diff options
| author | Jack Magne <jmagne@redhat.com> | 2012-01-21 17:39:26 -0800 |
|---|---|---|
| committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-02-13 15:48:20 -0600 |
| commit | a9680c7b7097c6b715c57c6581d4f24a5e4ee8b8 (patch) | |
| tree | 8403b15a424a112f4209cba8e78f358bbbfd271e /pki/base/common | |
| parent | 2181aa4dbc4f04cb58af4dcc0f827d30f1526d4c (diff) | |
| download | pki-a9680c7b7097c6b715c57c6581d4f24a5e4ee8b8.tar.gz pki-a9680c7b7097c6b715c57c6581d4f24a5e4ee8b8.tar.xz pki-a9680c7b7097c6b715c57c6581d4f24a5e4ee8b8.zip | |
KRA changes for archiving and recovering symmetric keys and passphrases.
Ticket #66 and #68.
Add ability to archive and recover symmetric keys and passphrases using rest interface.
Enhanced test client to test out new functionality.
Provided support to return recovered data either wrapped by symmetric key or wrapped in PBE password based encryption blob.
DRM symmetric key support cleanup changes.
Consists of suggested cleanup measures based on review comments.
Diffstat (limited to 'pki/base/common')
15 files changed, 476 insertions, 23 deletions
diff --git a/pki/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/pki/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java index 010661d8b..7da212469 100644 --- a/pki/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java +++ b/pki/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java @@ -40,6 +40,10 @@ public interface IKeyRecord { public static final String ATTR_MODIFY_TIME = "keyModifyTime"; public static final String ATTR_META_INFO = "keyMetaInfo"; public static final String ATTR_ARCHIVED_BY = "keyArchivedBy"; + public static final String ATTR_CLIENT_ID = "clientId"; + public static final String ATTR_DATA_TYPE = "dataType"; + public static final String ATTR_STATUS = "status"; + // key state public static final String STATUS_ANY = "ANY"; @@ -86,10 +90,35 @@ public interface IKeyRecord { public Integer getKeySize() throws EBaseException; /** + * Retrieves client ID. + * + * @return client id + * @exception EBaseException failed to retrieve client id + */ + public String getClientId() throws EBaseException; + + /** + * Retrieves key data type. + * + * @return data type + * @exception EBaseException failed to retrieve data type + */ + public String getDataType() throws EBaseException; + + /** + * Retrieves key status. + * + * @return key status + * @exception EBaseException failed to retrieve key status + */ + public String getKeyStatus() throws EBaseException; + + /** * Retrieves archiver identifier. * * @return archiver uid */ + public String getArchivedBy(); /** diff --git a/pki/base/common/src/com/netscape/certsrv/request/IRequest.java b/pki/base/common/src/com/netscape/certsrv/request/IRequest.java index 19b830898..ec1f43fb3 100644 --- a/pki/base/common/src/com/netscape/certsrv/request/IRequest.java +++ b/pki/base/common/src/com/netscape/certsrv/request/IRequest.java @@ -69,8 +69,6 @@ public interface IRequest { public static final String CLA_UNCERT4CRL_REQUEST = "uncert4crl"; public static final String NETKEY_KEYGEN_REQUEST = "netkeyKeygen"; public static final String NETKEY_KEYRECOVERY_REQUEST = "netkeyKeyRecovery"; - public static final String SECURITY_DATA_ENROLLMENT_REQUEST = "securityDataEnrollment"; - public static final String SECURITY_DATA_RECOVERY_REQUEST = "securityDataRecovery"; public static final String REQUESTOR_NAME = "csrRequestorName"; public static final String REQUESTOR_PHONE = "csrRequestorPhone"; @@ -152,6 +150,18 @@ public interface IRequest { public final static String NETKEY_ATTR_USER_CERT = "cert"; public final static String NETKEY_ATTR_KEY_SIZE = "keysize"; + //Security Data request attributes + public static final String SECURITY_DATA_ENROLLMENT_REQUEST = "securityDataEnrollment"; + public static final String SECURITY_DATA_RECOVERY_REQUEST = "securityDataRecovery"; + public static final String SECURITY_DATA_CLIENT_ID = "clientID"; + public static final String