diff options
| author | Ade Lee <alee@redhat.com> | 2011-12-07 16:58:12 -0500 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2011-12-07 16:58:12 -0500 |
| commit | 32150d3ee32f8ac27118af7c792794b538c78a2f (patch) | |
| tree | 52dd96f664a6fa51be25b28b6f10adc5f2c9f660 /pki/base/kra/src/com/netscape/kra | |
| parent | f05d58a46795553beb8881039cc922974b40db34 (diff) | |
| download | pki-32150d3ee32f8ac27118af7c792794b538c78a2f.tar.gz pki-32150d3ee32f8ac27118af7c792794b538c78a2f.tar.xz pki-32150d3ee32f8ac27118af7c792794b538c78a2f.zip | |
Formatting
Formatted project according to eclipse project settings
Diffstat (limited to 'pki/base/kra/src/com/netscape/kra')
11 files changed, 2377 insertions, 2279 deletions
diff --git a/pki/base/kra/src/com/netscape/kra/EncryptionUnit.java b/pki/base/kra/src/com/netscape/kra/EncryptionUnit.java index cbd3b7a3d..9eb2ae3b8 100644 --- a/pki/base/kra/src/com/netscape/kra/EncryptionUnit.java +++ b/pki/base/kra/src/com/netscape/kra/EncryptionUnit.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import java.io.CharConversionException; import java.io.IOException; import java.security.InvalidAlgorithmParameterException; @@ -48,20 +47,20 @@ import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.security.IEncryptionUnit; import com.netscape.cmscore.util.Debug; - /** - * A class represents the transport key pair. This key pair - * is used to protected EE's private key in transit. - * + * A class represents the transport key pair. This key pair is used to protected + * EE's private key in transit. + * * @author thomask * @version $Revision$, $Date$ */ public abstract class EncryptionUnit implements IEncryptionUnit { - /* Establish one constant IV for base class, to be used for - internal operations. Constant IV acceptable for symmetric keys. - */ - private byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1}; + /* + * Establish one constant IV for base class, to be used for internal + * operations. Constant IV acceptable for symmetric keys. + */ + private byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; protected IVParameterSpec IV = null; public EncryptionUnit() { @@ -79,84 +78,145 @@ public abstract class EncryptionUnit implements IEncryptionUnit { public abstract PrivateKey getPrivateKey(); /** - * Protects the private key so that it can be stored in - * internal database. + * Protects the private key so that it can be stored in internal database. */ - public byte[] encryptInternalPrivate(byte priKey[]) - throws EBaseException { + public byte[] encryptInternalPrivate(byte priKey[]) throws EBaseException { try { CMS.debug("EncryptionUnit.encryptInternalPrivate"); CryptoToken token = getToken(); CryptoToken internalToken = getInternalToken(); // (1) generate session key - org.mozilla.jss.crypto.KeyGenerator kg = - internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); + org.mozilla.jss.crypto.KeyGenerator kg = internalToken + .getKeyGenerator(KeyGenAlgorithm.DES3); SymmetricKey sk = kg.generate(); // (2) wrap private key with session key - Cipher cipher = internalToken.getCipherContext( - EncryptionAlgorithm.DES3_CBC_PAD); + Cipher cipher = internalToken + .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); cipher.initEncrypt(sk, IV); byte pri[] = cipher.doFinal(priKey); // (3) wrap session with transport public - KeyWrapper rsaWrap = internalToken.getKeyWrapper( - KeyWrapAlgorithm.RSA); + KeyWrapper rsaWrap = internalToken + .getKeyWrapper(KeyWrapAlgorithm.RSA); rsaWrap.initWrap(getPublicKey(), null); byte session[] = rsaWrap.wrap(sk); // use MY own structure for now: // SEQUENCE { - // encryptedSession OCTET STRING, - // encryptedPrivate OCTET STRING + // encryptedSession OCTET STRING, + // encryptedPrivate OCTET STRING // } - + DerOutputStream tmp = new DerOutputStream(); DerOutputStream out = new DerOutputStream(); tmp.putOctetString(session); tmp.putOctetString(pri); out.write(DerValue.tag_Sequence, tmp); - + return out.toByteArray(); } catch (TokenException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString())); - Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::encryptInternalPrivate " + + e.toString()); return null; } catch (NoSuchAlgorithmException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString())); - Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::encryptInternalPrivate " + + e.toString()); return null; } catch (CharConversionException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString())); - Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::encryptInternalPrivate " + + e.toString()); return null; } catch (InvalidAlgorithmParameterException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString())); - Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::encryptInternalPrivate " + + e.toString()); return null; } catch (InvalidKeyException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString())); - Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::encryptInternalPrivate " + + e.toString()); return null; } catch (BadPaddingException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString())); - Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::encryptInternalPrivate " + + e.toString()); return null; } catch (IllegalBlockSizeException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString())); - Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::encryptInternalPrivate " + + e.toString()); return null; } catch (IOException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString())); - Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::encryptInternalPrivate " + + e.toString()); return null; } catch (Exception e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString())); - Debug.trace("EncryptionUnit::encryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::encryptInternalPrivate " + + e.toString()); return null; } } @@ -171,92 +231,133 @@ public abstract class EncryptionUnit implements IEncryptionUnit { CryptoToken token = getToken(); // (1) generate session key - org.mozilla.jss.crypto.KeyGenerator kg = - token.getKeyGenerator(KeyGenAlgorithm.DES3); - // internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); + org.mozilla.jss.crypto.KeyGenerator kg = token + .getKeyGenerator(KeyGenAlgorithm.DES3); + // internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); SymmetricKey.Usage usages[] = new SymmetricKey.Usage[2]; usages[0] = SymmetricKey.Usage.WRAP; usages[1] = SymmetricKey.Usage.UNWRAP; kg.setKeyUsages(usages); kg.temporaryKeys(true); SymmetricKey sk = kg.generate(); - CMS.debug("EncryptionUnit:wrap() session key generated on slot: "+token.getName()); + CMS.debug("EncryptionUnit:wrap() session key generated on slot: " + + token.getName()); // (2) wrap private key with session key // KeyWrapper wrapper = internalToken.getKeyWrapper( - KeyWrapper wrapper = token.getKeyWrapper( - KeyWrapAlgorithm.DES3_CBC_PAD); + KeyWrapper wrapper = token + .getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); wrapper.initWrap(sk, IV); byte pri[] = wrapper.wrap(priKey); - CMS.debug("EncryptionUnit:wrap() privKey wrapped"); + CMS.debug("EncryptionUnit:wrap() privKey wrapped"); // (3) wrap session with transport public - KeyWrapper rsaWrap = token.getKeyWrapper( - KeyWrapAlgorithm.RSA); + KeyWrapper rsaWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA); rsaWrap.initWrap(getPublicKey(), null); byte session[] = rsaWrap.wrap(sk); - CMS.debug("EncryptionUnit:wrap() sessin key wrapped"); + CMS.debug("EncryptionUnit:wrap() sessin key wrapped"); // use MY own structure for now: // SEQUENCE { - // encryptedSession OCTET STRING, - // encryptedPrivate OCTET STRING + // encryptedSession OCTET STRING, + // encryptedPrivate OCTET STRING // } - + DerOutputStream tmp = new DerOutputStream(); DerOutputStream out = new DerOutputStream(); tmp.putOctetString(session); tmp.putOctetString(pri); out.write(DerValue.tag_Sequence, tmp); - + return out.toByteArray(); } catch (TokenException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", + e.toString())); Debug.trace("EncryptionUnit::wrap " + e.toString()); return null; } catch (NoSuchAlgorithmException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", + e.toString())); Debug.trace("EncryptionUnit::wrap " + e.toString()); return null; } catch (CharConversionException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", + e.toString())); Debug.trace("EncryptionUnit::wrap " + e.toString()); return null; } catch (InvalidAlgorithmParameterException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", + e.toString())); Debug.trace("EncryptionUnit::wrap " + e.toString()); return null; } catch (InvalidKeyException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", + e.toString())); Debug.trace("EncryptionUnit::wrap " + e.toString()); return null; } catch (IOException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", + e.toString())); Debug.trace("EncryptionUnit::wrap " + e.toString()); return null; } catch (Exception e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", + e.toString())); Debug.trace("EncryptionUnit::wrap " + e.toString()); return null; } } /** - * External unwrapping. Unwraps the data using - * the transport private key. + * External unwrapping. Unwraps the data using the transport private key. */ - public SymmetricKey unwrap_sym(byte encSymmKey[], SymmetricKey.Usage usage) - { + public SymmetricKey unwrap_sym(byte encSymmKey[], SymmetricKey.Usage usage) { try { CryptoToken token = getToken(); // (1) unwrap the session PrivateKey priKey = getPrivateKey(); String priKeyAlgo = priKey.getAlgorithm(); - CMS.debug("EncryptionUnit::unwrap_sym() private key algo: " + priKeyAlgo); + CMS.debug("EncryptionUnit::unwrap_sym() private key algo: " + + priKeyAlgo); KeyWrapper keyWrapper = null; if (priKeyAlgo.equals("EC")) { keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); @@ -266,117 +367,152 @@ public abstract class EncryptionUnit implements IEncryptionUnit { keyWrapper.initUnwrap(priKey, null); } SymmetricKey sk = keyWrapper.unwrapSymmetric(encSymmKey, - SymmetricKey.DES3, usage, - 0); - CMS.debug("EncryptionUnit::unwrap_sym() unwrapped on slot: " - +token.getName()); + SymmetricKey.DES3, usage, 0); + CMS.debug("EncryptionUnit::unwrap_sym() unwrapped on slot: " + + token.getName()); return sk; } catch (Exception e) { - CMS.debug("EncryptionUnit::unwrap_sym() error:" + - e.toString()); + CMS.debug("EncryptionUnit::unwrap_sym() error:" + e.toString()); return null; } } - public SymmetricKey unwrap_sym(byte encSymmKey[]) - { + public SymmetricKey unwrap_sym(byte encSymmKey[]) { return unwrap_sym(encSymmKey, SymmetricKey.Usage.WRAP); } - - public SymmetricKey unwrap_encrypt_sym(byte encSymmKey[]) - { + + public SymmetricKey unwrap_encrypt_sym(byte encSymmKey[]) { return unwrap_sym(encSymmKey, SymmetricKey.Usage.ENCRYPT); } /** * Decrypts the user private key. */ - public byte[] decryptExternalPrivate(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], - byte encValue[]) - throws EBaseException { + public byte[] decryptExternalPrivate(byte encSymmKey[], String symmAlgOID, + byte symmAlgParams[], byte encValue[]) throws EBaseException { try { CMS.debug("EncryptionUnit.decryptExternalPrivate"); CryptoToken token = getToken(); // (1) unwrap the session - KeyWrapper rsaWrap = token.getKeyWrapper( - KeyWrapAlgorithm.RSA); + KeyWrapper rsaWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA); rsaWrap.initUnwrap(getPrivateKey(), null); SymmetricKey sk = rsaWrap.unwrapSymmetric(encSymmKey, - SymmetricKey.DES3, SymmetricKey.Usage.DECRYPT, - 0); + SymmetricKey.DES3, SymmetricKey.Usage.DECRYPT, 0); // (2) unwrap the pri - Cipher cipher = token.getCipherContext( - EncryptionAlgorithm.DES3_CBC_PAD // XXX - ); + Cipher cipher = token + .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD // XXX + ); - cipher.initDecrypt(sk, new IVParameterSpec( - symmAlgParams)); + cipher.initDecrypt(sk, new IVParameterSpec(symmAlgParams)); return cipher.doFinal(encValue); } catch (IllegalBlockSizeException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString())); - Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::decryptExternalPrivate " + + e.toString()); return null; } catch (BadPaddingException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString())); - Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::decryptExternalPrivate " + + e.toString()); return null; } catch (TokenException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString())); - Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::decryptExternalPrivate " + + e.toString()); return null; } catch (NoSuchAlgorithmException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString())); - Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::decryptExternalPrivate " + + e.toString()); return null; } catch (InvalidAlgorithmParameterException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString())); - Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::decryptExternalPrivate " + + e.toString()); return null; } catch (InvalidKeyException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString())); - Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::decryptExternalPrivate " + + e.toString()); return null; } catch (Exception e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", e.toString())); - Debug.trace("EncryptionUnit::decryptExternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_EXTERNAL", + e.toString())); + Debug.trace("EncryptionUnit::decryptExternalPrivate " + + e.toString()); return null; } } /** - * External unwrapping. Unwraps the data using - * the transport private key. + * External unwrapping. Unwraps the data using the transport private key. */ - public PrivateKey unwrap(byte encSymmKey[], - String symmAlgOID, byte symmAlgParams[], - byte encValue[], PublicKey pubKey) - throws EBaseException { + public PrivateKey unwrap(byte encSymmKey[], String symmAlgOID, + byte symmAlgParams[], byte encValue[], PublicKey pubKey) + throws EBaseException { try { CryptoToken token = getToken(); // (1) unwrap the session - KeyWrapper rsaWrap = token.getKeyWrapper( - KeyWrapAlgorithm.RSA); + KeyWrapper rsaWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA); rsaWrap.initUnwrap(getPrivateKey(), null); SymmetricKey sk = rsaWrap.unwrapSymmetric(encSymmKey, - SymmetricKey.DES3, SymmetricKey.Usage.UNWRAP, - 0); + SymmetricKey.DES3, SymmetricKey.Usage.UNWRAP, 0); // (2) unwrap the pri - KeyWrapper wrapper = token.getKeyWrapper( - KeyWrapAlgorithm.DES3_CBC_PAD // XXX - ); + KeyWrapper wrapper = token + .getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD // XXX + ); - wrapper.initUnwrap(sk, new IVParameterSpec( - symmAlgParams)); + wrapper.initUnwrap(sk, new IVParameterSpec(symmAlgParams)); - PrivateKey.Type keytype = null; + PrivateKey.Type keytype = null; String alg = pubKey.getAlgorithm(); if (alg.equals("DSA")) { keytype = PrivateKey.DSA; @@ -385,34 +521,58 @@ public abstract class EncryptionUnit implements IEncryptionUnit { } else { keytype = PrivateKey.RSA; } - PrivateKey pk = wrapper.unwrapTemporaryPrivate(encValue, - keytype , pubKey); + PrivateKey pk = wrapper.unwrapTemporaryPrivate(encValue, keytype, + pubKey); return pk; } catch (TokenException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", + e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); return null; } catch (NoSuchAlgorithmException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", + e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); return null; } catch (InvalidAlgorithmParameterException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", + e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); return null; } catch (InvalidKeyException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", + e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); return null; } catch (Exception e) { - CMS.debug("EncryptionUnit.unwrap : Exception:"+e.toString()); + CMS.debug("EncryptionUnit.unwrap : Exception:" + e.toString()); return null; } } - public byte[] decryptInternalPrivate(byte wrappedKeyData[]) - throws EBaseException { + public byte[] decryptInternalPrivate(byte wrappedKeyData[]) + throws EBaseException { try { CMS.debug("EncryptionUnit.decryptInternalPrivate"); DerValue val = new DerValue(wrappedKeyData); @@ -426,51 +586,107 @@ public abstract class EncryptionUnit implements IEncryptionUnit { CryptoToken token = getToken(); // (1) unwrap the session - CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:"+ token.getName()); - KeyWrapper rsaWrap = token.getKeyWrapper( - KeyWrapAlgorithm.RSA); + CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:" + + token.getName()); + KeyWrapper rsaWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA); rsaWrap.initUnwrap(getPrivateKey(), null); SymmetricKey sk = rsaWrap.unwrapSymmetric(session, SymmetricKey.DES3, SymmetricKey.Usage.DECRYPT, 0); // (2) unwrap the pri - Cipher cipher = token.getCipherContext( - EncryptionAlgorithm.DES3_CBC_PAD); + Cipher cipher = token + .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); cipher.initDecrypt(sk, IV); return cipher.doFinal(pri); } catch (IllegalBlockSizeException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString())); - Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", + e.toString())); + Debug.trace("EncryptionUnit::decryptInternalPrivate " + + e.toString()); return null; } catch (BadPaddingException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString())); - Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", + e.toString())); + Debug.trace("EncryptionUnit::decryptInternalPrivate " + + e.toString()); return null; } catch (TokenException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString())); - Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", + e.toString())); + Debug.trace("EncryptionUnit::decryptInternalPrivate " + + e.toString()); return null; } catch (NoSuchAlgorithmException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString())); - Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", + e.toString())); + Debug.trace("EncryptionUnit::decryptInternalPrivate " + + e.toString()); return null; } catch (InvalidAlgorithmParameterException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString())); - Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", + e.toString())); + Debug.trace("EncryptionUnit::decryptInternalPrivate " + + e.toString()); return null; } catch (InvalidKeyException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString())); - Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", + e.toString())); + Debug.trace("EncryptionUnit::decryptInternalPrivate " + + e.toString()); return null; } catch (IOException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString())); - Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", + e.toString())); + Debug.trace("EncryptionUnit::decryptInternalPrivate " + + e.toString()); return null; } catch (Exception e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", e.toString())); - Debug.trace("EncryptionUnit::decryptInternalPrivate " + e.toString()); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_DECRYPT", + e.toString())); + Debug.trace("EncryptionUnit::decryptInternalPrivate " + + e.toString()); return null; } } @@ -478,25 +694,24 @@ public abstract class EncryptionUnit implements IEncryptionUnit { /** * Internal unwrapping. */ - public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey pubKey) - throws EBaseException { + public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey pubKey) + throws EBaseException { return _unwrap(wrappedKeyData, pubKey, true); } /** * Internal unwrapping. */ - public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey) - throws EBaseException { + public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey) + throws EBaseException { return _unwrap(wrappedKeyData, pubKey, false); } /** * Internal unwrapping. */ - private PrivateKey _unwrap(byte wrappedKeyData[], PublicKey - pubKey, boolean temporary) - throws EBaseException { + private PrivateKey _unwrap(byte wrappedKeyData[], PublicKey pubKey, + boolean temporary) throws EBaseException { try { DerValue val = new DerValue(wrappedKeyData); // val.tag == DerValue.tag_Sequence @@ -508,60 +723,87 @@ public abstract class EncryptionUnit implements IEncryptionUnit { CryptoToken token = getToken(); // (1) unwrap the session - KeyWrapper rsaWrap = token.getKeyWrapper( - KeyWrapAlgorithm.RSA); + KeyWrapper rsaWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA); rsaWrap.initUnwrap(getPrivateKey(), null); SymmetricKey sk = rsaWrap.unwrapSymmetric(session, SymmetricKey.DES3, SymmetricKey.Usage.UNWRAP, 0); // (2) unwrap the pri - KeyWrapper wrapper = token.getKeyWrapper( - KeyWrapAlgorithm.DES3_CBC_PAD); + KeyWrapper wrapper = token + .getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); wrapper.initUnwrap(sk, IV); PrivateKey pk = null; if (temporary) { - pk = wrapper.unwrapTemporaryPrivate(pri, - PrivateKey.RSA, pubKey); + pk = wrapper + .unwrapTemporaryPrivate(pri, PrivateKey.RSA, pubKey); } else { - pk = wrapper.unwrapPrivate(pri, - PrivateKey.RSA, pubKey); + pk = wrapper.unwrapPrivate(pri, PrivateKey.RSA, pubKey); } return pk; } catch (TokenException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", + e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); CMS.debug(e); return null; } catch (NoSuchAlgorithmException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", + e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); return null; } catch (InvalidAlgorithmParameterException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", + e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); return null; } catch (InvalidKeyException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", + e.toString())); Debug.printStackTrace(e); return null; } catch (IOException e) { - CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); + CMS.getLogger().log( + ILogger.EV_SYSTEM, + null, + ILogger.S_KRA, + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", + e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); return null; } catch (Exception e) { Debug.printStackTrace(e); - return null; + return null; } } /** * Verify the given key pair. */ - public void verify(PublicKey publicKey, PrivateKey privateKey) throws - EBaseException { + public void verify(PublicKey publicKey, PrivateKey privateKey) + throws EBaseException { } } - diff --git a/pki/base/kra/src/com/netscape/kra/EnrollmentService.java b/pki/base/kra/src/com/netscape/kra/EnrollmentService.java index 397793bfc..84307d0be 100644 --- a/pki/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/pki/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import java.io.ByteArrayInputStream; import java.io.IOException; import java.math.BigInteger; @@ -76,21 +75,17 @@ import com.netscape.cmscore.crmf.CRMFParser; import com.netscape.cmscore.crmf.PKIArchiveOptionsContainer; import com.netscape.cmscore.dbs.KeyRecord; - /** - * A class represents archival request processor. It - * passes the request to the policy processor, and - * process the request according to the policy decision. + * A class represents archival request processor. It passes the request to the + * policy processor, and process the request according to the policy decision. * <P> - * If policy returns ACCEPTED, the request will be - * processed immediately. + * If policy returns ACCEPTED, the request will be processed immediately. * <P> - * Upon processing, the incoming user key is unwrapped - * with the transport key of KRA, and then wrapped - * with the storage key. The encrypted key is stored - * in the internal database for long term storage. + * Upon processing, the incoming user key is unwrapped with the transport key of + * KRA, and then wrapped with the storage key. The encrypted key is stored in + * the internal database for long term storage. * <P> - * + * * @author thomask (original) * @author cfu (non-RSA keys; private keys secure handling); * @version $Revision$, $Date$ @@ -100,27 +95,20 @@ public class EnrollmentService implements IService { // constants public static final String CRMF_REQUEST = "CRMFRequest"; public final static String ATTR_KEY_RECORD = "keyRecord"; - public final static String ATTR_PROOF_OF_ARCHIVAL = - "proofOfArchival"; + public final static String ATTR_PROOF_OF_ARCHIVAL = "proofOfArchival"; - // private + // private private IKeyRecoveryAuthority mKRA = null; private ITransportKeyUnit mTransportUnit = null; private IStorageKeyUnit mStorageUnit = null; private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); - private final static byte EOL[] = { Character.LINE_SEPARATOR }; - private final static String - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; - private final static String - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; - private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; - private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; + /** * Constructs request processor. * <P> @@ -138,28 +126,27 @@ public class EnrollmentService implements IService { PKIArchiveOptions archOpts = null; try { - archOpts = (PKIArchiveOptions) - (new PKIArchiveOptions.Template()).decode(bis); + archOpts = (PKIArchiveOptions) (new PKIArchiveOptions.Template()) + .decode(bis); } catch (Exception e) { CMS.debug("EnrollProfile: getPKIArchiveOptions " + e.toString()); } return archOpts; } - + /** * Services an enrollment/archival request. * <P> - * + * * @param request enrollment request * @return serving successful or not * @exception EBaseException failed to serve */ - public boolean serviceRequest(IRequest request) - throws EBaseException { + public boolean serviceRequest(IRequest request) throws EBaseException { - IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); if (statsSub != null) { - statsSub.startTiming("archival", true /* main action */); + statsSub.startTiming("archival", true /* main action */); } String auditMessage = null; @@ -177,7 +164,8 @@ public class EnrollmentService implements IService { SessionContext sContext = SessionContext.getContext(); String agentId = (String) sContext.get(SessionContext.USER_ID); - AuthToken authToken = (AuthToken) sContext.get(SessionContext.AUTH_TOKEN); + AuthToken authToken = (AuthToken) sContext + .get(SessionContext.AUTH_TOKEN); mKRA.log(ILogger.LL_INFO, "KRA services enrollment request"); // unwrap user key with transport @@ -188,15 +176,14 @@ public class EnrollmentService implements IService { if (profileId == null || profileId.equals("")) { try { - aOpts = CRMFParser.getPKIArchiveOptions( - request.getExtDataInString(IRequest.HTTP_PARAMS, CRMF_REQUEST)); + aOpts = CRMFParser + .getPKIArchiveOptions(request.getExtDataInString( + IRequest.HTTP_PARAMS, CRMF_REQUEST)); } catch (IOException e) { auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); @@ -205,44 +192,39 @@ public class EnrollmentService implements IService { } } else { // profile-based request - PKIArchiveOptions options = (PKIArchiveOptions) - toPKIArchiveOptions( - request.getExtDataInByteArray(IEnrollProfile.REQUEST_ARCHIVE_OPTIONS)); + PKIArchiveOptions options = (PKIArchiveOptions) toPKIArchiveOptions(request + .getExtDataInByteArray(IEnrollProfile.REQUEST_ARCHIVE_OPTIONS)); aOpts = new PKIArchiveOptionsContainer[1]; - aOpts[0] = new PKIArchiveOptionsContainer(options, - 0/* not matter */); + aOpts[0] = new PKIArchiveOptionsContainer(options, 0/* not matter */); request.setExtData("dbStatus", "NOT_UPDATED"); - } + } for (int i = 0; i < aOpts.length; i++) { ArchiveOptions opts = new ArchiveOptions(aOpts[i].mAO); if (statsSub != null) { - statsSub.startTiming("decrypt_user_key"); + statsSub.startTiming("decrypt_user_key"); } mKRA.log(ILogger.LL_INFO, "KRA decrypts external private"); if (CMS.debugOn()) - CMS.debug("EnrollmentService::about to decryptExternalPrivate"); + CMS.debug("EnrollmentService::about to decryptExternalPrivate"); unwrapped = mTransportUnit.decryptExternalPrivate( - opts.getEncSymmKey(), - opts.getSymmAlgOID(), - opts.getSymmAlgParams(), - opts.getEncValue()); + opts.getEncSymmKey(), opts.getSymmAlgOID(), + opts.getSymmAlgParams(), opts.getEncValue()); if (statsSub != null) { - statsSub.endTiming("decrypt_user_key"); + statsSub.endTiming("decrypt_user_key"); } if (CMS.debugOn()) - CMS.debug("EnrollmentService::finished decryptExternalPrivate"); + CMS.debug("EnrollmentService::finished decryptExternalPrivate"); if (unwrapped == null) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); @@ -255,15 +237,12 @@ public class EnrollmentService implements IService { byte publicKeyData[] = publicKey.getEncoded(); if (publicKeyData == null) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); @@ -271,21 +250,21 @@ public class EnrollmentService implements IService { CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); } - /* Bugscape #54948 - verify public and private key before archiving key */ + /* + * Bugscape #54948 - verify public and private key before archiving + * key + */ if (statsSub != null) { - statsSub.startTiming("verify_key"); + statsSub.startTiming("verify_key"); } if (verifyKeyPair(publicKeyData, unwrapped) == false) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); @@ -293,53 +272,52 @@ public class EnrollmentService implements IService { CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); } if (statsSub != null) { - statsSub.endTiming("verify_key"); + statsSub.endTiming("verify_key"); } /** - mTransportKeyUnit.verify(pKey, unwrapped); + * mTransportKeyUnit.verify(pKey, unwrapped); **/ // retrieve owner name String owner = getOwnerName(request, aOpts[i].mReqPos); if (owner == null) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); } // // privateKeyData ::= SEQUENCE { - // sessionKey OCTET_STRING, - // encKey OCTET_STRING, - // } + // sessionKey OCTET_STRING, + // encKey OCTET_STRING, + // } // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private"); if (statsSub != null) { - statsSub.startTiming("encrypt_user_key"); + statsSub.startTiming("encrypt_user_key"); } - byte privateKeyData[] = mStorageUnit.encryptInternalPrivate( - unwrapped); + byte privateKeyData[] = mStorageUnit + .encryptInternalPrivate(unwrapped); if (statsSub != null) { - statsSub.endTiming("encrypt_user_key"); + statsSub.endTiming("encrypt_user_key"); } if (privateKeyData == null) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); @@ -348,9 +326,9 @@ public class EnrollmentService implements IService { } // create key record - KeyRecord rec = new KeyRecord(null, publicKeyData, - privateKeyData, owner, - publicKey.getAlgorithmId().getOID().toString(), agentId); + KeyRecord rec = new KeyRecord(null, publicKeyData, privateKeyData, + owner, publicKey.getAlgorithmId().getOID().toString(), + agentId); // we deal with RSA key only try { @@ -361,49 +339,44 @@ public class EnrollmentService implements IService { auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); } - // if record alreay has a serial number, yell out. if (rec.getSerialNumber() != null) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER", - rec.getSerialNumber().toString())); - + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_KRA_INVALID_SERIAL_NUMBER", rec + .getSerialNumber().toString())); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_STATE")); } IKeyRepository storage = mKRA.getKeyRepository(); BigInteger serialNo = storage.getNextSerialNumber(); if (serialNo == null) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_STATE")); } if (i == 0) { rec.set(KeyRecord.ATTR_ID, serialNo); @@ -415,67 +388,57 @@ public class EnrollmentService implements IService { mKRA.log(ILogger.LL_INFO, "KRA adding key record " + serialNo); if (statsSub != null) { - statsSub.startTiming("store_key"); + statsSub.startTiming("store_key"); } storage.addKeyRecord(rec); if (statsSub != null) { - statsSub.endTiming("store_key"); + statsSub.endTiming("store_key"); } - + if (CMS.debugOn()) - CMS.debug("EnrollmentService: key record 0x" + serialNo.toString(16) - + " (" + owner + ") archived"); + CMS.debug("EnrollmentService: key record 0x" + + serialNo.toString(16) + " (" + owner + ") archived"); - mKRA.log(ILogger.LL_INFO, "key record 0x" + - serialNo.toString(16) - + " (" + owner + ") archived"); + mKRA.log(ILogger.LL_INFO, "key record 0x" + serialNo.toString(16) + + " (" + owner + ") archived"); // for audit log String authMgr = AuditFormat.NOAUTH; - + if (authToken != null) { - authMgr = - authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = authToken + .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); } - CMS.getLogger().log(ILogger.EV_AUDIT, - ILogger.S_KRA, - AuditFormat.LEVEL, - AuditFormat.FORMAT, - new Object[] { - IRequest.KEYARCHIVAL_REQUEST, - request.getRequestId(), - AuditFormat.FROMAGENT + " agentID: " + agentId, - authMgr, - "completed", - owner, - "serial number: 0x" + serialNo.toString(16)} - ); - - + CMS.getLogger().log( + ILogger.EV_AUDIT, + ILogger.S_KRA, + AuditFormat.LEVEL, + AuditFormat.FORMAT, + new Object[] { IRequest.KEYARCHIVAL_REQUEST, + request.getRequestId(), + AuditFormat.FROMAGENT + " agentID: " + agentId, + authMgr, "completed", owner, + "serial number: 0x" + serialNo.toString(16) }); + // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - auditArchiveID); + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, ILogger.SUCCESS, auditRequesterID, + auditArchiveID); audit(auditMessage); // store a message in the signed audit log file auditPublicKey = auditPublicKey(rec); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditPublicKey); + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, + auditSubjectID, ILogger.SUCCESS, auditPublicKey); audit(auditMessage); // Xxx - should sign this proof of archival - ProofOfArchival mProof = new ProofOfArchival(serialNo, - owner, mKRA.getX500Name().toString(), - rec.getCreateTime()); + ProofOfArchival mProof = new ProofOfArchival(serialNo, owner, mKRA + .getX500Name().toString(), rec.getCreateTime()); DerOutputStream mProofOut = new DerOutputStream(); mProof.encode(mProofOut); @@ -486,16 +449,16 @@ public class EnrollmentService implements IService { request.setExtData(ATTR_PROOF_OF_ARCHIVAL + i, mProofOut.toByteArray()); } - + } // for /* - request.delete(IEnrollProfile.REQUEST_SUBJECT_NAME); - request.delete(IEnrollProfile.REQUEST_EXTENSIONS); - request.delete(IEnrollProfile.REQUEST_VALIDITY); - request.delete(IEnrollProfile.REQUEST_KEY); - request.delete(IEnrollProfile.REQUEST_SIGNING_ALGORITHM); - request.delete(IEnrollProfile.REQUEST_LOCALE); + * request.delete(IEnrollProfile.REQUEST_SUBJECT_NAME); + * request.delete(IEnrollProfile.REQUEST_EXTENSIONS); + * request.delete(IEnrollProfile.REQUEST_VALIDITY); + * request.delete(IEnrollProfile.REQUEST_KEY); + * request.delete(IEnrollProfile.REQUEST_SIGNING_ALGORITHM); + * request.delete(IEnrollProfile.REQUEST_LOCALE); */ request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); @@ -505,92 +468,94 @@ public class EnrollmentService implements IService { mKRA.getRequestQueue().updateRequest(request); if (statsSub != null) { - statsSub.endTiming("archival"); + statsSub.endTiming("archival"); } - + return true; } - public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) - { - try { - DerValue publicKeyVal = new DerValue(publicKeyData); - DerInputStream publicKeyIn = publicKeyVal.data; - publicKeyIn.getSequence(0); - DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); - DerInputStream publicKeyDerIn = publicKeyDer.data; - BigInt publicKeyModulus = publicKeyDerIn.getInteger(); - BigInt publicKeyExponent = publicKeyDerIn.getInteger(); - - DerValue privateKeyVal = new DerValue(privateKeyData); - if (privateKeyVal.tag != DerValue.tag_Sequence) - return false; - DerInputStream privateKeyIn = privateKeyVal.data; - privateKeyIn.getInteger(); - privateKeyIn.getSequence(0); - DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); - DerInputStream privateKeyDerIn = privateKeyDer.data; - BigInt privateKeyVersion = privateKeyDerIn.getInteger(); - BigInt privateKeyModulus = privateKeyDerIn.getInteger(); - BigInt privateKeyExponent = privateKeyDerIn.getInteger(); - - if (!publicKeyModulus.equals(privateKeyModulus)) { - CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus); - return false; - } - - if (!publicKeyExponent.equals(privateKeyExponent)) { - CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent); - return false; - } - - return true; - } catch (Exception e) { - CMS.debug("verifyKeyPair error " + e); - return false; - } + public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) { + try { + DerValue publicKeyVal = new DerValue(publicKeyData); + DerInputStream publicKeyIn = publicKeyVal.data; + publicKeyIn.getSequence(0); + DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); + DerInputStream publicKeyDerIn = publicKeyDer.data; + BigInt publicKeyModulus = publicKeyDerIn.getInteger(); + BigInt publicKeyExponent = publicKeyDerIn.getInteger(); + + DerValue privateKeyVal = new DerValue(privateKeyData); + if (privateKeyVal.tag != DerValue.tag_Sequence) + return false; + DerInputStream privateKeyIn = privateKeyVal.data; + privateKeyIn.getInteger(); + privateKeyIn.getSequence(0); + DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); + DerInputStream privateKeyDerIn = privateKeyDer.data; + BigInt privateKeyVersion = privateKeyDerIn.getInteger(); + BigInt privateKeyModulus = privateKeyDerIn.getInteger(); + BigInt privateKeyExponent = privateKeyDerIn.getInteger(); + + if (!publicKeyModulus.equals(privateKeyModulus)) { + CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + + publicKeyModulus + " privateKeyModulus=" + + privateKeyModulus); + return false; + } + + if (!publicKeyExponent.equals(privateKeyExponent)) { + CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + + publicKeyExponent + " privateKeyExponent=" + + privateKeyExponent); + return false; + } + + return true; + } catch (Exception e) { + CMS.debug("verifyKeyPair error " + e); + return false; + } } - private static final OBJECT_IDENTIFIER PKIARCHIVEOPTIONS_OID = - new OBJECT_IDENTIFIER(new long[] {1, 3, 6, 1, 5, 5, 7, 5, 1, 4} - ); + private static final OBJECT_IDENTIFIER PKIARCHIVEOPTIONS_OID = new OBJECT_IDENTIFIER( + new long[] { 1, 3, 6, 1, 5, 5, 7, 5, 1, 4 }); /** * Retrieves PKIArchiveOptions from CRMF request. - * + * * @param crmfBlob CRMF request * @return PKIArchiveOptions * @exception EBaseException failed to extrace option */ - public static PKIArchiveOptionsContainer[] getPKIArchiveOptions(String crmfBlob) - throws EBaseException { + public static PKIArchiveOptionsContainer[] getPKIArchiveOptions( + String crmfBlob) throws EBaseException { Vector options = new Vector(); if (CMS.debugOn()) - CMS.debug("EnrollmentService::getPKIArchiveOptions> crmfBlob=" + crmfBlob); + CMS.debug("EnrollmentService::getPKIArchiveOptions> crmfBlob=" + + crmfBlob); byte[] crmfBerBlob = null; crmfBerBlob = com.netscape.osutil.OSUtil.AtoB(crmfBlob); - ByteArrayInputStream crmfBerBlobIn = new - ByteArrayInputStream(crmfBerBlob); + ByteArrayInputStream crmfBerBlobIn = new ByteArrayInputStream( + crmfBerBlob); SEQUENCE crmfmsgs = null; try { - crmfmsgs = (SEQUENCE) new - SEQUENCE.OF_Template(new - CertReqMsg.Template()).decode( - crmfBerBlobIn); + crmfmsgs = (SEQUENCE) new SEQUENCE.OF_Template( + new CertReqMsg.Template()).decode(crmfBerBlobIn); } catch (IOException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString())); } catch (InvalidBERException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString())); } for (int z = 0; z < crmfmsgs.size(); z++) { - CertReqMsg certReqMsg = (CertReqMsg) - crmfmsgs.elementAt(z); - CertRequest certReq = certReqMsg.getCertReq(); - + CertReqMsg certReqMsg = (CertReqMsg) crmfmsgs.elementAt(z); + CertRequest certReq = certReqMsg.getCertReq(); + // try to locate PKIArchiveOption control AVA archAva = null; @@ -605,29 +570,38 @@ public class EnrollmentService implements IService { } } } catch (Exception e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "no PKIArchiveOptions found " + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", + "no PKIArchiveOptions found " + e.toString())); } if (archAva != null) { ASN1Value archVal = archAva.getValue(); - ByteArrayInputStream bis = new ByteArrayInputStream(ASN1Util.encode(archVal)); + ByteArrayInputStream bis = new ByteArrayInputStream( + ASN1Util.encode(archVal)); PKIArchiveOptions archOpts = null; try { - archOpts = (PKIArchiveOptions) - (new PKIArchiveOptions.Template()).decode(bis); + archOpts = (PKIArchiveOptions) (new PKIArchiveOptions.Template()) + .decode(bis); } catch (IOException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + + e.toString())); } catch (InvalidBERException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + + e.toString())); } options.addElement(new PKIArchiveOptionsContainer(archOpts, z)); } } if (options.size() == 0) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "PKIArchiveOptions found")); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "PKIArchiveOptions found")); } else { - PKIArchiveOptionsContainer p[] = new PKIArchiveOptionsContainer[options.size()]; + PKIArchiveOptionsContainer p[] = new PKIArchiveOptionsContainer[options + .size()]; options.copyInto(p); return p; @@ -636,7 +610,7 @@ public class EnrollmentService implements IService { /** * Retrieves public key from request. - * + * * @param request CRMF request * @return JSS public key * @exception EBaseException failed to retrieve public key @@ -645,7 +619,8 @@ public class EnrollmentService implements IService { String profileId = request.getExtDataInString("profileId"); if (profileId != null && !profileId.equals("")) { - byte[] certKeyData = request.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY); + byte[] certKeyData = request + .getExtDataInByteArray(IEnrollProfile.REQUEST_KEY); if (certKeyData != null) { try { CertificateX509Key x509key = new CertificateX509Key( @@ -653,78 +628,95 @@ public class EnrollmentService implements IService { return (X509Key) x509key.get(CertificateX509Key.KEY); } catch (Exception e1) { - CMS.debug("EnrollService: (Archival) getPublicKey " + - e1.toString()); + CMS.debug("EnrollService: (Archival) getPublicKey " + + e1.toString()); } } return null; } // retrieve x509 Key from request - X509CertInfo certInfo[] = - request.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo[] = request + .getExtDataInCertInfoArray(IRequest.CERT_INFO); CertificateX509Key pX509Key = null; try { - pX509Key = (CertificateX509Key) - certInfo[i].get(X509CertInfo.KEY); + pX509Key = (CertificateX509Key) certInfo[i].get(X509CertInfo.KEY); } catch (IOException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + + e.toString())); } catch (CertificateException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + + e.toString())); } X509Key pKey = null; try { - pKey = (X509Key) pX509Key.get( - CertificateX509Key.KEY); + pKey = (X509Key) pX509Key.get(CertificateX509Key.KEY); } catch (IOException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + CertificateX509Key.KEY + "]" + e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[" + CertificateX509Key.KEY + + "]" + e.toString())); } return pKey; } /** * Retrieves key's owner name from request. - * + * * @param request CRMF request * @return owner name (subject name) * @exception EBaseException failed to retrieve public key */ - private String getOwnerName(IRequest request, int i) - throws EBaseException { + private String getOwnerName(IRequest request, int i) throws EBaseException { String profileId = request.getExtDataInString("profileId"); if (profileId != null && !profileId.equals("")) { - CertificateSubjectName sub = request.getExtDataInCertSubjectName( - IEnrollProfile.REQUEST_SUBJECT_NAME); + CertificateSubjectName sub = request + .getExtDataInCertSubjectName(IEnrollProfile.REQUEST_SUBJECT_NAME); if (sub != null) { return sub.toString(); } } - X509CertInfo certInfo[] = - request.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo[] = request + .getExtDataInCertInfoArray(IRequest.CERT_INFO); CertificateSubjectName pSub = null; try { - pSub = (CertificateSubjectName) - certInfo[0].get(X509CertInfo.SUBJECT); + pSub = (CertificateSubjectName) certInfo[0] + .get(X509CertInfo.SUBJECT); } catch (IOException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + "]" + e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + + "]" + e.toString())); } catch (CertificateException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + "]" + e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + + "]" + e.toString())); } String owner = pSub.toString(); @@ -733,11 +725,11 @@ public class EnrollmentService implements IService { /** * Signed Audit Log Public Key - * + * * This method is called to obtain the public key from the passed in * "KeyRecord" for a signed audit log message. * <P> - * + * * @param rec a Key Record * @return key string containing the certificate's public key */ @@ -770,29 +762,30 @@ public class EnrollmentService implements IService { // extract all line separators from the "base64Data" StringTokenizer st = new StringTokenizer(base64Data, "\r\n"); while (st.hasMoreTokens()) { - key += st.nextToken(); + key += st.nextToken(); } } key = key.trim(); - if (key.equals("")) { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } else { - return key; - } + if (key.equals("")) { + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } else { + return key; + } } + /** * Signed Audit Log Subject ID - * - * This method is called to obtain the "SubjectID" for - * a signed audit log message. + * + * This method is called to obtain the "SubjectID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message SubjectID */ - private String auditSubjectID() { + private String auditSubjectID() { // if no signed audit object exists, bail if (mSignedAuditLogger == null) { return null; @@ -804,8 +797,7 @@ public class EnrollmentService implements IService { SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - subjectID = (String) - auditContext.get(SessionContext.USER_ID); + subjectID = (String) auditContext.get(SessionContext.USER_ID); if (subjectID != null) { subjectID = subjectID.trim(); @@ -818,13 +810,14 @@ public class EnrollmentService implements IService { return subjectID; } + /** * Signed Audit Log Requester ID - * - * This method is called to obtain the "RequesterID" for - * a signed audit log message. + * + * This method is called to obtain the "RequesterID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message RequesterID */ private String auditRequesterID() { @@ -839,8 +832,8 @@ public class EnrollmentService implements IService { SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - requesterID = (String) - auditContext.get(SessionContext.REQUESTER_ID); + requesterID = (String) auditContext + .get(SessionContext.REQUESTER_ID); if (requesterID != null) { requesterID = requesterID.trim(); @@ -856,11 +849,11 @@ public class EnrollmentService implements IService { /** * Signed Audit Log Recovery ID - * - * This method is called to obtain the "RecoveryID" for - * a signed audit log message. + * + * This method is called to obtain the "RecoveryID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message RecoveryID */ private String auditRecoveryID() { @@ -875,8 +868,7 @@ public class EnrollmentService implements IService { SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - recoveryID = (String) - auditContext.get(SessionContext.RECOVERY_ID); + recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID); if (recoveryID != null) { recoveryID = recoveryID.trim(); @@ -890,13 +882,12 @@ public class EnrollmentService implements IService { return recoveryID; } - /** * Signed Audit Log - * + * * This method is called to store messages to the signed audit log. * <P> - * + * * @param msg signed audit log message */ private void audit(String msg) { @@ -907,15 +898,11 @@ public class EnrollmentService implements IService { return; } - mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, - null, - ILogger.S_SIGNED_AUDIT, - ILogger.LL_SECURITY, - msg); + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null, + ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg); } } - /** * Parsed and Flattened structure of PKIArchiveOptions. */ @@ -924,6 +911,7 @@ class ArchiveOptions { private byte mSymmAlgParams[] = null; private byte mEncSymmKey[] = null; private byte mEncValue[] = null; + public ArchiveOptions(PKIArchiveOptions opts) throws EBaseException { try { EncryptedKey key = opts.getEncryptedKey(); @@ -938,21 +926,24 @@ class ArchiveOptions { enveloped_val = key.getEnvelopedData(); byte[] env_b = enveloped_val.getEncoded(); EnvelopedData.Template env_template = new EnvelopedData.Template(); - EnvelopedData env_data = - (EnvelopedData) env_template.decode(new ByteArrayInputStream(env_b)); + EnvelopedData env_data = (EnvelopedData) env_template + .decode(new ByteArrayInputStream(env_b)); EncryptedContentInfo eCI = env_data.getEncryptedContentInfo(); symmAlg = eCI.getContentEncryptionAlgorithm(); mSymmAlgOID = symmAlg.getOID().toString(); - mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters()).decodeWith(OCTET_STRING.getTemplate())).toByteArray(); + mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters()) + .decodeWith(OCTET_STRING.getTemplate())).toByteArray(); SET recipients = env_data.getRecipientInfos(); if (recipients.size() <= 0) { - CMS.debug("EnrollService: ArchiveOptions() - missing recipient information "); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions] missing recipient information ")); + CMS.debug("EnrollService: ArchiveOptions() - missing recipient information "); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", + "[PKIArchiveOptions] missing recipient information ")); } - //check recpient - later - //we only handle one recipient here anyways. so, either the key - //can be decrypted or it can't. No risk here. + // check recpient - later + // we only handle one recipient here anyways. so, either the key + // can be decrypted or it can't. No risk here. RecipientInfo ri = (RecipientInfo) recipients.elementAt(0); OCTET_STRING key_o = ri.getEncryptedKey(); mEncSymmKey = key_o.toByteArray(); @@ -967,7 +958,8 @@ class ArchiveOptions { val = key.getEncryptedValue(); symmAlg = val.getSymmAlg(); mSymmAlgOID = symmAlg.getOID().toString(); - mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters()).decodeWith(OCTET_STRING.getTemplate())).toByteArray(); + mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters()) + .decodeWith(OCTET_STRING.getTemplate())).toByteArray(); BIT_STRING encSymmKey = val.getEncSymmKey(); mEncSymmKey = encSymmKey.getBits(); @@ -977,20 +969,24 @@ class ArchiveOptions { CMS.debug("EnrollService: ArchiveOptions() EncryptedKey type= ENCRYPTED_VALUE done"); } else { CMS.debug("EnrollService: ArchiveOptions() invalid EncryptedKey type"); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions] type " + key.getType())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", + "[PKIArchiveOptions] type " + key.getType())); } } catch (InvalidBERException e) { CMS.debug("EnrollService: ArchiveOptions(): " + e.toString()); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", + "[PKIArchiveOptions]" + e.toString())); } catch (IOException e) { CMS.debug("EnrollService: ArchiveOptions(): " + e.toString()); - throw new EBaseException("ArchiveOptions() exception caught: "+ - e.toString()); + throw new EBaseException("ArchiveOptions() exception caught: " + + e.toString()); } catch (Exception e) { CMS.debug("EnrollService: ArchiveOptions(): " + e.toString()); - throw new EBaseException("ArchiveOptions() exception caught: "+ - e.toString()); + throw new EBaseException("ArchiveOptions() exception caught: " + + e.toString()); } } diff --git a/pki/base/kra/src/com/netscape/kra/KRANotify.java b/pki/base/kra/src/com/netscape/kra/KRANotify.java index 33c16456d..abf7887e7 100644 --- a/pki/base/kra/src/com/netscape/kra/KRANotify.java +++ b/pki/base/kra/src/com/netscape/kra/KRANotify.java @@ -17,16 +17,13 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.request.ARequestNotifier; - /** - * A class represents a KRA request queue notify. This - * object will be invoked by the request subsystem - * when a request is requested for processing. - * + * A class represents a KRA request queue notify. This object will be invoked by + * the request subsystem when a request is requested for processing. + * * @author thomask * @version $Revision$, $Date$ */ diff --git a/pki/base/kra/src/com/netscape/kra/KRAPolicy.java b/pki/base/kra/src/com/netscape/kra/KRAPolicy.java index dee18da4c..f7d2ba134 100644 --- a/pki/base/kra/src/com/netscape/kra/KRAPolicy.java +++ b/pki/base/kra/src/com/netscape/kra/KRAPolicy.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; @@ -30,7 +29,6 @@ import com.netscape.certsrv.request.PolicyResult; import com.netscape.cmscore.policy.GenericPolicyProcessor; import com.netscape.cmscore.util.Debug; - /** * KRA Policy. * @@ -46,7 +44,7 @@ public class KRAPolicy implements IPolicy { } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + throws EBaseException { mKRA = (IKeyRecoveryAuthority) owner; mConfig = config; mPolicies.init(mKRA, mConfig); @@ -77,4 +75,3 @@ public class KRAPolicy implements IPolicy { } } - diff --git a/pki/base/kra/src/com/netscape/kra/KRAService.java b/pki/base/kra/src/com/netscape/kra/KRAService.java index a312a655d..ad7ccc850 100644 --- a/pki/base/kra/src/com/netscape/kra/KRAService.java +++ b/pki/base/kra/src/com/netscape/kra/KRAService.