summaryrefslogtreecommitdiffstats
path: root/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
diff options
context:
space:
mode:
Diffstat (limited to 'base/kra/src/com/netscape/kra/NetkeyKeygenService.java')
-rw-r--r--base/kra/src/com/netscape/kra/NetkeyKeygenService.java299
1 files changed, 208 insertions, 91 deletions
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 1310fca76..2731e537c 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -62,6 +62,9 @@ import com.netscape.certsrv.policy.*;
import com.netscape.certsrv.authentication.*;
import com.netscape.certsrv.apps.*;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.cmsutil.crypto.CryptoUtil;
+import com.netscape.cms.servlet.key.KeyRecordParser;
+
//for b64 encoding
import org.mozilla.jss.util.Base64OutputStream;
@@ -146,7 +149,7 @@ public class NetkeyKeygenService implements IService {
}
public KeyPair generateKeyPair(
- KeyPairAlgorithm kpAlg, int keySize, PQGParams pqg)
+ KeyPairAlgorithm kpAlg, int keySize, String keyCurve, PQGParams pqg)
throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException,
InvalidParameterException, PQGParamGenException {
@@ -165,20 +168,28 @@ public class NetkeyKeygenService implements IService {
sensitive == true
extractable == true
*/
+
KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg);
IConfigStore config = CMS.getConfigStore();
IConfigStore kgConfig = config.getSubStore("kra.keygen");
boolean tp = false;
boolean sp = false;
boolean ep = false;
- if (kgConfig != null) {
+ if ((kgConfig != null) && (!kgConfig.equals(""))) {
try {
tp = kgConfig.getBoolean("temporaryPairs", false);
sp = kgConfig.getBoolean("sensitivePairs", false);
ep = kgConfig.getBoolean("extractablePairs", false);
+ CMS.debug("NetkeyKeygenService: found config store: kra.keygen");
// by default, let nethsm work
if ((tp == false) && (sp == false) && (ep == false)) {
- tp = true;
+ if (kpAlg == KeyPairAlgorithm.EC) {
+ // set to what works for nethsm
+ tp = true;
+ sp = false;
+ ep = true;
+ } else
+ tp = true;
}
} catch (Exception e) {
CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed");
@@ -188,70 +199,111 @@ public class NetkeyKeygenService implements IService {
} else {
// by default, let nethsm work
CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true");
- tp = true;
- }
- /* only specified to "true" will it be set */
- if (tp == true) {
- CMS.debug("NetkeyKeygenService: setting temporaryPairs to true");
- kpGen.temporaryPairs(true);
- }
- if (sp == true) {
- CMS.debug("NetkeyKeygenService: setting sensitivePairs to true");
- kpGen.sensitivePairs(true);
- }
- if (ep == true) {
- CMS.debug("NetkeyKeygenService: setting extractablePairs to true");
- kpGen.extractablePairs(true);
+ if (kpAlg == KeyPairAlgorithm.EC) {
+ // set to what works for nethsm
+ tp = true;
+ sp = false;
+ ep = true;
+ } else {
+ tp = true;
+ }
}
+
+ if (kpAlg == KeyPairAlgorithm.EC) {
+
+ boolean isECDHE = false;
+ KeyPair pair = null;
+
+ // used with isECDHE == true
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDSA[] = {
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE
+ };
+
+ // used with isECDHE == false
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = {
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER
+ };
+
+ try {
+ pair = CryptoUtil.generateECCKeyPair(token.getName(), /*ECC_curve default*/ keyCurve ,
+ null,
+ (isECDHE==true) ? usages_mask_ECDSA: usages_mask_ECDH,
+ tp /*temporary*/, sp? 1:0 /*sensitive*/, ep? 1:0 /*extractable*/);
+ CMS.debug("NetkeyKeygenService: after key pair generation" );
+ } catch (Exception e) {
+ CMS.debug("NetkeyKeygenService: key pair generation with exception:"+e.toString());
+ }
+ return pair;
+
+ } else { // !EC
+ //only specified to "true" will it be set
+ if (tp == true) {
+ CMS.debug("NetkeyKeygenService: setting temporaryPairs to true");
+ kpGen.temporaryPairs(true);
