author | Ade Lee <alee@redhat.com> | 2011-12-08 21:15:59 -0500 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2011-12-08 21:15:59 -0500 |
commit | 171aaece4f23709d33d180cf36eb3af5e454b0c9 (patch) | |
tree | 1485f9f0a7bd10de4ff25030db575dbb8dafae74 /pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | |
parent | adad2fcee8a29fdb82376fbce07dedb11fccc182 (diff) | |
Revert "Formatting"
This reverts commit 32150d3ee32f8ac27118af7c792794b538c78a2f.
Diffstat (limited to 'pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java')
-rw-r--r-- | pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 637 |
1 files changed, 337 insertions, 300 deletions
diff --git a/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index f31a2de2e..f9ff8385d 100644 --- a/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; + import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.FilterOutputStream; @@ -51,9 +52,9 @@ import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmsutil.util.Cert; + /** * A class represents recovery request processor. - * * @author Christina Fu (cfu) * @version $Revision$, $Date$ */ @@ -67,10 +68,12 @@ public class TokenKeyRecoveryService implements IService { public static final String ATTR_TRANSPORT_PWD = "transportPwd"; public static final String ATTR_SIGNING_CERT = "signingCert"; public static final String ATTR_PKCS12 = "pkcs12"; - public static final String ATTR_ENCRYPTION_CERTS = "encryptionCerts"; - public static final String ATTR_AGENT_CREDENTIALS = "agentCredentials"; + public static final String ATTR_ENCRYPTION_CERTS = + "encryptionCerts"; + public static final String ATTR_AGENT_CREDENTIALS = + "agentCredentials"; // same as encryption certs - public static final String ATTR_USER_CERT = "cert"; + public static final String ATTR_USER_CERT = "cert"; public static final String ATTR_DELIVERY = "delivery"; private IKeyRecoveryAuthority mKRA = null; 
@@ -78,9 +81,13 @@ public class TokenKeyRecoveryService implements IService { private IStorageKeyUnit mStorageUnit = null; private ITransportKeyUnit mTransportUnit = null; - private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; + private final static String + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = + "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; - private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; + private final static String + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); /** @@ -90,15 +97,15 @@ public class TokenKeyRecoveryService implements IService { mKRA = kra; mStorage = mKRA.getKeyRepository(); mStorageUnit = mKRA.getStorageKeyUnit(); - mTransportUnit = kra.getTransportKeyUnit(); + mTransportUnit = kra.getTransportKeyUnit(); } - /** + /** * Process the HTTP request. - * + * * @param s The URL to decode */ - protected String URLdecode(String s) { + protected String URLdecode(String s) { if (s == null) return null; ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); @@ -118,11 +125,11 @@ public class TokenKeyRecoveryService implements IService { } } // end for return out.toString(); - } + } public static String normalizeCertStr(String s) { String val = ""; - + for (int i = 0; i < s.length(); i++) { if (s.charAt(i) == '\\') { i++; 
@@ -144,8 +151,11 @@ public class TokenKeyRecoveryService implements IService { // All this streaming is lame, but Base64OutputStream needs a // PrintStream ByteArrayOutputStream output = new ByteArrayOutputStream(); - Base64OutputStream b64 = new Base64OutputStream(new PrintStream( - new FilterOutputStream(output))); + Base64OutputStream b64 = new Base64OutputStream(new + PrintStream(new + FilterOutputStream(output) + ) + ); b64.write(bytes); b64.flush(); 
@@ -156,30 +166,35 @@ public class TokenKeyRecoveryService implements IService { } // this encrypts bytes with a symmetric key - public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, - CryptoToken token, IVParameterSpec IV) { - try { - Cipher cipher = token - .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); - - cipher.initEncrypt(symKey, IV); - byte pri[] = cipher.doFinal(toBeEncrypted); - return pri; - } catch (Exception e) { - CMS.debug("initEncrypt() threw exception: " + e.toString()); + public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token, + IVParameterSpec IV) + { + try { + Cipher cipher = token.getCipherContext( + EncryptionAlgorithm.DES3_CBC_PAD); + + cipher.initEncrypt(symKey, IV); + byte pri[] = cipher.doFinal(toBeEncrypted); + return pri; + } catch (Exception e) { + CMS.debug("initEncrypt() threw exception: "+e.toString()); return null; } } + /** - * Processes a recovery request. The method reads the key record from the - * database, and tries to recover the key with the storage key unit. Once - * recovered, it wraps it with desKey In the params - cert is used for - * recovery