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import java.util.Hashtable; import com.netscape.certsrv.apps.CMS; @@ -28,23 +27,19 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; import com.netscape.cmscore.util.Debug; - /** - * A class represents a KRA request queue service. This - * is the service object that is registered with - * the request queue. And it acts as a broker to - * distribute request into different KRA specific - * services. This service registration allows us to support - * new request easier. + * A class represents a KRA request queue service. This is the service object + * that is registered with the request queue. And it acts as a broker to + * distribute request into different KRA specific services. This service + * registration allows us to support new request easier. * <P> - * + * * @author thomask * @version $Revision$, $Date$ */ public class KRAService implements IService { - public final static String ENROLLMENT = - IRequest.ENROLLMENT_REQUEST; + public final static String ENROLLMENT = IRequest.ENROLLMENT_REQUEST; public final static String RECOVERY = IRequest.KEYRECOVERY_REQUEST; public final static String NETKEY_KEYGEN = IRequest.NETKEY_KEYGEN_REQUEST; public final static String NETKEY_KEYRECOVERY = IRequest.NETKEY_KEYRECOVERY_REQUEST; @@ -60,30 +55,29 @@ public class KRAService implements IService { mKRA = kra; mServices.put(ENROLLMENT, new EnrollmentService(kra)); mServices.put(RECOVERY, new RecoveryService(kra)); - mServices.put(NETKEY_KEYGEN, new NetkeyKeygenService(kra)); - mServices.put(NETKEY_KEYRECOVERY, new TokenKeyRecoveryService(kra)); + mServices.put(NETKEY_KEYGEN, new NetkeyKeygenService(kra)); + mServices.put(NETKEY_KEYRECOVERY, new TokenKeyRecoveryService(kra)); } /** - * Processes a KRA request. This method is invoked by - * request subsystem. - * + * Processes a KRA request. This method is invoked by request subsystem. + * * @param r request from request subsystem * @exception EBaseException failed to serve */ public boolean serviceRequest(IRequest r) throws EBaseException { if (Debug.ON) - Debug.trace("KRA services request " + - r.getRequestId().toString()); - mKRA.log(ILogger.LL_INFO, "KRA services request " + - r.getRequestId().toString()); - IService s = (IService) mServices.get( - r.getRequestType()); + Debug.trace("KRA services request " + r.getRequestId().toString()); + mKRA.log(ILogger.LL_INFO, "KRA services request " + + r.getRequestId().toString()); + IService s = (IService) mServices.get(r.getRequestType()); if (s == null) { r.setExtData(IRequest.RESULT, IRequest.RES_ERROR); - r.setExtData(IRequest.ERROR, new EBaseException( - CMS.getUserMessage("CMS_BASE_INVALID_OPERATION"))); + r.setExtData( + IRequest.ERROR, + new EBaseException(CMS + .getUserMessage("CMS_BASE_INVALID_OPERATION"))); return true; } try { @@ -91,7 +85,7 @@ public class KRAService implements IService { } catch (EBaseException e) { r.setExtData(IRequest.RESULT, IRequest.RES_ERROR); r.setExtData(IRequest.ERROR, e); - // return true; + // return true; // #546508 return false; } diff --git a/pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java index 3339d31fb..e079036b7 100644 --- a/pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +++ b/pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import java.io.ByteArrayOutputStream; import java.io.IOException; import java.math.BigInteger; @@ -74,18 +73,17 @@ import com.netscape.cmscore.dbs.KeyRepository; import com.netscape.cmscore.dbs.ReplicaIDRepository; import com.netscape.cmscore.request.RequestSubsystem; - /** - * A class represents an key recovery authority (KRA). A KRA - * is responsible to maintain key pairs that have been - * escrowed. It provides archive and recovery key pairs - * functionalities. + * A class represents an key recovery authority (KRA). A KRA is responsible to + * maintain key pairs that have been escrowed. It provides archive and recovery + * key pairs functionalities. * <P> - * + * * @author thomask * @version $Revision$, $Date$ */ -public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecoveryAuthority { +public class KeyRecoveryAuthority implements IAuthority, IKeyService, + IKeyRecoveryAuthority { public final static String OFFICIAL_NAME = "Data Recovery Manager"; @@ -127,15 +125,13 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove protected org.mozilla.jss.crypto.X509Certificate mJssCert = null; protected CryptoToken mKeygenToken = null; - // holds the number of bits of entropy to collect for each keygen - private int mEntropyBitsPerKeyPair=0; - - // the number of milliseconds which it is acceptable to block while - // getting entropy - anything longer will cause a warning. - // 0 means this warning is disabled - private int mEntropyBlockWarnMilliseconds = 0; - + // holds the number of bits of entropy to collect for each keygen + private int mEntropyBitsPerKeyPair = 0; + // the number of milliseconds which it is acceptable to block while + // getting entropy - anything longer will cause a warning. + // 0 means this warning is disabled + private int mEntropyBlockWarnMilliseconds = 0; // for the notification listener public IRequestListener mReqInQListener = null; @@ -143,20 +139,12 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); private final static byte EOL[] = { Character.LINE_SEPARATOR }; private final static String SIGNED_AUDIT_AGENT_DELIMITER = ", "; - private final static String - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; - private final static String - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; - private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; - private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; - private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; - private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; /** * Constructs an escrow authority. @@ -177,7 +165,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Sets subsystem identifier. - * + * * @param id subsystem id * @exception EBaseException failed to set id */ @@ -190,87 +178,84 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } // initialize entropy collection parameters - private void initEntropy(IConfigStore config) - { + private void initEntropy(IConfigStore config) { mEntropyBitsPerKeyPair = 0; mEntropyBlockWarnMilliseconds = 50; // initialize entropy collection IConfigStore ecs = config.getSubStore("entropy"); if (ecs != null) { try { - mEntropyBitsPerKeyPair = ecs.getInteger("bitsperkeypair",0); - mEntropyBlockWarnMilliseconds = ecs.getInteger("blockwarnms",50); + mEntropyBitsPerKeyPair = ecs.getInteger("bitsperkeypair", 0); + mEntropyBlockWarnMilliseconds = ecs.getInteger("blockwarnms", + 50); } catch (EBaseException eb) { // ok - we deal with missing parameters above } } - CMS.debug("KeyRecoveryAuthority Entropy bits = "+mEntropyBitsPerKeyPair); + CMS.debug("KeyRecoveryAuthority Entropy bits = " + + mEntropyBitsPerKeyPair); if (mEntropyBitsPerKeyPair == 0) { - //log(ILogger.LL_INFO, - //CMS.getLogMessage("CMSCORE_KRA_ENTROPY_COLLECTION_DISABLED")); + // log(ILogger.LL_INFO, + // CMS.getLogMessage("CMSCORE_KRA_ENTROPY_COLLECTION_DISABLED")); } else { - //log(ILogger.LL_INFO, - //CMS.getLogMessage("CMSCORE_KRA_ENTROPY_COLLECTION_ENABLED")); - CMS.debug("KeyRecoveryAuthority about to add Entropy"); + // log(ILogger.LL_INFO, + // CMS.getLogMessage("CMSCORE_KRA_ENTROPY_COLLECTION_ENABLED")); + CMS.debug("KeyRecoveryAuthority about to add Entropy"); addEntropy(false); - CMS.debug("KeyRecoveryAuthority back from add Entropy"); + CMS.debug("KeyRecoveryAuthority back from add Entropy"); } } - public void addEntropy(boolean logflag) { - CMS.debug("KeyRecoveryAuthority addEntropy()"); + CMS.debug("KeyRecoveryAuthority addEntropy()"); if (mEntropyBitsPerKeyPair == 0) { - CMS.debug("KeyRecoveryAuthority returning - disabled()"); - return; - } + CMS.debug("KeyRecoveryAuthority returning - disabled()"); + return; + } long start = System.currentTimeMillis(); try { - com.netscape.cmscore.security.JssSubsystem.getInstance(). - addEntropy(mEntropyBitsPerKeyPair); + com.netscape.cmscore.security.JssSubsystem.getInstance() + .addEntropy(mEntropyBitsPerKeyPair); } catch (Exception e) { - CMS.debug("KeyRecoveryAuthority returning - error - see log file"); - CMS.debug("exception: "+e.getMessage()); - CMS.debug(e); - if (logflag) { - log(ILogger.LL_INFO, - CMS.getLogMessage("CMSCORE_KRA_ENTROPY_ERROR", - e.getMessage())); - } + CMS.debug("KeyRecoveryAuthority returning - error - see log file"); + CMS.debug("exception: " + e.getMessage()); + CMS.debug(e); + if (logflag) { + log(ILogger.LL_INFO, + CMS.getLogMessage("CMSCORE_KRA_ENTROPY_ERROR", + e.getMessage())); + } } - long end = System.currentTimeMillis(); - long duration = end-start; - - if (mEntropyBlockWarnMilliseconds > 0 && - duration > mEntropyBlockWarnMilliseconds) { - - CMS.debug("KeyRecoveryAuthority returning - warning - entropy took too long (ms="+ - duration+")"); - if (logflag) { - log(ILogger.LL_INFO, - CMS.getLogMessage("CMSCORE_KRA_ENTROPY_BLOCKED_WARNING", - ""+(int)duration)); - } + long end = System.currentTimeMillis(); + long duration = end - start; + + if (mEntropyBlockWarnMilliseconds > 0 + && duration > mEntropyBlockWarnMilliseconds) { + + CMS.debug("KeyRecoveryAuthority returning - warning - entropy took too long (ms=" + + duration + ")"); + if (logflag) { + log(ILogger.LL_INFO, CMS.getLogMessage( + "CMSCORE_KRA_ENTROPY_BLOCKED_WARNING", "" + + (int) duration)); + } } - CMS.debug("KeyRecoveryAuthority returning "); + CMS.debug("KeyRecoveryAuthority returning "); } - - - /** - * Starts this subsystem. It loads and initializes all - * necessary components. This subsystem is started by - * KRASubsystem. + /** + * Starts this subsystem. It loads and initializes all necessary components. + * This subsystem is started by KRASubsystem. * <P> * * @param owner owner of this subsystem * @param config configuration store for this subsystem * @exception EBaseException failed to start subsystem */ - public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { - CMS.debug("KeyRecoveryAuthority init() begins"); + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { + CMS.debug("KeyRecoveryAuthority init() begins"); if (mInitialized) return; @@ -284,92 +269,96 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove // create key repository int keydb_inc = mConfig.getInteger(PROP_KEYDB_INC, 5); - mKeyDB = new KeyRepository(getDBSubsystem(), - keydb_inc, - "ou=" + KEY_RESP_NAME + ",ou=" + - getId() + "," + - getDBSubsystem().getBaseDN()); + mKeyDB = new KeyRepository(getDBSubsystem(), keydb_inc, "ou=" + + KEY_RESP_NAME + ",ou=" + getId() + "," + + getDBSubsystem().getBaseDN()); // read transport key from internal database mTransportKeyUnit = new TransportKeyUnit(); try { - mTransportKeyUnit.init(this, mConfig.getSubStore( - PROP_TRANSPORT_KEY)); + mTransportKeyUnit.init(this, + mConfig.getSubStore(PROP_TRANSPORT_KEY)); } catch (EBaseException e) { - CMS.debug("KeyRecoveryAuthority: transport unit exception " + e.toString()); -//XXX throw e; - return; + CMS.debug("KeyRecoveryAuthority: transport unit exception " + + e.toString()); + // XXX throw e; + return; } // retrieve the authority name from transport cert try { mJssCert = mTransportKeyUnit.getCertificate(); - X509CertImpl certImpl = new - X509CertImpl(mJssCert.getEncoded()); + X509CertImpl certImpl = new X509CertImpl(mJssCert.getEncoded()); mName = (X500Name) certImpl.getSubjectDN(); } catch (CertificateEncodingException e) { CMS.debug("KeyRecoveryAuthority: " + e.toString()); throw new EBaseException(CMS.getUserMessage("CMS_BASE_LOAD_FAILED", - "transport cert " + e.toString())); + "transport cert " + e.toString())); } catch (CertificateException e) { CMS.debug("KeyRecoveryAuthority: " + e.toString()); throw new EBaseException(CMS.getUserMessage("CMS_BASE_LOAD_FAILED", - "transport cert " + e.toString())); + "transport cert " + e.toString())); } // read transport key from storage key mStorageKeyUnit = new StorageKeyUnit(); try { - mStorageKeyUnit.init(this, - mConfig.getSubStore(PROP_STORAGE_KEY)); + mStorageKeyUnit.init(this, mConfig.getSubStore(PROP_STORAGE_KEY)); } catch (EBaseException e) { - CMS.debug("KeyRecoveryAuthority: storage unit exception " + e.toString()); + CMS.debug("KeyRecoveryAuthority: storage unit exception " + + e.toString()); throw e; } - // setup token for server-side key generation for user enrollments - String serverKeygenTokenName = mConfig.getString("serverKeygenTokenName", null); - if (serverKeygenTokenName == null) { - CMS.debug("serverKeygenTokenName set to nothing"); - if (mStorageKeyUnit.getToken() != null) { - try { - String storageToken = mStorageKeyUnit.getToken().getName(); - if (!storageToken.equals("internal")) { - CMS.debug("Auto set serverKeygenTokenName to " + storageToken); - serverKeygenTokenName = storageToken; - } - } catch (Exception e) { - } - } - } - if (serverKeygenTokenName == null) { - serverKeygenTokenName = "internal"; - } + // setup token for server-side key generation for user enrollments + String serverKeygenTokenName = mConfig.getString( + "serverKeygenTokenName", null); + if (serverKeygenTokenName == null) { + CMS.debug("serverKeygenTokenName set to nothing"); + if (mStorageKeyUnit.getToken() != null) { + try { + String storageToken = mStorageKeyUnit.getToken().getName(); + if (!storageToken.equals("internal")) { + CMS.debug("Auto set serverKeygenTokenName to " + + storageToken); + serverKeygenTokenName = storageToken; + } + } catch (Exception e) { + } + } + } + if (serverKeygenTokenName == null) { + serverKeygenTokenName = "internal"; + } if (serverKeygenTokenName.equalsIgnoreCase(PR_INTERNAL_TOKEN_NAME)) serverKeygenTokenName = PR_INTERNAL_TOKEN_NAME; try { if (serverKeygenTokenName.equalsIgnoreCase(PR_INTERNAL_TOKEN_NAME)) { - CMS.debug("KeyRecoveryAuthority: getting internal crypto token for serverkeygen"); - mKeygenToken = CryptoManager.getInstance().getInternalKeyStorageToken(); + CMS.debug("KeyRecoveryAuthority: getting internal crypto token for serverkeygen"); + mKeygenToken = CryptoManager.getInstance() + .getInternalKeyStorageToken(); } else { - CMS.debug("KeyRecoveryAuthority: getting HSM token for serverkeygen"); - mKeygenToken = CryptoManager.getInstance().getTokenByName(serverKeygenTokenName); + CMS.debug("KeyRecoveryAuthority: getting HSM token for serverkeygen"); + mKeygenToken = CryptoManager.getInstance().getTokenByName( + serverKeygenTokenName); } - CMS.debug("KeyRecoveryAuthority: set up keygenToken"); + CMS.debug("KeyRecoveryAuthority: set up keygenToken"); } catch (NoSuchTokenException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", serverKeygenTokenName)); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_TOKEN_NOT_FOUND", serverKeygenTokenName)); } catch (Exception e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED")); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED")); } - CMS.debug("KeyRecoveryAuthority: about to init entropy"); - initEntropy(mConfig); - CMS.debug("KeyRecoveryAuthority: completed init of entropy"); + CMS.debug("KeyRecoveryAuthority: about to init entropy"); + initEntropy(mConfig); + CMS.debug("KeyRecoveryAuthority: completed init of entropy"); - getLogger().log(ILogger.EV_SYSTEM, ILogger.S_KRA, - ILogger.LL_INFO, mName.toString() + " is started"); + getLogger().log(ILogger.EV_SYSTEM, ILogger.S_KRA, ILogger.LL_INFO, + mName.toString() + " is started"); // setup the KRA request queue IService service = new KRAService(this); @@ -379,22 +368,22 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove IRequestSubsystem reqSub = RequestSubsystem.getInstance(); int reqdb_inc = mConfig.getInteger("reqdbInc", 5); - mRequestQueue = reqSub.getRequestQueue(getId(), reqdb_inc, - mPolicy, service, mNotify, mPNotify); + mRequestQueue = reqSub.getRequestQueue(getId(), reqdb_inc, mPolicy, + service, mNotify, mPNotify); - // set KeyStatusUpdateInterval to be 10 minutes if serial management is enabled. - mKeyDB.setKeyStatusUpdateInterval( - mRequestQueue.getRequestRepository(), - mConfig.getInteger("keyStatusUpdateInterval", 10 * 60)); + // set KeyStatusUpdateInterval to be 10 minutes if serial management is + // enabled. + mKeyDB.setKeyStatusUpdateInterval(mRequestQueue.getRequestRepository(), + mConfig.getInteger("keyStatusUpdateInterval", 10 * 60)); // init request scheduler if configured - String schedulerClass = - mConfig.getString("requestSchedulerClass", null); + String schedulerClass = mConfig + .getString("requestSchedulerClass", null); if (schedulerClass != null) { try { - IRequestScheduler scheduler = (IRequestScheduler) - Class.forName(schedulerClass).newInstance(); + IRequestScheduler scheduler = (IRequestScheduler) Class + .forName(schedulerClass).newInstance(); mRequestQueue.setRequestScheduler(scheduler); } catch (Exception e) { @@ -405,17 +394,17 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove String replicaReposDN = mConfig.getString(PROP_REPLICAID_DN, null); if (replicaReposDN == null) { - replicaReposDN = "ou=Replica," + getDBSubsystem().getBaseDN(); + replicaReposDN = "ou=Replica," + getDBSubsystem().getBaseDN(); } - mReplicaRepot = new ReplicaIDRepository( - DBSubsystem.getInstance(), 1, replicaReposDN); + mReplicaRepot = new ReplicaIDRepository(DBSubsystem.getInstance(), 1, + replicaReposDN); CMS.debug("Replica Repot inited"); } public CryptoToken getKeygenToken() { - return mKeygenToken; + return mKeygenToken; } public IRequestListener getRequestInQListener() { @@ -434,28 +423,27 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * Starts this service. When this method is called, all - * service - * + * Starts this service. When this method is called, all service + * * @exception EBaseException failed to startup this subsystem */ public void startup() throws EBaseException { - CMS.debug("KeyRecoveryAuthority startup() begins"); + CMS.debug("KeyRecoveryAuthority startup() begins"); - if (mRequestQueue != null) { - // setup administration operations if everything else is fine - mRequestQueue.recover(); - CMS.debug("KeyRecoveryAuthority startup() call request Q recover"); + if (mRequestQueue != null) { + // setup administration operations if everything else is fine + mRequestQueue.recover(); + CMS.debug("KeyRecoveryAuthority startup() call request Q recover"); - // Note that we use our instance id for registration. - // This helps us to support multiple instances - // of a subsystem within server. + // Note that we use our instance id for registration. + // This helps us to support multiple instances + // of a subsystem within server. - // register remote admin interface - mInitialized = true; - } else { - CMS.debug("KeyRecoveryAuthority: mRequestQueue is null, could be in preop mode"); - } + // register remote admin interface + mInitialized = true; + } else { + CMS.debug("KeyRecoveryAuthority: mRequestQueue is null, could be in preop mode"); + } } /** @@ -471,15 +459,15 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove mKeyDB.shutdown(); mKeyDB = null; } - getLogger().log(ILogger.EV_SYSTEM, ILogger.S_KRA, - ILogger.LL_INFO, mName.toString() + " is stopped"); + getLogger().log(ILogger.EV_SYSTEM, ILogger.S_KRA, ILogger.LL_INFO, + mName.toString() + " is stopped"); mInitialized = false; } /** * Retrieves the configuration store of this subsystem. * <P> - * + * * @return configuration store */ public IConfigStore getConfigStore() { @@ -488,7 +476,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Changes the auto recovery state. - * + * * @param cs list of recovery agent credentials * @param on turn of auto recovery or not * @return operation success or not @@ -509,7 +497,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Retrieves the current auto recovery state. - * + * * @return enable or not */ public boolean getAutoRecoveryState() { @@ -518,11 +506,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * Returns a list of users who are in auto - * recovery mode. - * - * @return list of user IDs that are accepted in the - * auto recovery mode + * Returns a list of users who are in auto recovery mode. + * + * @return list of user IDs that are accepted in the auto recovery mode */ public Enumeration getAutoRecoveryIDs() { return mAutoRecovery.keys(); @@ -530,7 +516,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Adds auto recovery mode to the given user id. - * + * * @param id new identifier to the auto recovery mode * @param creds list of credentials */ @@ -540,9 +526,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Removes auto recovery mode from the given user id. - * - * @param id id of user to be removed from auto - * recovery mode + * + * @param id id of user to be removed from auto recovery mode */ public void removeAutoRecovery(String id) { mAutoRecovery.remove(id); @@ -550,7 +535,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Retrieves logger from escrow authority. - * + * * @return logger */ public ILogger getLogger() { @@ -558,29 +543,28 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * Retrieves number of required agents for - * recovery operation. - * + * Retrieves number of required agents for recovery operation. + * * @return number of required agents * @exception EBaseException failed to retrieve info */ public int getNoOfRequiredAgents() throws EBaseException { if (mConfig.getBoolean("keySplitting", false)) { - return mStorageKeyUnit.getNoOfRequiredAgents(); + return mStorageKeyUnit.getNoOfRequiredAgents(); } else { int ret = -1; - ret = mConfig.getInteger("noOfRequiredRecoveryAgents", 1); + ret = mConfig.getInteger("noOfRequiredRecoveryAgents", 1); if (ret <= 0) { - throw new EBaseException("Invalid parameter noOfRequiredecoveryAgents"); + throw new EBaseException( + "Invalid parameter noOfRequiredecoveryAgents"); } return ret; } } /** - * Sets number of required agents for - * recovery operation - * + * Sets number of required agents for recovery operation + * * @return none * @exception EBaseException invalid setting */ @@ -588,7 +572,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove if (mConfig.getBoolean("keySplitting")) { mStorageKeyUnit.setNoOfRequiredAgents(number); } else { - mConfig.putInteger("noOfRequiredRecoveryAgents", number); + mConfig.putInteger("noOfRequiredRecoveryAgents", number); } } @@ -599,8 +583,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove return Integer.toString(mRecoveryIDCounter++); } - public Hashtable createRecoveryParams(String recoveryID) - throws EBaseException { + public Hashtable createRecoveryParams(String recoveryID) + throws EBaseException { Hashtable h = new Hashtable(); h.put(PARAM_CREDS, new Vector()); @@ -609,45 +593,40 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove return h; } - public void destroyRecoveryParams(String recoveryID) - throws EBaseException { + public void destroyRecoveryParams(String recoveryID) throws EBaseException { mRecoveryParams.remove(recoveryID); } - public Hashtable getRecoveryParams(String recoveryID) - throws EBaseException { + public Hashtable getRecoveryParams(String recoveryID) throws EBaseException { return (Hashtable) mRecoveryParams.get(recoveryID); } public void createPk12(String recoveryID, byte[] pk12) - throws EBaseException { + throws EBaseException { Hashtable h = getRecoveryParams(recoveryID); h.put(PARAM_PK12, pk12); } - public byte[] getPk12(String recoveryID) - throws EBaseException { + public byte[] getPk12(String recoveryID) throws EBaseException { return (byte[]) getRecoveryParams(recoveryID).get(PARAM_PK12); } public void createError(String recoveryID, String error) - throws EBaseException { + throws EBaseException { Hashtable h = getRecoveryParams(recoveryID); h.put(PARAM_ERROR, error); } - public String getError(String recoveryID) - throws EBaseException { + public String getError(String recoveryID) throws EBaseException { return (String) getRecoveryParams(recoveryID).get(PARAM_ERROR); } /** * Retrieve the current approval agents */ - public Vector getAppAgents( - String recoveryID) throws EBaseException { + public Vector getAppAgents(String recoveryID) throws EBaseException { Hashtable h = getRecoveryParams(recoveryID); Vector dc = (Vector) h.get(PARAM_CREDS); @@ -655,20 +634,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * Retrieves a list credentials. This puts KRA in a waiting - * mode, it never returns until all the necessary passwords - * are collected. + * Retrieves a list credentials. This puts KRA in a waiting mode, it never + * returns until all the necessary passwords are collected. */ - public Credential[] getDistributedCredentials( - String recoveryID) - throws EBaseException { + public Credential[] getDistributedCredentials(String recoveryID) + throws EBaseException { Hashtable h = getRecoveryParams(recoveryID); Vector dc = (Vector) h.get(PARAM_CREDS); Object lock = (Object) h.get(PARAM_LOCK); synchronized (lock) { - while (dc.size() < getNoOfRequiredAgents()) { - CMS.debug("KeyRecoveryAuthority: cfu in synchronized lock for getDistributedCredentials"); + while (dc.size() < getNoOfRequiredAgents()) { + CMS.debug("KeyRecoveryAuthority: cfu in synchronized lock for getDistributedCredentials"); try { lock.wait(); } catch (InterruptedException e) { @@ -684,16 +661,17 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Verifies credential. */ - private void verifyCredential(Vector creds, String uid, - String pwd) throws EBaseException { - // see if we have the uid already + private void verifyCredential(Vector creds, String uid, String pwd) + throws EBaseException { + // see if we have the uid already if (!mConfig.getBoolean("keySplitting")) { - // check if the uid is in the specified group + // check if the uid is in the specified group IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); if (!ug.isMemberOf(uid, mConfig.getString("recoveryAgentGroup"))) { - // invalid group - throw new EBaseException(CMS.getUserMessage("CMS_KRA_CREDENTIALS_NOT_EXIST")); + // invalid group + throw new EBaseException( + CMS.getUserMessage("CMS_KRA_CREDENTIALS_NOT_EXIST")); } } @@ -702,19 +680,20 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove if (c.getIdentifier().equals(uid)) { // duplicated uid - throw new EBaseException(CMS.getUserMessage("CMS_KRA_CREDENTIALS_EXIST")); + throw new EBaseException( + CMS.getUserMessage("CMS_KRA_CREDENTIALS_EXIST")); } } if (mConfig.getBoolean("keySplitting")) { - mStorageKeyUnit.checkPassword(uid, pwd); + mStorageKeyUnit.checkPassword(uid, pwd); } } /** * Adds password. */ - public void addDistributedCredential(String recoveryID, - String uid, String pwd) throws EBaseException { + public void addDistributedCredential(String recoveryID, String uid, + String pwd) throws EBaseException { Hashtable h = getRecoveryParams(recoveryID); Vector dc = (Vector) h.get(PARAM_CREDS); Object lock = (Object) h.get(PARAM_LOCK); @@ -729,26 +708,26 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * Archives key. This creates a key record in the key - * repository. + * Archives key. This creates a key record in the key repository. * <P> - * + * * <ul> * <li>signed.audit LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST used - * whenever a user private key archive request is made (this is when the - * DRM receives the request) - * <li>signed.audit LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED used - * whenever a user private key archive request is processed (this is when - * the DRM processes the request) + * whenever a user private key archive request is made (this is when the DRM + * receives the request) + * <li>signed.audit + * LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED used whenever + * a user private key archive request is processed (this is when the DRM + * processes the request) * </ul> + * * @param rec key record to be archived * @return executed request * @exception EBaseException failed to archive key * @return the request - * <P> + * <P> */ - public IRequest archiveKey(KeyRecord rec) - throws EBaseException { + public IRequest archiveKey(KeyRecord rec) throws EBaseException { String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditRequesterID = auditRequesterID(); @@ -776,21 +755,17 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - auditArchiveID); + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, ILogger.SUCCESS, auditRequesterID, + auditArchiveID); audit(auditMessage); } catch (EBaseException eAudit1) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, ILogger.FAILURE, auditRequesterID, + auditArchiveID); audit(auditMessage); @@ -801,25 +776,22 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove // to the signed audit log and stored as failures try { if (r != null) { - r.setExtData(EnrollmentService.ATTR_KEY_RECORD, rec.getSerialNumber()); + r.setExtData(EnrollmentService.ATTR_KEY_RECORD, + rec.getSerialNumber()); queue.processRequest(r); } // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditPublicKey); + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, + auditSubjectID, ILogger.SUCCESS, auditPublicKey); audit(auditMessage); } catch (EBaseException eAudit1) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditPublicKey); + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, + auditSubjectID, ILogger.FAILURE, auditPublicKey); audit(auditMessage); @@ -832,8 +804,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * async key recovery initiation */ - public String initAsyncKeyRecovery(BigInteger kid, X509CertImpl cert, String agent) - throws EBaseException { + public String initAsyncKeyRecovery(BigInteger kid, X509CertImpl cert, + String agent) throws EBaseException { String auditPublicKey = auditPublicKey(cert); String auditRecoveryID = "undefined"; @@ -857,37 +829,33 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, - auditPublicKey); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC, + auditSubjectID, ILogger.SUCCESS, auditRecoveryID, + auditPublicKey); audit(auditMessage); } catch (EBaseException eAudit1) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - auditPublicKey); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, + auditPublicKey); audit(auditMessage); throw eAudit1; } - //NO call to queue.processRequest(r) because it is only initiating + // NO call to queue.processRequest(r) because it is only initiating return r.getRequestId().toString(); } - /** - * is async recovery request status APPROVED - - * i.e. all required # of recovery agents approved - */ + /** + * is async recovery request status APPROVED - i.e. all required # of + * recovery agents approved + */ public boolean isApprovedAsyncKeyRecovery(String reqID) - throws EBaseException { + throws EBaseException { IRequestQueue queue = null; IRequest r = null; @@ -900,18 +868,19 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } } - /** - * get async recovery request initiating agent - */ + /** + * get async recovery request initiating agent + */ public String getInitAgentAsyncKeyRecovery(String reqID) - throws EBaseException { + throws EBaseException { IRequestQueue queue = null; IRequest r = null; queue = getRequestQueue(); r = queue.findRequest(new RequestId(reqID)); - String agents = r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS); + String agents = r + .getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS); if (agents != null) { int i = agents.indexOf(","); if (i == -1) { @@ -925,14 +894,13 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove return null; } - /** - * add async recovery agent to approving agent list of the recovery request - * record - * This method will check to see if the agent belongs to the recovery group - * first before adding. - */ + /** + * add async recovery agent to approving agent list of the recovery request + * record This method will check to see if the agent belongs to the recovery + * group first before adding. + */ public void addAgentAsyncKeyRecovery(String reqID, String agentID) - throws EBaseException { + throws EBaseException { IRequestQueue queue = null; IRequest r = null; @@ -940,13 +908,15 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG); if (!ug.isMemberOf(agentID, mConfig.getString("recoveryAgentGroup"))) { // invalid group - throw new EBaseException(CMS.getUserMessage("CMS_KRA_CREDENTIALS_NOT_EXIST")); + throw new EBaseException( + CMS.getUserMessage("CMS_KRA_CREDENTIALS_NOT_EXIST")); } queue = getRequestQueue(); r = queue.findRequest(new RequestId(reqID)); - String agents = r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS); + String agents = r + .getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS); if (agents != null) { int count = 0; StringTokenizer st = new StringTokenizer(agents, ","); @@ -954,17 +924,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove String a = st.nextToken(); // first one is the initiating agent if ((count != 0) && a.equals(agentID)) { - // duplicated uid - throw new EBaseException(CMS.getUserMessage("CMS_KRA_CREDENTIALS_EXIST")); + // duplicated uid + throw new EBaseException( + CMS.getUserMessage("CMS_KRA_CREDENTIALS_EXIST")); } count++; } // note: if count==1 and required agents is 1, it's good to add // and it'd look like "agent1,agent1" - that's the only dup allowed - if (count <= getNoOfRequiredAgents()) { //all good, add it - r.setExtData(RecoveryService.ATTR_APPROVE_AGENTS, - agents+","+agentID); + if (count <= getNoOfRequiredAgents()) { // all good, add it + r.setExtData(RecoveryService.ATTR_APPROVE_AGENTS, agents + "," + + agentID); if (count == getNoOfRequiredAgents()) { r.setRequestStatus(RequestStatus.APPROVED); } else { @@ -978,34 +949,32 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * Recovers key for administrators. This method is - * invoked by the agent operation of the key recovery servlet. + * Recovers key for administrators. This method is invoked by the agent + * operation of the key recovery servlet. * <P> - * + * * <ul> * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST used whenever * a user private key recovery request is made (this is when the DRM * receives the request) - * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED used whenever - * a user private key recovery request is processed (this is when the DRM - * processes the request) + * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED used + * whenever a user private key recovery request is processed (this is when + * the DRM processes the request) * </ul> + * * @param kid key identifier * @param creds list of recovery agent credentials * @param password password of the PKCS12 package * @param cert certficate that will be put in PKCS12 * @param delivery file, mail or something else * @param nickname string containing the nickname of the id cert for this - * subsystem + * subsystem * @exception EBaseException failed to recover key * @return a byte array containing the key */ - public byte[] doKeyRecovery(BigInteger kid, - Credential creds[], String password, - X509CertImpl cert, - String delivery, String nickname, - String agent) - throws EBaseException { + public byte[] doKeyRecovery(BigInteger kid, Credential creds[], + String password, X509CertImpl cert, String delivery, + String nickname, String agent) throws EBaseException { String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditRecoveryID = auditRecoveryID(); @@ -1026,8 +995,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove // set transient parameters params = createVolatileRequest(r.getRequestId()); - if (mConfig.getBoolean("keySplitting")) { - params.put(RecoveryService.ATTR_AGENT_CREDENTIALS, creds); + if (mConfig.getBoolean("keySplitting")) { + params.put(RecoveryService.ATTR_AGENT_CREDENTIALS, creds); } params.put(RecoveryService.ATTR_TRANSPORT_PWD, password); @@ -1044,21 +1013,15 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, - auditPublicKey); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, auditSubjectID, + ILogger.SUCCESS, auditRecoveryID, auditPublicKey); audit(auditMessage); } catch (EBaseException eAudit1) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - auditPublicKey); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, auditSubjectID, + ILogger.FAILURE, auditRecoveryID, auditPublicKey); audit(auditMessage); @@ -1071,18 +1034,16 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove queue.processRequest(r); if (r.getExtDataInString(IRequest.ERROR) == null) { - byte pkcs12[] = (byte[]) params.get( - RecoveryService.ATTR_PKCS12); + byte pkcs12[] = (byte[]) params + .get(RecoveryService.ATTR_PKCS12); auditAgents = auditAgents(creds); // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, - auditAgents); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, ILogger.SUCCESS, auditRecoveryID, + auditAgents); audit(auditMessage); @@ -1092,11 +1053,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } else { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - auditAgents); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, + auditAgents); audit(auditMessage); @@ -1105,11 +1064,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } catch (EBaseException eAudit1) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - auditAgents); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, + auditAgents); audit(auditMessage); @@ -1117,29 +1074,27 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } } - /** - * Async Recovers key for administrators. This method is - * invoked by the agent operation of the key recovery servlet. + /** + * Async Recovers key for administrators. This method is invoked by the + * agent operation of the key recovery servlet. * <P> - * + * * <ul> * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST used whenever * a user private key recovery request is made (this is when the DRM * receives the request) - * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED used whenever - * a user private key recovery request is processed (this is when the DRM - * processes the request) + * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED used + * whenever a user private key recovery request is processed (this is when + * the DRM processes the request) * </ul> - * @param requestID request id - * @param password password of the PKCS12 package - * subsystem + * + * @param requestID request id + * @param password password of the PKCS12 package subsystem * @exception EBaseException failed to recover key * @return a byte array containing the key */ - public byte[] doKeyRecovery( - String reqID, - String password) - throws EBaseException { + public byte[] doKeyRecovery(String reqID, String password) + throws EBaseException { String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditRecoveryID = reqID; @@ -1154,8 +1109,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove queue = getRequestQueue(); r = queue.findRequest(new RequestId(reqID)); - auditAgents = - r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS); + auditAgents = r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS); // set transient parameters params = createVolatileRequest(r.getRequestId()); @@ -1164,22 +1118,22 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove // ensure that any low-level exceptions are reported // to the signed audit log and stored as failures try { - CMS.debug("KeyRecoveryAuthority: in asynchronous doKeyRecovery(), request state ="+ r.getRequestStatus().toString()); + CMS.debug("KeyRecoveryAuthority: in asynchronous doKeyRecovery(), request state =" + + r.getRequestStatus().toString()); // can only process requests in begin state r.setRequestStatus(RequestStatus.BEGIN); queue.processRequest(r); if (r.getExtDataInString(IRequest.ERROR) == null) { - byte pkcs12[] = (byte[]) params.get( - RecoveryService.ATTR_PKCS12); + byte pkcs12[] = (byte[]) params + .get(RecoveryService.ATTR_PKCS12); // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, - auditAgents); + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, + auditSubjectID, ILogger.SUCCESS, + auditRecoveryID, auditAgents); audit(auditMessage); @@ -1188,12 +1142,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove return pkcs12; } else { // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - auditAgents); + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, + auditSubjectID, ILogger.FAILURE, + auditRecoveryID, auditAgents); audit(auditMessage); @@ -1202,11 +1155,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } catch (EBaseException eAudit1) { // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - auditAgents); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, + auditAgents); audit(auditMessage); throw eAudit1; @@ -1214,9 +1165,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * Constructs a recovery request and submits it - * to the request subsystem for processing. - * + * Constructs a recovery request and submits it to the request subsystem for + * processing. + * * @param kid key identifier * @param creds list of recovery agent credentials * @param password password of the PKCS12 package @@ -1225,10 +1176,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove * @return executed request * @exception EBaseException failed to recover key */ - public IRequest recoverKey(BigInteger kid, - Credential creds[], String password, - X509CertImpl cert, - String delivery) throws EBaseException { + public IRequest recoverKey(BigInteger kid, Credential creds[], + String password, X509CertImpl cert, String delivery) + throws EBaseException { IRequestQueue queue = getRequestQueue(); IRequest r = queue.newRequest("recovery"); @@ -1242,7 +1192,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Recovers key for end-entities. - * + * * @param creds list of credentials * @param encryptionChain certificate chain * @param signingCert signing cert @@ -1251,10 +1201,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove * @return executed request * @exception EBaseException failed to recover key */ - public IRequest recoverKey(Credential creds[], CertificateChain - encryptionChain, X509CertImpl signingCert, - X509CertImpl transportCert, - X500Name ownerName) throws EBaseException { + public IRequest recoverKey(Credential creds[], + CertificateChain encryptionChain, X509CertImpl signingCert, + X509CertImpl transportCert, X500Name ownerName) + throws EBaseException { IRequestQueue queue = getRequestQueue(); IRequest r = queue.newRequest("recovery"); @@ -1264,8 +1214,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove r.setExtData(RecoveryService.ATTR_ENCRYPTION_CERTS, certChainOut.toByteArray()); } catch (IOException e) { - log(ILogger.LL_FAILURE, - "Error encoding certificate chain"); + log(ILogger.LL_FAILURE, "Error encoding certificate chain"); } r.setExtData(RecoveryService.ATTR_SIGNING_CERT, signingCert); @@ -1277,8 +1226,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove r.setExtData(RecoveryService.ATTR_OWNER_NAME, ownerNameOut.toByteArray()); } catch (IOException e) { - log(ILogger.LL_FAILURE, - "Error encoding X500Name for owner name"); + log(ILogger.LL_FAILURE, "Error encoding X500Name for owner name"); } queue.processRequest(r); @@ -1286,10 +1234,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * Retrieves the storage key unit. The storage key - * is used to wrap the user key for long term - * storage. - * + * Retrieves the storage key unit. The storage key is used to wrap the user + * key for long term storage. + * * @return storage key unit. */ public IStorageKeyUnit getStorageKeyUnit() { @@ -1298,7 +1245,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Retrieves the transport key unit. - * + * * @return transport key unit */ public ITransportKeyUnit getTransportKeyUnit() { @@ -1306,9 +1253,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * Returns the name of this subsystem. This name is - * extracted from the transport certificate. - * + * Returns the name of this subsystem. This name is extracted from the + * transport certificate. + * * @return KRA name */ public X500Name getX500Name() { @@ -1320,9 +1267,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * Returns the nickname for the id cert of this - * subsystem. - * + * Returns the nickname for the id cert of this subsystem. + * * @return nickname of the transport certificate */ public String getNickname() { @@ -1339,11 +1285,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } catch (EBaseException e) { } } - + public String getNewNickName() throws EBaseException { return mConfig.getString(PROP_NEW_NICKNAME, ""); } - + public void setNewNickName(String name) { mConfig.putString(PROP_NEW_NICKNAME, name); } @@ -1355,7 +1301,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Retrieves KRA request repository. * <P> - * + * * @return request repository */ public IRequestQueue getRequestQueue() { @@ -1363,8 +1309,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * Retrieves the key repository. The key repository - * stores archived keys. + * Retrieves the key repository. The key repository stores archived keys. * <P> */ public IKeyRepository getKeyRepository() { @@ -1374,18 +1319,17 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Retrieves replica repository. * <P> - * + * * @return replica repository */ public IReplicaIDRepository getReplicaRepository() { return mReplicaRepot; } - /** * Retrieves the DN of this escrow authority. * <P> - * + * * @return distinguished name */ protected String getDN() { @@ -1401,23 +1345,22 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Logs an event. - * + * * @param level log level * @param msg message to log */ public void log(int level, String msg) { - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, - level, msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, level, msg); } /** * Registers a request listener. - * + * * @param l request listener */ public void registerRequestListener(IRequestListener l) { // it's initialized. - if (mNotify != null) + if (mNotify != null) mNotify.registerListener(l); } @@ -1426,8 +1369,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove } /** - * init notification related listeners - - * right now only RequestInQueue listener is available for KRA + * init notification related listeners - right now only RequestInQueue + * listener is available for KRA */ private void initNotificationListeners() { IConfigStore nc = null; @@ -1439,66 +1382,58 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove IConfigStore rq = nc.getSubStore(PROP_REQ_IN_Q_SUBSTORE); IAuthority cSub = (IAuthority) this; - String requestInQListenerClassName = nc.getString("certificateIssuedListenerClassName", "com.netscape.cms.listeners.RequestInQListener"); + String requestInQListenerClassName = nc.getString( + "certificateIssuedListenerClassName", + "com.netscape.cms.listeners.RequestInQListener"); try { - mReqInQListener = (IRequestListener) Class.forName(requestInQListenerClassName).newInstance(); + mReqInQListener = (IRequestListener) Class.forName( + requestInQListenerClassName).newInstance(); mReqInQListener.init(this, nc); } catch (Exception e1) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_REGISTER_LISTENER", requestInQListenerClassName)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_KRA_REGISTER_LISTENER", + requestInQListenerClassName)); } } else { - log(ILogger.LL_INFO, - "No KRA notification Module configuration found"); + log(ILogger.LL_INFO, + "No KRA notification Module configuration found"); } } catch (EPropertyNotFound e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString())); } catch (EListenersException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString())); } catch (EBaseException e) { - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString())); } } /** * temporary accepted ras. */ - /* code no longer used - public X500Name[] getAcceptedRAs() { - // temporary. use usr/grp for real thing. - X500Name radn = null; - String raname = null; - - try { - raname = mConfig.getString("acceptedRA", null); - if (raname != null) { - radn = new X500Name(raname); - } - } catch (IOException e) { - mLogger.log(ILogger.EV_SYSTEM, ILogger.S_KRA, - ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_INVALID_RA_NAME", raname, e.toString())); - } catch (EBaseException e) { - // ignore - set to null. - mLogger.log(ILogger.EV_SYSTEM, ILogger.S_KRA, - ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_INVALID_RA_SETUP", e.toString())); - } - return new X500Name[] { radn }; - } - */ + /* + * code no longer used public X500Name[] getAcceptedRAs() { // temporary. + * use usr/grp for real thing. X500Name radn = null; String raname = null; + * + * try { raname = mConfig.getString("acceptedRA", null); if (raname != null) + * { radn = new X500Name(raname); } } catch (IOException e) { + * mLogger.log(ILogger.EV_SYSTEM, ILogger.S_KRA, ILogger.LL_FAILURE, + * CMS.getLogMessage("CMSCORE_KRA_INVALID_RA_NAME", raname, e.toString())); + * } catch (EBaseException e) { // ignore - set to null. + * mLogger.log(ILogger.EV_SYSTEM, ILogger.S_KRA, ILogger.LL_FAILURE, + * CMS.getLogMessage("CMSCORE_KRA_INVALID_RA_SETUP", e.toString())); } + * return new X500Name[] { radn }; } + */ public Hashtable mVolatileRequests = new Hashtable(); /** - * Creates a request object to store attributes that - * will not be serialized. Currently, request queue - * framework will try to serialize all the attribute into - * persistent storage. Things like passwords are not + * Creates a request object to store attributes that will not be serialized. + * Currently, request queue framework will try to serialize all the + * attribute into persistent storage. Things like passwords are not * desirable to be stored. */ public Hashtable createVolatileRequest(RequestId id) { @@ -1522,10 +1457,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Signed Audit Log - * + * * This method is called to store messages to the signed audit log. * <P> - * + * * @param msg signed audit log message */ private void audit(String msg) { @@ -1536,20 +1471,17 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove return; } - mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, - null, - ILogger.S_SIGNED_AUDIT, - ILogger.LL_SECURITY, - msg); + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null, + ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg); } /** * Signed Audit Log Subject ID - * - * This method is called to obtain the "SubjectID" for - * a signed audit log message. + * + * This method is called to obtain the "SubjectID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message SubjectID */ private String auditSubjectID() { @@ -1564,8 +1496,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - subjectID = (String) - auditContext.get(SessionContext.USER_ID); + subjectID = (String) auditContext.get(SessionContext.USER_ID); if (subjectID != null) { subjectID = subjectID.trim(); @@ -1581,11 +1512,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Signed Audit Log Requester ID - * - * This method is called to obtain the "RequesterID" for - * a signed audit log message. + * + * This method is called to obtain the "RequesterID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message RequesterID */ private String auditRequesterID() { @@ -1600,8 +1531,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - requesterID = (String) - auditContext.get(SessionContext.REQUESTER_ID); + requesterID = (String) auditContext + .get(SessionContext.REQUESTER_ID); if (requesterID != null) { requesterID = requesterID.trim(); @@ -1617,11 +1548,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Signed Audit Log Recovery ID - * - * This method is called to obtain the "RecoveryID" for - * a signed audit log message. + * + * This method is called to obtain the "RecoveryID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message RecoveryID */ private String auditRecoveryID() { @@ -1636,8 +1567,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - recoveryID = (String) - auditContext.get(SessionContext.RECOVERY_ID); + recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID); if (recoveryID != null) { recoveryID = recoveryID.trim(); @@ -1653,11 +1583,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Signed Audit Log Public Key - * + * * This method is called to obtain the public key from the passed in * "X509Certificate" for a signed audit log message. * <P> - * + * * @param cert an X509Certificate * @return key string containing the certificate's public key */ @@ -1693,11 +1623,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Signed Audit Log Public Key - * + * * This method is called to obtain the public key from the passed in * "KeyRecord" for a signed audit log message. * <P> - * + * * @param rec a Key Record * @return key string containing the certificate's public key */ @@ -1750,11 +1680,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove /** * Signed Audit Agents - * + * * This method is called to extract agent uids from the passed in * "Credentials[]" and return a string of comma-separated agent uids. * <P> - * + * * @param creds array of credentials * @return a comma-separated string of agent uids */ @@ -1778,8 +1708,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove uid = uid.trim(); } - if (uid != null && - !uid.equals("")) { + if (uid != null && !uid.equals("")) { if (i == 0) { agents = uid; @@ -1792,4 +1721,3 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove return agents; } } - diff --git a/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index c69ab8c16..64ecee733 100644 --- a/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.FilterOutputStream; @@ -65,51 +64,34 @@ import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmscore.util.Debug; /** - * A class representing keygen/archival request procesor for requests - * from netkey RAs. - * the user private key of the encryption cert is wrapped with a - * session symmetric key. The session symmetric key is wrapped with the - * storage key and stored in the internal database for long term - * storage. - * The user private key of the encryption cert is to be wrapped with the - * DES key which came in in the request wrapped with the KRA - * transport cert. The wrapped user private key is then sent back to - * the caller (netkey RA) ...netkey RA should already has kek-wrapped - * des key from the TKS. They are to be sent together back to - * the token. - * + * A class representing keygen/archival request procesor for requests from + * netkey RAs. the user private key of the encryption cert is wrapped with a + * session symmetric key. The session symmetric key is wrapped with the storage + * key and stored in the internal