+ }
+
+ if (sp == true) {
+ CMS.debug("NetkeyKeygenService: setting sensitivePairs to true");
+ kpGen.sensitivePairs(true);
+ }
+
+ if (ep == true) {
+ CMS.debug("NetkeyKeygenService: setting extractablePairs to true");
+ kpGen.extractablePairs(true);
+ }
- if (kpAlg == KeyPairAlgorithm.DSA) {
- if (pqg == null) {
- kpGen.initialize(keySize);
+ if (kpAlg == KeyPairAlgorithm.DSA) {
+ if (pqg == null) {
+ kpGen.initialize(keySize);
+ } else {
+ kpGen.initialize(pqg);
+ }
} else {
- kpGen.initialize(pqg);
+ kpGen.initialize(keySize);
}
- } else {
- kpGen.initialize(keySize);
- }
- if (pqg == null) {
- KeyPair kp = null;
- synchronized (new Object()) {
- CMS.debug("NetkeyKeygenService: key pair generation begins");
- kp = kpGen.genKeyPair();
- CMS.debug("NetkeyKeygenService: key pair generation done");
- mKRA.addEntropy(true);
- }
- return kp;
- } else {
- // DSA
- KeyPair kp = null;
+ if (pqg == null) {
+ KeyPair kp = null;
+ synchronized (new Object()) {
+ CMS.debug("NetkeyKeygenService: key pair generation begins");
+ kp = kpGen.genKeyPair();
+ CMS.debug("NetkeyKeygenService: key pair generation done");
+ mKRA.addEntropy(true);
+ }
+ return kp;
+ } else {
+ // DSA
+ KeyPair kp = null;
- /* no DSA for now... netkey prototype
- do {
- // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair
- kp = kpGen.genKeyPair();
+ /* no DSA for now... netkey prototype
+ do {
+ // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair
+ kp = kpGen.genKeyPair();
+ }
+ while (isBadDSAKeyPair(kp));
+ */
+ return kp;
}
- while (isBadDSAKeyPair(kp));
- */
- return kp;
}
}
public KeyPair generateKeyPair( String alg,
- int keySize, PQGParams pqg) throws EBaseException {
+ int keySize, String keyCurve, PQGParams pqg) throws EBaseException {
KeyPairAlgorithm kpAlg = null;
if (alg.equals("RSA"))
kpAlg = KeyPairAlgorithm.RSA;
+ else if (alg.equals("EC"))
+ kpAlg = KeyPairAlgorithm.EC;
else
kpAlg = KeyPairAlgorithm.DSA;
try {
- KeyPair kp = generateKeyPair( kpAlg, keySize, pqg);
+ KeyPair kp = generateKeyPair( kpAlg, keySize, keyCurve, pqg);
return kp;
} catch (InvalidParameterException e) {
@@ -324,7 +376,7 @@ public class NetkeyKeygenService implements IService {
byte[] wrapped_des_key;
byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
- String iv_s ="";
+ String iv_s ="";
try {
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
random.nextBytes(iv);
@@ -332,33 +384,34 @@ public class NetkeyKeygenService implements IService {
CMS.debug("NetkeyKeygenService.serviceRequest: "+ e.toString());
}
- IVParameterSpec algParam = new IVParameterSpec(iv);
+ IVParameterSpec algParam = new IVParameterSpec(iv);
wrapped_des_key = null;
- boolean archive = true;
- PK11SymKey sk= null;
- byte[] publicKeyData = null;;
- String PubKey = "";
+ boolean archive = true;
+ PK11SymKey sk= null;
+ byte[] publicKeyData = null;;
+ String PubKey = "";
String id = request.getRequestId().toString();
if (id != null) {
auditArchiveID = id.trim();
}
- String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG);
- if (rArchive.equals("true")) {
- archive = true;
+ String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG);
+ if (rArchive.equals("true")) {
+ archive = true;
CMS.debug("NetkeyKeygenService: serviceRequest " +"archival requested for serverSideKeyGen");
- } else {
- archive = false;
+ } else {
+ archive = false;
CMS.debug("NetkeyKeygenService: serviceRequest " +"archival not requested for serverSideKeyGen");
}
String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID);
String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID);
- String rKeysize = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_SIZE);
- int keysize = Integer.parseInt(rKeysize);
- auditSubjectID=rCUID+":"+rUserid;
+
+ String rKeytype = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_TYPE);
+
+ auditSubjectID=rCUID+":"+rUserid;