record search - cuid may be used for additional validation check - * - userid may be used for additional validation check - wrappedDesKey is - * used for wrapping recovered private key - * + * Processes a recovery request. The method reads + * the key record from the database, and tries to recover the + * key with the storage key unit. Once recovered, it wraps it + * with desKey + * In the params + * - cert is used for recovery record search + * - cuid may be used for additional validation check + * - userid may be used for additional validation check + * - wrappedDesKey is used for wrapping recovered private key + * * @param request recovery request * @return operation success or not * @exception EBaseException failed to serve 
@@ -190,60 +205,59 @@ public class TokenKeyRecoveryService implements IService { String auditRequesterID = "TPSagent"; String auditRecoveryID = ILogger.UNIDENTIFIED; String auditPublicKey = ILogger.UNIDENTIFIED; - String iv_s = ""; + String iv_s =""; CMS.debug("KRA services token key recovery request"); byte[] wrapped_des_key; - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1}; try { SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); random.nextBytes(iv); } catch (Exception e) { - CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString()); + CMS.debug("TokenKeyRecoveryService.serviceRequest: "+ e.toString()); } String id = request.getRequestId().toString(); if (id != null) { auditRecoveryID = id.trim(); } - SessionContext sContext = SessionContext.getContext(); - String agentId = ""; - if (sContext != null) { - agentId = (String) sContext.get(SessionContext.USER_ID); - } + SessionContext sContext = SessionContext.getContext(); + String agentId=""; + if (sContext != null) { + agentId = + (String) sContext.get(SessionContext.USER_ID); + } + + Hashtable params = mKRA.getVolatileRequest( + request.getRequestId()); - Hashtable params = mKRA.getVolatileRequest(request.getRequestId()); if (params == null) { // possibly we are in recovery mode - CMS.debug("getVolatileRequest params null"); - // return true; + CMS.debug("getVolatileRequest params null"); + // return true; } wrapped_des_key = null; - PK11SymKey sk = null; + PK11SymKey sk= null; String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID); - String rUserid = request - .getExtDataInString(IRequest.NETKEY_ATTR_USERID); - String rWrappedDesKeyString = request - .getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); - auditSubjectID = rCUID + ":" + rUserid; - - CMS.debug("TokenKeyRecoveryService: received DRM-trans-wrapped des key =" - + rWrappedDesKeyString); - wrapped_des_key = com.netscape.cmsutil.util.Utils - 
.SpecialDecode(rWrappedDesKeyString); + String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID); + String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); + auditSubjectID=rCUID+":"+rUserid; + + CMS.debug("TokenKeyRecoveryService: received DRM-trans-wrapped des key ="+rWrappedDesKeyString); + wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString); CMS.debug("TokenKeyRecoveryService: wrapped_des_key specialDecoded"); - if ((wrapped_des_key != null) && (wrapped_des_key.length > 0)) { + if ((wrapped_des_key != null) && + (wrapped_des_key.length > 0)) { // unwrap the des key - sk = (PK11SymKey) mTransportUnit - .unwrap_encrypt_sym(wrapped_des_key); + sk = (PK11SymKey) mTransportUnit.unwrap_encrypt_sym(wrapped_des_key); if (sk == null) { CMS.debug("TokenKeyRecoveryService: no des key"); @@ -255,8 +269,11 @@ public class TokenKeyRecoveryService implements IService { CMS.debug("TokenKeyRecoveryService: not receive des key"); request.setExtData(IRequest.RESULT, Integer.valueOf(4)); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, + agentId); audit(auditMessage); return false; @@ -268,8 +285,11 @@ public class TokenKeyRecoveryService implements IService { CMS.debug("TokenKeyRecoveryService: not receive cert"); request.setExtData(IRequest.RESULT, Integer.valueOf(3)); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, + agentId); audit(auditMessage); return false; 
@@ -278,13 +298,15 @@ public class TokenKeyRecoveryService implements IService { String cert = normalizeCertStr(cert_s); java.security.cert.X509Certificate x509cert = null; try { - x509cert = (java.security.cert.X509Certificate) Cert.mapCert(cert); + x509cert= (java.security.cert.X509Certificate) Cert.mapCert(cert); if (x509cert == null) { CMS.debug("cert mapping failed"); request.setExtData(IRequest.RESULT, Integer.valueOf(5)); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRecoveryID, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, agentId); audit(auditMessage); 
