KRA changes for archiving and recovering symmetric keys and passphrases.

Ticket #66 and #68.

Add ability to archive and recover symmetric keys and passphrases using rest interface.
Enhanced test client to test out new functionality.
Provided support to return recovered data either wrapped by symmetric key or wrapped in PBE password based encryption blob.

DRM symmetric key support cleanup changes.

Consists of suggested cleanup measures based on review comments.

8 files changed, 272 insertions, 21 deletions

diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/KeyResourceService.java b/pki/base/common/src/com/netscape/cms/servlet/key/KeyResourceService.java
index 887820c3f..4888d609f 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/key/KeyResourceService.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/key/KeyResourceService.java
@@ -18,6 +18,7 @@
 
 package com.netscape.cms.servlet.key;
 
+
 import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MultivaluedMap;
@@ -73,11 +74,6 @@ public class KeyResourceService extends CMSResourceService implements KeyResourc
     }
     
     private String validateRequest(RecoveryRequestData data) {
-        // confirm that at least one wrapping method exists
-        if ((data.getTransWrappedSessionKey() == null) && (data.getTransWrappedSessionKey() == null)) {
-            // log error
-            throw new WebApplicationException(Response.Status.BAD_REQUEST);
-        }
         
         // confirm request exists
         String reqId = data.getRequestId();
@@ -85,6 +81,14 @@ public class KeyResourceService extends CMSResourceService implements KeyResourc
             // log error
             throw new WebApplicationException(Response.Status.BAD_REQUEST);
         }
+
+        // confirm that at least one wrapping method exists
+        // There must be at least the wrapped session key method.
+        if ((data.getTransWrappedSessionKey() == null)) {
+            // log error
+            throw new WebApplicationException(Response.Status.BAD_REQUEST);
+        }
+
         KeyRequestDAO reqDAO = new KeyRequestDAO();
         KeyRequestInfo reqInfo;
         try {
@@ -117,7 +121,7 @@ public class KeyResourceService extends CMSResourceService implements KeyResourc
         }
         
         String keyURL = reqInfo.getKeyURL();
-        return keyURL.substring(keyURL.lastIndexOf("/")); 
+        return keyURL.substring(keyURL.lastIndexOf("/") + 1);
     }
 
 }
diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java b/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java
index 471abc161..b5032fa86 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java
@@ -76,7 +76,7 @@ public class KeysResourceService extends CMSResourceService implements KeysResou
         }
         
         if (clientID != null) {
-            filter += "(clientID=\'" + clientID + "\')";
+            filter += "(clientID=" + clientID + ")";
             matches ++;
         }
         
diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java
index 5fd17a333..fd9d2d2c0 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java
@@ -20,8 +20,11 @@ package com.netscape.cms.servlet.key.model;
 import java.math.BigInteger;
 import java.util.ArrayList;
 import java.util.Enumeration;
+import java.util.Hashtable;
 import java.util.List;
 
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
 import com.netscape.certsrv.apps.CMS;
@@ -29,7 +32,12 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.dbs.keydb.IKeyRecord;
 import com.netscape.certsrv.dbs.keydb.IKeyRepository;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.certsrv.request.RequestId;
+import com.netscape.certsrv.request.RequestStatus;
 import com.netscape.cms.servlet.request.model.RecoveryRequestData;
+import com.netscape.kra.SecurityDataRecoveryService;
 
 /**
  * @author alee
@@ -38,11 +46,13 @@ import com.netscape.cms.servlet.request.model.RecoveryRequestData;
 public class KeyDAO {
 
     private IKeyRepository repo;
+    private IKeyRecoveryAuthority kra;
+    private IRequestQueue queue;
     
     public KeyDAO() {
-        IKeyRecoveryAuthority kra = null;
         kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" );
         repo = kra.getKeyRepository();
+        queue = kra.getRequestQueue();
     }
     /**
      * Returns list of keys meeting specified search filter.
@@ -79,18 +89,100 @@ public class KeyDAO {
     }
     
     public KeyData getKey(String keyId, RecoveryRequestData data) throws EBaseException {
-        KeyData keyData = null;
+        KeyData keyData;
         BigInteger serial = new BigInteger(keyId);
         
