Diffstat (limited to 'base/common/src')
5 files changed, 206 insertions, 196 deletions
diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java index f66d53f1e..163d4dd5d 100644 --- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java +++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java @@ -22,6 +22,7 @@ import java.util.Date; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.MetaInfo; +import com.netscape.certsrv.security.WrappingParams; /** * An interface contains constants for key record. @@ -167,4 +168,8 @@ public interface IKeyRecord { * @exception EBaseException failed to retrieve authorization realm */ public String getRealm() throws EBaseException; + + public void setWrappingParams(WrappingParams params) throws Exception; + + public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception; } diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java index 7f5e95ec3..1b8a0bf25 100644 --- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java +++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java @@ -22,7 +22,6 @@ import java.security.PublicKey; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.SymmetricKey; -import org.mozilla.jss.crypto.SymmetricKey.Type; import com.netscape.certsrv.base.EBaseException; 
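Review bot: The two methods appended to IKeyRecord, `setWrappingParams(WrappingParams params)` and `getWrappingParams(WrappingParams oldParams)`, are the only members of the interface without Javadoc, and the role of the `oldParams` argument is not self-evident from the signature. Presumably it is the fallback returned when the record carries no stored wrapping parameters (records archived before this change), but that should be stated rather than inferred by each implementer. A comment along the lines of `/** Returns the wrapping parameters stored with this record; {@code oldParams} is returned for records that predate stored parameters — confirm against the implementation. */` would do, with a matching `@throws` tag. Both methods also declare `throws Exception`, whereas every neighbouring method in the interface (e.g. `getRealm`) narrows to `EBaseException`; consider the narrower type so callers are not forced into `catch (Exception e)`.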
@@ -41,26 +40,6 @@ public interface IEncryptionUnit extends IToken { public PublicKey getPublicKey(); /** - * Wraps data. The given key will be wrapped by the - * private key in this unit. - * - * @param priKey private key to be wrapped - * @return wrapped data - * @exception EBaseException failed to wrap - */ - public byte[] wrap(PrivateKey priKey) throws Exception; - - /** - * Wraps data. The given key will be wrapped by the - * private key in this unit. - * - * @param symKey symmetric key to be wrapped - * @return wrapped data - * @exception EBaseException failed to wrap - */ - public byte[] wrap(SymmetricKey symKey) throws Exception; - - /** * Verifies the given key pair. * * @param publicKey public key 
@@ -70,69 +49,6 @@ public interface IEncryptionUnit extends IToken { EBaseException; /** - * Unwraps data. This method rebuilds the private key by - * unwrapping the private key data. - * - * @param sessionKey session key that unwrap the private key - * @param symmAlgOID symmetric algorithm - * @param symmAlgParams symmetric algorithm parameters - * @param privateKey private key data - * @param pubKey public key - * @return private key object - * @throws Exception - */ - public PrivateKey unwrap(byte sessionKey[], String symmAlgOID, - byte symmAlgParams[], byte privateKey[], - PublicKey pubKey) - throws Exception; - - /** - * Unwraps data. This method rebuilds the private key by - * unwrapping the private key data. - * - * @param symmAlgOID symmetric algorithm - * @param symmAlgParams symmetric algorithm parameters - * @param pubKey public key - * @param transportCert transport certificate - * @return private key object - * @throws Exception - */ - public PrivateKey unwrap(byte encSymmKey[], String symmAlgOID, - byte symmAlgParams[], byte encValue[], PublicKey pubKey, - org.mozilla.jss.crypto.X509Certificate transportCert) - throws Exception; - - /** - * Unwraps symmetric key data. This method rebuilds the symmetric key by - * unwrapping the private data blob. - * - * @param wrappedKeyData symmetric key data wrapped up with session key - * @return Symmetric key object - * @exception Exception failed to unwrap - */ - - public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize) - throws Exception; - - /** - * Unwraps symmetric key . This method - * unwraps the symmetric key. 
- * - * @param sessionKey session key that unwrap the symmetric key - * @param symmAlgOID symmetric algorithm - * @param symmAlgParams symmetric algorithm parameters - * @param symmetricKey symmetric key data - * @param type symmetric key algorithm - * @param strength symmetric key strength in bytes - * @return Symmetric key object - * @throws Exception - */ - - public SymmetricKey unwrap_symmetric(byte sessionKey[], String symmAlgOID, - byte symmAlgParams[], byte symmetricKey[], Type type, int strength) - throws Exception; - - /** * Unwraps symmetric key . This method * unwraps the symmetric key. * 
@@ -143,70 +59,8 @@ public interface IEncryptionUnit extends IToken { public SymmetricKey unwrap_session_key(CryptoToken token, byte encSymmKey[], SymmetricKey.Usage usage, WrappingParams params); - public PrivateKey unwrap_temp(byte privateKey[], PublicKey pubKey) - throws Exception; - - /** - * Unwraps data. This method rebuilds the private key by - * unwrapping the private key data. - * - * @param privateKey private key data - * @param pubKey public key object - * @return private key object - * @throws Exception - */ - public PrivateKey unwrap(byte privateKey[], PublicKey pubKey) - throws Exception; - - /** - * Encrypts the internal private key (private key to the KRA's - * internal storage). - * - * @param rawPrivate user's private key (key to be archived) - * @return encrypted data - * @exception EBaseException failed to encrypt - */ - public byte[] encryptInternalPrivate(byte rawPrivate[]) throws Exception; - - /** - * Decrypts the internal private key (private key from the KRA's - * internal storage). - * - * @param wrappedPrivateData unwrapped private key data (key to be recovered) - * @return raw private key - * @throws Exception - */ - public byte[] decryptInternalPrivate(byte wrappedPrivateData[]) - throws Exception; - /** - * Decrypts the external private key (private key from the end-user). - * - * @param sessionKey session key that protects the user private - * @param symmAlgOID symmetric algorithm - * @param symmAlgParams symmetric algorithm parameters - * @param privateKey private key data - * @return private key data - * @throws Exception - */ - public byte[] decryptExternalPrivate(byte sessionKey[], - String symmAlgOID, - byte symmAlgParams[], byte privateKey[]) - throws Exception; + public WrappingParams getWrappingParams() throws EBaseException; - /** - * Decrypts the external private key (private key from the end-user). 
- * - * @param sessionKey session key that protects the user private - * @param symmAlgOID symmetric algorithm - * @param symmAlgParams symmetric algorithm parameters - * @param privateKey private key data - * @param transportCert transport certificate - * @return private key data - * @throws Exception - */ - public byte[] decryptExternalPrivate(byte sessionKey[], - String symmAlgOID, byte symmAlgParams[], byte privateKey[], - org.mozilla.jss.crypto.X509Certificate transportCert) - throws Exception; + public WrappingParams getOldWrappingParams(); } diff --git a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java index 4e651d394..6f6e31201 100644 --- a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java +++ b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java @@ -17,9 +17,12 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.certsrv.security; +import java.security.PublicKey; import java.util.Enumeration; import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.PrivateKey; +import org.mozilla.jss.crypto.SymmetricKey; import com.netscape.certsrv.base.EBaseException; 
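Review bot: The two accessors added at the end of IEncryptionUnit, `getWrappingParams() throws EBaseException` and `getOldWrappingParams()`, have no Javadoc and declare exceptions inconsistently, so a reader cannot tell why obtaining the "old" parameters can never fail or what "old" denotes. It looks like the "old" set is meant to describe how previously archived material was wrapped while the current set describes new archivals (the `getWrappingParams(WrappingParams oldParams)` addition to IKeyRecord suggests as much), but that is inferred, not shown here. Since these parameters now select the algorithm used to wrap and unwrap stored key material, a short doc comment such as `/** Wrapping parameters used for new archivals (session key type, wrap/encryption algorithms, IVs). */` and `/** Wrapping parameters assumed for records that carry none — used only for legacy material. */` would make the intended migration contract explicit.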
@@ -96,4 +99,74 @@ public interface IStorageKeyUnit extends IEncryptionUnit { public CryptoToken getToken(); + /** + * Encrypts the internal private key (private key to the KRA's + * internal storage). + * + * @param rawPrivate user's private key (key to be archived) + * @return encrypted data + * @exception EBaseException failed to encrypt + */ + public byte[] encryptInternalPrivate(byte rawPrivate[]) throws Exception; + + /** + * Wraps data. The given key will be wrapped by the + * private key in this unit. + * + * @param priKey private key to be wrapped + * @param WrappingParams - wrapping parameters + * @return wrapped data + * @exception EBaseException failed to wrap + */ + public byte[] wrap(PrivateKey priKey) throws Exception; + + /** + * Wraps data. The given key will be wrapped by the + * private key in this unit. + * + * @param symKey symmetric key to be wrapped + * @param wrappingParams - wrapping parameters + * @return wrapped data + * @exception EBaseException failed to wrap + */ + public byte[] wrap(SymmetricKey symKey) throws Exception; + + /** + * Decrypts the internal private key (private key from the KRA's + * internal storage). + * + * @param wrappedPrivateData unwrapped private key data (key to be recovered) + * @param params - wrapping params + * @return raw private key + * @throws Exception + */ + public byte[] decryptInternalPrivate(byte wrappedPrivateData[], WrappingParams params) + throws Exception; + + /** + * Unwraps symmetric key data. This method rebuilds the symmetric key by + * unwrapping the private data blob. + * + * @param wrappedKeyData symmetric key data wrapped up with session key + * @return Symmetric key object + * @exception Exception failed to unwrap + */ + + public SymmetricKey unwrap(byte wrappedKeyData[], SymmetricKey.Type algorithm, int keySize, + WrappingParams params) throws Exception; + + /** + * Unwraps data. This method rebuilds the private key by + * unwrapping the private key data. 
+ * + * @param privateKey private key data + * @param pubKey public key object + * @param temporary - temporary key? + * @param params - wrapping parameters + * @return private key object + * @throws Exception + */ + public PrivateKey unwrap(byte privateKey[], PublicKey pubKey, boolean temporary, + WrappingParams params) throws Exception; + } diff --git a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java index 965101ffa..675c7340a 100644 --- a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java +++ b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java @@ -22,6 +22,7 @@ import java.security.PublicKey; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.SymmetricKey; +import org.mozilla.jss.crypto.SymmetricKey.Type; import com.netscape.certsrv.base.EBaseException; 
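Review bot: The Javadoc on `wrap(PrivateKey priKey)` and `wrap(SymmetricKey symKey)` in IStorageKeyUnit documents a `@param WrappingParams` / `@param wrappingParams` that neither signature declares, while `decryptInternalPrivate` and both `unwrap` overloads in the same hunk do take a `WrappingParams params`. Either the wrap signatures were meant to accept the parameters too (otherwise a key is wrapped under the unit's current parameters but can be unwrapped under arbitrary ones, which is an asymmetry worth stating), or the stale tags should be removed. The `@exception EBaseException` tags sit on methods that declare `throws Exception`, and the `unwrap(byte[], SymmetricKey.Type, int, WrappingParams)` overload documents only `wrappedKeyData`; adding `@param algorithm`, `@param keySize` and `@param params` (and `@param temporary` is present but `@param params` for the private-key overload should say which record's parameters are expected) would remove the guesswork for implementers.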
@@ -63,58 +64,86 @@ public interface ITransportKeyUnit extends IEncryptionUnit { public PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert); /** - * Unwraps symmetric key . This method - * unwraps the symmetric key. - * - * @param encSymmKey wrapped symmetric key to be unwrapped - * @param usage Key usage for unwrapped key. - * @return Symmetric key object + * Returns this Unit's crypto token object. + * @return CryptoToken object. */ - public SymmetricKey unwrap_session_key(CryptoToken token, byte encSymmKey[], SymmetricKey.Usage usage, - WrappingParams params); + public CryptoToken getToken(); + + /** + * Returns this Unit's signing algorithm in String format. + * @return String of signing algorithm + * @throws EBaseException + */ + + public String getSigningAlgorithm() throws EBaseException; + + /** + * Sets this Unit's signing algorithm. + * @param str String of signing algorithm to set. + * @throws EBaseException + */ + public void setSigningAlgorithm(String str) throws EBaseException; + + /** + * Decrypts the external private key (private key from the end-user). + * + * @param sessionKey session key that protects the user private + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters + * @param privateKey private key data + * @param transportCert transport certificate + * @return private key data + * @throws Exception + */ + public byte[] decryptExternalPrivate(byte sessionKey[], + String symmAlgOID, byte symmAlgParams[], byte privateKey[], + org.mozilla.jss.crypto.X509Certificate transportCert) + throws Exception; /** * Unwraps symmetric key . This method * unwraps the symmetric key. 
* - * @param encSymmKey wrapped symmetric key to be unwrapped + * @param sessionKey session key that unwrap the symmetric key + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters + * @param symmetricKey symmetric key data + * @param type symmetric key algorithm + * @param strength symmetric key strength in bytes * @return Symmetric key object + * @throws Exception */ - public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params); + public SymmetricKey unwrap_symmetric(byte sessionKey[], String symmAlgOID, + byte symmAlgParams[], byte symmetricKey[], Type type, int strength) + throws Exception; /** - * Unwraps temporary private key . This method - * unwraps the temporary private key. + * Unwraps data. This method rebuilds the private key by + * unwrapping the private key data. * - * @param wrappedKeyData wrapped private key to be unwrapped + * @param symmAlgOID symmetric algorithm + * @param symmAlgParams symmetric algorithm parameters * @param pubKey public key - * @return Private key object + * @param transportCert transport certificate + * @return private key object * @throws Exception */ + public PrivateKey unwrap(byte encSymmKey[], String symmAlgOID, + byte symmAlgParams[], byte encValue[], PublicKey pubKey, + org.mozilla.jss.crypto.X509Certificate transportCert) + throws Exception; - public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey - pubKey) throws Exception; /** - * Returns this Unit's crypto token object. - * @return CryptoToken object. + * Unwraps symmetric key . This method + * unwraps the symmetric key. + * + * @param encSymmKey wrapped symmetric key to be unwrapped + * @return Symmetric key object */ - public CryptoToken getToken(); - - /** - * Returns this Unit's signing algorithm in String format. 
- * @return String of signing algorithm - * @throws EBaseException - */ + public SymmetricKey unwrap_sym(byte encSymmKey[], WrappingParams params); - public String getSigningAlgorithm() throws EBaseException; - /** - * Sets this Unit's signing algorithm. - * @param str String of signing algorithm to set. - * @throws EBaseException - */ - public void setSigningAlgorithm(String str) throws EBaseException; } diff --git a/base/common/src/com/netscape/certsrv/security/WrappingParams.java b/base/common/src/com/netscape/certsrv/security/WrappingParams.java index 9689ecc60..b3fabfc63 100644 --- a/base/common/src/com/netscape/certsrv/security/WrappingParams.java +++ b/base/common/src/com/netscape/certsrv/security/WrappingParams.java @@ -1,16 +1,17 @@ package com.netscape.certsrv.security; +import java.security.NoSuchAlgorithmException; + import org.mozilla.jss.crypto.EncryptionAlgorithm; +import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.SymmetricKey; import org.mozilla.jss.crypto.SymmetricKey.Type; -import org.mozilla.jss.crypto.SymmetricKey.Usage; public class WrappingParams { // session key attributes - SymmetricKey.Type skTyoe; - SymmetricKey.Usage[] skUsages; + SymmetricKey.Type skType; KeyGenAlgorithm skKeyGenAlgorithm; int skLength; 
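Review bot: In the ITransportKeyUnit hunk the Javadoc for `unwrap_sym(byte encSymmKey[], WrappingParams params)` omits the `params` argument, and the Javadoc for `unwrap(byte encSymmKey[], String symmAlgOID, byte symmAlgParams[], byte encValue[], PublicKey pubKey, X509Certificate transportCert)` lists `symmAlgOID`, `symmAlgParams`, `pubKey` and `transportCert` but neither `encSymmKey` nor `encValue`. These methods were moved rather than written here, but the commit is the right place to complete the tags. For `decryptExternalPrivate` and `unwrap_symmetric`, `symmAlgOID` and `symmAlgParams` arrive from the end user; the documentation does not say which OIDs an implementation is expected to accept, and stating that unsupported identifiers must be rejected (rather than mapped to a default) would help implementers avoid silently decrypting under an unintended algorithm. The enclosing interface body continues past the hunk.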
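Review bot: The renamed field `SymmetricKey.Type skType` in WrappingParams, like `skKeyGenAlgorithm` and `skLength` beside it, has no access modifier, so it is package-private even though the class exposes it through getters and setters. Since the whole point of the class is to carry algorithm choices for key wrapping, same-package code bypassing the setters (which now do name lookups with `fromName`) would be easy to miss in review; `private SymmetricKey.Type skType;` and the same for the remaining fields keeps all mutation on the documented path. The class body continues beyond this hunk.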
@@ -23,33 +24,38 @@ public class WrappingParams { //wrapping algorithm for payload KeyWrapAlgorithm payloadWrapAlgorithm; - public WrappingParams(Type skTyoe, Usage[] skUsages, KeyGenAlgorithm skKeyGenAlgorithm, int skLength, + // payload encryption IV + IVParameterSpec payloadEncryptionIV; + + // payload wrapping IV + IVParameterSpec payloadWrappingIV; + + public WrappingParams(Type skType, KeyGenAlgorithm skKeyGenAlgorithm, int skLength, KeyWrapAlgorithm skWrapAlgorithm, EncryptionAlgorithm payloadEncryptionAlgorithm, - KeyWrapAlgorithm payloadWrapAlgorithm) { + KeyWrapAlgorithm payloadWrapAlgorithm, IVParameterSpec payloadEncryptIV, IVParameterSpec payloadWrapIV) { super(); - this.skTyoe = skTyoe; - this.skUsages = skUsages; + this.skType = skType; this.skKeyGenAlgorithm = skKeyGenAlgorithm; this.skLength = skLength; this.skWrapAlgorithm = skWrapAlgorithm; this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm; this.payloadWrapAlgorithm = payloadWrapAlgorithm; + this.payloadEncryptionIV = payloadEncryptIV; + this.payloadWrappingIV = payloadWrapIV; } - public SymmetricKey.Type getSkTyoe() { - return skTyoe; - } + public WrappingParams() {} - public void setSkTyoe(SymmetricKey.Type skTyoe) { - this.skTyoe = skTyoe; + public SymmetricKey.Type getSkType() { + return skType; } - public SymmetricKey.Usage[] getSkUsages() { - return skUsages; + public void setSkType(SymmetricKey.Type skType) { + this.skType = skType; } - public void setSkUsages(SymmetricKey.Usage[] skUsages) { - this.skUsages = skUsages; + public void setSkType(String skTypeName) throws NoSuchAlgorithmException { + this.skType = SymmetricKey.Type.fromName(skTypeName); } public KeyGenAlgorithm getSkKeyGenAlgorithm() { 
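Review bot: The new no-arg constructor `public WrappingParams() {}` produces an object whose algorithm and IV fields are all null and `skLength` is 0, and nothing in the class documents that every setter must be called before the instance is handed to a wrap or unwrap call. A one-line comment such as `/** Creates empty parameters; all fields must be populated via the setters before use. */` would make that expectation explicit. The full constructor now takes eight positional arguments, two pairs of which share a type (`KeyWrapAlgorithm skWrapAlgorithm`/`payloadWrapAlgorithm`, `IVParameterSpec payloadEncryptIV`/`payloadWrapIV`), so transposed arguments at a call site would compile silently; Javadoc with `@param` tags, or a builder, would guard against that. The `super();` call in the constructor is redundant and can be dropped.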
@@ -60,6 +66,20 @@ public class WrappingParams { this.skKeyGenAlgorithm = skKeyGenAlgorithm; } + public void setSkKeyGenAlgorithm(String algName) throws NoSuchAlgorithmException { + // JSS mapping is not working. Lets just do something brain-dead to + // handle the cases we expect. + if (algName.equalsIgnoreCase("AES")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.AES; + } else if (algName.equalsIgnoreCase("DES")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES; + } else if (algName.equalsIgnoreCase("DESede")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + } else if (algName.equalsIgnoreCase("DES3")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + } + } + public int getSkLength() { return skLength; } @@ -76,6 +96,10 @@ public class WrappingParams { this.skWrapAlgorithm = skWrapAlgorithm; } + public void setSkWrapAlgorithm(String name) throws NoSuchAlgorithmException { + this.skWrapAlgorithm = KeyWrapAlgorithm.fromString(name); + } + public EncryptionAlgorithm getPayloadEncryptionAlgorithm() { return payloadEncryptionAlgorithm; } @@ -84,6 +108,11 @@ public class WrappingParams { this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm; } + public void setPayloadEncryptionAlgorithm(String algName, String modeName, String paddingName, int keyStrength) + throws NoSuchAlgorithmException { + this.payloadEncryptionAlgorithm = EncryptionAlgorithm.lookup(algName, modeName, paddingName, keyStrength); + } + public KeyWrapAlgorithm getPayloadWrapAlgorithm() { return payloadWrapAlgorithm; } 
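Review bot: `setSkKeyGenAlgorithm(String algName)` declares `throws NoSuchAlgorithmException` but never throws it: an unrecognised name falls through the if/else chain and leaves `skKeyGenAlgorithm` unchanged (null for a freshly constructed instance), so a misspelled configuration value is silently accepted instead of rejected. The sibling setters in the same file (`setSkWrapAlgorithm(String)` via `KeyWrapAlgorithm.fromString`, `setPayloadEncryptionAlgorithm` via `EncryptionAlgorithm.lookup`) presumably surface the error, so this method is the odd one out. Add a final branch: `} else {` / `    throw new NoSuchAlgorithmException("Unsupported session key generation algorithm: " + algName);` / `}`. Writing the comparisons as `"AES".equalsIgnoreCase(algName)` would also turn a null `algName` into the same exception rather than a NullPointerException.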
@@ -91,4 +120,24 @@ public class WrappingParams { public void setPayloadWrapAlgorithm(KeyWrapAlgorithm payloadWrapAlgorithm) { this.payloadWrapAlgorithm = payloadWrapAlgorithm; } + + public void setPayloadWrapAlgorithm(String name) throws NoSuchAlgorithmException { + this.payloadWrapAlgorithm = KeyWrapAlgorithm.fromString(name); + } + + public IVParameterSpec getPayloadEncryptionIV() { + return payloadEncryptionIV; + } + + public void setPayloadEncryptionIV(IVParameterSpec payloadEncryptionIV) { + this.payloadEncryptionIV = payloadEncryptionIV; + } + + public IVParameterSpec getPayloadWrappingIV() { + return payloadWrappingIV; + } + + public void setPayloadWrappingIV(IVParameterSpec payloadWrappingIV) { + this.payloadWrappingIV = payloadWrappingIV; + } } |