SECURITY_DATA_TYPE = "dataType"; + public static final String SECURITY_DATA_STATUS = "status"; + public static final String SECURITY_DATA_TRANS_SESS_KEY = "transWrappedSessionKey"; + public static final String SECURITY_DATA_SESS_PASS_PHRASE = "sessionWrappedPassphrase"; + public static final String SECURITY_DATA_IV_STRING_IN = "iv_in"; + public static final String SECURITY_DATA_IV_STRING_OUT = "iv_out"; + + // requestor type values. public static final String REQUESTOR_EE = "EE"; public static final String REQUESTOR_RA = "RA"; diff --git a/pki/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/pki/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java index e318188a6..0a526e582 100644 --- a/pki/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java +++ b/pki/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java @@ -20,6 +20,7 @@ package com.netscape.certsrv.security; import java.security.PublicKey; import org.mozilla.jss.crypto.PrivateKey; +import org.mozilla.jss.crypto.SymmetricKey; import com.netscape.certsrv.base.EBaseException; @@ -48,6 +49,16 @@ public interface IEncryptionUnit extends IToken { public byte[] wrap(PrivateKey priKey) throws EBaseException; /** + * Wraps data. The given key will be wrapped by the + * private key in this unit. + * + * @param symKey symmetric key to be wrapped + * @return wrapped data + * @exception EBaseException failed to wrap + */ + public byte[] wrap(SymmetricKey symKey) throws EBaseException; + + /** * Verifies the given key pair. * * @param publicKey public key @@ -74,6 +85,46 @@ public interface IEncryptionUnit extends IToken { throws EBaseException; /** + * Unwraps symmetric key data. This method rebuilds the symmetric key by + * unwrapping the private data blob. + * + * @param wrappedKeyData symmetric key data wrapped up with session key + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + + public SymmetricKey unwrap(byte wrappedKeyData[]) + throws EBaseException; + + /** + * Unwraps symmetric key . This method + * unwraps the symmetric key. + * + * @param sessionKey session key that unwrap the symmetric key + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters + * @param symmetricKey symmetric key data + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + + public SymmetricKey unwrap_symmetric(byte sessionKey[], String symmAlgOID, + byte symmAlgParams[], byte symmetricKey[]) + throws EBaseException; + + /** + * Unwraps symmetric key . This method + * unwraps the symmetric key. + * + * @param encSymmKey wrapped symmetric key to be unwrapped + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + + public SymmetricKey unwrap_sym(byte encSymmKey[], + SymmetricKey.Usage usage); + + /** * Unwraps data. This method rebuilds the private key by * unwrapping the private key data. * diff --git a/pki/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java b/pki/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java index 0a012e8a6..6e1c7ab4a 100644 --- a/pki/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java +++ b/pki/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java @@ -41,16 +41,71 @@ public interface ITransportKeyUnit extends IEncryptionUnit { */ public org.mozilla.jss.crypto.X509Certificate getCertificate(); + /** + * Unwraps symmetric key . This method + * unwraps the symmetric key. + * + * @param encSymmKey wrapped symmetric key to be unwrapped + * @param usage Key usage for unwrapped key. + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + + public SymmetricKey unwrap_sym(byte encSymmKey[], SymmetricKey.Usage usage); + + /** + * Unwraps symmetric key . This method + * unwraps the symmetric key. + * + * @param encSymmKey wrapped symmetric key to be unwrapped + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + public SymmetricKey unwrap_sym(byte encSymmKey[]); + /** + * Unwraps symmetric key for encrypton . This method + * unwraps the symmetric key. + * + * @param encSymmKey wrapped symmetric key to be unwrapped + * @return