database for long term storage. The user + * private key of the encryption cert is to be wrapped with the DES key which + * came in in the request wrapped with the KRA transport cert. The wrapped user + * private key is then sent back to the caller (netkey RA) ...netkey RA should + * already has kek-wrapped des key from the TKS. They are to be sent together + * back to the token. + * * @author Christina Fu (cfu) * @version $Revision$, $Date$ */ public class NetkeyKeygenService implements IService { public final static String ATTR_KEY_RECORD = "keyRecord"; - public final static String ATTR_PROOF_OF_ARCHIVAL = - "proofOfArchival"; - - // private - private final static String - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; - private final static String - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; - // these need to be defined in LogMessages_en.properties later when we do this - private final static String - LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST = - "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; - private final static String - LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = - "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; - private final static String - LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; - private final static String - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; - private final static String - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; + public final static String ATTR_PROOF_OF_ARCHIVAL = "proofOfArchival"; + + // private + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; + // these need to be defined in LogMessages_en.properties later when we do + // this + private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST = "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; + private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; + private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; private IKeyRecoveryAuthority mKRA = null; private ITransportKeyUnit mTransportUnit = null; private IStorageKeyUnit mStorageUnit = null; @@ -132,34 +114,31 @@ public class NetkeyKeygenService implements IService { PKIArchiveOptions archOpts = null; try { - archOpts = (PKIArchiveOptions) - (new PKIArchiveOptions.Template()).decode(bis); + archOpts = (PKIArchiveOptions) (new PKIArchiveOptions.Template()) + .decode(bis); } catch (Exception e) { - CMS.debug("NetkeyKeygenService: getPKIArchiveOptions " + e.toString()); + CMS.debug("NetkeyKeygenService: getPKIArchiveOptions " + + e.toString()); } return archOpts; } - public KeyPair generateKeyPair( - KeyPairAlgorithm kpAlg, int keySize, PQGParams pqg) - throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException, - InvalidParameterException, PQGParamGenException { + public KeyPair generateKeyPair(KeyPairAlgorithm kpAlg, int keySize, + PQGParams pqg) throws NoSuchAlgorithmException, TokenException, + InvalidAlgorithmParameterException, InvalidParameterException, + PQGParamGenException { CryptoToken token = mKRA.getKeygenToken(); - - CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: "+token.getName()); + + CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: " + + token.getName()); /* - make it temporary so can work with HSM - netHSM works with - temporary == true - sensitive == <do not specify> - extractable == <do not specify> - LunaSA2 works with - temporary == true - sensitive == true - extractable == true - */ + * make it temporary so can work with HSM netHSM works with temporary == + * true sensitive == <do not specify> extractable == <do not specify> + * LunaSA2 works with temporary == true sensitive == true extractable == + * true + */ KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg); IConfigStore config = CMS.getConfigStore(); IConfigStore kgConfig = config.getSubStore("kra.keygen"); @@ -167,19 +146,19 @@ public class NetkeyKeygenService implements IService { boolean sp = false; boolean ep = false; if (kgConfig != null) { - try { - tp = kgConfig.getBoolean("temporaryPairs", false); - sp = kgConfig.getBoolean("sensitivePairs", false); - ep = kgConfig.getBoolean("extractablePairs", false); - // by default, let nethsm work - if ((tp == false) && (sp == false) && (ep == false)) { + try { + tp = kgConfig.getBoolean("temporaryPairs", false); + sp = kgConfig.getBoolean("sensitivePairs", false); + ep = kgConfig.getBoolean("extractablePairs", false); + // by default, let nethsm work + if ((tp == false) && (sp == false) && (ep == false)) { + tp = true; + } + } catch (Exception e) { + CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed"); + // by default, let nethsm work tp = true; } - } catch (Exception e) { - CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed"); - // by default, let nethsm work - tp = true; - } } else { // by default, let nethsm work CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true"); @@ -187,18 +166,18 @@ public class NetkeyKeygenService implements IService { } /* only specified to "true" will it be set */ if (tp == true) { - CMS.debug("NetkeyKeygenService: setting temporaryPairs to true"); - kpGen.temporaryPairs(true); + CMS.debug("NetkeyKeygenService: setting temporaryPairs to true"); + kpGen.temporaryPairs(true); } if (sp == true) { - CMS.debug("NetkeyKeygenService: setting sensitivePairs to true"); + CMS.debug("NetkeyKeygenService: setting sensitivePairs to true"); kpGen.sensitivePairs(true); } if (ep == true) { - CMS.debug("NetkeyKeygenService: setting extractablePairs to true"); + CMS.debug("NetkeyKeygenService: setting extractablePairs to true"); kpGen.extractablePairs(true); } - + if (kpAlg == KeyPairAlgorithm.DSA) { if (pqg == null) { kpGen.initialize(keySize); @@ -210,33 +189,29 @@ public class NetkeyKeygenService implements IService { } if (pqg == null) { - KeyPair kp = null; - synchronized (new Object()) { + KeyPair kp = null; + synchronized (new Object()) { CMS.debug("NetkeyKeygenService: key pair generation begins"); - kp = kpGen.genKeyPair(); + kp = kpGen.genKeyPair(); CMS.debug("NetkeyKeygenService: key pair generation done"); - mKRA.addEntropy(true); - } - return kp; + mKRA.addEntropy(true); + } + return kp; } else { // DSA KeyPair kp = null; - /* no DSA for now... netkey prototype - do { - // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair - kp = kpGen.genKeyPair(); - } - while (isBadDSAKeyPair(kp)); - */ + /* + * no DSA for now... netkey prototype do { // 602548 NSS bug - to + * overcome it, we use isBadDSAKeyPair kp = kpGen.genKeyPair(); } + * while (isBadDSAKeyPair(kp)); + */ return kp; } } - - - public KeyPair generateKeyPair( String alg, - int keySize, PQGParams pqg) throws EBaseException { + public KeyPair generateKeyPair(String alg, int keySize, PQGParams pqg) + throws EBaseException { KeyPairAlgorithm kpAlg = null; @@ -246,21 +221,24 @@ public class NetkeyKeygenService implements IService { kpAlg = KeyPairAlgorithm.DSA; try { - KeyPair kp = generateKeyPair( kpAlg, keySize, pqg); + KeyPair kp = generateKeyPair(kpAlg, keySize, pqg); return kp; } catch (InvalidParameterException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS", - "" + keySize)); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEYSIZE_PARAMS", "" + keySize)); } catch (PQGParamGenException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED")); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED")); } catch (NoSuchAlgorithmException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", - kpAlg.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_ALG_NOT_SUPPORTED", kpAlg.toString())); } catch (TokenException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR_1", e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_TOKEN_ERROR_1", e.toString())); } catch (InvalidAlgorithmParameterException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", "DSA")); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_ALG_NOT_SUPPORTED", "DSA")); } } @@ -268,11 +246,8 @@ public class NetkeyKeygenService implements IService { // All this streaming is lame, but Base64OutputStream needs a // PrintStream ByteArrayOutputStream output = new ByteArrayOutputStream(); - Base64OutputStream b64 = new Base64OutputStream(new - PrintStream(new - FilterOutputStream(output) - ) - ); + Base64OutputStream b64 = new Base64OutputStream(new PrintStream( + new FilterOutputStream(output))); b64.write(bytes); b64.flush(); @@ -283,34 +258,32 @@ public class NetkeyKeygenService implements IService { } // this encrypts bytes with a symmetric key - public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token, - IVParameterSpec IV) - { - try { - Cipher cipher = token.getCipherContext( - EncryptionAlgorithm.DES3_CBC_PAD); - - cipher.initEncrypt(symKey, IV); - byte pri[] = cipher.doFinal(toBeEncrypted); - return pri; - } catch (Exception e) { - CMS.debug("NetkeyKeygenService:initEncrypt() threw exception: "+e.toString()); + public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, + CryptoToken token, IVParameterSpec IV) { + try { + Cipher cipher = token + .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); + + cipher.initEncrypt(symKey, IV); + byte pri[] = cipher.doFinal(toBeEncrypted); + return pri; + } catch (Exception e) { + CMS.debug("NetkeyKeygenService:initEncrypt() threw exception: " + + e.toString()); return null; } } - /** * Services an archival request from netkey. * <P> - * + * * @param request enrollment request * @return serving successful or not * @exception EBaseException failed to serve */ - public boolean serviceRequest(IRequest request) - throws EBaseException { + public boolean serviceRequest(IRequest request) throws EBaseException { String auditMessage = null; String auditSubjectID = null; String auditRequesterID = "TPSagent"; @@ -318,129 +291,135 @@ public class NetkeyKeygenService implements IService { String auditPublicKey = ILogger.UNIDENTIFIED; byte[] wrapped_des_key; - byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1}; - String iv_s =""; + byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + String iv_s = ""; try { SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); random.nextBytes(iv); } catch (Exception e) { - CMS.debug("NetkeyKeygenService.serviceRequest: "+ e.toString()); + CMS.debug("NetkeyKeygenService.serviceRequest: " + e.toString()); } - IVParameterSpec algParam = new IVParameterSpec(iv); + IVParameterSpec algParam = new IVParameterSpec(iv); wrapped_des_key = null; - boolean archive = true; - PK11SymKey sk= null; - byte[] publicKeyData = null;; - String PubKey = ""; + boolean archive = true; + PK11SymKey sk = null; + byte[] publicKeyData = null; + ; + String PubKey = ""; String id = request.getRequestId().toString(); if (id != null) { auditArchiveID = id.trim(); } - String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG); - if (rArchive.equals("true")) { - archive = true; - CMS.debug("NetkeyKeygenService: serviceRequest " +"archival requested for serverSideKeyGen"); - } else { - archive = false; - CMS.debug("NetkeyKeygenService: serviceRequest " +"archival not requested for serverSideKeyGen"); + String rArchive = request + .getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG); + if (rArchive.equals("true")) { + archive = true; + CMS.debug("NetkeyKeygenService: serviceRequest " + + "archival requested for serverSideKeyGen"); + } else { + archive = false; + CMS.debug("NetkeyKeygenService: serviceRequest " + + "archival not requested for serverSideKeyGen"); } String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID); - String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID); - String rKeysize = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_SIZE); - int keysize = Integer.parseInt(rKeysize); - auditSubjectID=rCUID+":"+rUserid; + String rUserid = request + .getExtDataInString(IRequest.NETKEY_ATTR_USERID); + String rKeysize = request + .getExtDataInString(IRequest.NETKEY_ATTR_KEY_SIZE); + int keysize = Integer.parseInt(rKeysize); + auditSubjectID = rCUID + ":" + rUserid; SessionContext sContext = SessionContext.getContext(); - String agentId=""; + String agentId = ""; if (sContext != null) { - agentId = - (String) sContext.get(SessionContext.USER_ID); + agentId = (String) sContext.get(SessionContext.USER_ID); } auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST, - agentId, - ILogger.SUCCESS, - auditSubjectID); + LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST, agentId, + ILogger.SUCCESS, auditSubjectID); audit(auditMessage); - - String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); - // CMS.debug("NetkeyKeygenService: received DRM-trans-wrapped DES key ="+rWrappedDesKeyString); - wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString); + String rWrappedDesKeyString = request + .getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); + // CMS.debug("NetkeyKeygenService: received DRM-trans-wrapped DES key ="+rWrappedDesKeyString); + wrapped_des_key = com.netscape.cmsutil.util.Utils + .SpecialDecode(rWrappedDesKeyString); CMS.debug("NetkeyKeygenService: wrapped_des_key specialDecoded"); - // get the token for generating user keys - CryptoToken keygenToken = mKRA.getKeygenToken(); - if (keygenToken == null) { - CMS.debug("NetkeyKeygenService: failed getting keygenToken"); - request.setExtData(IRequest.RESULT, Integer.valueOf(10)); - return false; - } else - CMS.debug("NetkeyKeygenService: got keygenToken"); + // get the token for generating user keys + CryptoToken keygenToken = mKRA.getKeygenToken(); + if (keygenToken == null) { + CMS.debug("NetkeyKeygenService: failed getting keygenToken"); + request.setExtData(IRequest.RESULT, Integer.valueOf(10)); + return false; + } else + CMS.debug("NetkeyKeygenService: got keygenToken"); - if ((wrapped_des_key != null) && - (wrapped_des_key.length > 0)) { + if ((wrapped_des_key != null) && (wrapped_des_key.length > 0)) { // unwrap the DES key - sk= (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key); + sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key); - /* XXX could be done in HSM*/ + /* XXX could be done in HSM */ KeyPair keypair = null; CMS.debug("NetkeyKeygenService: about to generate key pair"); - keypair = generateKeyPair("RSA"/*alg*/, - keysize /*Integer.parseInt(len)*/, null /*pqgParams*/); + keypair = generateKeyPair("RSA"/* alg */, keysize /* + * Integer.parseInt + * (len) + */, null /* pqgParams */); if (keypair == null) { - CMS.debug("NetkeyKeygenService: failed generating key pair for "+rCUID+":"+rUserid); + CMS.debug("NetkeyKeygenService: failed generating key pair for " + + rCUID + ":" + rUserid); request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE, - agentId, - ILogger.FAILURE, - auditSubjectID); + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE, + agentId, ILogger.FAILURE, auditSubjectID); audit(auditMessage); return false; } - CMS.debug("NetkeyKeygenService: finished generate key pair for " +rCUID+":"+rUserid); + CMS.debug("NetkeyKeygenService: finished generate key pair for " + + rCUID + ":" + rUserid); try { - publicKeyData = keypair.getPublic().getEncoded(); - if (publicKeyData == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("NetkeyKeygenService: failed getting publickey encoded"); - return false; - } else { - //CMS.debug("NetkeyKeygenService: public key binary length ="+ publicKeyData.length); - PubKey = base64Encode(publicKeyData); - - //CMS.debug("NetkeyKeygenService: public key length =" + PubKey.length()); - request.setExtData("public_key", PubKey); - } - - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS, - agentId, - ILogger.SUCCESS, - auditSubjectID, - PubKey); + publicKeyData = keypair.getPublic().getEncoded(); + if (publicKeyData == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("NetkeyKeygenService: failed getting publickey encoded"); + return false; + } else { + // CMS.debug("NetkeyKeygenService: public key binary length ="+ + // publicKeyData.length); + PubKey = base64Encode(publicKeyData); + + // CMS.debug("NetkeyKeygenService: public key length =" + + // PubKey.length()); + request.setExtData("public_key", PubKey); + } + + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS, + agentId, ILogger.SUCCESS, auditSubjectID, + PubKey); audit(auditMessage); - //...extract the private key handle (not privatekeydata) - java.security.PrivateKey privKey = - keypair.getPrivate(); + // ...extract the private key handle (not privatekeydata) + java.security.PrivateKey privKey = keypair.getPrivate(); if (privKey == null) { request.setExtData(IRequest.RESULT, Integer.valueOf(4)); @@ -450,159 +429,159 @@ public class NetkeyKeygenService implements IService { CMS.debug("NetkeyKeygenService: got private key"); } - if (sk == null) { - CMS.debug("NetkeyKeygenService: no DES key"); - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - return false; - } else { - CMS.debug("NetkeyKeygenService: received DES key"); - } - - // 3 wrapping should be done in HSM - // wrap private key with DES - KeyWrapper symWrap = - keygenToken.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); - CMS.debug("NetkeyKeygenService: wrapper token=" + keygenToken.getName()); - CMS.debug("NetkeyKeygenService: got key wrapper"); - - CMS.debug("NetkeyKeygenService: key transport key is on slot: "+sk.getOwningToken().getName()); - symWrap.initWrap((SymmetricKey)sk, algParam); - byte wrapped[] = symWrap.wrap((PrivateKey)privKey); - /* - CMS.debug("NetkeyKeygenService: wrap called"); - CMS.debug(wrapped); - */ - /* This is for using with my decryption tool and ASN1 - decoder to see if the private key is indeed PKCS#8 format - { // cfu debug - String oFilePath = "/tmp/wrappedPrivKey.bin"; - File file = new File(oFilePath); - FileOutputStream ostream = new FileOutputStream(oFilePath); - ostream.write(wrapped); - ostream.close(); - } - */ - String wrappedPrivKeyString = /*base64Encode(wrapped);*/ - com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped); - if (wrappedPrivKeyString == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("NetkeyKeygenService: failed generating wrapped private key"); - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, - agentId, - ILogger.FAILURE, - auditSubjectID, - PubKey); - - audit(auditMessage); - return false; - } else { - request.setExtData("wrappedUserPrivate", wrappedPrivKeyString); - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, - agentId, - ILogger.SUCCESS, - auditSubjectID, - PubKey); - - audit(auditMessage); - } - - iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); - request.setExtData("iv_s", iv_s); - - /* - * archival - option flag "archive" controllable by the caller - TPS - */ - if (archive) { - // - // privateKeyData ::= SEQUENCE { - // sessionKey OCTET_STRING, - // encKey OCTET_STRING, - // } - // - // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private"); - - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - agentId, - ILogger.SUCCESS, - auditSubjectID, - auditArchiveID); - - audit(auditMessage); - CMS.debug("KRA encrypts private key to put on internal ldap db"); - byte privateKeyData[] = - mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey); - - if (privateKeyData == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed"); - return false; - } else - CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful"); - - // create key record - KeyRecord rec = new KeyRecord(null, publicKeyData, - privateKeyData, rCUID+":"+rUserid, - keypair.getPublic().getAlgorithm(), - agentId); - - CMS.debug("NetkeyKeygenService: got key record"); - - // we deal with RSA key only - try { - RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData); - - rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); - } catch (InvalidKeyException e) { - request.setExtData(IRequest.RESULT, Integer.valueOf(11)); - CMS.debug("NetkeyKeygenService: failed:InvalidKeyException"); - return false; - } - //?? - IKeyRepository storage = mKRA.getKeyRepository(); - BigInteger serialNo = storage.getNextSerialNumber(); - - if (serialNo == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(11)); - CMS.debug("NetkeyKeygenService: serialNo null"); - return false; - } - CMS.debug("NetkeyKeygenService: before addKeyRecord"); - rec.set(KeyRecord.ATTR_ID, serialNo); - request.setExtData(ATTR_KEY_RECORD, serialNo); - storage.addKeyRecord(rec); - CMS.debug("NetkeyKeygenService: key archived for "+rCUID+":"+rUserid); - - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, - agentId, - ILogger.SUCCESS, - PubKey); - - audit(auditMessage); - - } //if archive - - request.setExtData(IRequest.RESULT, Integer.valueOf(1)); - } catch (Exception e) { - CMS.debug("NetKeyKeygenService: " + e.toString()); - Debug.printStackTrace(e); + if (sk == null) { + CMS.debug("NetkeyKeygenService: no DES key"); request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + return false; + } else { + CMS.debug("NetkeyKeygenService: received DES key"); } - } else + + // 3 wrapping should be done in HSM + // wrap private key with DES + KeyWrapper symWrap = keygenToken + .getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); + CMS.debug("NetkeyKeygenService: wrapper token=" + + keygenToken.getName()); + CMS.debug("NetkeyKeygenService: got key wrapper"); + + CMS.debug("NetkeyKeygenService: key transport key is on slot: " + + sk.getOwningToken().getName()); + symWrap.initWrap((SymmetricKey) sk, algParam); + byte wrapped[] = symWrap.wrap((PrivateKey) privKey); + /* + * CMS.debug("NetkeyKeygenService: wrap called"); + * CMS.debug(wrapped); + */ + /* + * This is for using with my decryption tool and ASN1 decoder to + * see if the private key is indeed PKCS#8 format { // cfu debug + * String oFilePath = "/tmp/wrappedPrivKey.bin"; File file = new + * File(oFilePath); FileOutputStream ostream = new + * FileOutputStream(oFilePath); ostream.write(wrapped); + * ostream.close(); } + */ + String wrappedPrivKeyString = /* base64Encode(wrapped); */ + com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped); + if (wrappedPrivKeyString == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("NetkeyKeygenService: failed generating wrapped private key"); + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, + agentId, ILogger.FAILURE, auditSubjectID, + PubKey); + + audit(auditMessage); + return false; + } else { + request.setExtData("wrappedUserPrivate", + wrappedPrivKeyString); + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, + agentId, ILogger.SUCCESS, auditSubjectID, + PubKey); + + audit(auditMessage); + } + + iv_s = /* base64Encode(iv); */com.netscape.cmsutil.util.Utils + .SpecialEncode(iv); + request.setExtData("iv_s", iv_s); + + /* + * archival - option flag "archive" controllable by the caller - + * TPS + */ + if (archive) { + // + // privateKeyData ::= SEQUENCE { + // sessionKey OCTET_STRING, + // encKey OCTET_STRING, + // } + // + // mKRA.log(ILogger.LL_INFO, + // "KRA encrypts internal private"); + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + agentId, ILogger.SUCCESS, auditSubjectID, + auditArchiveID); + + audit(auditMessage); + CMS.debug("KRA encrypts private key to put on internal ldap db"); + byte privateKeyData[] = mStorageUnit + .wrap((org.mozilla.jss.crypto.PrivateKey) privKey); + + if (privateKeyData == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed"); + return false; + } else + CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful"); + + // create key record + KeyRecord rec = new KeyRecord(null, publicKeyData, + privateKeyData, rCUID + ":" + rUserid, keypair + .getPublic().getAlgorithm(), agentId); + + CMS.debug("NetkeyKeygenService: got key record"); + + // we deal with RSA key only + try { + RSAPublicKey rsaPublicKey = new RSAPublicKey( + publicKeyData); + + rec.setKeySize(Integer.valueOf(rsaPublicKey + .getKeySize())); + } catch (InvalidKeyException e) { + request.setExtData(IRequest.RESULT, Integer.valueOf(11)); + CMS.debug("NetkeyKeygenService: failed:InvalidKeyException"); + return false; + } + // ?? + IKeyRepository storage = mKRA.getKeyRepository(); + BigInteger serialNo = storage.getNextSerialNumber(); + + if (serialNo == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(11)); + CMS.debug("NetkeyKeygenService: serialNo null"); + return false; + } + CMS.debug("NetkeyKeygenService: before addKeyRecord"); + rec.set(KeyRecord.ATTR_ID, serialNo); + request.setExtData(ATTR_KEY_RECORD, serialNo); + storage.addKeyRecord(rec); + CMS.debug("NetkeyKeygenService: key archived for " + rCUID + + ":" + rUserid); + + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, + agentId, ILogger.SUCCESS, PubKey); + + audit(auditMessage); + + } // if archive + + request.setExtData(IRequest.RESULT, Integer.valueOf(1)); + } catch (Exception e) { + CMS.debug("NetKeyKeygenService: " + e.toString()); + Debug.printStackTrace(e); + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + } + } else request.setExtData(IRequest.RESULT, Integer.valueOf(2)); - + return true; - } //serviceRequest + } // serviceRequest /** - * Signed Audit Log - *y - * This method is called to store messages to the signed audit log. + * Signed Audit Log y This method is called to store messages to the signed + * audit log. * <P> - * + * * @param msg signed audit log message */ private void audit(String msg) { @@ -613,10 +592,7 @@ public class NetkeyKeygenService implements IService { return; } - mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, - null, - ILogger.S_SIGNED_AUDIT, - ILogger.LL_SECURITY, - msg); + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null, + ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg); } } diff --git a/pki/base/kra/src/com/netscape/kra/RecoveryService.java b/pki/base/kra/src/com/netscape/kra/RecoveryService.java index f364bf4ff..0760d7078 100644 --- a/pki/base/kra/src/com/netscape/kra/RecoveryService.java +++ b/pki/base/kra/src/com/netscape/kra/RecoveryService.