-        // get wrapped key
+        String rId = data.getRequestId();
+
+        String transWrappedSessionKey;
+        String sessionWrappedPassphrase;
+
+        IRequest  request = queue.findRequest(new RequestId(rId));
+
+        if (request == null) {
+            return null;
+        }
+
+     // get wrapped key
         IKeyRecord rec = repo.readKeyRecord(serial);
         if (rec == null) {
-            // key does not exist
-            // log the error
             return null;  
         }
-        // TODO unwrap the key and wrap with the credential in RecoveryRequestData
-        // need to figure out how to do this with jmagne 
+
+        Hashtable<String, Object> requestParams = kra.getVolatileRequest(
+                request.getRequestId());
+
+        if(requestParams == null) {
+            throw new EBaseException("Can't obtain Volatile requestParams in KeyDAO.getKey!");
+        }
+
+        String sessWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_SESS_WRAPPED_DATA);
+        String passWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_PASS_WRAPPED_DATA);
+        String nonceData = (String) requestParams.get(IRequest.SECURITY_DATA_IV_STRING_OUT);
+
+        if (sessWrappedKeyData != null || passWrappedKeyData != null) {
+            //The recovery process has already placed a valid recovery
+            //package, either session key wrapped or pass wrapped, into the request.
+            //Request already has been processed.
+            keyData = new KeyData();
+
+        } else {
+            // The request has not yet been processed, let's see if the RecoveryRequestData contains
+            // the info now needed to process the recovery request.
+
+            transWrappedSessionKey   = data.getTransWrappedSessionKey();
+            sessionWrappedPassphrase = data.getSessionWrappedPassphrase();
+            nonceData = data.getNonceData();
+
+            if(transWrappedSessionKey == null) {
+                 //There must be at least a transWrappedSessionKey input provided.
+                 //The command AND the request have provided insufficient data, end of the line.
+                 throw new EBaseException("Can't retrieve key, insufficient input data!");
+            }
+
+            if (sessionWrappedPassphrase != null) {
+                requestParams.put(IRequest.SECURITY_DATA_SESS_PASS_PHRASE, sessionWrappedPassphrase);
+            }
+
+            if (transWrappedSessionKey != null) {
+                requestParams.put(IRequest.SECURITY_DATA_TRANS_SESS_KEY, transWrappedSessionKey);
+            }
+
+            if (nonceData != null) {
+                requestParams.put(IRequest.SECURITY_DATA_IV_STRING_IN, nonceData);
+            }
+
+            try {
+                // Has to be in this state or it won't go anywhere.
+                request.setRequestStatus(RequestStatus.BEGIN);
+                queue.processRequest(request);
+            } catch (EBaseException e) {
+                kra.destroyVolatileRequest(request.getRequestId());
+                throw new EBaseException(e.toString());
+            }
+
+            nonceData = null;
+            keyData = new KeyData();
+
+            sessWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_SESS_WRAPPED_DATA);
+            passWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_PASS_WRAPPED_DATA);
+            nonceData = (String) requestParams.get(IRequest.SECURITY_DATA_IV_STRING_OUT);
+
+        }
+
+        if (sessWrappedKeyData != null) {
+            keyData.setWrappedPrivateData(sessWrappedKeyData);
+        }
+        if (passWrappedKeyData != null) {
+            keyData.setWrappedPrivateData(passWrappedKeyData);
+        }
+        if (nonceData != null) {
+            keyData.setNonceData(nonceData);
+        }
+
+        kra.destroyVolatileRequest(request.getRequestId());
+
+        queue.markAsServiced(request);
         
         return keyData;
     }
@@ -103,9 +195,6 @@ public class KeyDAO {
         UriBuilder keyBuilder = uriInfo.getBaseUriBuilder();
         keyBuilder.path("/key/" + serial);
         ret.setKeyURL(keyBuilder.build().toString());
-        
-        // clientID = rec.getClientID();
-        // TODO add other fields as needed
         return ret;
     }
     
diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java
index 0e6e80dec..4f303e27d 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java
@@ -36,6 +36,9 @@ public class KeyData {
     @XmlElement
     String wrappedPrivateData;
     
