diff options
| author | Ade Lee <alee@redhat.com> | 2017-05-01 18:25:59 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-05-06 10:06:42 -0400 |
| commit | bea446868e282955d9c70028be657530eaccbe29 (patch) | |
| tree | 7cca08320ae943614b893649fafe99e09a2f6cd3 /base | |
| parent | f84bfab30647ae1492fcdca0a026bfa4d91350c9 (diff) | |
| download | pki-bea446868e282955d9c70028be657530eaccbe29.tar.gz pki-bea446868e282955d9c70028be657530eaccbe29.tar.xz pki-bea446868e282955d9c70028be657530eaccbe29.zip | |
Use AES-CBC in storage unit for archival in key wrapping
When AES-KW or AES-KWP is not available, we need to be sure to use
a key wrap algorithm that is available for keywrap. This would
be AES-CBC. Removes some TODOs.
Refactor so that getWrappingParams is only defined on the StorageUnit,
which is where it makes sense in any case.
Part of Bugzilla BZ# 1386303
Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51
Diffstat (limited to 'base')
10 files changed, 32 insertions, 23 deletions
diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java index add15cb81..e55713dd6 100644 --- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java +++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java @@ -63,7 +63,5 @@ public interface IEncryptionUnit extends IToken { SymmetricKey.Usage usage, WrappingParams params) throws Exception; - public WrappingParams getWrappingParams() throws Exception; - public WrappingParams getOldWrappingParams(); } diff --git a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java index cd941438a..bfc601202 100644 --- a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java +++ b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java @@ -174,4 +174,10 @@ public interface IStorageKeyUnit extends IEncryptionUnit { public PrivateKey unwrap(byte privateKey[], PublicKey pubKey, boolean temporary, WrappingParams params) throws Exception; + /** + * Get the wrapping parameters for this storage unit + * + */ + public WrappingParams getWrappingParams(boolean encrypt) throws Exception; + } diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java index 7351d50be..cfee504ef 100644 --- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java @@ -20,7 +20,6 @@ package com.netscape.kra; import java.math.BigInteger; import java.security.KeyPair; -import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.KeyPairGeneratorSpi; import org.mozilla.jss.crypto.PrivateKey; @@ -68,7 +67,7 @@ public class AsymKeyGenService implements IService { @Override public boolean serviceRequest(IRequest request) throws EBaseException { - IConfigStore cs = CMS.getConfigStore(); + IConfigStore configStore = CMS.getConfigStore(); String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID); String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM); @@ -77,7 +76,7 @@ public class AsymKeyGenService implements IService { String realm = request.getRealm(); - boolean allowEncDecrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false); + boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false); KeyPairGeneratorSpi.Usage[] usageList = null; String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES); @@ -130,9 +129,6 @@ public class AsymKeyGenService implements IService { String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER); String auditSubjectID = owner; - // Get the token - CryptoToken token = kra.getKeygenToken(); - // Generating the asymmetric keys KeyPair kp = null; @@ -162,8 +158,7 @@ public class AsymKeyGenService implements IService { WrappingParams params = null; try { - // TODO(alee) What happens if key wrap algorithm is not supported? - params = storageUnit.getWrappingParams(); + params = storageUnit.getWrappingParams(allowEncDecrypt_archival); privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate(), params); } catch (Exception e) { CMS.debug("Failed to generate security data to archive: " + e); diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java index 02a4ca143..b460c9e27 100644 --- a/base/kra/src/com/netscape/kra/EncryptionUnit.java +++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java @@ -67,8 +67,6 @@ public abstract class EncryptionUnit implements IEncryptionUnit { public abstract PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert); - public abstract WrappingParams getWrappingParams() throws Exception; - public WrappingParams getOldWrappingParams() { return new WrappingParams( SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java index a200c342f..e413a06b5 100644 --- a/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -396,7 +396,7 @@ public class EnrollmentService implements IService { WrappingParams