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import java.io.ByteArrayOutputStream; import java.io.CharConversionException; import java.math.BigInteger; @@ -71,16 +70,15 @@ import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmscore.util.Debug; /** - * A class represents recovery request processor. There - * are 2 types of recovery modes: (1) administrator or - * (2) end-entity. + * A class represents recovery request processor. There are 2 types of recovery + * modes: (1) administrator or (2) end-entity. * <P> - * Administrator recovery will create a PKCS12 file where - * stores the certificate and the recovered key. + * Administrator recovery will create a PKCS12 file where stores the certificate + * and the recovered key. * <P> - * End Entity recovery will send RA or CA a response where - * stores the recovered key. - * + * End Entity recovery will send RA or CA a response where stores the recovered + * key. + * * @author thomask (original) * @author cfu (non-RSA keys; private keys secure handling); * @version $Revision$, $Date$ @@ -96,12 +94,10 @@ public class RecoveryService implements IService { public static final String ATTR_TRANSPORT_PWD = "transportPwd"; public static final String ATTR_SIGNING_CERT = "signingCert"; public static final String ATTR_PKCS12 = "pkcs12"; - public static final String ATTR_ENCRYPTION_CERTS = - "encryptionCerts"; - public static final String ATTR_AGENT_CREDENTIALS = - "agentCredentials"; + public static final String ATTR_ENCRYPTION_CERTS = "encryptionCerts"; + public static final String ATTR_AGENT_CREDENTIALS = "agentCredentials"; // same as encryption certs - public static final String ATTR_USER_CERT = "cert"; + public static final String ATTR_USER_CERT = "cert"; public static final String ATTR_DELIVERY = "delivery"; // for Async Key Recovery @@ -121,11 +117,10 @@ public class RecoveryService implements IService { } /** - * Processes a recovery request. Based on the recovery mode - * (either Administrator or End-Entity), the method reads - * the key record from the database, and tried to recover the - * key with the storage key unit. - * + * Processes a recovery request. Based on the recovery mode (either + * Administrator or End-Entity), the method reads the key record from the + * database, and tried to recover the key with the storage key unit. + * * @param request recovery request * @return operation success or not * @exception EBaseException failed to serve @@ -146,22 +141,25 @@ public class RecoveryService implements IService { CMS.debug("RecoveryService: serviceRequest: use internal token "); ct = cm.getInternalCryptoToken(); } else { - CMS.debug("RecoveryService: serviceRequest: tokenName="+tokName); + CMS.debug("RecoveryService: serviceRequest: tokenName=" + + tokName); ct = cm.getTokenByName(tokName); } - allowEncDecrypt_recovery = config.getBoolean("kra.allowEncDecrypt.recovery", false); + allowEncDecrypt_recovery = config.getBoolean( + "kra.allowEncDecrypt.recovery", false); } catch (Exception e) { CMS.debug("RecoveryService exception: use internal token :" - + e.toString()); + + e.toString()); ct = cm.getInternalCryptoToken(); } if (ct == null) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR"+ "cannot get crypto token")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR" + + "cannot get crypto token")); } - IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); if (statsSub != null) { - statsSub.startTiming("recovery", true /* main action */); + statsSub.startTiming("recovery", true /* main action */); } if (Debug.ON) @@ -171,8 +169,7 @@ public class RecoveryService implements IService { // byte publicKey[] = (byte[])request.get(ATTR_PUBLIC_KEY_DATA); // X500Name owner = (X500Name)request.get(ATTR_OWNER_NAME); - Hashtable params = mKRA.getVolatileRequest( - request.getRequestId()); + Hashtable params = mKRA.getVolatileRequest(request.getRequestId()); if (params == null) { // possibly we are in recovery mode @@ -184,27 +181,28 @@ public class RecoveryService implements IService { mKRA.log(ILogger.LL_INFO, "KRA reading key record"); if (statsSub != null) { - statsSub.startTiming("get_key"); + statsSub.startTiming("get_key"); } KeyRecord keyRecord = (KeyRecord) mStorage.readKeyRecord(serialno); if (statsSub != null) { - statsSub.endTiming("get_key"); + statsSub.endTiming("get_key"); } // see if the certificate matches the key byte pubData[] = keyRecord.getPublicKeyData(); - X509Certificate x509cert = - request.getExtDataInCert(ATTR_USER_CERT); + X509Certificate x509cert = request.getExtDataInCert(ATTR_USER_CERT); byte inputPubData[] = x509cert.getPublicKey().getEncoded(); if (inputPubData.length != pubData.length) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); throw new EKRAException( CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); } for (int i = 0; i < pubData.length; i++) { if (pubData[i] != inputPubData[i]) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); throw new EKRAException( CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); } @@ -212,49 +210,50 @@ public class RecoveryService implements IService { boolean isRSA = true; String keyAlg = x509cert.getPublicKey().getAlgorithm(); - if (keyAlg != null) { - CMS.debug("RecoveryService: publicKey alg ="+keyAlg); - if (!keyAlg.equals("RSA")) isRSA = false; + if (keyAlg != null) { + CMS.debug("RecoveryService: publicKey alg =" + keyAlg); + if (!keyAlg.equals("RSA")) + isRSA = false; } // Unwrap the archived private key byte privateKeyData[] = null; - X509Certificate transportCert = - request.getExtDataInCert(ATTR_TRANSPORT_CERT); + X509Certificate transportCert = request + .getExtDataInCert(ATTR_TRANSPORT_CERT); if (transportCert == null) { if (statsSub != null) { - statsSub.startTiming("recover_key"); + statsSub.startTiming("recover_key"); } PrivateKey privKey = null; if (allowEncDecrypt_recovery == true) { privateKeyData = recoverKey(params, keyRecord); } else { - privKey= recoverKey(params, keyRecord, isRSA); + privKey = recoverKey(params, keyRecord, isRSA); } if (statsSub != null) { - statsSub.endTiming("recover_key"); + statsSub.endTiming("recover_key"); } if ((isRSA == true) && (allowEncDecrypt_recovery == true)) { if (statsSub != null) { - statsSub.startTiming("verify_key"); + statsSub.startTiming("verify_key"); } // verifyKeyPair() is RSA-centric if (verifyKeyPair(pubData, privateKeyData) == false) { mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); throw new EKRAException( CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); } if (statsSub != null) { - statsSub.endTiming("verify_key"); + statsSub.endTiming("verify_key"); } } if (statsSub != null) { - statsSub.startTiming("create_p12"); + statsSub.startTiming("create_p12"); } if (allowEncDecrypt_recovery == true) { createPFX(request, params, privateKeyData); @@ -262,31 +261,29 @@ public class RecoveryService implements IService { createPFX(request, params, privKey, ct); } if (statsSub != null) { - statsSub.endTiming("create_p12"); + statsSub.endTiming("create_p12"); } } else { if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - Credential creds[] = (Credential[]) - params.get(ATTR_AGENT_CREDENTIALS); - mKRA.getStorageKeyUnit().login(creds); + Credential creds[] = (Credential[]) params + .get(ATTR_AGENT_CREDENTIALS); + mKRA.getStorageKeyUnit().login(creds); } if (statsSub != null) { - statsSub.startTiming("unwrap_key"); + statsSub.startTiming("unwrap_key"); } PrivateKey privateKey = mKRA.getStorageKeyUnit().unwrap( keyRecord.getPrivateKeyData(), null); if (statsSub != null) { - statsSub.endTiming("unwrap_key"); + statsSub.endTiming("unwrap_key"); } if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - mKRA.getStorageKeyUnit().logout(); + mKRA.getStorageKeyUnit().logout(); } } - mKRA.log(ILogger.LL_INFO, "key " + - serialno.toString() + - " recovered"); + mKRA.log(ILogger.LL_INFO, "key " + serialno.toString() + " recovered"); // for audit log String authMgr = AuditFormat.NOAUTH; @@ -294,33 +291,29 @@ public class RecoveryService implements IService { SessionContext sContext = SessionContext.getContext(); if (sContext != null) { - String agentId = - (String) sContext.get(SessionContext.USER_ID); + String agentId = (String) sContext.get(SessionContext.USER_ID); initiative = AuditFormat.FROMAGENT + " agentID: " + agentId; - AuthToken authToken = (AuthToken) sContext.get(SessionContext.AUTH_TOKEN); - + AuthToken authToken = (AuthToken) sContext + .get(SessionContext.AUTH_TOKEN); + if (authToken != null) { - authMgr = - authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = authToken + .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); } } - CMS.getLogger().log(ILogger.EV_AUDIT, - ILogger.S_KRA, - AuditFormat.LEVEL, - AuditFormat.FORMAT, - new Object[] { - IRequest.KEYRECOVERY_REQUEST, - request.getRequestId(), - initiative, - authMgr, - "completed", - ((X509CertImpl) x509cert).getSubjectDN(), - "serial number: 0x" + serialno.toString(16)} - ); + CMS.getLogger().log( + ILogger.EV_AUDIT, + ILogger.S_KRA, + AuditFormat.LEVEL, + AuditFormat.FORMAT, + new Object[] { IRequest.KEYRECOVERY_REQUEST, + request.getRequestId(), initiative, authMgr, + "completed", ((X509CertImpl) x509cert).getSubjectDN(), + "serial number: 0x" + serialno.toString(16) }); if (statsSub != null) { - statsSub.endTiming("recovery"); + statsSub.endTiming("recovery"); } return true; @@ -329,63 +322,67 @@ public class RecoveryService implements IService { /* * verifyKeyPair()- RSA-centric key verification */ - public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) - { - try { - DerValue publicKeyVal = new DerValue(publicKeyData); - DerInputStream publicKeyIn = publicKeyVal.data; - publicKeyIn.getSequence(0); - DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); - DerInputStream publicKeyDerIn = publicKeyDer.data; - BigInt publicKeyModulus = publicKeyDerIn.getInteger(); - BigInt publicKeyExponent = publicKeyDerIn.getInteger(); - - DerValue privateKeyVal = new DerValue(privateKeyData); - if (privateKeyVal.tag != DerValue.tag_Sequence) - return false; - DerInputStream privateKeyIn = privateKeyVal.data; - privateKeyIn.getInteger(); - privateKeyIn.getSequence(0); - DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); - DerInputStream privateKeyDerIn = privateKeyDer.data; - BigInt privateKeyVersion = privateKeyDerIn.getInteger(); - BigInt privateKeyModulus = privateKeyDerIn.getInteger(); - BigInt privateKeyExponent = privateKeyDerIn.getInteger(); - - if (!publicKeyModulus.equals(privateKeyModulus)) { - CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus); - return false; - } - - if (!publicKeyExponent.equals(privateKeyExponent)) { - CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent); - return false; - } - - return true; - } catch (Exception e) { - CMS.debug("verifyKeyPair error " + e); - return false; - } + public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) { + try { + DerValue publicKeyVal = new DerValue(publicKeyData); + DerInputStream publicKeyIn = publicKeyVal.data; + publicKeyIn.getSequence(0); + DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); + DerInputStream publicKeyDerIn = publicKeyDer.data; + BigInt publicKeyModulus = publicKeyDerIn.getInteger(); + BigInt publicKeyExponent = publicKeyDerIn.getInteger(); + + DerValue privateKeyVal = new DerValue(privateKeyData); + if (privateKeyVal.tag != DerValue.tag_Sequence) + return false; + DerInputStream privateKeyIn = privateKeyVal.data; + privateKeyIn.getInteger(); + privateKeyIn.getSequence(0); + DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); + DerInputStream privateKeyDerIn = privateKeyDer.data; + BigInt privateKeyVersion = privateKeyDerIn.getInteger(); + BigInt privateKeyModulus = privateKeyDerIn.getInteger(); + BigInt privateKeyExponent = privateKeyDerIn.getInteger(); + + if (!publicKeyModulus.equals(privateKeyModulus)) { + CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + + publicKeyModulus + " privateKeyModulus=" + + privateKeyModulus); + return false; + } + + if (!publicKeyExponent.equals(privateKeyExponent)) { + CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + + publicKeyExponent + " privateKeyExponent=" + + privateKeyExponent); + return false; + } + + return true; + } catch (Exception e) { + CMS.debug("verifyKeyPair error " + e); + return false; + } } /** - * Recovers key. (using unwrapping/wrapping on token) - * - used when allowEncDecrypt_recovery is false + * Recovers key. (using unwrapping/wrapping on token) - used when + * allowEncDecrypt_recovery is false */ - public synchronized PrivateKey recoverKey(Hashtable request, KeyRecord keyRecord, boolean isRSA) - throws EBaseException { + public synchronized PrivateKey recoverKey(Hashtable request, + KeyRecord keyRecord, boolean isRSA) throws EBaseException { - if (!isRSA) { + if (!isRSA) { CMS.debug("RecoverService: recoverKey: currently, non-RSA keys are not supported when allowEncDecrypt_ is false"); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "key type not supported")); - } - try { + throw new EKRAException(CMS.getUserMessage( + "CMS_KRA_RECOVERY_FAILED_1", "key type not supported")); + } + try { if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - Credential creds[] = (Credential[]) - request.get(ATTR_AGENT_CREDENTIALS); + Credential creds[] = (Credential[]) request + .get(ATTR_AGENT_CREDENTIALS); - mStorageUnit.login(creds); + mStorageUnit.login(creds); } /* wrapped retrieve session key and private key */ @@ -400,50 +397,53 @@ public class RecoveryService implements IService { byte publicKeyData[] = keyRecord.getPublicKeyData(); PublicKey pubkey = null; try { - pubkey = X509Key.parsePublicKey (new DerValue(publicKeyData)); + pubkey = X509Key.parsePublicKey(new DerValue(publicKeyData)); } catch (Exception e) { - CMS.debug("RecoverService: after parsePublicKey:"+e.toString()); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "pubic key parsing failure")); + CMS.debug("RecoverService: after parsePublicKey:" + + e.toString()); + throw new EKRAException(CMS.getUserMessage( + "CMS_KRA_RECOVERY_FAILED_1", + "pubic key parsing failure")); } - byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1}; - PrivateKey privKey = - mStorageUnit.unwrap( - session, - keyRecord.getAlgorithm(), - iv, - pri, - (PublicKey) pubkey); + byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + PrivateKey privKey = mStorageUnit.unwrap(session, + keyRecord.getAlgorithm(), iv, pri, (PublicKey) pubkey); if (privKey == null) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "private key unwrapping failure")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); + throw new EKRAException(CMS.getUserMessage( + "CMS_KRA_RECOVERY_FAILED_1", + "private key unwrapping failure")); } if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - mStorageUnit.logout(); + mStorageUnit.logout(); } return privKey; } catch (Exception e) { - CMS.debug("RecoverService: recoverKey() failed with allowEncDecrypt_recovery=false:"+e.toString()); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "recoverKey() failed with allowEncDecrypt_recovery=false:"+e.toString())); + CMS.debug("RecoverService: recoverKey() failed with allowEncDecrypt_recovery=false:" + + e.toString()); + throw new EKRAException(CMS.getUserMessage( + "CMS_KRA_RECOVERY_FAILED_1", + "recoverKey() failed with allowEncDecrypt_recovery=false:" + + e.toString())); } } - /** - * Creates a PFX (PKCS12) file. (the unwrapping/wrapping way) - * - used when allowEncDecrypt_recovery is false - * + * Creates a PFX (PKCS12) file. (the unwrapping/wrapping way) - used when + * allowEncDecrypt_recovery is false + * * @param request CRMF recovery request * @param priKey private key handle * @exception EBaseException failed to create P12 file */ - public void createPFX(IRequest request, Hashtable params, - PrivateKey priKey, CryptoToken ct) throws EBaseException { + public void createPFX(IRequest request, Hashtable params, + PrivateKey priKey, CryptoToken ct) throws EBaseException { CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=false"); try { // create p12 - X509Certificate x509cert = - request.getExtDataInCert(ATTR_USER_CERT); + X509Certificate x509cert = request.getExtDataInCert(ATTR_USER_CERT); String pwd = (String) params.get(ATTR_TRANSPORT_PWD); // add certificate @@ -457,61 +457,49 @@ public class RecoveryService implements IService { nickname = x509cert.getSubjectDN().toString(); } byte localKeyId[] = createLocalKeyId(x509cert); - SET certAttrs = createBagAttrs( - nickname, localKeyId); + SET certAttrs = createBagAttrs(nickname, localKeyId); // attributes: user friendly name, Local Key ID - SafeBag certBag = new SafeBag(SafeBag.CERT_BAG, - new CertBag(CertBag.X509_CERT_TYPE, cert), - certAttrs); + SafeBag certBag = new SafeBag(SafeBag.CERT_BAG, new CertBag( + CertBag.X509_CERT_TYPE, cert), certAttrs); encSafeContents.addElement(certBag); // add key mKRA.log(ILogger.LL_INFO, "KRA adds key to P12"); CMS.debug("RecoverService: createPFX() adds key to P12"); - org.mozilla.jss.util.Password pass = new - org.mozilla.jss.util.Password( + org.mozilla.jss.util.Password pass = new org.mozilla.jss.util.Password( pwd.toCharArray()); SEQUENCE safeContents = new SEQUENCE(); - PasswordConverter passConverter = new - PasswordConverter(); - byte salt[] = {0x01, 0x01, 0x01, 0x01}; + PasswordConverter passConverter = new PasswordConverter(); + byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; ASN1Value key = EncryptedPrivateKeyInfo.createPBE( - PBEAlgorithm.PBE_SHA1_DES3_CBC, - pass, salt, 1, passConverter, priKey, ct); + PBEAlgorithm.PBE_SHA1_DES3_CBC, pass, salt, 1, + passConverter, priKey, ct); - SET keyAttrs = createBagAttrs( - x509cert.getSubjectDN().toString(), + SET keyAttrs = createBagAttrs(x509cert.getSubjectDN().toString(), localKeyId); - SafeBag keyBag = new SafeBag( - SafeBag.PKCS8_SHROUDED_KEY_BAG, key, + SafeBag keyBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG, key, keyAttrs); // ?? safeContents.addElement(keyBag); // build contents - AuthenticatedSafes authSafes = new - AuthenticatedSafes(); - - authSafes.addSafeContents( - safeContents - ); - authSafes.addSafeContents( - encSafeContents - ); - - // authSafes.addEncryptedSafeContents( - // authSafes.DEFAULT_KEY_GEN_ALG, - // pass, null, 1, - // encSafeContents); + AuthenticatedSafes authSafes = new AuthenticatedSafes(); + + authSafes.addSafeContents(safeContents); + authSafes.addSafeContents(encSafeContents); + + // authSafes.addEncryptedSafeContents( + // authSafes.DEFAULT_KEY_GEN_ALG, + // pass, null, 1, + // encSafeContents); PFX pfx = new PFX(authSafes); pfx.computeMacData(pass, null, 5); // ?? - ByteArrayOutputStream fos = new - ByteArrayOutputStream(); + ByteArrayOutputStream fos = new ByteArrayOutputStream(); pfx.encode(fos); pass.clear(); @@ -519,57 +507,56 @@ public class RecoveryService implements IService { // put final PKCS12 into volatile request params.put(ATTR_PKCS12, fos.toByteArray()); } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_CONSTRUCT_P12", e.toString())); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString())); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_KRA_CONSTRUCT_P12", e.toString())); + throw new EKRAException(CMS.getUserMessage( + "CMS_KRA_PKCS12_FAILED_1", e.toString())); } // update request mKRA.getRequestQueue().updateRequest(request); } - /** - * Recovers key. - * - used when allowEncDecrypt_recovery is true + * Recovers key. - used when allowEncDecrypt_recovery is true */ - public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) - throws EBaseException { + public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) + throws EBaseException { if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - Credential creds[] = (Credential[]) - request.get(ATTR_AGENT_CREDENTIALS); + Credential creds[] = (Credential[]) request + .get(ATTR_AGENT_CREDENTIALS); - mStorageUnit.login(creds); + mStorageUnit.login(creds); } mKRA.log(ILogger.LL_INFO, "KRA decrypts internal private"); - byte privateKeyData[] = - mStorageUnit.decryptInternalPrivate( - keyRecord.getPrivateKeyData()); + byte privateKeyData[] = mStorageUnit.decryptInternalPrivate(keyRecord + .getPrivateKeyData()); if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - mStorageUnit.logout(); + mStorageUnit.logout(); } if (privateKeyData == null) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); + throw new EKRAException(CMS.getUserMessage( + "CMS_KRA_RECOVERY_FAILED_1", "no private key")); } return privateKeyData; } /** - * Creates a PFX (PKCS12) file. - * - used when allowEncDecrypt_recovery is true - * + * Creates a PFX (PKCS12) file. - used when allowEncDecrypt_recovery is true + * * @param request CRMF recovery request * @param priData decrypted private key (PrivateKeyInfo) * @exception EBaseException failed to create P12 file */ - public void createPFX(IRequest request, Hashtable params, - byte priData[]) throws EBaseException { + public void createPFX(IRequest request, Hashtable params, byte priData[]) + throws EBaseException { CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=true"); try { // create p12 - X509Certificate x509cert = - request.getExtDataInCert(ATTR_USER_CERT); + X509Certificate x509cert = request.getExtDataInCert(ATTR_USER_CERT); String pwd = (String) params.get(ATTR_TRANSPORT_PWD); // add certificate @@ -582,60 +569,47 @@ public class RecoveryService implements IService { nickname = x509cert.getSubjectDN().toString(); } byte localKeyId[] = createLocalKeyId(x509cert); - SET certAttrs = createBagAttrs( - nickname, localKeyId); + SET certAttrs = createBagAttrs(nickname, localKeyId); // attributes: user friendly name, Local Key ID - SafeBag certBag = new SafeBag(SafeBag.CERT_BAG, - new CertBag(CertBag.X509_CERT_TYPE, cert), - certAttrs); + SafeBag certBag = new SafeBag(SafeBag.CERT_BAG, new CertBag( + CertBag.X509_CERT_TYPE, cert), certAttrs); encSafeContents.addElement(certBag); // add key mKRA.log(ILogger.LL_INFO, "KRA adds key to P12"); - org.mozilla.jss.util.Password pass = new - org.mozilla.jss.util.Password( + org.mozilla.jss.util.Password pass = new org.mozilla.jss.util.Password( pwd.toCharArray()); SEQUENCE safeContents = new SEQUENCE(); - PasswordConverter passConverter = new - PasswordConverter(); - byte salt[] = {0x01, 0x01, 0x01, 0x01}; - PrivateKeyInfo pki = (PrivateKeyInfo) - ASN1Util.decode(PrivateKeyInfo.getTemplate(), - priData); + PasswordConverter passConverter = new PasswordConverter(); + byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; + PrivateKeyInfo pki = (PrivateKeyInfo) ASN1Util.decode( + PrivateKeyInfo.getTemplate(), priData); ASN1Value key = EncryptedPrivateKeyInfo.createPBE( - PBEAlgorithm.PBE_SHA1_DES3_CBC, - pass, salt, 1, passConverter, pki); - SET keyAttrs = createBagAttrs( - x509cert.getSubjectDN().toString(), + PBEAlgorithm.PBE_SHA1_DES3_CBC, pass, salt, 1, + passConverter, pki); + SET keyAttrs = createBagAttrs(x509cert.getSubjectDN().toString(), localKeyId); - SafeBag keyBag = new SafeBag( - SafeBag.PKCS8_SHROUDED_KEY_BAG, key, + SafeBag keyBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG, key, keyAttrs); // ?? safeContents.addElement(keyBag); // build contents - AuthenticatedSafes authSafes = new - AuthenticatedSafes(); - - authSafes.addSafeContents( - safeContents - ); - authSafes.addSafeContents( - encSafeContents - ); - - // authSafes.addEncryptedSafeContents( - // authSafes.DEFAULT_KEY_GEN_ALG, - // pass, null, 1, - // encSafeContents); + AuthenticatedSafes authSafes = new AuthenticatedSafes(); + + authSafes.addSafeContents(safeContents); + authSafes.addSafeContents(encSafeContents); + + // authSafes.addEncryptedSafeContents( + // authSafes.DEFAULT_KEY_GEN_ALG, + // pass, null, 1, + // encSafeContents); PFX pfx = new PFX(authSafes); pfx.computeMacData(pass, null, 5); // ?? - ByteArrayOutputStream fos = new - ByteArrayOutputStream(); + ByteArrayOutputStream fos = new ByteArrayOutputStream(); pfx.encode(fos); pass.clear(); @@ -643,8 +617,10 @@ public class RecoveryService implements IService { // put final PKCS12 into volatile request params.put(ATTR_PKCS12, fos.toByteArray()); } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_CONSTRUCT_P12", e.toString())); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString())); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_KRA_CONSTRUCT_P12", e.toString())); + throw new EKRAException(CMS.getUserMessage( + "CMS_KRA_PKCS12_FAILED_1", e.toString())); } // update request @@ -654,8 +630,7 @@ public class RecoveryService implements IService { /** * Creates local key identifier. */ - public byte[] createLocalKeyId(X509Certificate cert) - throws EBaseException { + public byte[] createLocalKeyId(X509Certificate cert) throws EBaseException { try { // SHA1 hash of the X509Cert der encoding byte certDer[] = cert.getEncoded(); @@ -666,21 +641,23 @@ public class RecoveryService implements IService { md.update(certDer); return md.digest(); } catch (CertificateEncodingException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString())); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYID_FAILED_1", e.toString())); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString())); + throw new EKRAException(CMS.getUserMessage( + "CMS_KRA_KEYID_FAILED_1", e.toString())); } catch (NoSuchAlgorithmException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString())); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYID_FAILED_1", e.toString())); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString())); + throw new EKRAException(CMS.getUserMessage( + "CMS_KRA_KEYID_FAILED_1", e.toString())); } } /** * Creates bag attributes. */ - public SET createBagAttrs(String nickName, byte localKeyId[]) - throws EBaseException { + public SET createBagAttrs(String nickName, byte localKeyId[]) + throws EBaseException { try { SET attrs = new SET(); SEQUENCE nickNameAttr = new SEQUENCE(); @@ -701,9 +678,10 @@ public class RecoveryService implements IService { attrs.addElement(localKeyAttr); return attrs; } catch (CharConversionException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_BAG", e.toString())); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYBAG_FAILED_1", e.toString())); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_KRA_CREAT_KEY_BAG", e.toString())); + throw new EKRAException(CMS.getUserMessage( + "CMS_KRA_KEYBAG_FAILED_1", e.toString())); } } } diff --git a/pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java index 2c3ba716a..e4b63f605 100644 --- a/pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java +++ b/pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import java.io.CharConversionException; import java.io.File; import java.io.FileInputStream; @@ -62,17 +61,15 @@ import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.security.Credential; import com.netscape.certsrv.security.IStorageKeyUnit; - /** - * A class represents a storage key unit. Currently, this - * is implemented with cryptix, the final implementation - * should be built on JSS/HCL. - * + * A class represents a storage key unit. Currently, this is implemented with + * cryptix, the final implementation should be built on JSS/HCL. + * * @author thomask * @version $Revision$, $Date$ */ -public class StorageKeyUnit extends EncryptionUnit implements - ISubsystem, IStorageKeyUnit { +public class StorageKeyUnit extends EncryptionUnit implements ISubsystem, + IStorageKeyUnit { private IConfigStore mConfig = null; @@ -89,7 +86,6 @@ public class StorageKeyUnit extends EncryptionUnit implements private byte mPrivateKeyData[] = null; private boolean mKeySplitting = false; - private static final String PROP_N = "n"; private static final String PROP_M = "m"; private static final String PROP_UID = "uid"; @@ -105,7 +101,7 @@ public class StorageKeyUnit extends EncryptionUnit implements * Constructs this token. */ public StorageKeyUnit() { - super(); + super(); } /** @@ -116,192 +112,220 @@ public class StorageKeyUnit extends EncryptionUnit implements } /** - * Sets subsystem identifier. Once the system is - * loaded, system identifier cannot be changed - * dynamically. + * Sets subsystem identifier. Once the system is loaded, system identifier + * cannot be changed dynamically. */ public void setId(String id) throws EBaseException { throw new