+    @XmlElement
+    String nonceData;
+
     public KeyData() {
         // required for JAXB (defaults)
     }
@@ -54,4 +57,20 @@ public class KeyData {
         this.wrappedPrivateData = wrappedPrivateData;
     }
     
+    /**
+     * @return the nonceData
+     */
+
+    public String getNonceData() {
+        return nonceData;
+    }
+
+    /**
+     * @param nonceData the nonceData to set
+     */
+
+    public void setNonceData(String nonceData) {
+        this.nonceData = nonceData;
+    }
+
 }
diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResource.java b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResource.java
index 146b03d89..656768f02 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResource.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResource.java
@@ -14,6 +14,9 @@ import com.netscape.cms.servlet.request.model.RecoveryRequestData;
 
 @Path("/keyrequest")
 public interface KeyRequestResource {
+    public final String SYMMETRIC_KEY_TYPE = "symmetricKey";
+    public final String PASS_PHRASE_TYPE = "passPhrase";
+    public final String ASYMMETRIC_KEY_TYPE = "asymmetricKey";
 
     /**
      * Used to retrieve key request info for a specific request
diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResourceService.java b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResourceService.java
index da08c4d69..e18407727 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResourceService.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResourceService.java
@@ -69,6 +69,14 @@ public class KeyRequestResourceService extends CMSResourceService implements Key
 
     public KeyRequestInfo archiveKey(ArchivalRequestData data) {
         // auth and authz
+        // Catch this before internal server processing has to deal with it
+
+        if (data == null || data.getClientId() == null
+                || data.getWrappedPrivateData() == null
+                || data.getDataType() == null) {
+            throw new WebApplicationException(Response.Status.BAD_REQUEST);
+        }
+
         KeyRequestDAO dao = new KeyRequestDAO();
         KeyRequestInfo info;
         try {
@@ -89,6 +97,15 @@ public class KeyRequestResourceService extends CMSResourceService implements Key
 
     public KeyRequestInfo recoverKey(RecoveryRequestData data) {
         // auth and authz
+
+        //Check for entirely illegal data combination here
+        //Catch this before the internal server processing has to deal with it
+        //If data has been provided, we need at least the wrapped session key,
+        //or the command is invalid.
+        if (data == null || (data.getTransWrappedSessionKey() == null
+                && data.getSessionWrappedPassphrase() != null)) {
+            throw new WebApplicationException(Response.Status.BAD_REQUEST);
+        }
         KeyRequestDAO dao = new KeyRequestDAO();
         KeyRequestInfo info;
         try {
@@ -102,6 +119,9 @@ public class KeyRequestResourceService extends CMSResourceService implements Key
     }
     
     public void approveRequest(@PathParam("id") String id) {
+        if ( id == null) {
+            throw new WebApplicationException(Response.Status.BAD_REQUEST);
+        }
         // auth and authz
         KeyRequestDAO dao = new KeyRequestDAO();
         try {
@@ -114,6 +134,9 @@ public class KeyRequestResourceService extends CMSResourceService implements Key
     }
     
     public void rejectRequest(@PathParam("id") String id) {
+        if ( id == null) {
+            throw new WebApplicationException(Response.Status.BAD_REQUEST);
+        }
         // auth and authz
         KeyRequestDAO dao = new KeyRequestDAO();
         try {
@@ -126,6 +149,9 @@ public class KeyRequestResourceService extends CMSResourceService implements Key
     }
          
     public void cancelRequest(@PathParam("id") String id) {
+        if ( id == null) {
+            throw new WebApplicationException(Response.Status.BAD_REQUEST);
+        }
         // auth and authz
         KeyRequestDAO dao = new KeyRequestDAO();
         try {
diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/model/KeyRequestDAO.java b/pki/base/common/src/com/netscape/cms/servlet/request/model/KeyRequestDAO.java
index 16da23d8b..623fa941f 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/request/model/KeyRequestDAO.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/request/model/KeyRequestDAO.java
@@ -19,9 +19,12 @@ package com.netscape.cms.servlet.request.model;
 
 import java.net.URI;
 import java.util.ArrayList;
+import java.util.Hashtable;
 import java.util.List;
 
