(other.recoveryMechanism)) return false; + if (wrapAlgorithm == null) { + if (other.wrapAlgorithm != null) + return false; + } else if (!wrapAlgorithm.equals(other.wrapAlgorithm)) + return false; return true; } @@ -125,6 +157,8 @@ public class KRAInfo extends ResourceMessage { KRAInfo before = new KRAInfo(); before.setArchivalMechanism("encrypt"); before.setRecoveryMechanism("keywrap"); + before.setEncryptAlgorithm("AES/CBC/Pad"); + before.setWrapAlgorithm("AES KeyWrap/Padding"); String string = before.toString(); System.out.println(string); diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java index 0057a1d52..b06faa6be 100644 --- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java @@ -190,11 +190,7 @@ public class CRMFPopClient { option.setArgName("extractable"); options.addOption(option); - option = new Option("g", true, "KeyWrap"); - option.setArgName("keyWrap"); - options.addOption(option); - - option = new Option("w", true, "Wrapping Keyset"); + option = new Option("w", true, "Algorithm to be used for key wrapping"); option.setArgName("keySet"); options.addOption(option); @@ -231,10 +227,7 @@ public class CRMFPopClient { System.out.println(" - POP_NONE: without POP"); System.out.println(" - POP_SUCCESS: with valid POP"); System.out.println(" - POP_FAIL: with invalid POP (for testing)"); - System.out.println(" -g <true|false> Use KeyWrapping to wrap private key (default: true)"); - System.out.println(" - true: use a key wrapping algorithm"); - System.out.println(" - false: use an encryption algorithm"); - System.out.println(" -w <keyset_id> Key set ID to use when wrapping the private key"); + System.out.println(" -w <keywrap algorithm> Algorithm to use for key wrapping"); System.out.println(" -b <transport cert> PEM transport certificate (default: transport.txt)"); System.out.println(" -v, --verbose Run in verbose mode."); System.out.println(" --help Show help message."); @@ -329,20 +322,17 @@ public class CRMFPopClient { boolean self_sign = cmd.hasOption("y"); - // get the key wrapping mechanism - boolean keyWrap = true; - if (cmd.hasOption("g")) { - keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g")); + // get the keywrap algorithm + KeyWrapAlgorithm keyWrapAlgorithm = null; + String kwAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString(); + if (cmd.hasOption("w")) { + kwAlg = cmd.getOptionValue("w"); } else { - String useKeyWrap = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING"); - if (useKeyWrap != null) { - keyWrap = Boolean.parseBoolean(useKeyWrap); + String alg = System.getenv("KEY_ARCHIVAL_KEYWRAP_ALGORITHM"); + if (alg != null) { + kwAlg = alg; } } - String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM : - KRAInfoResource.ENCRYPT_MECHANISM; - - String wrappingKeySet = cmd.getOptionValue("w"); String output = cmd.getOptionValue("o"); @@ -351,12 +341,11 @@ public class CRMFPopClient { String requestor = cmd.getOptionValue("r"); if (hostPort != null) { - if (cmd.hasOption("g") || cmd.hasOption("w")) { - printError("Wrapping Key Set (-g) and keywrap (-w) options should " + - "not be specified when hostport is specified. " + - "CRMFPopClient will contact the server to " + - "determine the correct values for these parameters"); - System.exit(1); + if (cmd.hasOption("w")) { + printError("Any value specified for the key wrap parameter (-w) " + + "will be overriden. CRMFPopClient will contact the " + + "CA to determine the supported algorithm when " + + "hostport is specified"); } } @@ -493,9 +482,9 @@ public class CRMFPopClient { System.out.println("Keypair private key id: " + kid); if (hostPort != null) { - // check the CA for the required keyset and archival mechanism + // check the CA for the required key wrap algorithm // if found, override whatever has been set by the command line - // options or environment for archivalMechanism and wrappingKeySet + // options for the key wrap algorithm ClientConfig config = new ClientConfig(); String host = hostPort.substring(0, hostPort.indexOf(':')); @@ -503,31 +492,17 @@ public class CRMFPopClient { config.setServerURL("http", host, port); PKIClient pkiclient = new PKIClient(config); - - // get archival mechanism - CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca"); - try { - CAInfo info = infoClient.getInfo(); - archivalMechanism = info.getArchivalMechanism(); - wrappingKeySet = info.getWrappingKeySet(); - } catch (PKIException e) { - if (e.getCode() == 