EBaseException(CMS.getUserMessage("CMS_INVALID_OPERATION")); } /** - * return true if byte arrays are equal, false otherwise + * return true if byte arrays are equal, false otherwise */ private boolean byteArraysMatch(byte a[], byte b[]) { - if (a==null || b==null) { return false; } - if (a.length != b.length) { return false; } - for (int i=0; i<a.length; i++) { - if (a[i] != b[i]) { return false; } - } - return true; + if (a == null || b == null) { + return false; + } + if (a.length != b.length) { + return false; + } + for (int i = 0; i < a.length; i++) { + if (a[i] != b[i]) { + return false; + } + } + return true; } - /** * Initializes this subsystem. */ - public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { mKRA = (IKeyRecoveryAuthority) owner; mConfig = config; - - mKeySplitting = owner.getConfigStore().getBoolean("keySplitting", false); + + mKeySplitting = owner.getConfigStore() + .getBoolean("keySplitting", false); try { mManager = CryptoManager.getInstance(); mToken = getToken(); } catch (org.mozilla.jss.CryptoManager.NotInitializedException e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_STORAGE_INIT", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_STORAGE_INIT", e.toString())); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", + e.toString())); } - + if (mConfig.getString(PROP_HARDWARE, null) != null) { - System.setProperty("cms.skip_token", mConfig.getString(PROP_HARDWARE)); + System.setProperty("cms.skip_token", + mConfig.getString(PROP_HARDWARE)); -// The strategy here is to read all the certs in the token -// and cycle through them until we find one that matches the -// kra-cert.db file + // The strategy here is to read all the certs in the token + // and cycle through them until we find one that matches the + // kra-cert.db file - if (mKeySplitting) { + if (mKeySplitting) { - byte certFileData[] = null; - try { - File certFile = new File( - mConfig.getString(PROP_CERTDB)); + byte certFileData[] = null; + try { + File certFile = new File(mConfig.getString(PROP_CERTDB)); - certFileData = new byte[ - (Long.valueOf(certFile.length())).intValue()]; - FileInputStream fi = new FileInputStream(certFile); + certFileData = new byte[(Long.valueOf(certFile.length())) + .intValue()]; + FileInputStream fi = new FileInputStream(certFile); - fi.read(certFileData); - fi.close(); + fi.read(certFileData); + fi.close(); - // pick up cert by nickName + // pick up cert by nickName - } catch (IOException e) { - mKRA.log(ILogger.LL_INFO, - CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); - } + } catch (IOException e) { + mKRA.log(ILogger.LL_INFO, CMS.getLogMessage( + "CMSCORE_KRA_STORAGE_READ_CERT", e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_CERT_ERROR", e.toString())); + } + + try { + X509Certificate certs[] = getToken().getCryptoStore() + .getCertificates(); + for (int i = 0; i < certs.length; i++) { + if (byteArraysMatch(certs[i].getEncoded(), certFileData)) { + mCert = certs[i]; + } + } + if (mCert == null) { + mKRA.log(ILogger.LL_FAILURE, + "Storage Cert could not be initialized. No cert in token matched kra-cert file"); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_CERT_ERROR", "mCert == null")); + } else { + mKRA.log(ILogger.LL_INFO, + "Using Storage Cert " + mCert.getSubjectDN()); + } + } catch (CertificateEncodingException e) { + mKRA.log(ILogger.LL_FAILURE, "Error encoding cert "); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_CERT_ERROR", e.toString())); + } catch (TokenException e) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_KRA_STORAGE_READ_CERT", e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_CERT_ERROR", e.toString())); + } + } - try { - X509Certificate certs[] = - getToken().getCryptoStore().getCertificates(); - for (int i=0;i <certs.length;i++) { - if (byteArraysMatch(certs[i].getEncoded(),certFileData)) { - mCert = certs[i]; - } - } - if (mCert == null) { - mKRA.log(ILogger.LL_FAILURE, "Storage Cert could not be initialized. No cert in token matched kra-cert file"); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", "mCert == null")); - } else { - mKRA.log(ILogger.LL_INFO, "Using Storage Cert "+mCert.getSubjectDN()); - } - } catch (CertificateEncodingException e) { - mKRA.log(ILogger.LL_FAILURE, "Error encoding cert "); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); - } catch (TokenException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); - } - } - } else { // read certificate from file byte certData[] = null; try { - if (mKeySplitting) { - File certFile = new File( - mConfig.getString(PROP_CERTDB)); + if (mKeySplitting) { + File certFile = new File(mConfig.getString(PROP_CERTDB)); - certData = new byte[ - (Long.valueOf(certFile.length())).intValue()]; - FileInputStream fi = new FileInputStream(certFile); + certData = new byte[(Long.valueOf(certFile.length())) + .intValue()]; + FileInputStream fi = new FileInputStream(certFile); - fi.read(certData); - fi.close(); + fi.read(certData); + fi.close(); - // pick up cert by nickName - mCert = mManager.findCertByNickname( - config.getString(PROP_NICKNAME)); + // pick up cert by nickName + mCert = mManager.findCertByNickname(config + .getString(PROP_NICKNAME)); - } else { - mCert = mManager.findCertByNickname( - config.getString(PROP_NICKNAME)); - } + } else { + mCert = mManager.findCertByNickname(config + .getString(PROP_NICKNAME)); + } } catch (IOException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_CERT_ERROR", e.toString())); } catch (TokenException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_CERT_ERROR", e.toString())); } catch (ObjectNotFoundException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", + e.toString())); // XXX - this import wont work try { - mCert = mManager.importCertPackage(certData, - "kraStorageCert"); + mCert = mManager.importCertPackage(certData, + "kraStorageCert"); } catch (Exception ex) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_STORAGE_IMPORT_CERT", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ex.toString())); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_KRA_STORAGE_IMPORT_CERT", e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_CERT_ERROR", ex.toString())); } } - - if (mKeySplitting) { - // read private key from the file - try { - File priFile = new File(mConfig.getString(PROP_KEYDB)); - mPrivateKeyData = new byte[ - (Long.valueOf(priFile.length())).intValue()]; - FileInputStream fi = new FileInputStream(priFile); + if (mKeySplitting) { + // read private key from the file + try { + File priFile = new File(mConfig.getString(PROP_KEYDB)); + + mPrivateKeyData = new byte[(Long.valueOf(priFile.length())) + .intValue()]; + FileInputStream fi = new FileInputStream(priFile); + + fi.read(mPrivateKeyData); + fi.close(); + } catch (IOException e) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_KRA_STORAGE_READ_PRIVATE", e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", e.toString())); + } + } + + } + + if (mKeySplitting) { + // open internal data storage configuration + mTokenFile = mConfig.getString(PROP_MN); + try { + // read m, n and no of identifier + mStorageConfig = CMS.createFileConfigStore(mTokenFile); + } catch (EBaseException e) { + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_MN", + e.toString())); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_OPERATION")); - fi.read(mPrivateKeyData); - fi.close(); - } catch (IOException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_PRIVATE", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", e.toString())); } - } - } - if (mKeySplitting) { - // open internal data storage configuration - mTokenFile = mConfig.getString(PROP_MN); try { - // read m, n and no of identifier - mStorageConfig = CMS.createFileConfigStore(mTokenFile); - } catch (EBaseException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_MN", + if (mCert == null) { + CMS.debug("mCert is null...retrieving " + + config.getString(PROP_NICKNAME)); + mCert = mManager.findCertByNickname(config + .getString(PROP_NICKNAME)); + CMS.debug("mCert = " + mCert); + } + } catch (Exception e) { + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", + e.toString())); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_OPERATION")); - } - } - - try { - if (mCert == null) { - CMS.debug("mCert is null...retrieving "+ config.getString(PROP_NICKNAME)); - mCert = mManager.findCertByNickname( - config.getString(PROP_NICKNAME)); - CMS.debug("mCert = "+mCert); - } - } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); - } } @@ -316,7 +340,7 @@ public class StorageKeyUnit extends EncryptionUnit implements */ public void shutdown() { } - + /** * Returns the configuration store of this token. */ @@ -324,10 +348,11 @@ public class StorageKeyUnit extends EncryptionUnit implements return mConfig; } - public static SymmetricKey buildSymmetricKeyWithInternalStorage( - String pin) throws EBaseException { + public static SymmetricKey buildSymmetricKeyWithInternalStorage(String pin) + throws EBaseException { try { - return buildSymmetricKey(CryptoManager.getInstance().getInternalKeyStorageToken(), pin); + return buildSymmetricKey(CryptoManager.getInstance() + .getInternalKeyStorageToken(), pin); } catch (Exception e) { return null; } @@ -336,95 +361,89 @@ public class StorageKeyUnit extends EncryptionUnit implements /** * Builds symmetric key from the given password. */ - public static SymmetricKey buildSymmetricKey(CryptoToken token, - String pin) throws EBaseException { + public static SymmetricKey buildSymmetricKey(CryptoToken token, String pin) + throws EBaseException { try { Password pass = new Password(pin.toCharArray()); KeyGenerator kg = null; - kg = token.getKeyGenerator( - PBEAlgorithm.PBE_SHA1_DES3_CBC); - byte salt[] = {0x01, 0x01, 0x01, 0x01, - 0x01, 0x01, 0x01, 0x01}; - PBEKeyGenParams kgp = new PBEKeyGenParams(pass, - salt, 5); + kg = token.getKeyGenerator(PBEAlgorithm.PBE_SHA1_DES3_CBC); + byte salt[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }; + PBEKeyGenParams kgp = new PBEKeyGenParams(pass, salt, 5); pass.clear(); kg.initialize(kgp); return kg.generate(); } catch (TokenException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "buildSymmetricKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", + "buildSymmetricKey:" + e.toString())); } catch (NoSuchAlgorithmException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "buildSymmetricKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", + "buildSymmetricKey:" + e.toString())); } catch (InvalidAlgorithmParameterException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "buildSymmetricKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", + "buildSymmetricKey:" + e.toString())); } catch (CharConversionException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "buildSymmetricKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", + "buildSymmetricKey:" + e.toString())); } } /** * Unwraps the storage key with the given symmetric key. */ - public PrivateKey unwrapStorageKey(CryptoToken token, - SymmetricKey sk, byte wrapped[], - PublicKey pubKey) - throws EBaseException { + public PrivateKey unwrapStorageKey(CryptoToken token, SymmetricKey sk, + byte wrapped[], PublicKey pubKey) throws EBaseException { try { CMS.debug("StorageKeyUnit.unwrapStorageKey."); - KeyWrapper wrapper = token.getKeyWrapper( - KeyWrapAlgorithm.DES3_CBC_PAD); - - wrapper.initUnwrap(sk, IV); + KeyWrapper wrapper = token + .getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); + + wrapper.initUnwrap(sk, IV); // XXX - it does not like the public key that is // not a crypto X509Certificate - PrivateKey pk = wrapper.unwrapTemporaryPrivate(wrapped, + PrivateKey pk = wrapper.unwrapTemporaryPrivate(wrapped, PrivateKey.RSA, pubKey); return pk; } catch (TokenException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "unwrapStorageKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", + "unwrapStorageKey:" + e.toString())); } catch (NoSuchAlgorithmException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "unwrapStorageKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", + "unwrapStorageKey:" + e.toString())); } catch (InvalidKeyException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "unwrapStorageKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", + "unwrapStorageKey:" + e.toString())); } catch (InvalidAlgorithmParameterException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "unwrapStorageKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", + "unwrapStorageKey:" + e.toString())); } } - + /** * Used by config-cert. */ - public byte[] wrapStorageKey(CryptoToken token, - SymmetricKey sk, PrivateKey pri) - throws EBaseException { + public byte[] wrapStorageKey(CryptoToken token, SymmetricKey sk, + PrivateKey pri) throws EBaseException { CMS.debug("StorageKeyUnit.wrapStorageKey."); try { // move public & private to config/storage.dat // delete private key - KeyWrapper wrapper = token.getKeyWrapper( - KeyWrapAlgorithm.DES3_CBC_PAD); + KeyWrapper wrapper = token + .getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); // next to randomly generate a symmetric // password @@ -432,21 +451,17 @@ public class StorageKeyUnit extends EncryptionUnit implements wrapper.initWrap(sk, IV); return wrapper.wrap(pri); } catch (TokenException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "wrapStorageKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", "wrapStorageKey:" + e.toString())); } catch (NoSuchAlgorithmException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "wrapStorageKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", "wrapStorageKey:" + e.toString())); } catch (InvalidKeyException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "wrapStorageKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", "wrapStorageKey:" + e.toString())); } catch (InvalidAlgorithmParameterException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - "wrapStorageKey:" + - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", "wrapStorageKey:" + e.toString())); } } @@ -460,23 +475,29 @@ public class StorageKeyUnit extends EncryptionUnit implements PrivateKey pk[] = getToken().getCryptoStore().getPrivateKeys(); for (int i = 0; i < pk.length; i++) { - if (arraysEqual(pk[i].getUniqueID(), + if (arraysEqual(pk[i].getUniqueID(), ((TokenCertificate) mCert).getUniqueID())) { mPrivateKey = pk[i]; } } } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_STORAGE_LOGIN", e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_STORAGE_LOGIN", + e.toString())); } } else { try { SymmetricKey sk = buildSymmetricKey(mToken, pin); - mPrivateKey = unwrapStorageKey(mToken, sk, - mPrivateKeyData, getPublicKey()); + mPrivateKey = unwrapStorageKey(mToken, sk, mPrivateKeyData, + getPublicKey()); } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_STORAGE_LOGIN", e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_STORAGE_LOGIN", + e.toString())); } if (mPrivateKey == null) { mPrivateKey = getPrivateKey(); @@ -487,8 +508,7 @@ public class StorageKeyUnit extends EncryptionUnit implements /** * Logins to this token. */ - public void login(Credential creds[]) - throws EBaseException { + public void login(Credential creds[]) throws EBaseException { String pwd = constructPassword(creds); login(pwd); @@ -500,12 +520,15 @@ public class StorageKeyUnit extends EncryptionUnit implements public void logout() { try { if (mConfig.getString(PROP_HARDWARE, null) != null) { - if (mConfig.getBoolean(PROP_LOGOUT, false)) { - getToken().logout(); - } + if (mConfig.getBoolean(PROP_LOGOUT, false)) { + getToken().logout(); + } } } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_STORAGE_LOGOUT", e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_STORAGE_LOGOUT", + e.toString())); } mPrivateKey = null; @@ -519,8 +542,7 @@ public class StorageKeyUnit extends EncryptionUnit implements for (int i = 0;; i++) { try { - String uid = - mStorageConfig.getString(PROP_UID + i); + String uid = mStorageConfig.getString(PROP_UID + i); if (uid == null) break; @@ -535,22 +557,21 @@ public class StorageKeyUnit extends EncryptionUnit implements /** * Changes agent password. */ - public boolean changeAgentPassword(String id, String oldpwd, - String newpwd) throws EBaseException { + public boolean changeAgentPassword(String id, String oldpwd, String newpwd) + throws EBaseException { // locate the id(s) for (int i = 0;; i++) { try { - String uid = - mStorageConfig.getString(PROP_UID + i); + String uid = mStorageConfig.getString(PROP_UID + i); if (uid == null) break; if (id.equals(uid)) { - byte share[] = decryptShareWithInternalStorage(mStorageConfig.getString(PROP_SHARE + i), oldpwd); + byte share[] = decryptShareWithInternalStorage( + mStorageConfig.getString(PROP_SHARE + i), oldpwd); mStorageConfig.putString(PROP_SHARE + i, - encryptShareWithInternalStorage( - share, newpwd)); + encryptShareWithInternalStorage(share, newpwd)); mStorageConfig.commit(false); return true; } @@ -564,10 +585,8 @@ public class StorageKeyUnit extends EncryptionUnit implements /** * Changes the m out of n recovery schema. */ - public boolean changeAgentMN(int new_n, int new_m, - Credential oldcreds[], - Credential newcreds[]) - throws EBaseException { + public boolean changeAgentMN(int new_n, int new_m, Credential oldcreds[], + Credential newcreds[]) throws EBaseException { if (new_n != newcreds.length) { throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_N")); @@ -587,22 +606,22 @@ public class StorageKeyUnit extends EncryptionUnit implements IShare s = null; try { - String className = mConfig.getString("share_class", - "com.netscape.cms.shares.OldShare"); - s = (IShare)Class.forName(className).newInstance(); + String className = mConfig.getString("share_class", + "com.netscape.cms.shares.OldShare"); + s = (IShare) Class.forName(className).newInstance(); } catch (Exception e) { - CMS.debug("Loading Shares error " + e); + CMS.debug("Loading Shares error " + e); } if (s == null) { - CMS.debug("Share plugin is not found"); - return false; + CMS.debug("Share plugin is not found"); + return false; } try { - s.initialize(secret.getBytes(), new_m); + s.initialize(secret.getBytes(), new_m); } catch (Exception e) { - CMS.debug("Failed to initialize Share plugin"); - return false; + CMS.debug("Failed to initialize Share plugin"); + return false; } for (int i = 0; i < newcreds.length; i++) { @@ -615,20 +634,22 @@ public class StorageKeyUnit extends EncryptionUnit implements mStorageConfig.putInteger(PROP_N, new_n); mStorageConfig.putInteger(PROP_M, new_m); for (int i = 0; i < newcreds.length; i++) { - mStorageConfig.putString(PROP_UID + i, - newcreds[i].getIdentifier()); + mStorageConfig.putString(PROP_UID + i, newcreds[i].getIdentifier()); // use password to encrypt shares... - mStorageConfig.putString(PROP_SHARE + i, - encryptShareWithInternalStorage(shares[i], - newcreds[i].getPassword())); + mStorageConfig.putString( + PROP_SHARE + i, + encryptShareWithInternalStorage(shares[i], + newcreds[i].getPassword())); } try { mStorageConfig.commit(false); return true; } catch (EBaseException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_STORAGE_CHANGE_MN", e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_STORAGE_CHANGE_MN", + e.toString())); } return false; } @@ -641,8 +662,7 @@ public class StorageKeyUnit extends EncryptionUnit implements } /** - * Returns number of recovery agents required for - * recovery operation. + * Returns number of recovery agents required for recovery operation. */ public int getNoOfRequiredAgents() throws EBaseException { return mStorageConfig.getInteger(PROP_M); @@ -663,7 +683,8 @@ public class StorageKeyUnit extends EncryptionUnit implements public CryptoToken getToken() { try { if (mConfig.getString(PROP_HARDWARE, null) != null) { - return mManager.getTokenByName(mConfig.getString(PROP_HARDWARE)); + return mManager + .getTokenByName(mConfig.getString(PROP_HARDWARE)); } else { return CryptoManager.getInstance().getInternalKeyStorageToken(); } @@ -683,35 +704,35 @@ public class StorageKeyUnit extends EncryptionUnit implements public PrivateKey getPrivateKey() { if (!mKeySplitting) { - try { - PrivateKey pk[] = getToken().getCryptoStore().getPrivateKeys(); - for (int i = 0; i < pk.length; i++) { - if (arraysEqual(pk[i].getUniqueID(), + try { + PrivateKey pk[] = getToken().getCryptoStore().getPrivateKeys(); + for (int i = 0; i < pk.length; i++) { + if (arraysEqual(pk[i].getUniqueID(), ((TokenCertificate) mCert).getUniqueID())) { return pk[i]; } - } - } catch (TokenException e) { - } - return null; - } else { - return mPrivateKey; - } + } + } catch (TokenException e) { + } + return null; + } else { + return mPrivateKey; + } } /** * Verifies the integrity of the given key pairs. */ public void verify(byte publicKey[], PrivateKey privateKey) - throws EBaseException { + throws EBaseException { // XXX } - public String encryptShareWithInternalStorage( - byte share[], String pwd) - throws EBaseException { + public String encryptShareWithInternalStorage(byte share[], String pwd) + throws EBaseException { try { - return encryptShare(CryptoManager.getInstance().getInternalKeyStorageToken(), share, pwd); + return encryptShare(CryptoManager.getInstance() + .getInternalKeyStorageToken(), share, pwd); } catch (Exception e) { return null; } @@ -720,13 +741,12 @@ public class StorageKeyUnit extends EncryptionUnit implements /** * Protectes the share with the given password. */ - public String encryptShare(CryptoToken token, - byte share[], String pwd) - throws EBaseException { + public String encryptShare(CryptoToken token, byte share[], String pwd) + throws EBaseException { try { CMS.debug("StorageKeyUnit.encryptShare"); - Cipher cipher = token.getCipherContext( - EncryptionAlgorithm.DES3_CBC_PAD); + Cipher cipher = token + .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); SymmetricKey sk = StorageKeyUnit.buildSymmetricKey(token, pwd); cipher.initEncrypt(sk, IV); @@ -737,23 +757,23 @@ public class StorageKeyUnit extends EncryptionUnit implements // configuration return com.netscape.osutil.OSUtil.BtoA(enc).trim(); } catch (NoSuchAlgorithmException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", e.toString())); } catch (TokenException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", e.toString())); } catch (InvalidKeyException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", e.toString())); } catch (InvalidAlgorithmParameterException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", e.toString())); } catch (BadPaddingException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", e.toString())); } catch (IllegalBlockSizeException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_KEY_1", e.toString())); } } @@ -798,23 +818,24 @@ public class StorageKeyUnit extends EncryptionUnit implements } if (uid.equals(userid)) { byte data[] = decryptShareWithInternalStorage( - mStorageConfig.getString(PROP_SHARE + i), - pwd); - if (data == null) { - throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + mStorageConfig.getString(PROP_SHARE + i), pwd); + if (data == null) { + throw new EBaseException( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } return; } } - throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); - + throw new EBaseException( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + } - public byte[] decryptShareWithInternalStorage( - String encoding, String pwd) - throws EBaseException { + public byte[] decryptShareWithInternalStorage(String encoding, String pwd) + throws EBaseException { try { - return decryptShare(CryptoManager.getInstance().getInternalKeyStorageToken(), encoding, pwd); + return decryptShare(CryptoManager.getInstance() + .getInternalKeyStorageToken(), encoding, pwd); } catch (Exception e) { return null; } @@ -823,23 +844,22 @@ public class StorageKeyUnit extends EncryptionUnit implements /** * Decrypts shares with the given password. */ - public byte[] decryptShare(CryptoToken token, - String encoding, String pwd) - throws EBaseException { + public byte[] decryptShare(CryptoToken token, String encoding, String pwd) + throws EBaseException { try { CMS.debug("StorageKeyUnit.decryptShare"); byte share[] = CMS.AtoB(encoding); - Cipher cipher = token.getCipherContext( - EncryptionAlgorithm.DES3_CBC_PAD); - SymmetricKey sk = StorageKeyUnit.buildSymmetricKey( - token, pwd); + Cipher cipher = token + .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); + SymmetricKey sk = StorageKeyUnit.buildSymmetricKey(token, pwd); cipher.initDecrypt(sk, IV); byte dec[] = cipher.doFinal(share); if (dec == null || !verifyShare(dec)) { // invalid passwod - throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EBaseException( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } return postVerify(dec); } catch (OutOfMemoryError e) { @@ -851,34 +871,33 @@ public class StorageKeyUnit extends EncryptionUnit implements // // e.printStackTrace(); // - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_KRA_INVALID_PASSWORD", e.toString())); } catch (TokenException e) { - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_KRA_INVALID_PASSWORD", e.toString())); } catch (NoSuchAlgorithmException e) { - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_KRA_INVALID_PASSWORD", e.toString())); } catch (InvalidKeyException e) { - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_KRA_INVALID_PASSWORD", e.toString())); } catch (InvalidAlgorithmParameterException e) { - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_KRA_INVALID_PASSWORD", e.toString())); } catch (IllegalBlockSizeException e) { - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_KRA_INVALID_PASSWORD", e.toString())); } catch (BadPaddingException e) { - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD", - e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_KRA_INVALID_PASSWORD", e.toString())); } } /** * Reconstructs password from recovery agents. */ - private String constructPassword(Credential creds[]) - throws EBaseException { + private String constructPassword(Credential creds[]) throws EBaseException { // sort the credential according to the order in // configuration file Hashtable v = new Hashtable(); @@ -896,11 +915,11 @@ public class StorageKeyUnit extends EncryptionUnit implements for (int j = 0; j < creds.length; j++) { if (uid.equals(creds[j].getIdentifier())) { byte pwd[] = decryptShareWithInternalStorage( - mStorageConfig.getString( - PROP_SHARE + i), + mStorageConfig.getString(PROP_SHARE + i), creds[j].getPassword()); if (pwd == null) { - throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EBaseException( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } v.put(Integer.toString(i), pwd); break; @@ -909,39 +928,42 @@ public class StorageKeyUnit extends EncryptionUnit implements } if (v.size() < 0) { - throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EBaseException( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } if (v.size() != creds.length) { - throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EBaseException( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } IJoinShares j = null; try { - String className = mConfig.getString("joinshares_class", - "com.netscape.cms.shares.OldJoinShares"); - j = (IJoinShares)Class.forName(className).newInstance(); + String className = mConfig.getString("joinshares_class", + "com.netscape.cms.shares.OldJoinShares"); + j = (IJoinShares) Class.forName(className).newInstance(); } catch (Exception e) { - CMS.debug("JoinShares error " + e); + CMS.debug("JoinShares error " + e); } if (j == null) { CMS.debug("JoinShares plugin is not found"); - throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EBaseException( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } try { - j.initialize(v.size()); + j.initialize(v.size()); } catch (Exception e) { CMS.debug("Failed to initialize JoinShares"); - throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); + throw new EBaseException( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } Enumeration e = v.keys(); while (e.hasMoreElements()) { String next = (String) e.nextElement(); - j.addShare(Integer.parseInt(next) + 1, - (byte[]) v.get(next)); + j.addShare(Integer.parseInt(next) + 1, (byte[]) v.get(next)); } try { byte secret[] = j.recoverSecret(); @@ -949,10 +971,12 @@ public class StorageKeyUnit extends EncryptionUnit implements return pwd; } catch (Exception ee) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_STORAGE_RECONSTRUCT", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD", - ee.