diff options
Diffstat (limited to 'base/java-tools/src/com/netscape/cmstools/PKCS10Client.java')
-rw-r--r-- | base/java-tools/src/com/netscape/cmstools/PKCS10Client.java | 295 |
1 files changed, 232 insertions, 63 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java index 95acc53cf..6b2c0535e 100644 --- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java +++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java @@ -22,9 +22,13 @@ import java.io.FileOutputStream; import java.io.IOException; import java.io.PrintStream; import java.security.KeyPair; +import java.security.PublicKey; +import java.security.PrivateKey; import java.security.MessageDigest; import netscape.security.x509.X500Name; +import netscape.security.x509.X509Key; +import netscape.security.pkcs.PKCS10; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.asn1.INTEGER; @@ -33,9 +37,11 @@ import org.mozilla.jss.asn1.OCTET_STRING; import org.mozilla.jss.asn1.PrintableString; import org.mozilla.jss.asn1.SET; import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.CryptoStore; import org.mozilla.jss.crypto.KeyPairAlgorithm; import org.mozilla.jss.crypto.KeyPairGenerator; import org.mozilla.jss.crypto.SignatureAlgorithm; +import org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.*; import org.mozilla.jss.pkcs10.CertificationRequest; import org.mozilla.jss.pkcs10.CertificationRequestInfo; import org.mozilla.jss.pkix.primitive.AVA; @@ -46,9 +52,11 @@ import org.mozilla.jss.util.Password; import com.netscape.cmsutil.util.HMACDigest; import com.netscape.cmsutil.util.Utils; +import com.netscape.cmsutil.crypto.CryptoUtil; +import com.netscape.certsrv.apps.CMS; /** - * Generates a 1024-bit RSA key pair in the security database, constructs a + * Generates an ECC or RSA key pair in the security database, constructs a * PKCS#10 certificate request with the public key, and outputs the request * to a file. * <p> @@ -66,32 +74,104 @@ public class PKCS10Client { private static void printUsage() { System.out.println( - "Usage: PKCS10Client -p <certdb password> -d <location of certdb> -o <output file which saves the base64 PKCS10> -s <subjectDN>\n"); + "Usage: PKCS10Client -d <location of certdb> -h <token name> -p <token password> -a <algorithm: 'rsa' or 'ec'> -l <rsa key length> -c <ec curve name> -o <output file which saves the base64 PKCS10> -n <subjectDN>\n"); + System.out.println( + " Optionally, for ECC key generation per definition in JSS pkcs11.PK11KeyPairGenerator:\n"); + System.out.println( + " -t <true for temporary(session); false for permanent(token); default is false>\n"); + System.out.println( + " -s <1 for sensitive; 0 for non-sensitive; -1 temporaryPairMode dependent; default is -1>\n"); + System.out.println( + " -e <1 for extractable; 0 for non-extractable; -1 token dependent; default is -1>\n"); + System.out.println( + " Also optional for ECC key generation:\n"); + System.out.println( + " -x <true for SSL cert that does ECDH ECDSA; false otherwise; default false>\n"); + System.out.println( + " available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2\n"); } public static void main(String args[]) throws Exception { - String dbdir = null, ofilename = null, password = null, subjectName = null; + String dbdir = null, ofilename = null, password = null, subjectName = null, type = null, tokenName = null; + + String alg = "rsa"; + String ecc_curve = "nistp256"; + boolean ec_temporary = false; /* session if true; token if false */ + int ec_sensitive = -1; /* -1, 0, or 1 */ + int ec_extractable = -1; /* -1, 0, or 1 */ + boolean ec_ssl_ecdh = false; + int rsa_keylen = 2048; - if (args.length != 8) { + if (args.length < 4) { printUsage(); System.exit(1); } - for (int i = 0; i < args.length; i++) { + for (int i = 0; i < args.length; i+=2) { String name = args[i]; + if (name.equals("-p")) { - password = args[i + 1]; + password = args[i+1]; } else if (name.equals("-d")) { - dbdir = args[i + 1]; - } else if (name.equals("-o")) { - ofilename = args[i + 1]; + dbdir = args[i+1]; + } else if (name.equals("-a")) { + alg = args[i+1]; + if (!alg.equals("rsa") && !alg.equals("ec")) { + System.out.println("PKCS10Client: ERROR: invalid algorithm: " + alg); + System.exit(1); + } + } else if (name.equals("-x")) { + String temp = args[i+1]; + if (temp.equals("true")) + ec_ssl_ecdh = true; + else + ec_ssl_ecdh = false; + } else if (name.equals("-t")) { + String temp = args[i+1]; + if (temp.equals("true")) + ec_temporary = true; + else + ec_temporary = false; } else if (name.equals("-s")) { - subjectName = args[i + 