summaryrefslogtreecommitdiffstats
path: root/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
diff options
context:
space:
mode:
Diffstat (limited to 'base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java')
-rw-r--r--base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java71
1 files changed, 65 insertions, 6 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 5d9f7f135..01685035e 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -40,6 +40,8 @@ import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;
+import org.dogtagpki.common.CAInfo;
+import org.dogtagpki.common.CAInfoClient;
import org.dogtagpki.common.KRAInfoResource;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.asn1.ASN1Util;
@@ -75,6 +77,9 @@ import org.mozilla.jss.pkix.primitive.Name;
import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
import org.mozilla.jss.util.Password;
+import com.netscape.certsrv.base.PKIException;
+import com.netscape.certsrv.client.ClientConfig;
+import com.netscape.certsrv.client.PKIClient;
import com.netscape.cmsutil.crypto.CryptoUtil;
import com.netscape.cmsutil.util.Cert;
import com.netscape.cmsutil.util.HMACDigest;
@@ -187,6 +192,10 @@ public class CRMFPopClient {
option.setArgName("keyWrap");
options.addOption(option);
+ option = new Option("w", true, "Wrapping Keyset");
+ option.setArgName("keySet");
+ options.addOption(option);
+
options.addOption("v", "verbose", false, "Run in verbose mode.");
options.addOption(null, "help", false, "Show help message.");
@@ -218,6 +227,7 @@ public class CRMFPopClient {
System.out.println(" -g <true|false> Use KeyWrapping to wrap private key (default: true)");
System.out.println(" - true: use a key wrapping algorithm");
System.out.println(" - false: use an encryption algorithm");
+ System.out.println(" -w <keyset_id> Key set ID to use when wrapping the private key");
System.out.println(" -b <transport cert> PEM transport certificate (default: transport.txt)");
System.out.println(" -v, --verbose Run in verbose mode.");
System.out.println(" --help Show help message.");
@@ -310,6 +320,7 @@ public class CRMFPopClient {
int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1"));
int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1"));
+ // get the key wrapping mechanism
boolean keyWrap = true;
if (cmd.hasOption("g")) {
keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g"));
@@ -319,6 +330,10 @@ public class CRMFPopClient {
keyWrap = Boolean.parseBoolean(useKeyWrap);
}
}
+ String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
+ KRAInfoResource.ENCRYPT_MECHANISM;
+
+ String wrappingKeySet = cmd.getOptionValue("w");
String output = cmd.getOptionValue("o");
@@ -326,6 +341,16 @@ public class CRMFPopClient {
String username = cmd.getOptionValue("u");
String requestor = cmd.getOptionValue("r");
+ if (hostPort != null) {
+ if (cmd.hasOption("g") || cmd.hasOption("w")) {
+ printError("Wrapping Key Set (-g) and keywrap (-w) options should " +
+ "not be specified when hostport is specified. " +
+ "CRMFPopClient will contact the server to " +
+ "determine the correct values for these parameters");
+ System.exit(1);
+ }
+ }
+
if (subjectDN == null) {
printError("Missing subject DN");
System.exit(1);
@@ -458,11 +483,41 @@ public class CRMFPopClient {
String kid = CryptoUtil.byte2string(id);
System.out.println("Keypair private key id: " + kid);
- String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
- KRAInfoResource.ENCRYPT_MECHANISM;
+ if (hostPort != null) {
+ // check the CA for the required keyset and archival mechanism
+ // if found, override whatever has been set by the command line
+ // options or environment for archivalMechanism and wrappingKeySet
+
+ ClientConfig config = new ClientConfig();
+ String host = hostPort.substring(0, hostPort.indexOf(':'));
+ int port = Integer.parseInt(hostPort.substring(hostPort.indexOf(':')+1));
+ config.setServerURL("http", host, port);
+
+ PKIClient pkiclient = new PKIClient(config);
+
+ // get archival mechanism
+ CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca");
+ try {
+ CAInfo info = infoClient.getInfo();
+ archivalMechanism = info.getArchivalMechanism();
+ wrappingKeySet = info.getWrappingKeySet();
+ } catch (PKIException e) {
+ if (e.getCode() == 404) {
+ // assume this is an older server,
+ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+ wrappingKeySet = "0";
+ } else {
+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+ }
+ } catch (Exception e) {
+ throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+ }
+ }
+
if (verbose) System.out.println("Creating certificate request");
CertRequest certRequest = client.createCertRequest(
- token, transportCert, algorithm, keyPair, subject, archivalMechanism);
+ token, transportCert, algorithm, keyPair,
+ subject, archivalMechanism, wrappingKeySet);
ProofOfPossession pop = null;
@@ -572,11 +627,15 @@ public class CRMFPopClient {
String algorithm,
KeyPair keyPair,
Name subject,
- String archivalMechanism) throws Exception {
+ String archivalMechanism,
+ String wrappingKeySet) throws Exception {
EncryptionAlgorithm encryptAlg = null;
- String keyset = System.getenv("KEY_WRAP_PARAMETER_SET");
- if (keyset != null && keyset.equalsIgnoreCase("0")) {
+ if (wrappingKeySet == null) {
+ wrappingKeySet = System.getenv("KEY_WRAP_PARAMETER_SET");
+ }
+
+ if (wrappingKeySet != null && wrappingKeySet.equalsIgnoreCase("0")) {
// talking to an old server?
encryptAlg = EncryptionAlgorithm.DES3_CBC;
} else {
generated by cgit (git 2.34.1) at 2024-06-17 19:11:11 +0000