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
 
@@ -35,6 +38,9 @@ import com.netscape.certsrv.request.IRequestVirtualList;
 import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.request.RequestStatus;
 import com.netscape.cms.servlet.base.model.Link;
+import com.netscape.cms.servlet.key.model.KeyDAO;
+import com.netscape.cms.servlet.key.model.KeyDataInfos;
+import com.netscape.certsrv.profile.IEnrollProfile;
 
 /**
  * @author alee
@@ -42,6 +48,9 @@ import com.netscape.cms.servlet.base.model.Link;
  */
 public class KeyRequestDAO {
     private IRequestQueue queue;
+    private IKeyRecoveryAuthority kra;
+
+    private static String REQUEST_ARCHIVE_OPTIONS = IEnrollProfile.REQUEST_ARCHIVE_OPTIONS;
     
     private String[] vlvFilters = {
             "(requeststate=*)", "(requesttype=enrollment)",
@@ -56,8 +65,9 @@ public class KeyRequestDAO {
             "(&(requeststate=complete)(requesttype=recovery))"
     };
     
+    public static final String ATTR_SERIALNO = "serialNumber";
+
     public KeyRequestDAO() {
-        IKeyRecoveryAuthority kra = null;
         kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" );
         queue = kra.getRequestQueue();
     }
@@ -104,6 +114,10 @@ public class KeyRequestDAO {
             // We should think about whether they should be, or if we need to
             // limit the number of results returned.
             IRequestList requests = queue.listRequestsByFilter(filter, maxResults, maxTime);
+
+            if (requests == null) {
+                return null;
+            }
             while (requests.hasMoreElements()) {
                 RequestId rid = (RequestId) requests.nextElement();
                 IRequest request = queue.findRequest(rid);
@@ -168,10 +182,26 @@ public class KeyRequestDAO {
      * @throws EBaseException 
      */
     public KeyRequestInfo submitRequest(ArchivalRequestData data, UriInfo uriInfo) throws EBaseException {
+        String clientId = data.getClientId();
+        String wrappedSecurityData = data.getWrappedPrivateData();
+        String dataType = data.getDataType();
+
+        boolean keyExists = doesKeyExist(clientId, "active", uriInfo);
+
+        if(keyExists == true) {
+            throw new EBaseException("Can not archive already active existing key!");
+        }
+
         IRequest request = queue.newRequest(IRequest.SECURITY_DATA_ENROLLMENT_REQUEST);
-        //TODO : 
-        //set data using request.setExtData(field, data)
+
+        request.setExtData(REQUEST_ARCHIVE_OPTIONS, wrappedSecurityData);
+        request.setExtData(IRequest.SECURITY_DATA_CLIENT_ID, clientId);
+        request.setExtData(IRequest.SECURITY_DATA_TYPE, dataType);
+
         queue.processRequest(request);
+
+        queue.markAsServiced(request);
+
         return createKeyRequestInfo(request, uriInfo);
     }
     /**
@@ -181,25 +211,61 @@ public class KeyRequestDAO {
      * @throws EBaseException 
      */
     public KeyRequestInfo submitRequest(RecoveryRequestData data, UriInfo uriInfo) throws EBaseException { 
-        IRequest request = queue.newRequest(IRequest.SECURITY_DATA_RECOVERY_REQUEST);
+
         // set data using request.setExtData(field, data)
+
+        String wrappedSessionKeyStr = data.getTransWrappedSessionKey();
+        String wrappedPassPhraseStr = data.getSessionWrappedPassphrase();
+        String nonceDataStr = data.getNonceData();
+
+        IRequest request = queue.newRequest(IRequest.SECURITY_DATA_RECOVERY_REQUEST);
+
+        String keyId = data.getKeyId();
+
+        Hashtable<String, Object> requestParams;
+        requestParams = kra.createVolatileRequest(request.getRequestId());
+
+        if(requestParams == null) {
+            throw new EBaseException("Can not create Volatile params in submitRequest!");
+        }
+
+        CMS.debug("Create volatile  params for recovery request. " + requestParams);
+
+        if (wrappedPassPhraseStr != null) {
+            requestParams.put(IRequest.SECURITY_DATA_SESS_PASS_PHRASE, wrappedPassPhraseStr);
+        }
+
+        if (wrappedSessionKeyStr != null) {
+            requestParams.put(IRequest.SECURITY_DATA_TRANS_SESS_KEY, wrappedSessionKeyStr);
+        }
+
+        if (nonceDataStr != null) {
+            requestParams.put(IRequest.SECURITY_DATA_IV_STRING_IN, nonceDataStr);
+        }
+
+        request.setExtData(ATTR_SERIALNO,keyId);
+
         queue.processRequest(request);
+
         return createKeyRequestInfo(request, uriInfo);
     }
 