params = null; try { - params = mStorageUnit.getWrappingParams(); + params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); if (allowEncDecrypt_archival == true) { privateKeyData = mStorageUnit.encryptInternalPrivate(unwrapped, params); } else { diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index f068a4a81..636e93ed0 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -41,6 +41,7 @@ import org.mozilla.jss.util.Base64OutputStream; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.dbs.keydb.IKeyRecord; @@ -155,6 +156,9 @@ public class NetkeyKeygenService implements IService { IVParameterSpec algParam = new IVParameterSpec(iv); + IConfigStore configStore = CMS.getConfigStore(); + boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false); + wrapped_des_key = null; boolean archive = true; byte[] publicKeyData = null; @@ -405,8 +409,7 @@ public class NetkeyKeygenService implements IService { WrappingParams params = null; try { - // TODO(alee) What happens if key wrap algorithm is not supported? - params = mStorageUnit.getWrappingParams(); + params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params); } catch (Exception e) { request.setExtData(IRequest.RESULT, Integer.valueOf(4)); diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index 701b6110b..95d07c4f4 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java @@ -217,7 +217,7 @@ public class SecurityDataProcessor { boolean doEncrypt = false; try { - params = storageUnit.getWrappingParams(); + params = storageUnit.getWrappingParams(allowEncDecrypt_archival); if (securitySymKey != null && unwrapped == null) { privateSecurityData = storageUnit.wrap(securitySymKey, params); } else if (unwrapped != null && allowEncDecrypt_archival == true) { diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java index 3e7f1deb9..1df30f658 100644 --- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java +++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java @@ -133,7 +133,7 @@ public class StorageKeyUnit extends EncryptionUnit implements throw new EBaseException(CMS.getUserMessage("CMS_INVALID_OPERATION")); } - public WrappingParams getWrappingParams() throws Exception { + public WrappingParams getWrappingParams(boolean encrypt) throws Exception { String choice = null; try { choice = mConfig.getString(PROP_WRAPPING_CHOICE); @@ -177,6 +177,16 @@ public class StorageKeyUnit extends EncryptionUnit implements KeyRecordParser.OUT_PL_WRAP_IV_LEN); if (iv != null) params.setPayloadWrappingIV(new IVParameterSpec(iv)); + if (encrypt) { + // Some HSMs have not yet implemented AES-KW. Use AES-CBC-PAD instead + if (params.getPayloadWrapAlgorithm().equals(KeyWrapAlgorithm.AES_KEY_WRAP) || + params.getPayloadWrapAlgorithm().equals(KeyWrapAlgorithm.AES_KEY_WRAP_PAD)) { + params.setPayloadWrapAlgorithm(KeyWrapAlgorithm.AES_CBC_PAD); + iv = CryptoUtil.getNonceData(16); + params.setPayloadWrappingIV(new IVParameterSpec(iv)); + } + } + return params; } diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java index c1830ec6c..bf350d5f5 100644 --- a/base/kra/src/com/netscape/kra/SymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java @@ -29,6 +29,7 @@ import org.mozilla.jss.crypto.SymmetricKey; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.IKeyRepository; import com.netscape.certsrv.key.KeyRequestResource; @@ -107,6 +108,9 @@ public class SymKeyGenService implements IService { throw new EBaseException("Bad data in SymKeyGenService.serviceRequest"); } + IConfigStore configStore = CMS.getConfigStore(); + boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false); + CryptoToken token = mStorageUnit.getToken(); KeyGenAlgorithm kgAlg = KeyRequestDAO.SYMKEY_GEN_ALGORITHMS.get(algorithm); if (kgAlg == null) { @@ -170,8 +174,7 @@ public class SymKeyGenService implements IService { } try { - // TODO(alee) what happens if key wrap algorithm is not supported? - params = mStorageUnit.getWrappingParams(); + params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); privateSecurityData = mStorageUnit.wrap(sk, params); } catch (Exception e) { CMS.debug("Failed to generate security data to archive: " + e); diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java index 513c0b252..fc66e662b 100644 --- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java +++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java @@ -115,10 +115,6 @@ public class TransportKeyUnit extends EncryptionUnit implements } } - public WrappingParams getWrappingParams() { - return getOldWrappingParams(); - } - public CryptoToken getInternalToken() { try { return CryptoManager.getInstance().getInternalKeyStorageToken(); |