Bugzilla Bug 451874 - RFE - Java console - Certificate Wizard missing e.c. support

git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1473 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
author: vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> 2010-11-04 19:36:19 +0000
committer: vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> 2010-11-04 19:36:19 +0000
commit: 01383ff92cecca2169eb5ee7a49eb85621503c4d (patch)
tree: a452478ede657705679ab0cd5ce4455864b55804 /pki/base/common/src/com/netscape/cmscore/security
parent: 31903443b785bc194abe27e75b5fa6021facabcc (diff)
download: pki-01383ff92cecca2169eb5ee7a49eb85621503c4d.tar.gz
pki-01383ff92cecca2169eb5ee7a49eb85621503c4d.tar.xz
pki-01383ff92cecca2169eb5ee7a49eb85621503c4d.zip
2 files changed, 86 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java b/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java
index 0d3f03199..08615264e 100644
--- a/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java
+++ b/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java
@@ -53,6 +53,7 @@ import org.mozilla.jss.pkcs11.PK11SecureRandom;
 import com.netscape.cmscore.cert.*;
 import com.netscape.cmscore.util.Debug;
 import netscape.ldap.util.*;
+import com.netscape.cmsutil.crypto.*;
 
 
 /**
@@ -96,6 +97,7 @@ public final class JssSubsystem implements ICryptoSubsystem {
 
     private static final String PROP_SSL = "ssl";
     private static final String PROP_SSL_CIPHERPREF = Constants.PR_CIPHER_PREF;
+    private static final String PROP_SSL_ECTYPE = Constants.PR_ECTYPE;
 
     private static Hashtable mCipherNames = new Hashtable();
 
@@ -303,6 +305,15 @@ public final class JssSubsystem implements ICryptoSubsystem {
         return cipherpref;
     }
 
+    public String getECType(String certType) throws EBaseException {
+        if (mSSLConfig != null) {
+            // for SSL server, check the value of jss.ssl.sslserver.ectype
+            return mSSLConfig.getString(certType + "." + PROP_SSL_ECTYPE, "ECDHE");
+        } else {
+            return "ECDHE";
+        }
+    }
+
     public String isCipherFortezza() throws EBaseException {
         // we always display fortezza suites. 
         // too much work to display tokens/certs corresponding to the 
@@ -870,6 +881,72 @@ public final class JssSubsystem implements ICryptoSubsystem {
         return pair;
     }
 
+    public KeyPair getECCKeyPair(KeyCertData properties) throws EBaseException {
+        String token = Constants.PR_INTERNAL_TOKEN_NAME;
+        String keyType = "ECC";
+        String keyCurve = "nistp512";
+        String certType = null;
+        KeyPair pair = null;
+
+        String tmp = (String) properties.get(Constants.PR_TOKEN_NAME);
+        if (tmp != null) 
+            token = tmp;
+    
+        tmp = (String) properties.get(Constants.PR_KEY_CURVENAME);
+        if (tmp != null)
+            keyCurve = tmp;
+
+        certType = (String) properties.get(Constants.RS_ID);
+
+        pair = getECCKeyPair(token, keyCurve, certType);
+
+        return pair;
+    }
+ 
+    public KeyPair getECCKeyPair(String token, String keyCurve, String certType) throws EBaseException {
+        KeyPair pair = null;
+
+        if ((token == null) || (token.equals("")))
+            token = Constants.PR_INTERNAL_TOKEN_NAME;
+
+        if ((keyCurve == null) || (keyCurve.equals("")))
+             keyCurve = "nistp512";
+
+        String ectype = getECType(certType);
+
+        // ECDHE needs "SIGN" but no "DERIVE"
+        org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask[] = {
+            org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE
+        };
+
+        // ECDH needs "DERIVE" but no any kind of "SIGN"
+        org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage ECDH_usages_mask[] = {
+            org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN,
+            org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER,
+        };
+
+        try {
+            if (ectype.equals("ECDHE")) 
+                pair =  CryptoUtil.generateECCKeyPair(token, keyCurve, null, usages_mask);
+            else
+                pair =  CryptoUtil.generateECCKeyPair(token, keyCurve, null, ECDH_usages_mask);
+        } catch (NotInitializedException e) {
+            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ECC_KEY", e.toString()));
+            throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
+        } catch (NoSuchTokenException e) {
+            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ECC_KEY", e.toString()));
+            throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
+        } catch (NoSuchAlgorithmException e) {
+            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ECC_KEY", e.toString()));
+            throw new EBaseException(CMS.getUserMessage("CMS_BASE_NO_SUCH_ALGORITHM", e.toString()));
+        } catch (TokenException e) {
+            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ECC_KEY", e.toString()));
+            throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
+        }
+
+        return pair;
+    } 
+
     public void importCert(X509CertImpl signedCert, String nickname,
         String certType) throws EBaseException {
 
diff --git a/pki/base/common/src/com/netscape/cmscore/security/KeyCertUtil.java b/pki/base/common/src/com/netscape/cmscore/security/KeyCertUtil.java
index f233cd5f8..4f551cd26 100644
--- a/pki/base/common/src/com/netscape/cmscore/security/KeyCertUtil.java
+++ b/pki/base/common/src/com/netscape/cmscore/security/KeyCertUtil.java
@@ -59,6 +59,7 @@ import com.netscape.certsrv.security.*;
 import com.netscape.cmscore.cert.*;
 import com.netscape.cmscore.util.*;
 import com.netscape.cmscore.dbs.*;
+import com.netscape.cmsutil.crypto.*;
 
 
 /**
@@ -502,6 +503,8 @@ public class KeyCertUtil {
 
         if (pubk instanceof RSAPublicKey) {
             alg = "MD5/RSA";
+        } else if (pubk instanceof PK11ECPublicKey) {
+            alg = "SHA256withEC";
         } else {
             alg = "DSA";
         }
@@ -532,6 +535,8 @@ public class KeyCertUtil {
 
         if (pubk instanceof RSAPublicKey) {
             alg = "MD5/RSA";
+        } else if (pubk instanceof PK11ECPublicKey) {
+            alg = "SHA256withEC";
         } else {
             alg = "DSA";
         }
@@ -575,6 +580,10 @@ public class KeyCertUtil {
             xKey = new netscape.security.provider.RSAPublicKey(
                         new BigInt(rsaKey.getModulus()),
                         new BigInt(rsaKey.getPublicExponent()));
+        } else if (pubk instanceof PK11ECPublicKey) {
+            byte encoded[] = pubk.getEncoded();
+            xKey = CryptoUtil.getPublicX509ECCKey(encoded);
+
         } else {
             DSAPublicKey dsaKey = (DSAPublicKey) pubk;
             DSAParams params = dsaKey.getParams();
author	vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>	2010-11-04 19:36:19 +0000
committer	vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>	2010-11-04 19:36:19 +0000
commit	01383ff92cecca2169eb5ee7a49eb85621503c4d (patch)
tree	a452478ede657705679ab0cd5ce4455864b55804 /pki/base/common/src/com/netscape/cmscore/security
parent	31903443b785bc194abe27e75b5fa6021facabcc (diff)
download	pki-01383ff92cecca2169eb5ee7a49eb85621503c4d.tar.gz pki-01383ff92cecca2169eb5ee7a49eb85621503c4d.tar.xz pki-01383ff92cecca2169eb5ee7a49eb85621503c4d.zip