     public void approveRequest(String id) throws EBaseException {
         IRequest request = queue.findRequest(new RequestId(id));
         request.setRequestStatus(RequestStatus.APPROVED);
+        queue.updateRequest(request);
     }
     
     public void rejectRequest(String id) throws EBaseException {
         IRequest request = queue.findRequest(new RequestId(id));
         request.setRequestStatus(RequestStatus.CANCELED);
+        queue.updateRequest(request);
     }
     
     public void cancelRequest(String id) throws EBaseException {
         IRequest request = queue.findRequest(new RequestId(id));
         request.setRequestStatus(RequestStatus.REJECTED);
+        queue.updateRequest(request);
     }
     
     public KeyRequestInfo createKeyRequestInfo(IRequest request, UriInfo uriInfo) {
@@ -229,4 +295,27 @@ public class KeyRequestDAO {
         }
         return false;
     }
+
+    //We only care if the key exists or not
+    private boolean doesKeyExist(String clientId, String keyStatus, UriInfo uriInfo) {
+        boolean ret = false;
+        String state = "active";
+
+        KeyDAO  keys = new KeyDAO();
+
+        KeyDataInfos existingKeys;
+        String filter = "(&(" + IRequest.SECURITY_DATA_CLIENT_ID + "=" + clientId + ")"
+                    + "(" + IRequest.SECURITY_DATA_STATUS + "=" + state + "))";
+        try {
+            existingKeys =  keys.listKeys(filter, 1, 10,  uriInfo);
+
+            if(existingKeys != null && existingKeys.getKeyInfos().size() > 0) {
+                ret = true;
+            }
+        } catch (EBaseException e) {
+            ret= false;
+        }
+
+        return ret;
+    }
 }
diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java b/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java
index c84d8f491..ae8417542 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java
@@ -39,6 +39,7 @@ public class RecoveryRequestData {
     private static final String REQUEST_ID = "requestId";
     private static final String TRANS_WRAPPED_SESSION_KEY = "transWrappedSessionKey";
     private static final String SESSION_WRAPPED_PASSPHRASE = "sessionWrappedPassphrase";
+    private static final String NONCE_DATA = "nonceData";
 
     @XmlElement
     protected String keyId;
@@ -52,6 +53,9 @@ public class RecoveryRequestData {
     @XmlElement
     protected String sessionWrappedPassphrase;
     
+    @XmlElement
+    protected String nonceData;
+
     public RecoveryRequestData() {
         // required for JAXB (defaults)
     }
@@ -61,6 +65,7 @@ public class RecoveryRequestData {
         requestId = form.getFirst(REQUEST_ID);
         transWrappedSessionKey = form.getFirst(TRANS_WRAPPED_SESSION_KEY);
         sessionWrappedPassphrase = form.getFirst(SESSION_WRAPPED_PASSPHRASE);
+        nonceData = form.getFirst(NONCE_DATA);
     }
 
     /**
@@ -119,4 +124,20 @@ public class RecoveryRequestData {
         this.sessionWrappedPassphrase = sessionWrappedPassphrase;
     }
 
+    /**
+     * @return nonceData
+     */
+
+    public String getNonceData() {
+        return nonceData;
+    }
+
+    /**
+     * @param nonceData the nonceData to set
+     */
+
+    public void setNonceData(String nonceData) {
+        this.nonceData = nonceData;
+    }
+
 }