@@ -294,289 +316,301 @@ public class TokenKeyRecoveryService implements IService { CMS.debug("TokenKeyRecoveryService: mapCert failed"); request.setExtData(IRequest.RESULT, Integer.valueOf(6)); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, + agentId); audit(auditMessage); return false; } - try { - /* - * CryptoToken internalToken = - * CryptoManager.getInstance().getInternalKeyStorageToken(); - */ - CryptoToken token = mStorageUnit.getToken(); - CMS.debug("TokenKeyRecoveryService: got token slot:" - + token.getName()); - IVParameterSpec algParam = new IVParameterSpec(iv); - - Cipher cipher = token - .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); - - KeyRecord keyRecord = null; - CMS.debug("KRA reading key record"); - try { - keyRecord = (KeyRecord) mStorage.readKeyRecord(cert); - if (keyRecord != null) - CMS.debug("read key record"); - else { - CMS.debug("key record not found"); - request.setExtData(IRequest.RESULT, Integer.valueOf(8)); - auditMessage = CMS - .getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRecoveryID, agentId); - - audit(auditMessage); - return false; - } - } catch (Exception e) { - com.netscape.cmscore.util.Debug.printStackTrace(e); - request.setExtData(IRequest.RESULT, Integer.valueOf(9)); - auditMessage = CMS.getLogMessage( + try { + /* + CryptoToken internalToken = + CryptoManager.getInstance().getInternalKeyStorageToken(); + */ + CryptoToken token = mStorageUnit.getToken(); + CMS.debug("TokenKeyRecoveryService: got token slot:"+token.getName()); + IVParameterSpec algParam = new IVParameterSpec(iv); + + Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); + + KeyRecord keyRecord = null; + CMS.debug( "KRA reading key record"); + try { + 
keyRecord = (KeyRecord) mStorage.readKeyRecord(cert); + if (keyRecord != null) + CMS.debug("read key record"); + else { + CMS.debug("key record not found"); + request.setExtData(IRequest.RESULT, Integer.valueOf(8)); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRecoveryID, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, agentId); - audit(auditMessage); - return false; - } - - // see if the owner name matches (cuid:userid) -XXX need make this - // optional - String owner = keyRecord.getOwnerName(); - CMS.debug("TokenKeyRecoveryService: owner name on record =" + owner); - CMS.debug("TokenKeyRecoveryService: owner name from TPS =" + rCUID - + ":" + rUserid); - if (owner != null) { - if (owner.equals(rCUID + ":" + rUserid)) { - CMS.debug("TokenKeyRecoveryService: owner name matches"); - } else { - CMS.debug("TokenKeyRecoveryService: owner name mismatches"); - } - } - - // see if the certificate matches the key - byte pubData[] = keyRecord.getPublicKeyData(); - byte inputPubData[] = x509cert.getPublicKey().getEncoded(); - - if (inputPubData.length != pubData.length) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); - auditMessage = CMS.getLogMessage( + audit(auditMessage); + return false; + } + }catch (Exception e) { + com.netscape.cmscore.util.Debug.printStackTrace(e); + request.setExtData(IRequest.RESULT, Integer.valueOf(9)); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRecoveryID, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, agentId); - audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); - } - - for (int i = 0; i < pubData.length; i++) { - if (pubData[i] != inputPubData[i]) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); - auditMessage = CMS - .getLogMessage( - 
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, - auditRecoveryID, agentId); - - audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); - } - } - - // Unwrap the archived private key - byte privateKeyData[] = null; - privateKeyData = recoverKey(params, keyRecord); - if (privateKeyData == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting private key"); - auditMessage = CMS.getLogMessage( + audit(auditMessage); + return false; + } + + // see if the owner name matches (cuid:userid) -XXX need make this optional + String owner = keyRecord.getOwnerName(); + CMS.debug("TokenKeyRecoveryService: owner name on record =" +owner); + CMS.debug("TokenKeyRecoveryService: owner name from TPS =" +rCUID+":"+rUserid); + if (owner != null) { + if (owner.equals(rCUID+":"+rUserid)) { + CMS.debug("TokenKeyRecoveryService: owner name matches"); + } else { + CMS.debug("TokenKeyRecoveryService: owner name mismatches"); + } + } + + // see if the certificate matches the key + byte pubData[] = keyRecord.getPublicKeyData(); + byte inputPubData[] = x509cert.getPublicKey().getEncoded(); + + if (inputPubData.length != pubData.length) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRecoveryID, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, agentId); - audit(auditMessage); - return false; - } - CMS.debug("TokenKeyRecoveryService: got private key...about to verify"); - - iv_s = /* base64Encode(iv); */com.netscape.cmsutil.util.Utils - .SpecialEncode(iv); - request.setExtData("iv_s", iv_s); - - CMS.debug("request.setExtData: iv_s: " + iv_s); - - /* LunaSA returns data with padding which we need to remove */ - ByteArrayInputStream dis = new 
