-rw-r--r--base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java126
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java67
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java37
3 files changed, 125 insertions, 105 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java b/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java
index 5d882f7a6..92389c021 100644
--- a/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java
@@ -2,11 +2,9 @@ package com.netscape.cmstools.key;
import java.io.File;
import java.io.FileInputStream;
-import java.io.FileNotFoundException;
import java.util.Arrays;
import javax.xml.bind.JAXBContext;
-import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import javax.xml.bind.Unmarshaller;
@@ -54,7 +52,7 @@ public class KeyRetrieveCLI extends CLI {
options.addOption(option);
}
- public void execute(String[] args) {
+ public void execute(String[] args) throws Exception {
// Always check for "--help" prior to parsing
if (Arrays.asList(args).contains("--help")) {
// Display usage
@@ -81,95 +79,73 @@ public class KeyRetrieveCLI extends CLI {
System.exit(-1);
}
- if(cmd.getOptions().length==0){
+ if (cmd.getOptions().length == 0) {
System.err.println("Error: Incorrect number of parameters provided.");
printHelp();
System.exit(-1);
}
+
String requestFile = cmd.getOptionValue("input");
Key keyData = null;
if (requestFile != null) {
- try {
- JAXBContext context = JAXBContext.newInstance(KeyRecoveryRequest.class);
- Unmarshaller unmarshaller = context.createUnmarshaller();
- FileInputStream fis = new FileInputStream(requestFile);
- KeyRecoveryRequest req = (KeyRecoveryRequest) unmarshaller.unmarshal(fis);
-
- if (req.getKeyId() == null) {
- System.err.println("Error: Key Id must be specified in the request file.");
- System.exit(-1);
- }
- if (req.getCertificate() != null) {
- keyData = keyCLI.keyClient.retrieveKeyByPKCS12(req.getKeyId(), req.getCertificate(),
- req.getPassphrase());
- } else if (req.getPassphrase() != null) {
- keyData = keyCLI.keyClient.retrieveKeyByPassphrase(req.getKeyId(), req.getPassphrase());
- } else if (req.getSessionWrappedPassphrase() != null) {
- keyData = keyCLI.keyClient.retrieveKeyUsingWrappedPassphrase(req.getKeyId(),
- Utils.base64decode(req.getTransWrappedSessionKey()),
- Utils.base64decode(req.getSessionWrappedPassphrase()),
- Utils.base64decode(req.getNonceData()));
- } else if (req.getTransWrappedSessionKey() != null) {
- keyData = keyCLI.keyClient.retrieveKey(req.getKeyId(),
- Utils.base64decode(req.getTransWrappedSessionKey()));
- } else {
- keyData = keyCLI.keyClient.retrieveKey(req.getKeyId());
- }
- } catch (JAXBException e) {
- System.err.println("Error: Cannot parse the request file.");
- if (verbose)
- e.printStackTrace();
- System.exit(-1);
- } catch (FileNotFoundException e) {
- System.err.println("Error: Cannot locate file at path: " + requestFile);
- if (verbose)
- e.printStackTrace();
- System.exit(-1);
- } catch (Exception e) {
- System.err.println(e.getMessage());
- if (verbose)
- e.printStackTrace();
+ JAXBContext context = JAXBContext.newInstance(KeyRecoveryRequest.class);
+ Unmarshaller unmarshaller = context.createUnmarshaller();
+ FileInputStream fis = new FileInputStream(requestFile);
+ KeyRecoveryRequest req = (KeyRecoveryRequest) unmarshaller.unmarshal(fis);
+
+ if (req.getKeyId() == null) {
+ System.err.println("Error: Key ID must be specified in the request file.");
System.exit(-1);
}
+ if (req.getCertificate() != null) {
+ keyData = keyCLI.keyClient.retrieveKeyByPKCS12(req.getKeyId(), req.getCertificate(),
+ req.getPassphrase());
+
+ } else if (req.getPassphrase() != null) {
+ keyData = keyCLI.keyClient.retrieveKeyByPassphrase(req.getKeyId(), req.getPassphrase());
+
+ } else if (req.getSessionWrappedPassphrase() != null) {
+ keyData = keyCLI.keyClient.retrieveKeyUsingWrappedPassphrase(req.getKeyId(),
+ Utils.base64decode(req.getTransWrappedSessionKey()),
+ Utils.base64decode(req.getSessionWrappedPassphrase()),
+ Utils.base64decode(req.getNonceData()));
+
+ } else if (req.getTransWrappedSessionKey() != null) {
+ keyData = keyCLI.keyClient.retrieveKey(req.getKeyId(),
+ Utils.base64decode(req.getTransWrappedSessionKey()));
+
+ } else {
+ keyData = keyCLI.keyClient.retrieveKey(req.getKeyId());
+ }
+
} else {
// Using command line options.
String keyId = cmd.getOptionValue("keyID");
String passphrase = cmd.getOptionValue("passphrase");
- try {
- if (passphrase != null) {
- keyData = keyCLI.keyClient.retrieveKeyByPassphrase(new KeyId(keyId), passphrase);
- } else {
- keyData = keyCLI.keyClient.retrieveKey(new KeyId(keyId));
- clientEncryption = false;
-
- // No need to return the encrypted data since encryption
- //is done locally.
- keyData.setEncryptedData(null);
- }
- } catch (Exception e) {
- System.err.println(e.getMessage());
- if (verbose)
- e.printStackTrace();
- System.exit(-1);
+
+ if (passphrase != null) {
+ keyData = keyCLI.keyClient.retrieveKeyByPassphrase(new KeyId(keyId), passphrase);
+
+ } else {
+ keyData = keyCLI.keyClient.retrieveKey(new KeyId(keyId));
+ clientEncryption = false;
+
+ // No need to return the encrypted data since encryption
+ // is done locally.
+ keyData.setEncryptedData(null);
}
}
String outputFilePath = cmd.getOptionValue("output");
if (outputFilePath != null) {
- try {
- JAXBContext context = JAXBContext.newInstance(Key.class);
- Marshaller marshaller = context.createMarshaller();
- marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
- marshaller.marshal(keyData, new File(outputFilePath));
- } catch (JAXBException e) {
- System.err.println(e.getMessage());
- if (verbose)
- e.printStackTrace();
- System.exit(-1);
- }
+ JAXBContext context = JAXBContext.newInstance(Key.class);
+ Marshaller marshaller = context.createMarshaller();
+ marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
+ marshaller.marshal(keyData, new File(outputFilePath));
+
} else {
MainCLI.printMessage("Retrieve Key Information");
printKeyData(keyData);
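Review bot: The stream opened at `FileInputStream fis = new FileInputStream(requestFile);` is never closed; the removed try/catch did not close it either, but now that execute() declares `throws Exception` the read can be scoped with try-with-resources, e.g. `KeyRecoveryRequest req;` followed by `try (FileInputStream fis = new FileInputStream(requestFile)) { req = (KeyRecoveryRequest) unmarshaller.unmarshal(fis); }`. Dropping the FileNotFoundException handler also removes the "Cannot locate file at path" message, so how a missing input file is reported now depends on the caller of execute(), which is not in this diff. The execute() method begins in the previous hunk and its remainder is outside this one.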
@@ -180,10 +156,14 @@ public class KeyRetrieveCLI extends CLI {
System.out.println(" Key Algorithm: " + key.getAlgorithm());
System.out.println(" Key Size: " + key.getSize());
System.out.println(" Nonce data: " + Utils.base64encode(key.getNonceData()));
- if(clientEncryption)
+
+ if (clientEncryption) {
System.out.println(" Encrypted Data:" + Utils.base64encode(key.getEncryptedData()));
- if (!clientEncryption)
+
+ } else {
System.out.println(" Actual archived data: " + Utils.base64encode(key.getData()));
+ }
+
if (key.getP12Data() != null) {
System.out.println(" Key data in PKCS12 format: " + key.getP12Data());
}
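Review bot: The label in the new `if (clientEncryption)` branch, `" Encrypted Data:"`, is the only one in printKeyData without a space after the colon; for consistent output use `System.out.println(" Encrypted Data: " + Utils.base64encode(key.getEncryptedData()));`. The signature of printKeyData is outside this hunk.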
diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
index 752c8dff5..b2449677f 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
@@ -117,6 +117,8 @@ public class SecurityDataRecoveryService implements IService {
public boolean serviceRequest(IRequest request)
throws EBaseException {
+ CMS.debug("SecurityDataRecoveryService.serviceRequest()");
+
//Pave the way for allowing generated IV vector
byte iv[]= null;
byte iv_default[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
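Review bot: The context lines still carry a constant default IV, `byte iv_default[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };`, and later hunks feed `iv` into DES3_CBC_PAD wrap and encrypt operations via `new IVParameterSpec(iv)`. If `iv` falls back to `iv_default` whenever the request carries no `SECURITY_DATA_IV_STRING_IN` (the assignment is outside this hunk), every such recovery reuses the same IV with a per-request key; generating it from `SecureRandom` in that case and returning it in `SECURITY_DATA_IV_STRING_OUT` as already happens with `ivStr` would close that gap. The existing comment `//Pave the way for allowing generated IV vector` suggests this was already planned; a reviewer would ask for a TODO with an issue reference or for the change itself.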
@@ -130,28 +132,34 @@ public class SecurityDataRecoveryService implements IService {
BigInteger serialno = request.getExtDataInBigInteger(ATTR_SERIALNO);
request.setExtData(ATTR_KEY_RECORD, serialno);
RequestId requestID = request.getRequestId();
+
if (params == null) {
- CMS.debug("Can't get volatile params.");
+ CMS.debug("SecurityDataRecoveryService: Can't get volatile params.");
auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
"cannot get volatile params");
throw new EBaseException("Can't obtain volatile params!");
}
- byte[] wrappedPassPhrase = null;
- byte[] wrappedSessKey = null;
+
String transWrappedSessKeyStr = (String) params.get(IRequest.SECURITY_DATA_TRANS_SESS_KEY);
+ byte[] wrappedSessKey = null;
if (transWrappedSessKeyStr != null) {
wrappedSessKey = Utils.base64decode(transWrappedSessKeyStr);
}
+
String sessWrappedPassPhraseStr = (String) params.get(IRequest.SECURITY_DATA_SESS_PASS_PHRASE);
+ byte[] wrappedPassPhrase = null;
if (sessWrappedPassPhraseStr != null) {
wrappedPassPhrase = Utils.base64decode(sessWrappedPassPhraseStr);
}
+
String ivInStr = (String) params.get(IRequest.SECURITY_DATA_IV_STRING_IN);
if (ivInStr != null) {
iv_in = Utils.base64decode(ivInStr);
}
+
if (transWrappedSessKeyStr == null && sessWrappedPassPhraseStr == null) {
//We may be in recovery case where no params were initially submitted.
+ CMS.debug("SecurityDataRecoveryService: No params provided.");
return false;
}
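Review bot: The guard `if (transWrappedSessKeyStr == null && sessWrappedPassPhraseStr == null)` only rejects a request that supplies neither parameter, so a request with a session-wrapped passphrase but no transport-wrapped session key passes through with `wrappedSessKey` still null, and the passphrase branch in a later hunk then calls `mTransportUnit.unwrap_sym(wrappedSessKey, ...)` with that null. Unless unwrap_sym itself rejects null with a clear error, this surfaces as a generic "Cannot unwrap passphrase" failure; an explicit check such as `if (sessWrappedPassPhraseStr != null && transWrappedSessKeyStr == null)` that records an `ILogger.FAILURE` audit entry and throws an EBaseException naming the missing parameter, placed right after the existing guard, would make the failure visible in the audit trail. Also note that the `return false` path for "No params provided" writes a debug line but no audit record, which may be intended for the no-params recovery case described in the comment. The serviceRequest method starts in the previous hunk.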
@@ -168,35 +176,43 @@ public class SecurityDataRecoveryService implements IService {
KeyRecord keyRecord = (KeyRecord) mStorage.readKeyRecord(serialno);
- SymmetricKey unwrappedSess = null;
String dataType = (String) keyRecord.get(IKeyRecord.ATTR_DATA_TYPE);
+ if (dataType == null) dataType = KeyRequestResource.ASYMMETRIC_KEY_TYPE;
+
+ SymmetricKey unwrappedSess = null;
SymmetricKey symKey = null;
byte[] unwrappedSecData = null;
PrivateKey privateKey = null;
+
if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
symKey = recoverSymKey(keyRecord);
} else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
unwrappedSecData = recoverSecurityData(keyRecord);
+
} else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
try {
privateKey = mStorageUnit.unwrap(keyRecord.getPrivateKeyData(),
X509Key.parsePublicKey(new DerValue(keyRecord.getPublicKeyData())));
+
} catch (IOException e) {
- e.printStackTrace();
- CMS.debug("Cannot unwrap stored private key.");
- throw new EBaseException("Cannot fetch the private key from the database.");
+ throw new EBaseException("Cannot fetch the private key from the database.", e);
}
+
} else {
throw new EBaseException("Invalid data type stored in the database.");
}
+
CryptoToken ct = mTransportUnit.getToken();
byte[] key_data = null;
String pbeWrappedData = null;
- if (sessWrappedPassPhraseStr != null) { //We have a trans wrapped pass phrase, we will be doing PBE packaging
+
+ if (sessWrappedPassPhraseStr != null) {
+ CMS.debug("SecurityDataRecoveryService: secure retrieved data with tranport passphrase");
byte[] unwrappedPass = null;
Password pass = null;
+
try {
unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.DECRYPT);
Cipher decryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
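Review bot: The two new-side throws in the data-type dispatch, `throw new EBaseException("Cannot fetch the private key from the database.", e);` and `throw new EBaseException("Invalid data type stored in the database.");`, leave the recovery request without a failure audit record, whereas every other failure path in this method calls `auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), ...)` before throwing; adding the same call in front of each keeps the audit trail complete for rejected recoveries. The one-line `if (dataType == null) dataType = KeyRequestResource.ASYMMETRIC_KEY_TYPE;` silently changes how records with no data type are handled and is the only unbraced `if` in the method; a `CMS.debug` noting the default and braces like the surrounding code would help. The debug string `"... secure retrieved data with tranport passphrase"` has a typo: `transport`. The surrounding if/else continues into the next hunk.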
@@ -207,12 +223,15 @@ public class SecurityDataRecoveryService implements IService {
passStr = null;
if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
+ CMS.debug("SecurityDataRecoveryService: wrap stored symmetric key with transport passphrase");
pbeWrappedData = createEncryptedContentInfo(ct, symKey, null, null,
pass);
} else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)){
+ CMS.debug("SecurityDataRecoveryService: encrypt stored passphrase with transport passphrase");
pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null,
pass);
} else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
+ CMS.debug("SecurityDataRecoveryService: wrap stored private key with transport passphrase");
pbeWrappedData = createEncryptedContentInfo(ct, null, null, privateKey,
pass);
}
@@ -222,73 +241,81 @@ public class SecurityDataRecoveryService implements IService {
} catch (Exception e) {
auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
"Cannot unwrap passphrase");
- throw new EBaseException("Can't unwrap pass phase! " + e.toString());
+ throw new EBaseException("Cannot unwrap passphrase: " + e, e);
+
} finally {
- if ( pass != null) {
+ if (pass != null) {
pass.clear();
}
- if ( unwrappedPass != null) {
+ if (unwrappedPass != null) {
java.util.Arrays.fill(unwrappedPass, (byte) 0);
}
}
- } else { // No trans wrapped pass phrase, return session wrapped data.
+ } else {
+ CMS.debug("SecurityDataRecoveryService: secure retrieved data with session key");
+
if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
- //wrap the key with session key
+ CMS.debug("SecurityDataRecoveryService: wrap stored symmetric key with session key");
try {
unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.WRAP);
KeyWrapper wrapper = ct.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv));
key_data = wrapper.wrap(symKey);
+
} catch (Exception e) {
auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
"Cannot wrap symmetric key");
- throw new EBaseException("Can't wrap symmetric key! " + e.toString());
+ throw new EBaseException("Cannot wrap symmetric key: " + e, e);
}
} else if (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
+ CMS.debug("SecurityDataRecoveryService: encrypt stored passphrase with session key");
try {
unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.ENCRYPT);
Cipher encryptor = ct.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
if (encryptor != null) {
encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv));
key_data = encryptor.doFinal(unwrappedSecData);
+
} else {
auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
serialno.toString(), "Failed to create cipher");
throw new IOException("Failed to create cipher");
}
+
} catch (Exception e) {
- e.printStackTrace();
auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
- serialno.toString(), "Cannot wrap pass phrase");
- throw new EBaseException("Can't wrap pass phrase!");
+ serialno.toString(), "Cannot encrypt passphrase");
+ throw new EBaseException("Cannot encrypt passphrase: " + e, e);
}
} else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
- CMS.debug("Wrapping the private key with the session key");
+ CMS.debug("SecurityDataRecoveryService: wrap stored private key with session key");
try {
unwrappedSess = mTransportUnit.unwrap_sym(wrappedSessKey, SymmetricKey.Usage.WRAP);
KeyWrapper wrapper = ct.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv));
key_data = wrapper.wrap(privateKey);
+
} catch (Exception e) {
auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
"Cannot wrap private key");
- throw new EBaseException("Cannot wrap private key - " + e.toString());
+ throw new EBaseException("Cannot wrap private key: " + e, e);
}
}
String wrappedKeyData = Utils.base64encode(key_data);
params.put(IRequest.SECURITY_DATA_SESS_WRAPPED_DATA, wrappedKeyData);
params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr);
-
}
+
auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, serialno.toString(),
"None");
request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
mKRA.getRequestQueue().updateRequest(request);
+
return false; //return true ? TODO
}
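Review bot: The `finally` block zeroes `unwrappedPass` and clears `pass`, but `unwrappedSecData`, the recovered plaintext used at `key_data = encryptor.doFinal(unwrappedSecData);` and in the PBE path of the previous hunk, is never wiped before the method returns. Unless recoverSecurityData returns a buffer that is still referenced elsewhere (not visible here), a `finally` around the dispatch, or a line after it such as `if (unwrappedSecData != null) { java.util.Arrays.fill(unwrappedSecData, (byte) 0); }`, would give it the same treatment. The trailing `return false; //return true ? TODO` is still unresolved and now sits under a fresh success audit entry, so a short comment on why false is the right value would help the next reader. The serviceRequest method begins in an earlier hunk.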
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index 99e6471b1..f4445bb65 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -117,53 +117,66 @@ public class KeyService extends PKIService implements KeyResource {
*/
@Override
public Response retrieveKey(KeyRecoveryRequest data) {
- String method = "KeyService.retrieveKey: ";
+
+ CMS.debug("KeyService.retrieveKey()");
String auditInfo = "KeyService.retrieveKey";
- CMS.debug(method + "begins.");
+
if (data == null) {
- String msg = "Invalid request: data is null";
- CMS.debug(msg);
- auditRetrieveKey(ILogger.FAILURE, "None", "None", auditInfo + ";" + msg);
- throw new BadRequestException(method + msg);
+ String message = "Missing key recovery request";
+ CMS.debug(message);
+ auditRetrieveKey(ILogger.FAILURE, "None", "None", auditInfo + ";" + message);
+ throw new BadRequestException(message);
}
- // auth and authz
+
RequestId requestID = data.getRequestId();
- IRequest request;
- KeyId keyId = data.getKeyId();
+ CMS.debug("KeyService: request ID: " + requestID);
if (requestID != null)
auditInfo = auditInfo + ": requestID=" + requestID.toString();
+ KeyId keyId = data.getKeyId();
+ CMS.debug("KeyService: key ID: " + keyId);
if (keyId != null)
auditInfo = auditInfo + "; keyID=" + keyId.toString();
+ IRequest request;
try {
request = queue.findRequest(requestID);
+
} catch (EBaseException e) {
- e.printStackTrace();
+ CMS.debug(e);
auditRetrieveKey(ILogger.FAILURE, requestID, null, auditInfo + ";" + e.getMessage());
throw new PKIException(e.getMessage());
}
+
String type = request.getRequestType();
+ CMS.debug("KeyService: request type: " + type);
auditInfo = auditInfo + "; request type:" + type;
+
KeyData keyData;
try {
if (IRequest.KEYRECOVERY_REQUEST.equals(type)) {
keyData = recoverKey(data);
+
} else {
keyId = validateRequest(data);
keyData = getKey(keyId, data);
}
+
} catch (Exception e) {
- e.printStackTrace();
+ CMS.debug(e);
auditRetrieveKey(ILogger.FAILURE, requestID, keyId, auditInfo + ";" + e.getMessage());
throw new PKIException(e.getMessage());
}
+
if (keyData == null) {
- // no key record
+ CMS.debug("KeyService: No key record");
auditRetrieveKey(ILogger.FAILURE, requestID, keyId, auditInfo + "; No key record");
throw new HTTPGoneException("No key record.");
}
+
+ CMS.debug("KeyService: key retrieved");
+
auditRetrieveKey(ILogger.SUCCESS, requestID, keyId, auditInfo);
return createOKResponse(keyData);