author | vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-04 19:36:19 +0000 |
committer | vakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-04 19:36:19 +0000 |
commit | 01383ff92cecca2169eb5ee7a49eb85621503c4d (patch) | |
tree | a452478ede657705679ab0cd5ce4455864b55804 /pki/base/common/src/com/netscape/cmscore/security | |
parent | 31903443b785bc194abe27e75b5fa6021facabcc (diff) | |
Bugzilla Bug 451874 - RFE - Java console - Certificate Wizard missing e.c. support
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1473 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common/src/com/netscape/cmscore/security')
-rw-r--r-- | pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java | 77 | ||||
-rw-r--r-- | pki/base/common/src/com/netscape/cmscore/security/KeyCertUtil.java | 9 |
2 files changed, 86 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java b/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java
index 0d3f03199..08615264e 100644
--- a/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java
+++ b/pki/base/common/src/com/netscape/cmscore/security/JssSubsystem.java
@@ -53,6 +53,7 @@ import org.mozilla.jss.pkcs11.PK11SecureRandom;
 import com.netscape.cmscore.cert.*;
 import com.netscape.cmscore.util.Debug;
 import netscape.ldap.util.*;
+import com.netscape.cmsutil.crypto.*;
 /**
@@ -96,6 +97,7 @@ public final class JssSubsystem implements ICryptoSubsystem {
 private static final String PROP_SSL = "ssl";
 private static final String PROP_SSL_CIPHERPREF = Constants.PR_CIPHER_PREF;
+ private static final String PROP_SSL_ECTYPE = Constants.PR_ECTYPE;
 private static Hashtable mCipherNames = new Hashtable();
@@ -303,6 +305,15 @@ public final class JssSubsystem implements ICryptoSubsystem {
 return cipherpref;
 }
+ public String getECType(String certType) throws EBaseException {
+ if (mSSLConfig != null) {
+ // for SSL server, check the value of jss.ssl.sslserver.ectype
+ return mSSLConfig.getString(certType + "." + PROP_SSL_ECTYPE, "ECDHE");
+ } else {
+ return "ECDHE";
+ }
+ }
+
 public String isCipherFortezza() throws EBaseException {
 // we always display fortezza suites.
 // too much work to display tokens/certs corresponding to the
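Review bot: getECType builds its lookup key as `certType + "." + PROP_SSL_ECTYPE` with no null check, so a caller that passes a null certType (the new getECCKeyPair(KeyCertData) overload does so whenever Constants.RS_ID is absent from the properties) reads the key `null.ectype` and silently falls through to the default. An explicit guard makes that path intentional and readable: `if (mSSLConfig == null || certType == null) return "ECDHE";`. The only visible caller compares the result with "ECDHE" and treats every other string as ECDH, so a misspelt configuration value is accepted without complaint; a Javadoc on the method stating the accepted values ("ECDHE", "ECDH") and that the SSL-config key is `<certType>.ectype` would at least document that contract. The method is entirely inside this hunk.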
@@ -870,6 +881,72 @@ public final class JssSubsystem implements ICryptoSubsystem {
 return pair;
 }
+ public KeyPair getECCKeyPair(KeyCertData properties) throws EBaseException {
+ String token = Constants.PR_INTERNAL_TOKEN_NAME;
+ String keyType = "ECC";
+ String keyCurve = "nistp512";
+ String certType = null;
+ KeyPair pair = null;
+
+ String tmp = (String) properties.get(Constants.PR_TOKEN_NAME);
+ if (tmp != null)
+ token = tmp;
+
+ tmp = (String) properties.get(Constants.PR_KEY_CURVENAME);
+ if (tmp != null)
+ keyCurve = tmp;
+
+ certType = (String) properties.get(Constants.RS_ID);
+
+ pair = getECCKeyPair(token, keyCurve, certType);
+
+ return pair;
+ }
+
+ public KeyPair getECCKeyPair(String token, String keyCurve, String certType) throws EBaseException {
+ KeyPair pair = null;
+
+ if ((token == null) || (token.equals("")))
+ token = Constants.PR_INTERNAL_TOKEN_NAME;
+
+ if ((keyCurve == null) || (keyCurve.equals("")))
+ keyCurve = "nistp512";
+
+ String ectype = getECType(certType);
+
+ // ECDHE needs "SIGN" but no "DERIVE"
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask[] = {
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE
+ };
+
+ // ECDH needs "DERIVE" but no any kind of "SIGN"
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage ECDH_usages_mask[] = {
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER,
+ };
+
+ try {
+ if (ectype.equals("ECDHE"))
+ pair = CryptoUtil.generateECCKeyPair(token, keyCurve, null, usages_mask);
+ else
+ pair = CryptoUtil.generateECCKeyPair(token, keyCurve, null, ECDH_usages_mask);
+ } catch (NotInitializedException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ECC_KEY", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
+ } catch (NoSuchTokenException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ECC_KEY", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
+ } catch (NoSuchAlgorithmException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ECC_KEY", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_NO_SUCH_ALGORITHM", e.toString()));
+ } catch (TokenException e) {
+ log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_SECURITY_GET_ECC_KEY", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", ""));
+ }
+
+ return pair;
+ }
+
 public void importCert(X509CertImpl signedCert, String nickname, String certType) throws EBaseException {
diff --git a/pki/base/common/src/com/netscape/cmscore/security/KeyCertUtil.java b/pki/base/common/src/com/netscape/cmscore/security/KeyCertUtil.java
index f233cd5f8..4f551cd26 100644
--- a/pki/base/common/src/com/netscape/cmscore/security/KeyCertUtil.java
+++ b/pki/base/common/src/com/netscape/cmscore/security/KeyCertUtil.java
@@ -59,6 +59,7 @@ import com.netscape.certsrv.security.*;
 import com.netscape.cmscore.cert.*;
 import com.netscape.cmscore.util.*;
 import com.netscape.cmscore.dbs.*;
+import com.netscape.cmsutil.crypto.*;
 /**
@@ -502,6 +503,8 @@ public class KeyCertUtil {
 if (pubk instanceof RSAPublicKey) {
 alg = "MD5/RSA";
+ } else if (pubk instanceof PK11ECPublicKey) {
+ alg = "SHA256withEC";
 } else {
 alg = "DSA";
 }
@@ -532,6 +535,8 @@ public class KeyCertUtil {
 if (pubk instanceof RSAPublicKey) {
 alg = "MD5/RSA";
+ } else if (pubk instanceof PK11ECPublicKey) {
+ alg = "SHA256withEC";
 } else {
 alg = "DSA";
 }
@@ -575,6 +580,10 @@ public class KeyCertUtil {
 xKey = new netscape.security.provider.RSAPublicKey(
 new BigInt(rsaKey.getModulus()),
 new BigInt(rsaKey.getPublicExponent()));
+ } else if (pubk instanceof PK11ECPublicKey) {
+ byte encoded[] = pubk.getEncoded();
+ xKey = CryptoUtil.getPublicX509ECCKey(encoded);
+
 } else {
 DSAPublicKey dsaKey = (DSAPublicKey) pubk;
 DSAParams params = dsaKey.getParams(); |
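Review bot: The fallback curve name `"nistp512"`, written once in getECCKeyPair(KeyCertData) and again in the three-argument overload, does not name a real curve — the NIST prime curves are P-192, P-224, P-256, P-384 and P-521 — so any caller that leaves PR_KEY_CURVENAME unset gets whatever CryptoUtil.generateECCKeyPair does with an unknown name instead of a usable key. Hoist it into one constant, `private static final String DEFAULT_EC_CURVE = "nistp521";` (or whatever spelling CryptoUtil's curve table accepts for P-521), and reference it from both methods so the default cannot drift between them. The `ectype.equals("ECDHE")` test also treats every other value, including a typo in the ectype setting, as ECDH and silently generates a key without the SIGN usage; an explicit `"ECDH"` check with an EBaseException for anything else would make a misconfiguration visible at key-generation time. `keyType` in the first overload is assigned and never read, and the four catch blocks repeat the same log line, which could be collapsed into a multi-catch that logs once before mapping to the user message. Both methods lie entirely inside this hunk.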
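Review bot: The `alg` selection extended in the hunk at -502 is duplicated verbatim in the hunk at -532, and this commit has to edit both copies in lock-step; a private static helper returning the three-way choice for `pubk` would keep the two call sites from diverging the next time an algorithm is added (both enclosing methods start outside their hunks). Picking "SHA256withEC" for every EC key regardless of curve size is defensible but not self-evident, so a one-line comment at the new branch, `// SHA-256 is used for all EC curves, including P-384/P-521`, would record that it is a deliberate choice rather than an oversight.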
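Review bot: In the new PK11ECPublicKey branch at -575, `pubk.getEncoded()` is handed straight to CryptoUtil.getPublicX509ECCKey; the java.security.Key contract allows getEncoded() to return null when a key has no encoded form, in which case the failure would surface as a NullPointerException inside CryptoUtil rather than a clear error at this call site, so a guard that throws an EBaseException with a descriptive message when `encoded == null` is worth the two lines. As a point of style, `byte encoded[]` should be written `byte[] encoded` to match Java convention. The enclosing method starts before the hunk and continues past it.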