Symmetric key object + * @exception EBaseException failed to unwrap + */ + public SymmetricKey unwrap_encrypt_sym(byte encSymmKey[]); + /** + * Unwraps temporary private key . This method + * unwraps the temporary private key. + * + * @param wrappedKeyData wrapped private key to be unwrapped + * @param pubKey public key + * @return Private key object + * @exception EBaseException failed to unwrap + */ + public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey pubKey) throws EBaseException; + /** + * Returns this Unit's crypto token object. + * @return CryptoToken object. + */ public CryptoToken getToken(); + /** + * Returns this Unit's signing algorithm in String format. + * @return String of signing algorithm + * @throws EBaseException + */ + public String getSigningAlgorithm() throws EBaseException; + /** + * Sets this Unit's signing algorithm. + * @param str String of signing algorithm to set. + * @throws EBaseException + */ public void setSigningAlgorithm(String str) throws EBaseException; } diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/KeyResourceService.java b/pki/base/common/src/com/netscape/cms/servlet/key/KeyResourceService.java index 887820c3f..4888d609f 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/key/KeyResourceService.java +++ b/pki/base/common/src/com/netscape/cms/servlet/key/KeyResourceService.java @@ -18,6 +18,7 @@ package com.netscape.cms.servlet.key; + import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.Context; import javax.ws.rs.core.MultivaluedMap; @@ -73,11 +74,6 @@ public class KeyResourceService extends CMSResourceService implements KeyResourc } private String validateRequest(RecoveryRequestData data) { - // confirm that at least one wrapping method exists - if ((data.getTransWrappedSessionKey() == null) && (data.getTransWrappedSessionKey() == null)) { - // log error - throw new WebApplicationException(Response.Status.BAD_REQUEST); - } // confirm request exists String reqId = data.getRequestId(); @@ -85,6 +81,14 @@ public class KeyResourceService extends CMSResourceService implements KeyResourc // log error throw new WebApplicationException(Response.Status.BAD_REQUEST); } + + // confirm that at least one wrapping method exists + // There must be at least the wrapped session key method. + if ((data.getTransWrappedSessionKey() == null)) { + // log error + throw new WebApplicationException(Response.Status.BAD_REQUEST); + } + KeyRequestDAO reqDAO = new KeyRequestDAO(); KeyRequestInfo reqInfo; try { @@ -117,7 +121,7 @@ public class KeyResourceService extends CMSResourceService implements KeyResourc } String keyURL = reqInfo.getKeyURL(); - return keyURL.substring(keyURL.lastIndexOf("/")); + return keyURL.substring(keyURL.lastIndexOf("/") + 1); } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java b/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java index 471abc161..b5032fa86 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java +++ b/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java @@ -76,7 +76,7 @@ public class KeysResourceService extends CMSResourceService implements KeysResou } if (clientID != null) { - filter += "(clientID=\'" + clientID + "\')"; + filter += "(clientID=" + clientID + ")"; matches ++; } diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java index 5fd17a333..fd9d2d2c0 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java +++ b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyDAO.java @@ -20,8 +20,11 @@ package com.netscape.cms.servlet.key.model; import java.math.BigInteger; import java.util.ArrayList; import java.util.Enumeration; +import java.util.Hashtable; import java.util.List; +import javax.ws.rs.WebApplicationException; +import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; import com.netscape.certsrv.apps.CMS; @@ -29,7 +32,12 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.IKeyRepository; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IRequestQueue; +import