4 files changed, 110 insertions, 19 deletions
diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java
index 89255ed1a..f21dcd0d7 100644
--- a/base/common/src/org/dogtagpki/common/CAInfo.java
+++ b/base/common/src/org/dogtagpki/common/CAInfo.java
@@ -54,6 +54,7 @@ public class CAInfo extends ResourceMessage {
 }
 String archivalMechanism;
+ String wrappingKeySet;
 @XmlElement(name="ArchivalMechanism")
 public String getArchivalMechanism() {
@@ -64,11 +65,21 @@ public class CAInfo extends ResourceMessage {
 this.archivalMechanism = archivalMechanism;
 }
+ @XmlElement(name="WrappingKeySet")
+ public String getWrappingKeySet() {
+ return wrappingKeySet;
+ }
+
+ public void setWrappingKeySet(String wrappingKeySet) {
+ this.wrappingKeySet = wrappingKeySet;
+ }
+
 @Override
 public int hashCode() {
 final int prime = 31;
 int result = super.hashCode();
 result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode());
+ result = prime * result + ((wrappingKeySet == null) ? 0 : wrappingKeySet.hashCode());
 return result;
 }
@@ -86,6 +97,11 @@ public class CAInfo extends ResourceMessage {
 return false;
 } else if (!archivalMechanism.equals(other.archivalMechanism))
 return false;
+ if (wrappingKeySet == null) {
+ if (other.wrappingKeySet != null)
+ return false;
+ } else if (!wrappingKeySet.equals(other.wrappingKeySet))
+ return false;
 return true;
 }
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 5d9f7f135..01685035e 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
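Review bot: The new `wrappingKeySet` property on CAInfo is undocumented although both command-line tools in this commit take cryptographic decisions from it: a value of `"0"` selects the legacy DES3-CBC path in `createCertRequest`, and a null value makes the client fall back to the `KEY_WRAP_PARAMETER_SET` environment variable. CAInfoService in this same commit returns null when the CA has no KRA connector enabled, so null is a real, expected state rather than an error. I would add a Javadoc on `getWrappingKeySet()` such as `/** Identifier of the key-wrapping parameter set the CA's KRA expects ("0" = legacy server); null when no KRA connector is configured. */`. The equals/hashCode additions are consistent with the existing archivalMechanism handling and need no change.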
@@ -40,6 +40,8 @@ import org.apache.http.HttpResponse;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.util.EntityUtils;
+import org.dogtagpki.common.CAInfo;
+import org.dogtagpki.common.CAInfoClient;
 import org.dogtagpki.common.KRAInfoResource;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.asn1.ASN1Util;
@@ -75,6 +77,9 @@ import org.mozilla.jss.pkix.primitive.Name;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 import org.mozilla.jss.util.Password;
+import com.netscape.certsrv.base.PKIException;
+import com.netscape.certsrv.client.ClientConfig;
+import com.netscape.certsrv.client.PKIClient;
 import com.netscape.cmsutil.crypto.CryptoUtil;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.HMACDigest;
@@ -187,6 +192,10 @@ public class CRMFPopClient {
 option.setArgName("keyWrap");
 options.addOption(option);
+ option = new Option("w", true, "Wrapping Keyset");
+ option.setArgName("keySet");
+ options.addOption(option);
+
 options.addOption("v", "verbose", false, "Run in verbose mode.");
 options.addOption(null, "help", false, "Show help message.");
@@ -218,6 +227,7 @@ public class CRMFPopClient {
 System.out.println(" -g <true|false> Use KeyWrapping to wrap private key (default: true)");
 System.out.println(" - true: use a key wrapping algorithm");
 System.out.println(" - false: use an encryption algorithm");
+ System.out.println(" -w <keyset_id> Key set ID to use when wrapping the private key");
 System.out.println(" -b <transport cert> PEM transport certificate (default: transport.txt)");
 System.out.println(" -v, --verbose Run in verbose mode.");
 System.out.println(" --help Show help message.");
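Review bot: The usage line added for `-w` in the @@ -218 hunk omits the two behaviours this commit attaches to the option: it is rejected with an error when a hostport is given (the CA is consulted instead), and when it is absent the value comes from the `KEY_WRAP_PARAMETER_SET` environment variable. Users reading `--help` will otherwise not know why `-w` fails or where the default comes from. Suggest `System.out.println(" -w <keyset_id> Key set ID to use when wrapping the private key (default: $KEY_WRAP_PARAMETER_SET; not allowed together with a hostport)");`. The option description `"Wrapping Keyset"` in the @@ -187 hunk could use the same wording as the usage text for consistency.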
@@ -310,6 +320,7 @@ public class CRMFPopClient {
 int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1"));
 int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1"));
+ // get the key wrapping mechanism
 boolean keyWrap = true;
 if (cmd.hasOption("g")) {
 keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g"));
@@ -319,6 +330,10 @@ public class CRMFPopClient {
 keyWrap = Boolean.parseBoolean(useKeyWrap);
 }
 }
+ String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
+ KRAInfoResource.ENCRYPT_MECHANISM;
+
+ String wrappingKeySet = cmd.getOptionValue("w");
 String output = cmd.getOptionValue("o");
@@ -326,6 +341,16 @@ public class CRMFPopClient {
 String username = cmd.getOptionValue("u");
 String requestor = cmd.getOptionValue("r");
+ if (hostPort != null) {
+ if (cmd.hasOption("g") || cmd.hasOption("w")) {
+ printError("Wrapping Key Set (-g) and keywrap (-w) options should " + "not be specified when hostport is specified. " + "CRMFPopClient will contact the server to " + "determine the correct values for these parameters");
+ System.exit(1);
+ }
+ }
+
 if (subjectDN == null) {
 printError("Missing subject DN");
 System.exit(1);
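Review bot: The error message in the @@ -326 hunk attributes the flags the wrong way round: `-g` is the keyWrap switch and `-w` is the wrapping key set (see the option definitions earlier in this commit), but the text reads "Wrapping Key Set (-g) and keywrap (-w)". Change the first fragment to `"Key wrap (-g) and wrapping key set (-w) options should "`. Note also that the check only rejects explicit command-line flags; an environment-derived `useKeyWrap` value (the @@ -319 hunk) is silently overridden by the server's answer later on, which the later comment says is intended but a verbose-mode line stating the value finally used would make visible. `hostPort` is assigned outside this hunk.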
@@ -458,11 +483,41 @@ public class CRMFPopClient {
 String kid = CryptoUtil.byte2string(id);
 System.out.println("Keypair private key id: " + kid);
- String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
- KRAInfoResource.ENCRYPT_MECHANISM;
+ if (hostPort != null) {
+ // check the CA for the required keyset and archival mechanism
+ // if found, override whatever has been set by the command line
+ // options or environment for archivalMechanism and wrappingKeySet
+
+ ClientConfig config = new ClientConfig();
+ String host = hostPort.substring(0, hostPort.indexOf(':'));
+ int port = Integer.parseInt(hostPort.substring(hostPort.indexOf(':')+1));
+ config.setServerURL("http", host, port);
+
+ PKIClient pkiclient = new PKIClient(config);
+
+ // get archival mechanism
+ CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca");
+ try {
+ CAInfo info = infoClient.getInfo();
+ archivalMechanism = info.getArchivalMechanism();
+ wrappingKeySet = info.getWrappingKeySet();
+ } catch (PKIException e) {
+ if (e.getCode() == 404) {
+ // assume this is an older server,
+ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+ wrappingKeySet = "0";
+ } else {
+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+ }
+ } catch (Exception e) {
+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+ }
+ }
+
 if (verbose) System.out.println("Creating certificate request");
 CertRequest certRequest = client.createCertRequest(
- token, transportCert, algorithm, keyPair, subject, archivalMechanism);
+ token, transportCert, algorithm, keyPair,
+ subject, archivalMechanism, wrappingKeySet);
 ProofOfPossession pop = null;
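Review bot: The `host`/`port` split in the @@ -458 hunk assumes `hostPort` contains a colon followed by digits: with no colon `indexOf` returns -1 and `substring(0, -1)` throws StringIndexOutOfBoundsException, and a non-numeric port throws NumberFormatException, both surfacing as stack traces rather than the `printError` path used for other argument problems. Guard it before use, `int sep = hostPort.lastIndexOf(':');` / `if (sep <= 0 || sep == hostPort.length() - 1) { printError("Invalid hostport: " + hostPort); System.exit(1); }`, then derive `host` and `port` from `sep` and wrap the parseInt in the same error handling. Separately, the answer is fetched over plain `http` and the 404 branch deliberately selects key set `"0"` (the DES3-CBC path in createCertRequest), so an unauthenticated or tampered response decides the wrapping algorithm; a comment such as `// NOTE: response is unauthenticated; a 404 or altered reply selects the legacy DES3 key set` would make that trust decision explicit to the next maintainer. This fetch-and-fallback block is duplicated verbatim in ClientCertRequestCLI in this commit and would be better as one shared helper. The enclosing method starts and ends outside the hunk.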
@@ -572,11 +627,15 @@ public class CRMFPopClient {
 String algorithm, KeyPair keyPair, Name subject,
- String archivalMechanism) throws Exception {
+ String archivalMechanism,
+ String wrappingKeySet) throws Exception {
 EncryptionAlgorithm encryptAlg = null;
- String keyset = System.getenv("KEY_WRAP_PARAMETER_SET");
- if (keyset != null && keyset.equalsIgnoreCase("0")) {
+ if (wrappingKeySet == null) {
+ wrappingKeySet = System.getenv("KEY_WRAP_PARAMETER_SET");
+ }
+
+ if (wrappingKeySet != null && wrappingKeySet.equalsIgnoreCase("0")) {
 // talking to an old server?
 encryptAlg = EncryptionAlgorithm.DES3_CBC;
 } else {
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index 8ca857bcb..696ab8ba3 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -29,6 +29,7 @@ import java.util.Vector;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
 import org.apache.commons.io.FileUtils;
+import org.dogtagpki.common.CAInfo;
 import org.dogtagpki.common.CAInfoClient;
 import org.dogtagpki.common.KRAInfoResource;
 import org.mozilla.jss.CryptoManager;
@@ -39,6 +40,7 @@ import org.mozilla.jss.pkix.crmf.CertRequest;
 import org.mozilla.jss.pkix.crmf.ProofOfPossession;
 import org.mozilla.jss.pkix.primitive.Name;
+import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.cert.CertClient;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.cert.CertRequestInfos;
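Review bot: The new `wrappingKeySet` parameter of `createCertRequest` in the @@ -572 hunk is reassigned inside the method to the environment value and its contract (null means "use KEY_WRAP_PARAMETER_SET", `"0"` means legacy DES3-CBC) is not documented; the signature starts before the hunk and the body continues after it. I would resolve it into a local and let the null case fall through naturally: `String keySet = wrappingKeySet != null ? wrappingKeySet : System.getenv("KEY_WRAP_PARAMETER_SET");` followed by `if ("0".equals(keySet)) {`, which replaces the null check plus `equalsIgnoreCase` on a numeric identifier. A `@param wrappingKeySet` Javadoc line stating the null and `"0"` semantics, and a verbose-mode print of the key set actually chosen, would let users see why DES3 rather than the default algorithm was used.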
@@ -250,23 +252,26 @@ public class ClientCertRequestCLI extends CLI {
 // get archival mechanism
 CAInfoClient infoClient = new CAInfoClient(client, "ca");
 String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+ String wrappingKeySet = "1";
 try {
- archivalMechanism = infoClient.getInfo().getArchivalMechanism();
- } catch (Exception e) {
- // this could be an older server, check for environment variable.
- String useKeyWrapping = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING");
- if (useKeyWrapping != null) {
- if (Boolean.parseBoolean(useKeyWrapping)) {
- archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
- } else {
- archivalMechanism = KRAInfoResource.ENCRYPT_MECHANISM;
- }
+ CAInfo info = infoClient.getInfo();
+ archivalMechanism = info.getArchivalMechanism();
+ wrappingKeySet = info.getWrappingKeySet();
+ } catch (PKIException e) {
+ if (e.getCode() == 404) {
+ // assume this is an older server,
+ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+ wrappingKeySet = "0";
+ } else {
+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
 }
+ } catch (Exception e) {
+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
 }
 csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding, algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop,
- archivalMechanism);
+ archivalMechanism, wrappingKeySet);
 } else {
 throw new Exception("Unknown request type: " + requestType);
@@ -408,7 +413,8 @@ public class ClientCertRequestCLI extends CLI {
 int sensitive, int extractable, boolean withPop,
- String archivalMechanism
+ String archivalMechanism,
+ String wrappingKeySet
 ) throws Exception {
 CryptoManager manager = CryptoManager.getInstance();
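Review bot: The initial values `String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;` and the added `String wrappingKeySet = "1";` in the @@ -250 hunk can never be the values used: every path through the try either assigns both or throws, so the `"1"` reads like a fallback that does not exist (the only fallback, on 404, is `"0"`). Declaring them unassigned, `String archivalMechanism;` / `String wrappingKeySet;`, lets the compiler's definite-assignment check document that fact. The commit also drops the `KEY_ARCHIVAL_USE_KEY_WRAPPING` environment fallback that the removed catch block honoured, and nothing in the hunk or the commit record says so; a one-line comment at the 404 branch, `// KEY_ARCHIVAL_USE_KEY_WRAPPING is no longer consulted; the CA's answer (or the legacy default) wins`, would warn anyone still setting it. The same try/catch is duplicated in CRMFPopClient in this commit and would be better as a single helper returning the resolved pair. The enclosing method starts and ends outside the hunk.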
@@ -430,7 +436,7 @@ public class ClientCertRequestCLI extends CLI {
 }
 CertRequest certRequest = client.createCertRequest(
- token, transportCert, algorithm, keyPair, subject, archivalMechanism);
+ token, transportCert, algorithm, keyPair, subject, archivalMechanism, wrappingKeySet);
 ProofOfPossession pop = null;
 if (withPop) {
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
index 975ad61ac..f4724a64c 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
@@ -50,6 +50,8 @@ public class CAInfoService extends PKIService implements CAInfoResource {
 if (archivalMechanism != null) info.setArchivalMechanism(getArchivalMechanism());
+ info.setWrappingKeySet(getWrappingKeySet());
+
 return createOKResponse(info);
 }
@@ -61,4 +63,12 @@ public class CAInfoService extends PKIService implements CAInfoResource {
 boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
 return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM;
 }
+
+ String getWrappingKeySet() throws EBaseException {
+ IConfigStore cs = CMS.getConfigStore();
+ boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);
+ if (!kra_present) return null;
+
+ return cs.getString("kra.wrappingKeySet", "1");
+ }
 }
|
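Review bot: `getWrappingKeySet()` in the @@ -61 hunk of CAInfoService returns null when `ca.connector.KRA.enable` is false and the configured `kra.wrappingKeySet` (default `"1"`) otherwise, but the method carries no documentation, and that null is then published to every client, where it triggers the `KEY_WRAP_PARAMETER_SET` environment fallback in createCertRequest in this commit. A Javadoc such as `/** Key-wrapping parameter set advertised to clients, from config kra.wrappingKeySet (default "1"); null when no KRA connector is enabled. */` would make the contract explicit at the source. Stylistically the one-line `if (!kra_present) return null;` should be braced like the rest of the class, and the value is returned unvalidated; given that clients compare it against `"0"`, a short comment stating that the config value is passed through verbatim would help operators who set it.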