1]; + String ec_sensitive_s = args[i+1]; + ec_sensitive = Integer.parseInt(ec_sensitive_s); + if ((ec_sensitive != 0) && + (ec_sensitive != 1) && + (ec_sensitive != -1)) { + System.out.println("PKCS10Client: Illegal input parameters for -s."); + printUsage(); + System.exit(1); + } + } else if (name.equals("-e")) { + String ec_extractable_s = args[i+1]; + ec_extractable = Integer.parseInt(ec_extractable_s); + if ((ec_extractable != 0) && + (ec_extractable != 1) && + (ec_extractable != -1)) { + System.out.println("PKCS10Client: Illegal input parameters for -e."); + printUsage(); + System.exit(1); + } + } else if (name.equals("-c")) { + ecc_curve = args[i+1]; + } else if (name.equals("-l")) { + rsa_keylen = Integer.parseInt(args[i+1]); + } else if (name.equals("-o")) { + ofilename = args[i+1]; + } else if (name.equals("-n")) { + subjectName = args[i+1]; + } else if (name.equals("-h")) { + tokenName = args[i+1]; + } else { + System.out.println("Unrecognized argument(" + i + "): " + + name); + printUsage(); + System.exit(1); } } if (password == null || ofilename == null || subjectName == null) { - System.out.println("Illegal input parameters."); + System.out.println("PKCS10Client: Illegal input parameters."); printUsage(); System.exit(1); } @@ -99,31 +179,74 @@ public class PKCS10Client { if (dbdir == null) dbdir = "."; - String mPrefix = ""; - CryptoManager.InitializationValues vals = + try { + // initialize CryptoManager + String mPrefix = ""; + CryptoManager.InitializationValues vals = new CryptoManager.InitializationValues(dbdir, mPrefix, mPrefix, "secmod.db"); - CryptoManager.initialize(vals); - CryptoManager cm = CryptoManager.getInstance(); - CryptoToken token = cm.getInternalKeyStorageToken(); - Password pass = new Password(password.toCharArray()); - - token.login(pass); - KeyPairGenerator kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA); - kg.initialize(1024); - KeyPair pair = kg.genKeyPair(); - - // Add idPOPLinkWitness control - String secretValue = "testing"; - byte[] key1 = null; - byte[] finalDigest = null; - MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); - key1 = SHA1Digest.digest(secretValue.getBytes()); - - /* seed */ - byte[] b = - { 0x10, 0x53, 0x42, 0x24, 0x1a, 0x2a, 0x35, 0x3c, + CryptoManager.initialize(vals); + CryptoToken token = null; + CryptoManager cm = CryptoManager.getInstance(); + if ((tokenName == null) || (tokenName.equals(""))) { + token = cm.getInternalKeyStorageToken(); + tokenName = "NSS Certificate DB"; + } else { + token = cm.getTokenByName(tokenName); + } + cm.setThreadToken(token); + + Password pass = new Password(password.toCharArray()); + + try { + token.login(pass); + System.out.println("PKCS10Client: token "+ tokenName + " logged in..."); + } catch (Exception e) { + System.out.println("PKCS10Client: login Exception: " + e.toString()); + System.exit(1); + } + + KeyPair pair = null; + + if (alg.equals("rsa")) { + KeyPairGenerator kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA); + kg.initialize(rsa_keylen); + pair = kg.genKeyPair(); + } else if (alg.equals("ec")) { + // used with SSL server cert that does ECDH ECDSA + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = { + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN, + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER + }; + + // used for other certs including SSL server cert that does ECDHE ECDSA + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask[] = { + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE + }; + + pair = CryptoUtil.generateECCKeyPair(tokenName, ecc_curve , + null, + usages_mask, ec_temporary /*temporary*/, + ec_sensitive /*sensitive*/, ec_extractable /*extractable*/); + if (pair == null) { + System.out.println("PKCS10Client: pair null."); + System.exit(1); + } + } + + System.out.println("PKCS10Client: key pair generated."); //key pair generated"); + + // Add idPOPLinkWitness control + String secretValue = "testing"; + byte[] key1 = null; + byte[] finalDigest = null; + MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1"); + key1 = SHA1Digest.digest(secretValue.getBytes()); + + /* seed */ + byte[] b = + { 0x10, 0x53, 0x42, 0x24, 0x1a, 0x2a, 0x35, 0x3c, 0x7a, 0x52, 0x54, 0x56, 0x71, 0x65, 0x66, 0x4c, 0x51, 0x34, 0x35, 0x23, 0x3c, 0x42, 0x43, 0x45, 0x61, 0x4f, 0x6e, 0x43, 0x1e, 0x2a, 0x2b, 0x31, @@ -132,37 +255,83 @@ public class PKCS10Client { 0x6a, 0x12, 0x6b, 0x3c, 0x4c, 0x3f, 0x00, 0x14, 0x51, 0x61, 0x15, 0x22, 0x23, 0x5f, 0x5e, 0x69 }; - HMACDigest hmacDigest = new HMACDigest(SHA1Digest, key1); - hmacDigest.update(b); - finalDigest = hmacDigest.digest(); + HMACDigest hmacDigest = new HMACDigest(SHA1Digest, key1); + hmacDigest.update(b); + finalDigest = hmacDigest.digest(); - OCTET_STRING ostr = new OCTET_STRING(finalDigest); - Attribute attr = new Attribute(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr); + OCTET_STRING ostr = new OCTET_STRING(finalDigest); + Attribute attr = new Attribute(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr); - SET attributes = new SET(); - attributes.addElement(attr); - Name n = getJssName(subjectName); - SubjectPublicKeyInfo subjectPub = new SubjectPublicKeyInfo(pair.getPublic()); - CertificationRequestInfo certReqInfo = + SET attributes = new SET(); + attributes.addElement(attr); + Name n = getJssName(subjectName); + SubjectPublicKeyInfo subjectPub = new SubjectPublicKeyInfo(pair.getPublic()); + System.out.println("PKCS10Client: pair.getPublic() called."); + CertificationRequestInfo certReqInfo = new CertificationRequestInfo(new INTEGER(0), n, subjectPub, attributes); - CertificationRequest certRequest = new CertificationRequest(certReqInfo, - pair.getPrivate(), SignatureAlgorithm.RSASignatureWithMD5Digest); - - ByteArrayOutputStream bos = new ByteArrayOutputStream(); - certRequest.encode(bos); - byte[] bb = bos.toByteArray(); - - String b64E = Utils.base64encode(bb); - - System.out.println(""); - System.out.println(b64E); - System.out.println(""); + System.out.println("PKCS10Client: CertificationRequestInfo() created."); - PrintStream ps = null; - ps = new PrintStream(new FileOutputStream(ofilename)); - ps.println(b64E); - ps.flush(); - ps.close(); + String b64E = ""; + if (alg.equals("rsa")) { + CertificationRequest certRequest = null; + certRequest = new CertificationRequest(certReqInfo, + pair.getPrivate(), SignatureAlgorithm.RSASignatureWithMD5Digest); + System.out.println("PKCS10Client: CertificationRequest created."); + if (certRequest == null) { + System.out.println("PKCS10Client: certRequest null."); + System.exit(1); + } else + System.out.println("PKCS10Client: certRequest not null."); + + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + certRequest.encode(bos); + byte[] bb = bos.toByteArray(); + + System.out.println("PKCS10Client: calling BtoA()."); + b64E = CMS.BtoA(bb); + System.out.println("PKCS10Client: BtoA() completes."); + } else { // "ec" + + CryptoToken t = cm.getThreadToken(); + System.out.println("PKCS10Client: token is: "+ t.getName()); + PublicKey pubk = pair.getPublic(); + if (pubk == null) { + System.out.println("PKCS10Client: pubk null."); + System.exit(1); + } + X509Key xKey = null; + byte pubk_encoded[] = pubk.getEncoded(); + xKey = CryptoUtil.getPublicX509ECCKey(pubk_encoded); + System.out.println("PKCS10Client: calling CryptoUtil.createCertificationRequest"); + PKCS10 certReq = CryptoUtil.createCertificationRequest( + subjectName, xKey, (org.mozilla.jss.crypto.PrivateKey) pair.getPrivate(), + "SHA256withEC"); + + System.out.println("PKCS10Client: created cert request"); + if (certReq == null) { + System.out.println("PKCS10Client: cert request null"); + System.exit(1); + } else + System.out.println("PKCS10Client: cert request not null"); + byte[] certReqb = certReq.toByteArray(); + b64E = CryptoUtil.base64Encode(certReqb); + } + + System.out.println("-----BEGIN NEW CERTIFICATE REQUEST-----"); + System.out.println(b64E); + System.out.println("-----END NEW CERTIFICATE REQUEST-----"); + + PrintStream ps = null; + ps = new PrintStream(new FileOutputStream(ofilename)); + ps.println("-----BEGIN NEW CERTIFICATE REQUEST-----"); + ps.println(b64E); + ps.println("-----END NEW CERTIFICATE REQUEST-----"); + ps.flush(); + ps.close(); + System.out.println("PKCS10Client: done. Request written to file: "+ ofilename); + } catch (Exception e) { + System.out.println("PKCS10Client: Exception caught: "+e.toString()); + } } @@ -174,8 +343,8 @@ public class PKCS10Client { x5Name = new X500Name(dn); } catch (IOException e) { - System.out.println("Illegal Subject Name: " + dn + " Error: " + e.toString()); - System.out.println("Filling in default Subject Name......"); + System.out.println("PKCS10Client: Illegal Subject Name: " + dn + " Error: " + e.toString()); + System.out.println("PKCS10Client: Filling in default Subject Name......"); return null; } @@ -237,7 +406,7 @@ public class PKCS10Client { continue; } } catch (Exception e) { - System.out.println("Error constructing RDN: " + rdnStr + " Error: " + e.toString()); + System.out.println("PKCS10Client: Error constructing RDN: " + rdnStr + " Error: " + e.toString()); continue; } } |