com.netscape.certsrv.request.RequestId; +import com.netscape.certsrv.request.RequestStatus; import com.netscape.cms.servlet.request.model.RecoveryRequestData; +import com.netscape.kra.SecurityDataRecoveryService; /** * @author alee @@ -38,11 +46,13 @@ import com.netscape.cms.servlet.request.model.RecoveryRequestData; public class KeyDAO { private IKeyRepository repo; + private IKeyRecoveryAuthority kra; + private IRequestQueue queue; public KeyDAO() { - IKeyRecoveryAuthority kra = null; kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" ); repo = kra.getKeyRepository(); + queue = kra.getRequestQueue(); } /** * Returns list of keys meeting specified search filter. @@ -79,18 +89,100 @@ public class KeyDAO { } public KeyData getKey(String keyId, RecoveryRequestData data) throws EBaseException { - KeyData keyData = null; + KeyData keyData; BigInteger serial = new BigInteger(keyId); - // get wrapped key + String rId = data.getRequestId(); + + String transWrappedSessionKey; + String sessionWrappedPassphrase; + + IRequest request = queue.findRequest(new RequestId(rId)); + + if (request == null) { + return null; + } + + // get wrapped key IKeyRecord rec = repo.readKeyRecord(serial); if (rec == null) { - // key does not exist - // log the error return null; } - // TODO unwrap the key and wrap with the credential in RecoveryRequestData - // need to figure out how to do this with jmagne + + Hashtable<String, Object> requestParams = kra.getVolatileRequest( + request.getRequestId()); + + if(requestParams == null) { + throw new EBaseException("Can't obtain Volatile requestParams in KeyDAO.getKey!"); + } + + String sessWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_SESS_WRAPPED_DATA); + String passWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_PASS_WRAPPED_DATA); + String nonceData = (String) requestParams.get(IRequest.SECURITY_DATA_IV_STRING_OUT); + + if (sessWrappedKeyData != null || passWrappedKeyData != null) { + //The recovery process has already placed a valid recovery + //package, either session key wrapped or pass wrapped, into the request. + //Request already has been processed. + keyData = new KeyData(); + + } else { + // The request has not yet been processed, let's see if the RecoveryRequestData contains + // the info now needed to process the recovery request. + + transWrappedSessionKey = data.getTransWrappedSessionKey(); + sessionWrappedPassphrase = data.getSessionWrappedPassphrase(); + nonceData = data.getNonceData(); + + if(transWrappedSessionKey == null) { + //There must be at least a transWrappedSessionKey input provided. + //The command AND the request have provided insufficient data, end of the line. + throw new EBaseException("Can't retrieve key, insufficient input data!"); + } + + if (sessionWrappedPassphrase != null) { + requestParams.put(IRequest.SECURITY_DATA_SESS_PASS_PHRASE, sessionWrappedPassphrase); + } + + if (transWrappedSessionKey != null) { + requestParams.put(IRequest.SECURITY_DATA_TRANS_SESS_KEY, transWrappedSessionKey); + } + + if (nonceData != null) { + requestParams.put(IRequest.SECURITY_DATA_IV_STRING_IN, nonceData); + } + + try { + // Has to be in this state or it won't go anywhere. + request.setRequestStatus(RequestStatus.BEGIN); + queue.processRequest(request); + } catch (EBaseException e) { + kra.destroyVolatileRequest(request.getRequestId()); + throw new EBaseException(e.toString()); + } + + nonceData = null; + keyData = new KeyData(); + + sessWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_SESS_WRAPPED_DATA); + passWrappedKeyData = (String) requestParams.get(SecurityDataRecoveryService.ATTR_PASS_WRAPPED_DATA); + nonceData = (String) requestParams.get(IRequest.SECURITY_DATA_IV_STRING_OUT); + + } + + if (sessWrappedKeyData != null) { + keyData.setWrappedPrivateData(sessWrappedKeyData); + } + if (passWrappedKeyData != null) { + keyData.setWrappedPrivateData(passWrappedKeyData); + } + if (nonceData != null) { + keyData.setNonceData(nonceData); + } + + kra.destroyVolatileRequest(request.getRequestId()); + + queue.markAsServiced(request); return keyData; } @@ -103,9 +195,6 @@ public class KeyDAO { UriBuilder keyBuilder = uriInfo.getBaseUriBuilder(); keyBuilder.path("/key/" + serial); ret.setKeyURL(keyBuilder.build().toString()); - - // clientID = rec.getClientID(); - // TODO add other fields as needed return ret; } diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java index 0e6e80dec..4f303e27d 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java +++ b/pki/base/common/src/com/netscape/cms/servlet/key/model/KeyData.java @@ -36,6 +36,9 @@ public class KeyData { @XmlElement String wrappedPrivateData; + @XmlElement + String nonceData; + public KeyData() { // required for JAXB (defaults) } @@ -54,4 +57,20 @@ public class KeyData { this.wrappedPrivateData = wrappedPrivateData; } + /** + * @return the nonceData + */ + + public String getNonceData() { + return nonceData; + } + + /** + * @param nonceData the nonceData to set + */ + + public void setNonceData(String nonceData) { + this.nonceData = nonceData; + } + } diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResource.java b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResource.java index 146b03d89..656768f02 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResource.java +++ b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResource.java @@ -14,6 +14,9 @@ import com.netscape.cms.servlet.request.model.RecoveryRequestData; @Path("/keyrequest") public interface KeyRequestResource { + public final String SYMMETRIC_KEY_TYPE = "symmetricKey"; + public final String PASS_PHRASE_TYPE = "passPhrase"; + public final String ASYMMETRIC_KEY_TYPE = "asymmetricKey"; /** * Used to retrieve key request info for a specific request diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResourceService.java b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResourceService.java index da08c4d69..e18407727 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResourceService.java +++ b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestResourceService.java @@ -69,6 +69,14 @@ public class KeyRequestResourceService extends CMSResourceService implements Key public KeyRequestInfo archiveKey(ArchivalRequestData data) { // auth and authz + // Catch this before internal server processing has to deal with it + + if (data == null || data.getClientId() == null + || data.getWrappedPrivateData() == null + || data.getDataType() == null) { + throw new WebApplicationException(Response.Status.BAD_REQUEST); + } + KeyRequestDAO dao = new KeyRequestDAO(); KeyRequestInfo info; try { @@ -89,6 +97,15 @@ public class KeyRequestResourceService extends CMSResourceService implements Key public KeyRequestInfo recoverKey(RecoveryRequestData data) { // auth and authz + + //Check for entirely illegal data combination here + //Catch this before the internal server processing has to deal with it + //If data has been provided, we need at least the wrapped session key, + //or the command is invalid. + if (data == null || (data.getTransWrappedSessionKey() == null + && data.getSessionWrappedPassphrase() != null)) { + throw new WebApplicationException(Response.Status.BAD_REQUEST); + } KeyRequestDAO dao = new KeyRequestDAO(); KeyRequestInfo info; try { @@ -102,6 +119,9 @@ public class KeyRequestResourceService extends CMSResourceService implements Key } public void approveRequest(@PathParam("id") String id) { + if ( id == null) { + throw new WebApplicationException(Response.Status.BAD_REQUEST); + } // auth and authz KeyRequestDAO dao = new KeyRequestDAO(); try { @@ -114,6 +134,9 @@ public class KeyRequestResourceService extends CMSResourceService implements Key } public void rejectRequest(@PathParam("id") String id) { + if ( id == null) { + throw new WebApplicationException(Response.Status.BAD_REQUEST); + } // auth and authz KeyRequestDAO dao = new KeyRequestDAO(); try { @@ -126,6 +149,9 @@ public class KeyRequestResourceService