diff options
Diffstat (limited to 'base/java-tools')
-rw-r--r-- | base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 43 | ||||
-rw-r--r-- | base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java | 28 |
2 files changed, 63 insertions, 8 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java index 9d81a72a6..c5da9cf3a 100644 --- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java @@ -40,6 +40,7 @@ import org.apache.http.HttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.impl.client.DefaultHttpClient; import org.apache.http.util.EntityUtils; +import org.dogtagpki.common.KRAInfoResource; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.asn1.ASN1Util; import org.mozilla.jss.asn1.BIT_STRING; @@ -182,6 +183,10 @@ public class CRMFPopClient { option.setArgName("extractable"); options.addOption(option); + option = new Option("g", true, "KeyWrap"); + option.setArgName("keyWrap"); + options.addOption(option); + options.addOption("v", "verbose", false, "Run in verbose mode."); options.addOption(null, "help", false, "Show help message."); @@ -210,6 +215,9 @@ public class CRMFPopClient { System.out.println(" - POP_NONE: without POP"); System.out.println(" - POP_SUCCESS: with valid POP"); System.out.println(" - POP_FAIL: with invalid POP (for testing)"); + System.out.println(" -g <true|false> Use KeyWrapping to wrap private key (default: true)"); + System.out.println(" - true: use a key wrapping algorithm"); + System.out.println(" - false: use an encryption algorithm"); System.out.println(" -b <transport cert> PEM transport certificate (default: transport.txt)"); System.out.println(" -v, --verbose Run in verbose mode."); System.out.println(" --help Show help message."); @@ -302,6 +310,16 @@ public class CRMFPopClient { int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1")); int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1")); + boolean keyWrap = true; + if (cmd.hasOption("g")) { + keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g")); + } else { + String useKeyWrap = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING"); + if (useKeyWrap != null) { + keyWrap = Boolean.parseBoolean(useKeyWrap); + } + } + String output = cmd.getOptionValue("o"); String hostPort = cmd.getOptionValue("m"); @@ -440,8 +458,11 @@ public class CRMFPopClient { String kid = CryptoUtil.byte2string(id); System.out.println("Keypair private key id: " + kid); + String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM : + KRAInfoResource.ENCRYPT_MECHANISM; if (verbose) System.out.println("Creating certificate request"); - CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject); + CertRequest certRequest = client.createCertRequest( + token, transportCert, algorithm, keyPair, subject, archivalMechanism); ProofOfPossession pop = null; @@ -550,7 +571,8 @@ public class CRMFPopClient { X509Certificate transportCert, String algorithm, KeyPair keyPair, - Name subject) throws Exception { + Name subject, + String archivalMechanism) throws Exception { EncryptionAlgorithm encryptAlg = null; String keyset = System.getenv("KEY_WRAP_PARAMETER_SET"); @@ -563,7 +585,7 @@ public class CRMFPopClient { byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength()); AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv)); - WrappingParams params = getWrappingParams(encryptAlg, iv); + WrappingParams params = getWrappingParams(encryptAlg, iv, archivalMechanism); PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( token, @@ -583,12 +605,23 @@ public class CRMFPopClient { return new CertRequest(new INTEGER(1), certTemplate, seq); } - private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV) throws Exception { + private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV, + String archivalMechanism) throws Exception { if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) { + KeyWrapAlgorithm wrapAlg = null; + IVParameterSpec wrapIVS = null; + if (archivalMechanism.equals(KRAInfoResource.ENCRYPT_MECHANISM)) { + // We will use AES_CBC_PAD as the a key wrap mechanism. This + // can be decrypted using the same mechanism on the server. + wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD; + wrapIVS = new IVParameterSpec(wrapIV); + } else { + wrapAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; + } return new WrappingParams( SymmetricKey.AES, KeyGenAlgorithm.AES, 128, KeyWrapAlgorithm.RSA, encryptAlg, - KeyWrapAlgorithm.AES_KEY_WRAP_PAD, null, null); + wrapAlg, wrapIVS, wrapIVS); } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) { return new WrappingParams( SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java index 6562699cf..8ca857bcb 100644 --- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java @@ -29,6 +29,8 @@ import java.util.Vector; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.Option; import org.apache.commons.io.FileUtils; +import org.dogtagpki.common.CAInfoClient; +import org.dogtagpki.common.KRAInfoResource; import org.mozilla.jss.CryptoManager; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.Signature; @@ -245,8 +247,26 @@ public class ClientCertRequestCLI extends CLI { CryptoManager manager = CryptoManager.getInstance(); X509Certificate transportCert = manager.importCACertPackage(transportCertData); + // get archival mechanism + CAInfoClient infoClient = new CAInfoClient(client, "ca"); + String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; + try { + archivalMechanism = infoClient.getInfo().getArchivalMechanism(); + } catch (Exception e) { + // this could be an older server, check for environment variable. + String useKeyWrapping = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING"); + if (useKeyWrapping != null) { + if (Boolean.parseBoolean(useKeyWrapping)) { + archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM; + } else { + archivalMechanism = KRAInfoResource.ENCRYPT_MECHANISM; + } + } + } + csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding, - algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop); + algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop, + archivalMechanism); } else { throw new Exception("Unknown request type: " + requestType); @@ -387,7 +407,8 @@ public class ClientCertRequestCLI extends CLI { boolean temporary, int sensitive, int extractable, - boolean withPop + boolean withPop, + String archivalMechanism ) throws Exception { CryptoManager manager = CryptoManager.getInstance(); @@ -408,7 +429,8 @@ public class ClientCertRequestCLI extends CLI { throw new Exception("Unknown algorithm: " + algorithm); } - CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject); + CertRequest certRequest = client.createCertRequest( + token, transportCert, algorithm, keyPair, subject, archivalMechanism); ProofOfPossession pop = null; if (withPop) { |