authorAde Lee <alee@redhat.com>2017-06-06 16:16:40 -0400
committerAde Lee <alee@redhat.com>2017-06-07 16:00:52 -0400
commitd5c331a42955365b76a1549aec047e613d3185dc (patch)
tree6258a518501aa166cb803abe04f046da410aec31
parent38df4274214938ceece85627abb6d4fe77b960ff (diff)
Server side changes to correctly parse the new PKIArchiveOptions
The server is modified to read the new OIDs in the PKIArchiveOptions and handle them correctly. Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
-rw-r--r--base/common/src/org/dogtagpki/common/CAInfo.java2
-rw-r--r--base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java20
-rw-r--r--base/kra/src/com/netscape/kra/TransportKeyUnit.java21
-rw-r--r--base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java2
-rw-r--r--base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java34
-rw-r--r--base/util/src/netscape/security/util/WrappingParams.java55
6 files changed, 109 insertions, 25 deletions
diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java
index 0f68c7ab7..ada809899 100644
--- a/base/common/src/org/dogtagpki/common/CAInfo.java
+++ b/base/common/src/org/dogtagpki/common/CAInfo.java
@@ -66,6 +66,7 @@ public class CAInfo extends ResourceMessage {
this.archivalMechanism = archivalMechanism;
}
+ @XmlElement(name="EncryptAlgorithm")
public String getEncryptAlgorithm() {
return encryptAlgorithm;
}
@@ -74,6 +75,7 @@ public class CAInfo extends ResourceMessage {
this.encryptAlgorithm = encryptAlgorithm;
}
+ @XmlElement(name="WrapAlgorithm")
public String getKeyWrapAlgorithm() {
return keyWrapAlgorithm;
}
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index b06faa6be..25de2dd60 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -191,7 +191,7 @@ public class CRMFPopClient {
options.addOption(option);
option = new Option("w", true, "Algorithm to be used for key wrapping");
- option.setArgName("keySet");
+ option.setArgName("keywrap algorithm");
options.addOption(option);
options.addOption("y", false, "for Self-signed cmc.");
@@ -655,13 +655,23 @@ public class CRMFPopClient {
KeyPair keyPair,
Name subject,
KeyWrapAlgorithm keyWrapAlgorithm) throws Exception {
- byte[] iv = null;
- if (keyWrapAlgorithm.getParameterClasses() != null) {
- iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
- }
+ byte[] iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm);
+ /* TODO(alee)
+ *
+ * HACK HACK!
+ * algorithms like AES KeyWrap do not require an IV, but we need to include one
+ * in the AlgorithmIdentifier above, or the creation and parsing of the
+ * PKIArchiveOptions options will fail. So we include an IV in aid, but null it
+ * later to correctly encrypt the data
+ */
AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv));
+
+ Class[] iv_classes = keyWrapAlgorithm.getParameterClasses();
+ if (iv_classes == null || iv_classes.length == 0)
+ iv = null;
+
WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv);
PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
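Review bot: The IV written into the `AlgorithmIdentifier` is a random placeholder for algorithms that take no IV, and the TODO comment does not say that the receiver has to discard it. The comment should state that contract, and it should say "below" rather than "above", since `aid` is built after the comment. The new check also uses a raw type, a snake_case local and an unbraced `if`; `Class<?>[] ivClasses = keyWrapAlgorithm.getParameterClasses();` followed by `if (ivClasses == null || ivClasses.length == 0) { iv = null; }` is harder to break with a later edit. The enclosing method begins and continues outside this hunk.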
diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
index d0ad8b3e4..91af7cfc2 100644
--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
@@ -267,7 +267,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
* Decrypts the user private key. This is called on the transport unit.
*/
public byte[] decryptExternalPrivate(byte encSymmKey[],
- String symmAlgOID, byte symmAlgParams[], byte encValue[],
+ String wrapOID, byte wrapIV[], byte encValue[],
org.mozilla.jss.crypto.X509Certificate transCert)
throws Exception {
@@ -279,12 +279,10 @@ public class TransportKeyUnit extends EncryptionUnit implements
CryptoToken token = getToken(transCert);
PrivateKey wrappingKey = getPrivateKey(transCert);
String priKeyAlgo = wrappingKey.getAlgorithm();
- WrappingParams params = new WrappingParams(
- symmAlgOID,
- null,
+ WrappingParams params = WrappingParams.getWrappingParamsFromArchiveOptions(
+ wrapOID,
priKeyAlgo,
- new IVParameterSpec(symmAlgParams),
- null);
+ new IVParameterSpec(wrapIV));
SymmetricKey sk = CryptoUtil.unwrap(
token,
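Review bot: `wrapOID` and `wrapIV` now decide the session-key type, the payload algorithms and the IVs through `WrappingParams.getWrappingParamsFromArchiveOptions`. If they are taken from the request's PKIArchiveOptions, as the commit title suggests, the requester picks the algorithm, including the 3DES OID. Nothing visible here compares the result with the wrap algorithm the KRA is configured to offer, so consider rejecting a mismatch before unwrapping, or at least add a comment such as `// wrapOID/wrapIV come from the request; unsupported OIDs throw NoSuchAlgorithmException`. The same applies to the `unwrap` hunk further down. Both method bodies continue outside their hunks.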
@@ -303,6 +301,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
params.getPayloadEncryptionAlgorithm());
}
+
/**
* External unwrapping. Unwraps the symmetric key using
* the transport private key.
@@ -342,19 +341,17 @@ public class TransportKeyUnit extends EncryptionUnit implements
* the transport private key.
*/
public PrivateKey unwrap(byte encSymmKey[],
- String symmAlgOID, byte symmAlgParams[],
+ String wrapOID, byte wrapIV[],
byte encValue[], PublicKey pubKey,
org.mozilla.jss.crypto.X509Certificate transCert)
throws Exception {
CryptoToken token = getToken(transCert);
PrivateKey wrappingKey = getPrivateKey(transCert);
String priKeyAlgo = wrappingKey.getAlgorithm();
- WrappingParams params = new WrappingParams(
- symmAlgOID,
- null,
+ WrappingParams params = WrappingParams.getWrappingParamsFromArchiveOptions(
+ wrapOID,
priKeyAlgo,
- new IVParameterSpec(symmAlgParams),
- new IVParameterSpec(symmAlgParams));
+ new IVParameterSpec(wrapIV));
// (1) unwrap the session key
SymmetricKey sk = CryptoUtil.unwrap(
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
index a9c3cdfc1..c855b2297 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
@@ -59,7 +59,7 @@ public class KRAInfoService extends PKIService implements KRAInfoResource {
info.setArchivalMechanism(getArchivalMechanism());
info.setRecoveryMechanism(getRecoveryMechanism());
info.setEncryptAlgorithm(getEncryptAlgorithm());
- info.setArchivalMechanism(getWrapAlgorithm());
+ info.setWrapAlgorithm(getWrapAlgorithm());
return createOKResponse(info);
}
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 84e4a650d..eca8dddb6 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -2713,6 +2713,10 @@ public class CryptoUtil {
throw new NoSuchAlgorithmException();
}
+ public static final OBJECT_IDENTIFIER KW_AES_KEY_WRAP_PAD = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8");
+ public static final OBJECT_IDENTIFIER KW_AES_CBC_PAD = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
+ public static final OBJECT_IDENTIFIER KW_DES_CBC_PAD = new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
+
/*
* Useful method to map KeyWrap algorithms to an OID.
* This is not yet defined within JSS, although it will be valuable to do
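Review bot: `KW_DES_CBC_PAD` holds 1.2.840.113549.3.7, which is the des-ede3-cbc (triple DES) arc, so the name suggests single DES where the value means 3DES; `KW_DES3_CBC_PAD` would match the value. The two AES values are the 128-bit arcs (aes128-CBC and id-aes128-wrap-pad), which deserves a comment because the names carry no key size, e.g. `// id-aes128-wrap-pad (RFC 5649), 128-bit keys only`. These are newly added public constants, so a rename is cheapest now. The hunk ends inside the comment that precedes `getOID`.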
@@ -2724,13 +2728,29 @@ public class CryptoUtil {
* the subsequent reverse mapping method below.
*/
public static OBJECT_IDENTIFIER getOID(KeyWrapAlgorithm kwAlg) throws NoSuchAlgorithmException {
- if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD)
- return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8");
- if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD)
- return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
- if ((kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) ||
- (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD))
- return new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
+ String name = kwAlg.toString();
+ if (name.equals(KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString()))
+ return KW_AES_KEY_WRAP_PAD;
+ if (name.equals(KeyWrapAlgorithm.AES_CBC_PAD.toString()))
+ return KW_AES_CBC_PAD;
+ if (name.equals(KeyWrapAlgorithm.DES3_CBC_PAD.toString()))
+ return KW_DES_CBC_PAD;
+ if (name.equals(KeyWrapAlgorithm.DES_CBC_PAD.toString()))
+ return KW_DES_CBC_PAD;
+
+ throw new NoSuchAlgorithmException();
+ }
+
+ public static KeyWrapAlgorithm getKeyWrapAlgorithmFromOID(String wrapOID) throws NoSuchAlgorithmException {
+ OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
+ if (oid.equals(KW_AES_KEY_WRAP_PAD))
+ return KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
+
+ if (oid.equals(KW_AES_CBC_PAD))
+ return KeyWrapAlgorithm.AES_CBC_PAD;
+
+ if (oid.equals(KW_DES_CBC_PAD))
+ return KeyWrapAlgorithm.DES3_CBC_PAD;
throw new NoSuchAlgorithmException();
}
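Review bot: `getOID` maps both `DES3_CBC_PAD` and `DES_CBC_PAD` to the same OID while `getKeyWrapAlgorithmFromOID` returns only `DES3_CBC_PAD`, so the round trip is lossy: a sender using `DES_CBC_PAD` advertises an OID that the receiver resolves to 3DES. Either drop the `DES_CBC_PAD` mapping or document the asymmetry on both methods. Both methods also throw a bare `NoSuchAlgorithmException()`; `throw new NoSuchAlgorithmException("Unsupported key wrap OID: " + wrapOID);` would make a rejected request diagnosable. The new method has no Javadoc; one sentence saying it is the inverse of `getOID` and throws for unknown OIDs would be enough.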
diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
index 8fe5df670..cda887068 100644
--- a/base/util/src/netscape/security/util/WrappingParams.java
+++ b/base/util/src/netscape/security/util/WrappingParams.java
@@ -10,6 +10,8 @@ import org.mozilla.jss.crypto.KeyWrapAlgorithm;
import org.mozilla.jss.crypto.SymmetricKey;
import org.mozilla.jss.crypto.SymmetricKey.Type;
+import com.netscape.cmsutil.crypto.CryptoUtil;
+
public class WrappingParams {
// session key attributes
SymmetricKey.Type skType;
@@ -123,6 +125,59 @@ public class WrappingParams {
}
}
+ private WrappingParams(String wrapOID, String priKeyAlgo, IVParameterSpec wrapIV)
+ throws NumberFormatException, NoSuchAlgorithmException {
+ KeyWrapAlgorithm kwAlg = CryptoUtil.getKeyWrapAlgorithmFromOID(wrapOID);
+
+ if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) {
+ skType = SymmetricKey.AES;
+ skKeyGenAlgorithm = KeyGenAlgorithm.AES;
+ payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
+ skLength = 128;
+ }
+
+ if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
+ skType = SymmetricKey.AES;
+ skKeyGenAlgorithm = KeyGenAlgorithm.AES;
+ payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
+ skLength = 128;
+ }
+
+ if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
+ skType = SymmetricKey.DES;
+ skKeyGenAlgorithm = KeyGenAlgorithm.DES;
+ skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+ payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
+ skLength = 0;
+ }
+
+ if (priKeyAlgo.equals("EC")) {
+ skWrapAlgorithm = KeyWrapAlgorithm.AES_ECB;
+ } else {
+ skWrapAlgorithm = KeyWrapAlgorithm.RSA;
+ }
+
+ // set the IVs
+ payloadEncryptionIV = wrapIV;
+
+ if (payloadWrapAlgorithm == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) {
+ // TODO(alee) Hack -- if we pass in null for the iv in the
+ // PKIArchiveOptions, we fail to decode correctly when parsing a
+ // CRMFPopClient request.
+ payloadWrappingIV = null;
+ } else {
+ payloadWrappingIV = wrapIV;
+ }
+ }
+
+ public static WrappingParams getWrappingParamsFromArchiveOptions(String wrapOID, String priKeyAlgo, IVParameterSpec wrapIV)
+ throws NumberFormatException, NoSuchAlgorithmException {
+ return new WrappingParams(wrapOID, priKeyAlgo, wrapIV);
+ }
+
public SymmetricKey.Type getSkType() {
return skType;
}
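Review bot: In the DES branch `skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;` is a dead store, because the `priKeyAlgo` if/else below always overwrites `skWrapAlgorithm`. The `kwAlg == KeyWrapAlgorithm.DES_CBC_PAD` test also looks unreachable, since `getKeyWrapAlgorithmFromOID` as added in this commit never returns that value. Remove the assignment and chain the three algorithm checks with `else if`, ending in an `else` that throws, so a later addition to the OID mapping cannot leave the fields unset. A comment on `skLength = 128;` noting that the accepted AES OIDs are the 128-bit ones would explain the constant.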