extends CMSResourceService implements Key } public void cancelRequest(@PathParam("id") String id) { + if ( id == null) { + throw new WebApplicationException(Response.Status.BAD_REQUEST); + } // auth and authz KeyRequestDAO dao = new KeyRequestDAO(); try { diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/model/KeyRequestDAO.java b/pki/base/common/src/com/netscape/cms/servlet/request/model/KeyRequestDAO.java index 16da23d8b..623fa941f 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/request/model/KeyRequestDAO.java +++ b/pki/base/common/src/com/netscape/cms/servlet/request/model/KeyRequestDAO.java @@ -19,9 +19,12 @@ package com.netscape.cms.servlet.request.model; import java.net.URI; import java.util.ArrayList; +import java.util.Hashtable; import java.util.List; +import javax.ws.rs.WebApplicationException; import javax.ws.rs.core.MultivaluedMap; +import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; import javax.ws.rs.core.UriInfo; @@ -35,6 +38,9 @@ import com.netscape.certsrv.request.IRequestVirtualList; import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestStatus; import com.netscape.cms.servlet.base.model.Link; +import com.netscape.cms.servlet.key.model.KeyDAO; +import com.netscape.cms.servlet.key.model.KeyDataInfos; +import com.netscape.certsrv.profile.IEnrollProfile; /** * @author alee @@ -42,6 +48,9 @@ import com.netscape.cms.servlet.base.model.Link; */ public class KeyRequestDAO { private IRequestQueue queue; + private IKeyRecoveryAuthority kra; + + private static String REQUEST_ARCHIVE_OPTIONS = IEnrollProfile.REQUEST_ARCHIVE_OPTIONS; private String[] vlvFilters = { "(requeststate=*)", "(requesttype=enrollment)", @@ -56,8 +65,9 @@ public class KeyRequestDAO { "(&(requeststate=complete)(requesttype=recovery))" }; + public static final String ATTR_SERIALNO = "serialNumber"; + public KeyRequestDAO() { - IKeyRecoveryAuthority kra = null; kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" ); queue = kra.getRequestQueue(); } @@ -104,6 +114,10 @@ public class KeyRequestDAO { // We should think about whether they should be, or if we need to // limit the number of results returned. IRequestList requests = queue.listRequestsByFilter(filter, maxResults, maxTime); + + if (requests == null) { + return null; + } while (requests.hasMoreElements()) { RequestId rid = (RequestId) requests.nextElement(); IRequest request = queue.findRequest(rid); @@ -168,10 +182,26 @@ public class KeyRequestDAO { * @throws EBaseException */ public KeyRequestInfo submitRequest(ArchivalRequestData data, UriInfo uriInfo) throws EBaseException { + String clientId = data.getClientId(); + String wrappedSecurityData = data.getWrappedPrivateData(); + String dataType = data.getDataType(); + + boolean keyExists = doesKeyExist(clientId, "active", uriInfo); + + if(keyExists == true) { + throw new EBaseException("Can not archive already active existing key!"); + } + IRequest request = queue.newRequest(IRequest.SECURITY_DATA_ENROLLMENT_REQUEST); - //TODO : - //set data using request.setExtData(field, data) + + request.setExtData(REQUEST_ARCHIVE_OPTIONS, wrappedSecurityData); + request.setExtData(IRequest.SECURITY_DATA_CLIENT_ID, clientId); + request.setExtData(IRequest.SECURITY_DATA_TYPE, dataType); + queue.processRequest(request); + + queue.markAsServiced(request); + return createKeyRequestInfo(request, uriInfo); } /** @@ -181,25 +211,61 @@ public class KeyRequestDAO { * @throws EBaseException */ public KeyRequestInfo submitRequest(RecoveryRequestData data, UriInfo uriInfo) throws EBaseException { - IRequest request = queue.newRequest(IRequest.SECURITY_DATA_RECOVERY_REQUEST); + // set data using request.setExtData(field, data) + + String wrappedSessionKeyStr = data.getTransWrappedSessionKey(); + String wrappedPassPhraseStr = data.getSessionWrappedPassphrase(); + String nonceDataStr = data.getNonceData(); + + IRequest request = queue.newRequest(IRequest.SECURITY_DATA_RECOVERY_REQUEST); + + String keyId = data.getKeyId(); + + Hashtable<String, Object> requestParams; + requestParams = kra.createVolatileRequest(request.getRequestId()); + + if(requestParams == null) { + throw new EBaseException("Can not create Volatile params in submitRequest!"); + } + + CMS.debug("Create volatile params for recovery request. " + requestParams); + + if (wrappedPassPhraseStr != null) { + requestParams.put(IRequest.SECURITY_DATA_SESS_PASS_PHRASE, wrappedPassPhraseStr); + } + + if (wrappedSessionKeyStr != null) { + requestParams.put(IRequest.SECURITY_DATA_TRANS_SESS_KEY, wrappedSessionKeyStr); + } + + if (nonceDataStr != null) { + requestParams.put(IRequest.SECURITY_DATA_IV_STRING_IN, nonceDataStr); + } + + request.setExtData(ATTR_SERIALNO,keyId); + queue.processRequest(request); + return createKeyRequestInfo(request, uriInfo); } public void approveRequest(String id) throws EBaseException { IRequest request = queue.findRequest(new RequestId(id)); request.setRequestStatus(RequestStatus.APPROVED); + queue.updateRequest(request); } public void rejectRequest(String id) throws EBaseException { IRequest request = queue.findRequest(new RequestId(id)); request.setRequestStatus(RequestStatus.CANCELED); + queue.updateRequest(request); } public void cancelRequest(String id) throws EBaseException { IRequest request = queue.findRequest(new RequestId(id)); request.setRequestStatus(RequestStatus.REJECTED); + queue.updateRequest(request); } public KeyRequestInfo createKeyRequestInfo(IRequest request, UriInfo uriInfo) { @@ -229,4 +295,27 @@ public class KeyRequestDAO { } return false; } + + //We only care if the key exists or not + private boolean doesKeyExist(String clientId, String keyStatus, UriInfo uriInfo) { + boolean ret = false; + String state = "active"; + + KeyDAO keys = new KeyDAO(); + + KeyDataInfos existingKeys; + String filter = "(&(" + IRequest.SECURITY_DATA_CLIENT_ID + "=" + clientId + ")" + + "(" + IRequest.SECURITY_DATA_STATUS + "=" + state + "))"; + try { + existingKeys = keys.listKeys(filter, 1, 10, uriInfo); + + if(existingKeys != null && existingKeys.getKeyInfos().size() > 0) { + ret = true; + } + } catch (EBaseException e) { + ret= false; + } + + return ret; + } } diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java b/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java index c84d8f491..ae8417542 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java +++ b/pki/base/common/src/com/netscape/cms/servlet/request/model/RecoveryRequestData.java @@ -39,6 +39,7 @@ public class RecoveryRequestData { private static final String REQUEST_ID = "requestId"; private static final String TRANS_WRAPPED_SESSION_KEY = "transWrappedSessionKey"; private static final String SESSION_WRAPPED_PASSPHRASE = "sessionWrappedPassphrase"; + private static final String NONCE_DATA = "nonceData"; @XmlElement protected String keyId; @@ -52,6 +53,9 @@ public class RecoveryRequestData { @XmlElement protected String sessionWrappedPassphrase; + @XmlElement + protected String nonceData; + public RecoveryRequestData() { // required for JAXB (defaults) } @@ -61,6 +65,7 @@ public class RecoveryRequestData { requestId = form.getFirst(REQUEST_ID); transWrappedSessionKey = form.getFirst(TRANS_WRAPPED_SESSION_KEY); sessionWrappedPassphrase = form.getFirst(SESSION_WRAPPED_PASSPHRASE); + nonceData = form.getFirst(NONCE_DATA); } /** @@ -119,4 +124,20 @@ public class RecoveryRequestData { this.sessionWrappedPassphrase = sessionWrappedPassphrase; } + /** + * @return nonceData + */ + + public String getNonceData() { + return nonceData; + } + + /** + * @param nonceData the nonceData to set + */ + + public void setNonceData(String nonceData) { + this.nonceData = nonceData; + } + } diff --git a/pki/base/common/src/com/netscape/cmscore/dbs/KeyDBSchema.java b/pki/base/common/src/com/netscape/cmscore/dbs/KeyDBSchema.java index ca9db779b..50b3badc3 100644 --- a/pki/base/common/src/com/netscape/cmscore/dbs/KeyDBSchema.java +++ b/pki/base/common/src/com/netscape/cmscore/dbs/KeyDBSchema.java @@ -45,4 +45,7 @@ public class KeyDBSchema { public static final String LDAP_ATTR_PUBLIC_KEY_FORMAT = "publicKeyFormat"; public static final String LDAP_ATTR_ARCHIVED_BY = "archivedBy"; + public static final String LDAP_ATTR_CLIENT_ID = "clientId"; + public static final String LDAP_ATTR_STATUS = "status"; + public static final String LDAP_ATTR_DATA_TYPE = "dataType"; } diff --git a/pki/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java b/pki/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java index 8f2888715..f7773e3fa 100644 --- a/pki/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java +++ b/pki/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java @@ -56,6 +56,10 @@ public class KeyRecord implements IDBObj, IKeyRecord { private Date mCreateTime = null; private Date mModifyTime = null; private String mArchivedBy = null; + private String mClientId = null; + private String mStatus = null; + private String mDataType = null; + protected static Vector<String> mNames = new Vector<String>(); static { @@ -71,6 +75,9 @@ public class KeyRecord implements IDBObj, IKeyRecord { mNames.addElement(ATTR_CREATE_TIME); mNames.addElement(ATTR_MODIFY_TIME); mNames.addElement(ATTR_ARCHIVED_BY); + mNames.addElement(ATTR_CLIENT_ID); + mNames.addElement(ATTR_STATUS); + mNames.addElement(ATTR_DATA_TYPE); } /** @@ -128,6 +135,12 @@ public class KeyRecord implements IDBObj, IKeyRecord { mModifyTime = (Date) object; } else if (name.equalsIgnoreCase(ATTR_ARCHIVED_BY)) { mArchivedBy = (String) object; + } else if (name.equalsIgnoreCase(ATTR_CLIENT_ID)) { + mClientId = (String) object; + } else if (name.equalsIgnoreCase(ATTR_DATA_TYPE)) { + mDataType = (String) object; + } else if (name.equalsIgnoreCase(ATTR_STATUS)) { + mStatus = (String) object; } else { throw new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); } @@ -162,6 +175,12 @@ public class KeyRecord implements IDBObj, IKeyRecord { return mMetaInfo; } else if (name.equalsIgnoreCase(ATTR_ARCHIVED_BY)) { return mArchivedBy; + } else if (name.equalsIgnoreCase(ATTR_CLIENT_ID)) { + return mClientId; + } else if (name.equalsIgnoreCase(ATTR_DATA_TYPE)) { + return mDataType; + } else if (name.equalsIgnoreCase(ATTR_STATUS)) { + return mStatus; } else { throw new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); } @@ -342,4 +361,26 @@ public class KeyRecord implements IDBObj, IKeyRecord { public Date getModifyTime() { return mModifyTime; } + + /** + * Retrieves the client ID of this record. + */ + public String getClientId() throws EBaseException { + return mClientId ; + } + + /** + * Retrieves the key status of this record. + */ + public String getKeyStatus() throws EBaseException { + return mStatus; + + } + + /** + * Retrieves the key data type of this record. + */ + public String getDataType() throws EBaseException { + return mDataType; + } } diff --git a/pki/base/common/src/com/netscape/cmscore/dbs/KeyRepository.java b/pki/base/common/src/com/netscape/cmscore/dbs/KeyRepository.java index 269a94c9d..6219bab0c 100644 --- a/pki/base/common/src/com/netscape/cmscore/dbs/KeyRepository.java +++ b/pki/base/common/src/com/netscape/cmscore/dbs/KeyRepository.java @@ -129,6 +129,19 @@ public class KeyRepository extends Repository implements IKeyRepository { reg.registerAttribute(KeyRecord.ATTR_ARCHIVED_BY, new StringMapper(KeyDBSchema.LDAP_ATTR_ARCHIVED_BY)); } + if (!reg.isAttributeRegistered(KeyRecord.ATTR_CLIENT_ID)) { + reg.registerAttribute(KeyRecord.ATTR_CLIENT_ID, new + StringMapper(KeyDBSchema.LDAP_ATTR_CLIENT_ID)); + } + if (!reg.isAttributeRegistered(KeyRecord.ATTR_STATUS)) { + reg.registerAttribute(KeyRecord.ATTR_STATUS, new + StringMapper(KeyDBSchema.LDAP_ATTR_STATUS)); + } + if (!reg.isAttributeRegistered(KeyRecord.ATTR_DATA_TYPE)) { + reg.registerAttribute(KeyRecord.ATTR_DATA_TYPE, new + StringMapper(KeyDBSchema.LDAP_ATTR_DATA_TYPE)); + } + } public void setKeyStatusUpdateInterval(IRepository requestRepo, int interval) { |