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_STORAGE_RECONSTRUCT", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_KRA_INVALID_PASSWORD", ee.toString())); } } diff --git a/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index f9ff8385d..f31a2de2e 100644 --- a/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.FilterOutputStream; @@ -52,9 +51,9 @@ import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmsutil.util.Cert; - /** * A class represents recovery request processor. + * * @author Christina Fu (cfu) * @version $Revision$, $Date$ */ @@ -68,12 +67,10 @@ public class TokenKeyRecoveryService implements IService { public static final String ATTR_TRANSPORT_PWD = "transportPwd"; public static final String ATTR_SIGNING_CERT = "signingCert"; public static final String ATTR_PKCS12 = "pkcs12"; - public static final String ATTR_ENCRYPTION_CERTS = - "encryptionCerts"; - public static final String ATTR_AGENT_CREDENTIALS = - "agentCredentials"; + public static final String ATTR_ENCRYPTION_CERTS = "encryptionCerts"; + public static final String ATTR_AGENT_CREDENTIALS = "agentCredentials"; // same as encryption certs - public static final String ATTR_USER_CERT = "cert"; + public static final String ATTR_USER_CERT = "cert"; public static final String ATTR_DELIVERY = "delivery"; private IKeyRecoveryAuthority mKRA = null; @@ -81,13 +78,9 @@ public class TokenKeyRecoveryService implements IService { private IStorageKeyUnit mStorageUnit = null; private ITransportKeyUnit mTransportUnit = null; - private final static String - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; - private final static String - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); /** @@ -97,15 +90,15 @@ public class TokenKeyRecoveryService implements IService { mKRA = kra; mStorage = mKRA.getKeyRepository(); mStorageUnit = mKRA.getStorageKeyUnit(); - mTransportUnit = kra.getTransportKeyUnit(); + mTransportUnit = kra.getTransportKeyUnit(); } - /** + /** * Process the HTTP request. - * + * * @param s The URL to decode */ - protected String URLdecode(String s) { + protected String URLdecode(String s) { if (s == null) return null; ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); @@ -125,11 +118,11 @@ public class TokenKeyRecoveryService implements IService { } } // end for return out.toString(); - } + } public static String normalizeCertStr(String s) { String val = ""; - + for (int i = 0; i < s.length(); i++) { if (s.charAt(i) == '\\') { i++; @@ -151,11 +144,8 @@ public class TokenKeyRecoveryService implements IService { // All this streaming is lame, but Base64OutputStream needs a // PrintStream ByteArrayOutputStream output = new ByteArrayOutputStream(); - Base64OutputStream b64 = new Base64OutputStream(new - PrintStream(new - FilterOutputStream(output) - ) - ); + Base64OutputStream b64 = new Base64OutputStream(new PrintStream( + new FilterOutputStream(output))); b64.write(bytes); b64.flush(); @@ -166,35 +156,30 @@ public class TokenKeyRecoveryService implements IService { } // this encrypts bytes with a symmetric key - public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token, - IVParameterSpec IV) - { - try { - Cipher cipher = token.getCipherContext( - EncryptionAlgorithm.DES3_CBC_PAD); - - cipher.initEncrypt(symKey, IV); - byte pri[] = cipher.doFinal(toBeEncrypted); - return pri; - } catch (Exception e) { - CMS.debug("initEncrypt() threw exception: "+e.toString()); + public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, + CryptoToken token, IVParameterSpec IV) { + try { + Cipher cipher = token + .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); + + cipher.initEncrypt(symKey, IV); + byte pri[] = cipher.doFinal(toBeEncrypted); + return pri; + } catch (Exception e) { + CMS.debug("initEncrypt() threw exception: " + e.toString()); return null; } } - /** - * Processes a recovery request. The method reads - * the key record from the database, and tries to recover the - * key with the storage key unit. Once recovered, it wraps it - * with desKey - * In the params - * - cert is used for recovery record search - * - cuid may be used for additional validation check - * - userid may be used for additional validation check - * - wrappedDesKey is used for wrapping recovered private key - * + * Processes a recovery request. The method reads the key record from the + * database, and tries to recover the key with the storage key unit. Once + * recovered, it wraps it with desKey In the params - cert is used for + * recovery record search - cuid may be used for additional validation check + * - userid may be used for additional validation check - wrappedDesKey is + * used for wrapping recovered private key + * * @param request recovery request * @return operation success or not * @exception EBaseException failed to serve @@ -205,59 +190,60 @@ public class TokenKeyRecoveryService implements IService { String auditRequesterID = "TPSagent"; String auditRecoveryID = ILogger.UNIDENTIFIED; String auditPublicKey = ILogger.UNIDENTIFIED; - String iv_s =""; + String iv_s = ""; CMS.debug("KRA services token key recovery request"); byte[] wrapped_des_key; - byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1}; + byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; try { SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); random.nextBytes(iv); } catch (Exception e) { - CMS.debug("TokenKeyRecoveryService.serviceRequest: "+ e.toString()); + CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString()); } String id = request.getRequestId().toString(); if (id != null) { auditRecoveryID = id.trim(); } - SessionContext sContext = SessionContext.getContext(); - String agentId=""; - if (sContext != null) { - agentId = - (String) sContext.get(SessionContext.USER_ID); - } - - Hashtable params = mKRA.getVolatileRequest( - request.getRequestId()); + SessionContext sContext = SessionContext.getContext(); + String agentId = ""; + if (sContext != null) { + agentId = (String) sContext.get(SessionContext.USER_ID); + } + Hashtable params = mKRA.getVolatileRequest(request.getRequestId()); if (params == null) { // possibly we are in recovery mode - CMS.debug("getVolatileRequest params null"); - // return true; + CMS.debug("getVolatileRequest params null"); + // return true; } wrapped_des_key = null; - PK11SymKey sk= null; + PK11SymKey sk = null; String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID); - String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID); - String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); - auditSubjectID=rCUID+":"+rUserid; - - CMS.debug("TokenKeyRecoveryService: received DRM-trans-wrapped des key ="+rWrappedDesKeyString); - wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString); + String rUserid = request + .getExtDataInString(IRequest.NETKEY_ATTR_USERID); + String rWrappedDesKeyString = request + .getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); + auditSubjectID = rCUID + ":" + rUserid; + + CMS.debug("TokenKeyRecoveryService: received DRM-trans-wrapped des key =" + + rWrappedDesKeyString); + wrapped_des_key = com.netscape.cmsutil.util.Utils + .SpecialDecode(rWrappedDesKeyString); CMS.debug("TokenKeyRecoveryService: wrapped_des_key specialDecoded"); - if ((wrapped_des_key != null) && - (wrapped_des_key.length > 0)) { + if ((wrapped_des_key != null) && (wrapped_des_key.length > 0)) { // unwrap the des key - sk = (PK11SymKey) mTransportUnit.unwrap_encrypt_sym(wrapped_des_key); + sk = (PK11SymKey) mTransportUnit + .unwrap_encrypt_sym(wrapped_des_key); if (sk == null) { CMS.debug("TokenKeyRecoveryService: no des key"); @@ -269,11 +255,8 @@ public class TokenKeyRecoveryService implements IService { CMS.debug("TokenKeyRecoveryService: not receive des key"); request.setExtData(IRequest.RESULT, Integer.valueOf(4)); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); audit(auditMessage); return false; @@ -285,11 +268,8 @@ public class TokenKeyRecoveryService implements IService { CMS.debug("TokenKeyRecoveryService: not receive cert"); request.setExtData(IRequest.RESULT, Integer.valueOf(3)); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); audit(auditMessage); return false; @@ -298,15 +278,13 @@ public class TokenKeyRecoveryService implements IService { String cert = normalizeCertStr(cert_s); java.security.cert.X509Certificate x509cert = null; try { - x509cert= (java.security.cert.X509Certificate) Cert.mapCert(cert); + x509cert = (java.security.cert.X509Certificate) Cert.mapCert(cert); if (x509cert == null) { CMS.debug("cert mapping failed"); request.setExtData(IRequest.RESULT, Integer.valueOf(5)); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); audit(auditMessage); @@ -316,301 +294,289 @@ public class TokenKeyRecoveryService implements IService { CMS.debug("TokenKeyRecoveryService: mapCert failed"); request.setExtData(IRequest.RESULT, Integer.valueOf(6)); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); audit(auditMessage); return false; } - try { - /* - CryptoToken internalToken = - CryptoManager.getInstance().getInternalKeyStorageToken(); - */ - CryptoToken token = mStorageUnit.getToken(); - CMS.debug("TokenKeyRecoveryService: got token slot:"+token.getName()); - IVParameterSpec algParam = new IVParameterSpec(iv); - - Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); - - KeyRecord keyRecord = null; - CMS.debug( "KRA reading key record"); - try { - keyRecord = (KeyRecord) mStorage.readKeyRecord(cert); - if (keyRecord != null) - CMS.debug("read key record"); - else { - CMS.debug("key record not found"); - request.setExtData(IRequest.RESULT, Integer.valueOf(8)); - auditMessage = CMS.getLogMessage( + try { + /* + * CryptoToken internalToken = + * CryptoManager.getInstance().getInternalKeyStorageToken(); + */ + CryptoToken token = mStorageUnit.getToken(); + CMS.debug("TokenKeyRecoveryService: got token slot:" + + token.getName()); + IVParameterSpec algParam = new IVParameterSpec(iv); + + Cipher cipher = token + .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); + + KeyRecord keyRecord = null; + CMS.debug("KRA reading key record"); + try { + keyRecord = (KeyRecord) mStorage.readKeyRecord(cert); + if (keyRecord != null) + CMS.debug("read key record"); + else { + CMS.debug("key record not found"); + request.setExtData(IRequest.RESULT, Integer.valueOf(8)); + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, ILogger.FAILURE, + auditRecoveryID, agentId); + + audit(auditMessage); + return false; + } + } catch (Exception e) { + com.netscape.cmscore.util.Debug.printStackTrace(e); + request.setExtData(IRequest.RESULT, Integer.valueOf(9)); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - return false; - } - }catch (Exception e) { - com.netscape.cmscore.util.Debug.printStackTrace(e); - request.setExtData(IRequest.RESULT, Integer.valueOf(9)); - auditMessage = CMS.getLogMessage( + audit(auditMessage); + return false; + } + + // see if the owner name matches (cuid:userid) -XXX need make this + // optional + String owner = keyRecord.getOwnerName(); + CMS.debug("TokenKeyRecoveryService: owner name on record =" + owner); + CMS.debug("TokenKeyRecoveryService: owner name from TPS =" + rCUID + + ":" + rUserid); + if (owner != null) { + if (owner.equals(rCUID + ":" + rUserid)) { + CMS.debug("TokenKeyRecoveryService: owner name matches"); + } else { + CMS.debug("TokenKeyRecoveryService: owner name mismatches"); + } + } + + // see if the certificate matches the key + byte pubData[] = keyRecord.getPublicKeyData(); + byte inputPubData[] = x509cert.getPublicKey().getEncoded(); + + if (inputPubData.length != pubData.length) { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - return false; - } - - // see if the owner name matches (cuid:userid) -XXX need make this optional - String owner = keyRecord.getOwnerName(); - CMS.debug("TokenKeyRecoveryService: owner name on record =" +owner); - CMS.debug("TokenKeyRecoveryService: owner name from TPS =" +rCUID+":"+rUserid); - if (owner != null) { - if (owner.equals(rCUID+":"+rUserid)) { - CMS.debug("TokenKeyRecoveryService: owner name matches"); - } else { - CMS.debug("TokenKeyRecoveryService: owner name mismatches"); - } - } - - // see if the certificate matches the key - byte pubData[] = keyRecord.getPublicKeyData(); - byte inputPubData[] = x509cert.getPublicKey().getEncoded(); - - if (inputPubData.length != pubData.length) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); - auditMessage = CMS.getLogMessage( + audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); + } + + for (int i = 0; i < pubData.length; i++) { + if (pubData[i] != inputPubData[i]) { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + auditMessage = CMS + .getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, ILogger.FAILURE, + auditRecoveryID, agentId); + + audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); + } + } + + // Unwrap the archived private key + byte privateKeyData[] = null; + privateKeyData = recoverKey(params, keyRecord); + if (privateKeyData == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting private key"); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); - } + audit(auditMessage); + return false; + } + CMS.debug("TokenKeyRecoveryService: got private key...about to verify"); + + iv_s = /* base64Encode(iv); */com.netscape.cmsutil.util.Utils + .SpecialEncode(iv); + request.setExtData("iv_s", iv_s); + + CMS.debug("request.setExtData: iv_s: " + iv_s); + + /* LunaSA returns data with padding which we need to remove */ + ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData); + DerValue dv = new DerValue(dis); + byte p[] = dv.toByteArray(); + int l = p.length; + CMS.debug("length different data length=" + l + " real length=" + + privateKeyData.length); + if (l != privateKeyData.length) { + privateKeyData = p; + } - for (int i = 0; i < pubData.length; i++) { - if (pubData[i] != inputPubData[i]) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); - auditMessage = CMS.getLogMessage( + if (verifyKeyPair(pubData, privateKeyData) == false) { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); - } - } - - // Unwrap the archived private key - byte privateKeyData[] = null; - privateKeyData = recoverKey(params, keyRecord); - if (privateKeyData == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting private key"); - auditMessage = CMS.getLogMessage( + audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); + } else { + CMS.debug("TokenKeyRecoveryService: private key verified with public key"); + } + + // encrypt and put in private key + cipher.initEncrypt(sk, algParam); + byte wrapped[] = cipher.doFinal(privateKeyData); + + String wrappedPrivKeyString = com.netscape.cmsutil.util.Utils + .SpecialEncode(wrapped); + if (wrappedPrivKeyString == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - return false; - } - CMS.debug("TokenKeyRecoveryService: got private key...about to verify"); - - iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); - request.setExtData("iv_s", iv_s); - - CMS.debug("request.setExtData: iv_s: " + iv_s); - - /* LunaSA returns data with padding which we need to remove */ - ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData); - DerValue dv = new DerValue(dis); - byte p[] = dv.toByteArray(); - int l = p.length; - CMS.debug("length different data length=" + l + - " real length=" + privateKeyData.length ); - if (l != privateKeyData.length) { - privateKeyData = p; - } + audit(auditMessage); + return false; + } else { + CMS.debug("TokenKeyRecoveryService: got private key data wrapped"); + request.setExtData("wrappedUserPrivate", wrappedPrivKeyString); + request.setExtData(IRequest.RESULT, Integer.valueOf(1)); + CMS.debug("TokenKeyRecoveryService: key for " + rCUID + ":" + + rUserid + " recovered"); + } + + // convert and put in the public key + String b64PKey = base64Encode(pubData); - if (verifyKeyPair(pubData, privateKeyData) == false) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, auditSubjectID, + ILogger.SUCCESS, auditRecoveryID, b64PKey); audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); - } else { - CMS.debug("TokenKeyRecoveryService: private key verified with public key"); - } - - //encrypt and put in private key - cipher.initEncrypt(sk, algParam); - byte wrapped[] = cipher.doFinal(privateKeyData); - - String wrappedPrivKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped); - if (wrappedPrivKeyString == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); - auditMessage = CMS.getLogMessage( + + if (b64PKey == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, + auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - return false; - } else { - CMS.debug("TokenKeyRecoveryService: got private key data wrapped"); - request.setExtData("wrappedUserPrivate", - wrappedPrivKeyString); - request.setExtData(IRequest.RESULT, Integer.valueOf(1)); - CMS.debug( "TokenKeyRecoveryService: key for " +rCUID+":"+rUserid +" recovered"); - } - - //convert and put in the public key - String b64PKey = base64Encode(pubData); - - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, - b64PKey); - audit(auditMessage); - - if (b64PKey == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); + return false; + } else { + CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = " + + b64PKey); + } + request.setExtData("public_key", b64PKey); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, ILogger.SUCCESS, auditRecoveryID, agentId); audit(auditMessage); - return false; - } else { - CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = "+ - b64PKey); - } - request.setExtData("public_key", b64PKey); - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, - agentId); - - audit(auditMessage); - return true; + return true; - } catch (Exception e) { - CMS.debug("TokenKeyRecoveryService: " + e.toString()); - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - } + } catch (Exception e) { + CMS.debug("TokenKeyRecoveryService: " + e.toString()); + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + } return true; } - public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) - { - try { - DerValue publicKeyVal = new DerValue(publicKeyData); - DerInputStream publicKeyIn = publicKeyVal.data; - publicKeyIn.getSequence(0); - DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); - DerInputStream publicKeyDerIn = publicKeyDer.data; - BigInt publicKeyModulus = publicKeyDerIn.getInteger(); - BigInt publicKeyExponent = publicKeyDerIn.getInteger(); - - DerValue privateKeyVal = new DerValue(privateKeyData); - if (privateKeyVal.tag != DerValue.tag_Sequence) - return false; - DerInputStream privateKeyIn = privateKeyVal.data; - privateKeyIn.getInteger(); - privateKeyIn.getSequence(0); - DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); - DerInputStream privateKeyDerIn = privateKeyDer.data; - BigInt privateKeyVersion = privateKeyDerIn.getInteger(); - BigInt privateKeyModulus = privateKeyDerIn.getInteger(); - BigInt privateKeyExponent = privateKeyDerIn.getInteger(); - - if (!publicKeyModulus.equals(privateKeyModulus)) { - CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus); - return false; - } - - if (!publicKeyExponent.equals(privateKeyExponent)) { - CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent); - return false; - } - - return true; - } catch (Exception e) { - CMS.debug("verifyKeyPair error " + e); - return false; - } + public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) { + try { + DerValue publicKeyVal = new DerValue(publicKeyData); + DerInputStream publicKeyIn = publicKeyVal.data; + publicKeyIn.getSequence(0); + DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); + DerInputStream publicKeyDerIn = publicKeyDer.data; + BigInt publicKeyModulus = publicKeyDerIn.getInteger(); + BigInt publicKeyExponent = publicKeyDerIn.getInteger(); + + DerValue privateKeyVal = new DerValue(privateKeyData); + if (privateKeyVal.tag != DerValue.tag_Sequence) + return false; + DerInputStream privateKeyIn = privateKeyVal.data; + privateKeyIn.getInteger(); + privateKeyIn.getSequence(0); + DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); + DerInputStream privateKeyDerIn = privateKeyDer.data; + BigInt privateKeyVersion = privateKeyDerIn.getInteger(); + BigInt privateKeyModulus = privateKeyDerIn.getInteger(); + BigInt privateKeyExponent = privateKeyDerIn.getInteger(); + + if (!publicKeyModulus.equals(privateKeyModulus)) { + CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + + publicKeyModulus + " privateKeyModulus=" + + privateKeyModulus); + return false; + } + + if (!publicKeyExponent.equals(privateKeyExponent)) { + CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + + publicKeyExponent + " privateKeyExponent=" + + privateKeyExponent); + return false; + } + + return true; + } catch (Exception e) { + CMS.debug("verifyKeyPair error " + e); + return false; + } } - + /** * Recovers key. */ - public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) - throws EBaseException { - /* - Credential creds[] = (Credential[]) - request.get(ATTR_AGENT_CREDENTIALS); - - mStorageUnit.login(creds); - */ - CMS.debug( "KRA decrypts internal private"); - byte privateKeyData[] = - mStorageUnit.decryptInternalPrivate( - keyRecord.getPrivateKeyData()); - /* - mStorageUnit.logout(); - */ + public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) + throws EBaseException { + /* + * Credential creds[] = (Credential[]) + * request.get(ATTR_AGENT_CREDENTIALS); + * + * mStorageUnit.login(creds); + */ + CMS.debug("KRA decrypts internal private"); + byte privateKeyData[] = mStorageUnit.decryptInternalPrivate(keyRecord + .getPrivateKeyData()); + /* + * mStorageUnit.logout(); + */ if (privateKeyData == null) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); + throw new EKRAException(CMS.getUserMessage( + "CMS_KRA_RECOVERY_FAILED_1", "no private key")); } return privateKeyData; } + /** - * Signed Audit Log - *y - * This method is called to store messages to the signed audit log. + * Signed Audit Log y This method is called to store messages to the signed + * audit log. * <P> - * + * * @param msg signed audit log message */ private void audit(String msg) { @@ -621,11 +587,8 @@ public class TokenKeyRecoveryService implements IService { return; } - mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, - null, - ILogger.S_SIGNED_AUDIT, - ILogger.LL_SECURITY, - msg); + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null, + ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg); } } diff --git a/pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java index 86b2dbfc7..ed6662ba3 100644 --- a/pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java +++ b/pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java @@ -34,16 +34,15 @@ import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.cmsutil.util.Cert; - /** - * A class represents the transport key pair. This key pair - * is used to protected EE's private key in transit. - * + * A class represents the transport key pair. This key pair is used to protected + * EE's private key in transit. + * * @author thomask * @version $Revision$, $Date$ */ -public class TransportKeyUnit extends EncryptionUnit implements - ISubsystem, ITransportKeyUnit { +public class TransportKeyUnit extends EncryptionUnit implements ISubsystem, + ITransportKeyUnit { public static final String PROP_NICKNAME = "nickName"; public static final String PROP_SIGNING_ALGORITHM = "signingAlgorithm"; @@ -72,14 +71,15 @@ public class TransportKeyUnit extends EncryptionUnit implements * Sets subsystem identifier. */ public void setId(String id) throws EBaseException { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_OPERATION")); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_OPERATION")); } /** * Initializes this subsystem. */ - public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { + public void init(ISubsystem owner, IConfigStore config) + throws EBaseException { mConfig = config; try { mManager = CryptoManager.getInstance(); @@ -87,21 +87,24 @@ public class TransportKeyUnit extends EncryptionUnit implements String algo = config.getString("signingAlgorithm", "SHA256withRSA"); // #613795 - initialize this; otherwise JSS is not happy - CryptoToken token = getToken(); + CryptoToken token = getToken(); SignatureAlgorithm sigalg = Cert.mapAlgorithmToJss(algo); - Signature signer = token.getSignatureContext(sigalg); + Signature signer = token.getSignatureContext(sigalg); signer.initSign(getPrivateKey()); - } catch (org.mozilla.jss.CryptoManager.NotInitializedException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", e.toString())); } catch (TokenException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", e.toString())); } catch (ObjectNotFoundException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", e.toString())); } catch (Exception e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", e.toString())); } } @@ -115,7 +118,7 @@ public class TransportKeyUnit extends EncryptionUnit implements public CryptoToken getToken() { // 390148: returning the token that owns the private - // key. + // key. return getPrivateKey().getOwningToken(); } @@ -130,7 +133,7 @@ public class TransportKeyUnit extends EncryptionUnit implements */ public void shutdown() { } - + /** * Returns the configuration store of this token. */ @@ -191,7 +194,7 @@ public class TransportKeyUnit extends EncryptionUnit implements * Verifies the integrity of the given key pair. */ public void verify(byte publicKey[], PrivateKey privateKey) - throws EBaseException { + throws EBaseException { // XXX } } |