404) { - // assume this is an older server, - archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; - wrappingKeySet = "0"; - } else { - throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); - } - } catch (Exception e) { - throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); - } + kwAlg = getKeyWrapAlgotihm(pkiclient); } + if (verbose) System.out.println("Using key wrap algorithm: " + kwAlg); + keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); + if (verbose) System.out.println("Creating certificate request"); CertRequest certRequest = client.createCertRequest( self_sign, token, transportCert, algorithm, keyPair, - subject, archivalMechanism, wrappingKeySet); + subject, keyWrapAlgorithm); ProofOfPossession pop = null; @@ -592,6 +567,36 @@ public class CRMFPopClient { } } + public static String getKeyWrapAlgotihm(PKIClient pkiclient) + throws Exception { + String kwAlg = null; + CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca"); + String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; + + try { + CAInfo info = infoClient.getInfo(); + archivalMechanism = info.getArchivalMechanism(); + kwAlg = info.getKeyWrapAlgorithm(); + } catch (PKIException e) { + if (e.getCode() == 404) { + // assume this is an older server, + archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; + kwAlg = KeyWrapAlgorithm.DES3_CBC_PAD.toString(); + } else { + throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); + } + } catch (Exception e) { + throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); + } + + if (!archivalMechanism.equals(KRAInfoResource.KEYWRAP_MECHANISM)) { + // new server with encryption set. Use something we know will + // work. AES-128-CBC + kwAlg = KeyWrapAlgorithm.AES_CBC_PAD.toString(); + } + return kwAlg; + } + public void setVerbose(boolean verbose) { this.verbose = verbose; } @@ -637,10 +642,9 @@ public class CRMFPopClient { String algorithm, KeyPair keyPair, Name subject, - String archivalMechanism, - String wrappingKeySet) throws Exception { + KeyWrapAlgorithm keyWrapAlgorithm) throws Exception { return createCertRequest(false, token, transportCert, algorithm, keyPair, - subject, archivalMechanism, wrappingKeySet); + subject, keyWrapAlgorithm); } public CertRequest createCertRequest( @@ -650,24 +654,15 @@ public class CRMFPopClient { String algorithm, KeyPair keyPair, Name subject, - String archivalMechanism, - String wrappingKeySet) throws Exception { - EncryptionAlgorithm encryptAlg = null; - - if (wrappingKeySet == null) { - wrappingKeySet = System.getenv("KEY_WRAP_PARAMETER_SET"); + KeyWrapAlgorithm keyWrapAlgorithm) throws Exception { + byte[] iv = null; + if (keyWrapAlgorithm.getParameterClasses() != null) { + iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize()); } + OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm); - if (wrappingKeySet != null && wrappingKeySet.equalsIgnoreCase("0")) { - // talking to an old server? - encryptAlg = EncryptionAlgorithm.DES3_CBC; - } else { - encryptAlg = EncryptionAlgorithm.AES_128_CBC; - } - - byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength()); - AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv)); - WrappingParams params = getWrappingParams(encryptAlg, iv, archivalMechanism); + AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv)); + WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv); PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( token, @@ -698,29 +693,21 @@ public class CRMFPopClient { return new CertRequest(new INTEGER(1), certTemplate, seq); } - private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV, - String archivalMechanism) throws Exception { - if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) { - KeyWrapAlgorithm wrapAlg = null; - IVParameterSpec wrapIVS = null; - if (archivalMechanism.equals(KRAInfoResource.ENCRYPT_MECHANISM)) { - // We will use AES_CBC_PAD as the a key wrap mechanism. This - // can be decrypted using the same mechanism on the server. - wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD; - wrapIVS = new IVParameterSpec(wrapIV); - } else { - wrapAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; - } + private WrappingParams getWrappingParams(KeyWrapAlgorithm kwAlg, byte[] iv) throws Exception { + IVParameterSpec ivps = iv != null ? new IVParameterSpec(iv): null; + + if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD || + kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) { return new WrappingParams( SymmetricKey.AES, KeyGenAlgorithm.AES, 128, - KeyWrapAlgorithm.RSA, encryptAlg, - wrapAlg, wrapIVS, wrapIVS); - } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) { + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.AES_128_CBC_PAD, + kwAlg, ivps, ivps); + } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) { return new WrappingParams( SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, KeyWrapAlgorithm.DES3_CBC_PAD, - new IVParameterSpec(wrapIV), new IVParameterSpec(wrapIV)); + ivps, ivps); } else { throw new Exception("Invalid encryption algorithm"); } diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java index a14bb242d..9a0cfcc4b 100644 --- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java @@ -29,18 +29,15 @@ import java.util.Vector; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.Option; import org.apache.commons.io.FileUtils; -import org.dogtagpki.common.CAInfo; -import org.dogtagpki.common.CAInfoClient; -import org.dogtagpki.common.KRAInfoResource; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.Signature; import org.mozilla.jss.crypto.X509Certificate; import org.mozilla.jss.pkix.crmf.CertRequest; import org.mozilla.jss.pkix.crmf.ProofOfPossession; import org.mozilla.jss.pkix.primitive.Name; -import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.cert.CertClient; import com.netscape.certsrv.cert.CertEnrollmentRequest; import com.netscape.certsrv.cert.CertRequestInfos; @@ -249,29 +246,13 @@ public class ClientCertRequestCLI extends CLI { CryptoManager manager = CryptoManager.getInstance(); X509Certificate transportCert = manager.importCACertPackage(transportCertData); - // get archival mechanism - CAInfoClient infoClient = new CAInfoClient(client, "ca"); - String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; - String wrappingKeySet = "1"; - try { - CAInfo info = infoClient.getInfo(); - archivalMechanism = info.getArchivalMechanism(); - wrappingKeySet = info.getWrappingKeySet(); - } catch (PKIException e) { - if (e.getCode() == 404) { - // assume this is an older server, - archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; - wrappingKeySet = "0"; - } else { - throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); - } - } catch (Exception e) { - throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e); - } + // get archival and key wrap mechanisms from CA + String kwAlg = CRMFPopClient.getKeyWrapAlgotihm(client); + KeyWrapAlgorithm keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding, algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop, - archivalMechanism, wrappingKeySet); + keyWrapAlgorithm); } else { throw new Exception("Unknown request type: " + requestType); @@ -411,8 +392,7 @@ public class ClientCertRequestCLI extends CLI { int sensitive, int extractable, boolean withPop, - String archivalMechanism, - String wrappingKeySet + KeyWrapAlgorithm keyWrapAlgorithm ) throws Exception { CryptoManager manager = CryptoManager.getInstance(); @@ -434,7 +414,7 @@ public class ClientCertRequestCLI extends CLI { } CertRequest certRequest = client.createCertRequest( - token, transportCert, algorithm, keyPair, subject, archivalMechanism, wrappingKeySet); + token, transportCert, algorithm, keyPair, subject, keyWrapAlgorithm); ProofOfPossession pop = null; if (withPop) { diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java index 398f49982..52c9ca00f 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java @@ -28,6 +28,8 @@ import org.dogtagpki.common.CAInfo; import org.dogtagpki.common.CAInfoResource; import org.dogtagpki.common.KRAInfo; import org.dogtagpki.common.KRAInfoClient; +import org.mozilla.jss.crypto.EncryptionAlgorithm; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -73,7 +75,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { // KRA-related fields (the initial values are only used if we // did not yet receive authoritative info from KRA) private static String archivalMechanism = KRAInfoService.KEYWRAP_MECHANISM; - private static String wrappingKeySet = "0"; + private static String encryptAlgorithm; + private static String keyWrapAlgorithm; @Override public Response getInfo() throws Exception { @@ -116,7 +119,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { } info.setArchivalMechanism(archivalMechanism); - info.setWrappingKeySet(wrappingKeySet); + info.setEncryptAlgorithm(encryptAlgorithm); + info.setKeyWrapAlgorithm(keyWrapAlgorithm); } } @@ -125,10 +129,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo(); archivalMechanism = kraInfo.getArchivalMechanism(); - - // request succeeded; the KRA is 10.4 or higher, - // therefore supports key set v1 - wrappingKeySet = "1"; + encryptAlgorithm = kraInfo.getEncryptAlgorithm(); + keyWrapAlgorithm = kraInfo.getWrapAlgorithm(); // mark info as authoritative kraInfoAuthoritative = true; @@ -137,8 +139,8 @@ public class CAInfoService extends PKIService implements CAInfoResource { // The KRAInfoResource was added in 10.4, // so we are talking to a pre-10.4 KRA - // pre-10.4 only supports key set v0 - wrappingKeySet = "0"; + encryptAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD.toString(); + keyWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD.toString(); // pre-10.4 KRA does not advertise the archival // mechanism; look for the old knob in CA's config diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java index c4b3252b2..a9c3cdfc1 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java @@ -29,14 +29,25 @@ import org.slf4j.LoggerFactory; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.cms.servlet.base.PKIService; +import netscape.security.util.WrappingParams; + /** * @author Ade Lee */ public class KRAInfoService extends PKIService implements KRAInfoResource { private static Logger logger = LoggerFactory.getLogger(InfoService.class); + private IKeyRecoveryAuthority kra; + private IStorageKeyUnit storageUnit; + + public KRAInfoService() { + kra = (IKeyRecoveryAuthority) CMS.getSubsystem("kra"); + storageUnit = kra.getStorageKeyUnit(); + } @Override public Response getInfo() throws Exception { @@ -47,7 +58,8 @@ public class KRAInfoService extends PKIService implements KRAInfoResource { KRAInfo info = new KRAInfo(); info.setArchivalMechanism(getArchivalMechanism()); info.setRecoveryMechanism(getRecoveryMechanism()); - + info.setEncryptAlgorithm(getEncryptAlgorithm()); + info.setArchivalMechanism(getWrapAlgorithm()); return createOKResponse(info); } @@ -63,5 +75,31 @@ public class KRAInfoService extends PKIService implements KRAInfoResource { boolean encrypt_recovery = cs.getBoolean("kra.allowEncDecrypt.recovery", false); return encrypt_recovery ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM; } + + String getWrapAlgorithm() throws EBaseException { + IConfigStore cs = CMS.getConfigStore(); + boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); + WrappingParams params = null; + try { + params = storageUnit.getWrappingParams(encrypt_archival); + } catch (Exception e) { + // return something that should always work + return "AES/CBC/Padding"; + } + return params.getPayloadWrapAlgorithm().toString(); + } + + String getEncryptAlgorithm() throws EBaseException { + IConfigStore cs = CMS.getConfigStore(); + boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); + WrappingParams params = null; + try { + params = storageUnit.getWrappingParams(encrypt_archival); + } catch (Exception e) { + // return something that should always work + return "AES/CBC/Padding"; + } + return params.getPayloadEncryptionAlgorithm().toString(); + } } diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index 95b8f815b..84e4a650d 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -2713,6 +2713,28 @@ public class CryptoUtil { throw new NoSuchAlgorithmException(); } + /* + * Useful method to map KeyWrap algorithms to an OID. + * This is not yet defined within JSS, although it will be valuable to do + * so. The hard thing though is that the KeyWrapAlgorithms in JSS do not take + * KEK key size into account for algorithms like AES. We assume 128 bits in + * this case. + * + * This is used in the generation of CRMF requests, and will be correlated to + * the subsequent reverse mapping method below. + */ + public static OBJECT_IDENTIFIER getOID(KeyWrapAlgorithm kwAlg) throws NoSuchAlgorithmException { + if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) + return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8"); + if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) + return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2"); + if ((kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) || + (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD)) + return new OBJECT_IDENTIFIER("1.2.840.113549.3.7"); + + throw new NoSuchAlgorithmException(); + } + } // START ENABLE_ECC |