diff options
author | Jack Magne <jmagne@redhat.com> | 2012-01-21 17:39:26 -0800 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-02-13 15:48:20 -0600 |
commit | a9680c7b7097c6b715c57c6581d4f24a5e4ee8b8 (patch) | |
tree | 8403b15a424a112f4209cba8e78f358bbbfd271e /pki/base/common/src/com/netscape/cms/servlet/key/model | |
parent | 2181aa4dbc4f04cb58af4dcc0f827d30f1526d4c (diff) | |
download | pki-a9680c7b7097c6b715c57c6581d4f24a5e4ee8b8.tar.gz pki-a9680c7b7097c6b715c57c6581d4f24a5e4ee8b8.tar.xz pki-a9680c7b7097c6b715c57c6581d4f24a5e4ee8b8.zip |
KRA changes for archiving and recovering symmetric keys and passphrases.
Ticket #66 and #68.
Add ability to archive and recover symmetric keys and passphrases using rest interface.
Enhanced test client to test out new functionality.
Provided support to return recovered data either wrapped by symmetric key or wrapped in PBE password based encryption blob.
DRM symmetric key support cleanup changes.
Consists of suggested cleanup measures based on review comments.
Diffstat (limited to 'pki/base/common/src/com/netscape/cms/servlet/key/model')
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java | 109 | ||||
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java | 19 |
2 files changed, 118 insertions, 10 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java index 5fd17a333..fd9d2d2c0 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java +++ b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java @@ -20,8 +20,11 @@ package com.netscape.cms.servlet.key.model; import java.math.BigInteger; import java.util.ArrayList; import java.util.Enumeration; +import java.util.Hashtable; import java.util.List; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import com.netscape.certsrv.apps.CMS; @@ -29,7 +32,12 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.IKeyRepository; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.RequestId; +import com.netscape.certsrv.request.RequestStatus; import com.netscape.cms.servlet.request.model.RecoveryRequestData; +import com.netscape.kra.SecurityDataRecoveryService; /** * @author alee @@ -38,11 +46,13 @@ import com.netscape.cms.servlet.request.model.RecoveryRequestData; public class KeyDAO { private IKeyRepository repo; + private IKeyRecoveryAuthority kra; + private IRequestQueue queue; public KeyDAO() { - IKeyRecoveryAuthority kra = null; kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" ); repo = kra.getKeyRepository(); + queue = kra.getRequestQueue(); } /** * Returns list of keys meeting specified search filter. @@ -79,18 +89,100 @@ public class KeyDAO { } public KeyData getKey(String keyId, RecoveryRequestData data) throws EBaseException { - KeyData keyData = null; + KeyData keyData; BigInteger serial = new BigInteger(keyId); - // get wrapped key + String rId = data.getRequestId(); + + String transWrappedSessionKey; + String sessionWrappedPassphrase; + + IRequest request = queue.findRequest(new RequestId(rId)); + + if (request == null) { + return null; + } + + // get wrapped key IKeyRecord rec = repo.readKeyRecord(serial); if (rec == null) { - // key does not exist - // log the error return null; } - // TODO unwrap the key and wrap with the credential in RecoveryRequestData - // need to figure out how to do this with jmagne + + Hashtable<String, Object> requestParams = kra.getVolatileRequest( + request.getRequestId()); + + if(requestParams == null) { + throw new EBaseException("Can't obtain Volatile requestParams in KeyDAO.getKey!"); + } + + String sessWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_SESS_WRAPPED_DATA); + String passWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_PASS_WRAPPED_DATA); + String nonceData = (String) requestParams.get(IRequest.SECURITY_DATA_IV_STRING_OUT); + + if (sessWrappedKeyData != null || passWrappedKeyData != null) { + //The recovery process has already placed a valid recovery + //package, either session key wrapped or pass wrapped, into the request. + //Request already has been processed. + keyData = new KeyData(); + + } else { + // The request has not yet been processed, let's see if the RecoveryRequestData contains + // the info now needed to process the recovery request. + + transWrappedSessionKey = data.getTransWrappedSessionKey(); + sessionWrappedPassphrase = data.getSessionWrappedPassphrase(); + nonceData = data.getNonceData(); + + if(transWrappedSessionKey == null) { + //There must be at least a transWrappedSessionKey input provided. + //The command AND the request have provided insufficient data, end of the line. + throw new EBaseException("Can't retrieve key, insufficient input data!"); + } + + if (sessionWrappedPassphrase != null) { + requestParams.put(IRequest.SECURITY_DATA_SESS_PASS_PHRASE, sessionWrappedPassphrase); + } + + if (transWrappedSessionKey != null) { + requestParams.put(IRequest.SECURITY_DATA_TRANS_SESS_KEY, transWrappedSessionKey); + } + + if (nonceData != null) { + requestParams.put(IRequest.SECURITY_DATA_IV_STRING_IN, nonceData); + } + + try { + // Has to be in this state or it won't go anywhere. + request.setRequestStatus(RequestStatus.BEGIN); + queue.processRequest(request); + } catch (EBaseException e) { + kra.destroyVolatileRequest(request.getRequestId()); + throw new EBaseException(e.toString()); + } + + nonceData = null; + keyData = new KeyData(); + + sessWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_SESS_WRAPPED_DATA); + passWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_PASS_WRAPPED_DATA); + nonceData = (String) requestParams.get(IRequest.SECURITY_DATA_IV_STRING_OUT); + + } + + if (sessWrappedKeyData != null) { + keyData.setWrappedPrivateData(sessWrappedKeyData); + } + if (passWrappedKeyData != null) { + keyData.setWrappedPrivateData(passWrappedKeyData); + } + if (nonceData != null) { + keyData.setNonceData(nonceData); + } + + kra.destroyVolatileRequest(request.getRequestId()); + + queue.markAsServiced(request); return keyData; } @@ -103,9 +195,6 @@ public class KeyDAO { UriBuilder keyBuilder = uriInfo.getBaseUriBuilder(); keyBuilder.path("/key/" + serial); ret.setKeyURL(keyBuilder.build().toString()); - - // clientID = rec.getClientID(); - // TODO add other fields as needed return ret; } diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java index 0e6e80dec..4f303e27d 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java +++ b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java @@ -36,6 +36,9 @@ public class KeyData { @XmlElement String wrappedPrivateData; + @XmlElement + String nonceData; + public KeyData() { // required for JAXB (defaults) } @@ -54,4 +57,20 @@ public class KeyData { this.wrappedPrivateData = wrappedPrivateData; } + /** + * @return the nonceData + */ + + public String getNonceData() { + return nonceData; + } + + /** + * @param nonceData the nonceData to set + */ + + public void setNonceData(String nonceData) { + this.nonceData = nonceData; + } + } |