ByteArrayInputStream(privateKeyData); - DerValue dv = new DerValue(dis); - byte p[] = dv.toByteArray(); - int l = p.length; - CMS.debug("length different data length=" + l + " real length=" - + privateKeyData.length); - if (l != privateKeyData.length) { - privateKeyData = p; - } + audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); + } - if (verifyKeyPair(pubData, privateKeyData) == false) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - auditMessage = CMS.getLogMessage( + for (int i = 0; i < pubData.length; i++) { + if (pubData[i] != inputPubData[i]) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRecoveryID, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, agentId); - audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); - } else { - CMS.debug("TokenKeyRecoveryService: private key verified with public key"); - } - - // encrypt and put in private key - cipher.initEncrypt(sk, algParam); - byte wrapped[] = cipher.doFinal(privateKeyData); - - String wrappedPrivKeyString = com.netscape.cmsutil.util.Utils - .SpecialEncode(wrapped); - if (wrappedPrivKeyString == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); - auditMessage = CMS.getLogMessage( + audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); + } + } + + // Unwrap the archived private key + byte privateKeyData[] = null; + privateKeyData = recoverKey(params, keyRecord); + if (privateKeyData == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting private key"); + auditMessage = CMS.getLogMessage( 
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRecoveryID, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, agentId); - audit(auditMessage); - return false; - } else { - CMS.debug("TokenKeyRecoveryService: got private key data wrapped"); - request.setExtData("wrappedUserPrivate", wrappedPrivKeyString); - request.setExtData(IRequest.RESULT, Integer.valueOf(1)); - CMS.debug("TokenKeyRecoveryService: key for " + rCUID + ":" - + rUserid + " recovered"); - } - - // convert and put in the public key - String b64PKey = base64Encode(pubData); + audit(auditMessage); + return false; + } + CMS.debug("TokenKeyRecoveryService: got private key...about to verify"); + + iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); + request.setExtData("iv_s", iv_s); + + CMS.debug("request.setExtData: iv_s: " + iv_s); + + /* LunaSA returns data with padding which we need to remove */ + ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData); + DerValue dv = new DerValue(dis); + byte p[] = dv.toByteArray(); + int l = p.length; + CMS.debug("length different data length=" + l + + " real length=" + privateKeyData.length ); + if (l != privateKeyData.length) { + privateKeyData = p; + } + if (verifyKeyPair(pubData, privateKeyData) == false) { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, auditSubjectID, - ILogger.SUCCESS, auditRecoveryID, b64PKey); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, + agentId); audit(auditMessage); - - if (b64PKey == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); - auditMessage = CMS.getLogMessage( + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); + } else { + 
CMS.debug("TokenKeyRecoveryService: private key verified with public key"); + } + + //encrypt and put in private key + cipher.initEncrypt(sk, algParam); + byte wrapped[] = cipher.doFinal(privateKeyData); + + String wrappedPrivKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped); + if (wrappedPrivKeyString == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.FAILURE, auditRecoveryID, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, agentId); + audit(auditMessage); + return false; + } else { + CMS.debug("TokenKeyRecoveryService: got private key data wrapped"); + request.setExtData("wrappedUserPrivate", + wrappedPrivKeyString); + request.setExtData(IRequest.RESULT, Integer.valueOf(1)); + CMS.debug( "TokenKeyRecoveryService: key for " +rCUID+":"+rUserid +" recovered"); + } + + //convert and put in the public key + String b64PKey = base64Encode(pubData); + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, + b64PKey); + audit(auditMessage); - return false; - } else { - CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = " - + b64PKey); - } - request.setExtData("public_key", b64PKey); + + if (b64PKey == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, ILogger.SUCCESS, auditRecoveryID, agentId); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, + agentId); audit(auditMessage); + return false; + } else { + CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = "+ + b64PKey); + } + 
