summaryrefslogtreecommitdiffstats
path: root/base/java-tools
diff options
context:
space:
mode:
Diffstat (limited to 'base/java-tools')
-rw-r--r--base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java43
-rw-r--r--base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java28
2 files changed, 63 insertions, 8 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 9d81a72a6..c5da9cf3a 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -40,6 +40,7 @@ import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;
+import org.dogtagpki.common.KRAInfoResource;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.asn1.ASN1Util;
import org.mozilla.jss.asn1.BIT_STRING;
@@ -182,6 +183,10 @@ public class CRMFPopClient {
option.setArgName("extractable");
options.addOption(option);
+ option = new Option("g", true, "KeyWrap");
+ option.setArgName("keyWrap");
+ options.addOption(option);
+
options.addOption("v", "verbose", false, "Run in verbose mode.");
options.addOption(null, "help", false, "Show help message.");
@@ -210,6 +215,9 @@ public class CRMFPopClient {
System.out.println(" - POP_NONE: without POP");
System.out.println(" - POP_SUCCESS: with valid POP");
System.out.println(" - POP_FAIL: with invalid POP (for testing)");
+ System.out.println(" -g <true|false> Use KeyWrapping to wrap private key (default: true)");
+ System.out.println(" - true: use a key wrapping algorithm");
+ System.out.println(" - false: use an encryption algorithm");
System.out.println(" -b <transport cert> PEM transport certificate (default: transport.txt)");
System.out.println(" -v, --verbose Run in verbose mode.");
System.out.println(" --help Show help message.");
@@ -302,6 +310,16 @@ public class CRMFPopClient {
int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1"));
int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1"));
+ boolean keyWrap = true;
+ if (cmd.hasOption("g")) {
+ keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g"));
+ } else {
+ String useKeyWrap = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING");
+ if (useKeyWrap != null) {
+ keyWrap = Boolean.parseBoolean(useKeyWrap);
+ }
+ }
+
String output = cmd.getOptionValue("o");
String hostPort = cmd.getOptionValue("m");
@@ -440,8 +458,11 @@ public class CRMFPopClient {
String kid = CryptoUtil.byte2string(id);
System.out.println("Keypair private key id: " + kid);
+ String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
+ KRAInfoResource.ENCRYPT_MECHANISM;
if (verbose) System.out.println("Creating certificate request");
- CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject);
+ CertRequest certRequest = client.createCertRequest(
+ token, transportCert, algorithm, keyPair, subject, archivalMechanism);
ProofOfPossession pop = null;
@@ -550,7 +571,8 @@ public class CRMFPopClient {
X509Certificate transportCert,
String algorithm,
KeyPair keyPair,
- Name subject) throws Exception {
+ Name subject,
+ String archivalMechanism) throws Exception {
EncryptionAlgorithm encryptAlg = null;
String keyset = System.getenv("KEY_WRAP_PARAMETER_SET");
@@ -563,7 +585,7 @@ public class CRMFPopClient {
byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength());
AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv));
- WrappingParams params = getWrappingParams(encryptAlg, iv);
+ WrappingParams params = getWrappingParams(encryptAlg, iv, archivalMechanism);
PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
token,
@@ -583,12 +605,23 @@ public class CRMFPopClient {
return new CertRequest(new INTEGER(1), certTemplate, seq);
}
- private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV) throws Exception {
+ private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV,
+ String archivalMechanism) throws Exception {
if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) {
+ KeyWrapAlgorithm wrapAlg = null;
+ IVParameterSpec wrapIVS = null;
+ if (archivalMechanism.equals(KRAInfoResource.ENCRYPT_MECHANISM)) {
+ // We will use AES_CBC_PAD as the a key wrap mechanism. This
+ // can be decrypted using the same mechanism on the server.
+ wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD;
+ wrapIVS = new IVParameterSpec(wrapIV);
+ } else {
+ wrapAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
+ }
return new WrappingParams(
SymmetricKey.AES, KeyGenAlgorithm.AES, 128,
KeyWrapAlgorithm.RSA, encryptAlg,
- KeyWrapAlgorithm.AES_KEY_WRAP_PAD, null, null);
+ wrapAlg, wrapIVS, wrapIVS);
} else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) {
return new WrappingParams(
SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index 6562699cf..8ca857bcb 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -29,6 +29,8 @@ import java.util.Vector;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Option;
import org.apache.commons.io.FileUtils;
+import org.dogtagpki.common.CAInfoClient;
+import org.dogtagpki.common.KRAInfoResource;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.Signature;
@@ -245,8 +247,26 @@ public class ClientCertRequestCLI extends CLI {
CryptoManager manager = CryptoManager.getInstance();
X509Certificate transportCert = manager.importCACertPackage(transportCertData);
+ // get archival mechanism
+ CAInfoClient infoClient = new CAInfoClient(client, "ca");
+ String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+ try {
+ archivalMechanism = infoClient.getInfo().getArchivalMechanism();
+ } catch (Exception e) {
+ // this could be an older server, check for environment variable.
+ String useKeyWrapping = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING");
+ if (useKeyWrapping != null) {
+ if (Boolean.parseBoolean(useKeyWrapping)) {
+ archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+ } else {
+ archivalMechanism = KRAInfoResource.ENCRYPT_MECHANISM;
+ }
+ }
+ }
+
csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding,
- algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop);
+ algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop,
+ archivalMechanism);
} else {
throw new Exception("Unknown request type: " + requestType);
@@ -387,7 +407,8 @@ public class ClientCertRequestCLI extends CLI {
boolean temporary,
int sensitive,
int extractable,
- boolean withPop
+ boolean withPop,
+ String archivalMechanism
) throws Exception {
CryptoManager manager = CryptoManager.getInstance();
@@ -408,7 +429,8 @@ public class ClientCertRequestCLI extends CLI {
throw new Exception("Unknown algorithm: " + algorithm);
}
- CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject);
+ CertRequest certRequest = client.createCertRequest(
+ token, transportCert, algorithm, keyPair, subject, archivalMechanism);
ProofOfPossession pop = null;
if (withPop) {
generated by cgit (git 2.34.1) at 2024-09-27 05:32:45 +0000