request.setExtData("public_key", b64PKey); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, + agentId); + + audit(auditMessage); - return true; + return true; - } catch (Exception e) { - CMS.debug("TokenKeyRecoveryService: " + e.toString()); - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - } + } catch (Exception e) { + CMS.debug("TokenKeyRecoveryService: " + e.toString()); + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + } return true; } - public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) { - try { - DerValue publicKeyVal = new DerValue(publicKeyData); - DerInputStream publicKeyIn = publicKeyVal.data; - publicKeyIn.getSequence(0); - DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); - DerInputStream publicKeyDerIn = publicKeyDer.data; - BigInt publicKeyModulus = publicKeyDerIn.getInteger(); - BigInt publicKeyExponent = publicKeyDerIn.getInteger(); - - DerValue privateKeyVal = new DerValue(privateKeyData); - if (privateKeyVal.tag != DerValue.tag_Sequence) - return false; - DerInputStream privateKeyIn = privateKeyVal.data; - privateKeyIn.getInteger(); - privateKeyIn.getSequence(0); - DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); - DerInputStream privateKeyDerIn = privateKeyDer.data; - BigInt privateKeyVersion = privateKeyDerIn.getInteger(); - BigInt privateKeyModulus = privateKeyDerIn.getInteger(); - BigInt privateKeyExponent = privateKeyDerIn.getInteger(); - - if (!publicKeyModulus.equals(privateKeyModulus)) { - CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" - + publicKeyModulus + " privateKeyModulus=" - + privateKeyModulus); - return false; - } - - if (!publicKeyExponent.equals(privateKeyExponent)) { - CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" - + publicKeyExponent + " privateKeyExponent=" - + privateKeyExponent); - return false; - } - - return 
true; - } catch (Exception e) { - CMS.debug("verifyKeyPair error " + e); - return false; - } + public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) + { + try { + DerValue publicKeyVal = new DerValue(publicKeyData); + DerInputStream publicKeyIn = publicKeyVal.data; + publicKeyIn.getSequence(0); + DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); + DerInputStream publicKeyDerIn = publicKeyDer.data; + BigInt publicKeyModulus = publicKeyDerIn.getInteger(); + BigInt publicKeyExponent = publicKeyDerIn.getInteger(); + + DerValue privateKeyVal = new DerValue(privateKeyData); + if (privateKeyVal.tag != DerValue.tag_Sequence) + return false; + DerInputStream privateKeyIn = privateKeyVal.data; + privateKeyIn.getInteger(); + privateKeyIn.getSequence(0); + DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); + DerInputStream privateKeyDerIn = privateKeyDer.data; + BigInt privateKeyVersion = privateKeyDerIn.getInteger(); + BigInt privateKeyModulus = privateKeyDerIn.getInteger(); + BigInt privateKeyExponent = privateKeyDerIn.getInteger(); + + if (!publicKeyModulus.equals(privateKeyModulus)) { + CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus); + return false; + } + + if (!publicKeyExponent.equals(privateKeyExponent)) { + CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent); + return false; + } + + return true; + } catch (Exception e) { + CMS.debug("verifyKeyPair error " + e); + return false; + } } - + /** * Recovers key. 
*/ - public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) - throws EBaseException { - /* - * Credential creds[] = (Credential[]) - * request.get(ATTR_AGENT_CREDENTIALS); - * - * mStorageUnit.login(creds); - */ - CMS.debug("KRA decrypts internal private"); - byte privateKeyData[] = mStorageUnit.decryptInternalPrivate(keyRecord - .getPrivateKeyData()); - /* - * mStorageUnit.logout(); - */ + public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) + throws EBaseException { + /* + Credential creds[] = (Credential[]) + request.get(ATTR_AGENT_CREDENTIALS); + + mStorageUnit.login(creds); + */ + CMS.debug( "KRA decrypts internal private"); + byte privateKeyData[] = + mStorageUnit.decryptInternalPrivate( + keyRecord.getPrivateKeyData()); + /* + mStorageUnit.logout(); + */ if (privateKeyData == null) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); - throw new EKRAException(CMS.getUserMessage( - "CMS_KRA_RECOVERY_FAILED_1", "no private key")); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key")); } return privateKeyData; } - /** - * Signed Audit Log y This method is called to store messages to the signed - * audit log. + * Signed Audit Log + *y + * This method is called to store messages to the signed audit log. * <P> - * + * * @param msg signed audit log message */ private void audit(String msg) { @@ -587,8 +621,11 @@ public class TokenKeyRecoveryService implements IService { return; } - mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null, - ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg); + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); } } |