SessionContext sContext = SessionContext.getContext();
String agentId="";
@@ -381,14 +434,40 @@ public class NetkeyKeygenService implements IService {
wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString);
CMS.debug("NetkeyKeygenService: wrapped_des_key specialDecoded");
- // get the token for generating user keys
- CryptoToken keygenToken = mKRA.getKeygenToken();
- if (keygenToken == null) {
- CMS.debug("NetkeyKeygenService: failed getting keygenToken");
- request.setExtData(IRequest.RESULT, Integer.valueOf(10));
- return false;
- } else
- CMS.debug("NetkeyKeygenService: got keygenToken");
+/*
+ if ((rKeytype == null) || (rKeytype.equals(""))) {
+ rKeytype = "RSA";
+ }
+*/
+
+ if ((rKeytype == null) || (rKeytype.equals(""))) {
+ CMS.debug("NetkeyKeygenService: serviceRequest: key type is null");
+ rKeytype = "RSA";
+ } else
+ CMS.debug("NetkeyKeygenService: serviceRequest: key type = "+ rKeytype);
+
+ /* for EC, keysize is ignored, only key curve is used */
+ String rKeysize = "2048";
+ int keysize = 2048;
+ String rKeycurve = "nistp256";
+ if (rKeytype.equals("EC")) {
+ rKeycurve = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_EC_CURVE);
+ if ((rKeycurve == null) || (rKeycurve.equals(""))) {
+ rKeycurve = "nistp256";
+ }
+ } else {
+ rKeysize = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_SIZE);
+ keysize = Integer.parseInt(rKeysize);
+ }
+
+ // get the token for generating user keys
+ CryptoToken keygenToken = mKRA.getKeygenToken();
+ if (keygenToken == null) {
+ CMS.debug("NetkeyKeygenService: failed getting keygenToken");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(10));
+ return false;
+ } else
+ CMS.debug("NetkeyKeygenService: got keygenToken");
if ((wrapped_des_key != null) &&
(wrapped_des_key.length > 0)) {
@@ -401,8 +480,10 @@ public class NetkeyKeygenService implements IService {
CMS.debug("NetkeyKeygenService: about to generate key pair");
- keypair = generateKeyPair("RSA"/*alg*/,
- keysize /*Integer.parseInt(len)*/, null /*pqgParams*/);
+ keypair = generateKeyPair(rKeytype /* rKeytype: "RSA" or "EC" */,
+ keysize /*Integer.parseInt(len)*/,
+ rKeycurve /* for "EC" only */,
+ null /*pqgParams*/);
if (keypair == null) {
CMS.debug("NetkeyKeygenService: failed generating key pair for "+rCUID+":"+rUserid);
@@ -421,18 +502,20 @@ public class NetkeyKeygenService implements IService {
CMS.debug("NetkeyKeygenService: finished generate key pair for " +rCUID+":"+rUserid);
try {
- publicKeyData = keypair.getPublic().getEncoded();
- if (publicKeyData == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("NetkeyKeygenService: failed getting publickey encoded");
- return false;
- } else {
- //CMS.debug("NetkeyKeygenService: public key binary length ="+ publicKeyData.length);
- PubKey = base64Encode(publicKeyData);
-
- //CMS.debug("NetkeyKeygenService: public key length =" + PubKey.length());
- request.setExtData("public_key", PubKey);
- }
+ publicKeyData = keypair.getPublic().getEncoded();
+ if (publicKeyData == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: failed getting publickey encoded");
+ return false;
+ } else {
+ //CMS.debug("NetkeyKeygenService: public key binary length ="+ publicKeyData.length);
+ /* url encode */
+ PubKey = com.netscape.cmsutil.util.Utils.SpecialEncode(publicKeyData);
+ CMS.debug("NetkeyKeygenService: EC PubKey special encoded");
+
+ //CMS.debug("NetkeyKeygenService: public key length =" + PubKey.length());
+ request.setExtData("public_key", PubKey);
+ }
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,
@@ -558,18 +641,52 @@ public class NetkeyKeygenService implements IService {
CMS.debug("NetkeyKeygenService: privatekey recording failed");
return false;
} else
- CMS.debug("NetkeyKeygenService: got key record");
+ CMS.debug("NetkeyKeygenService: got key record");
- // we deal with RSA key only
- try {
- RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
+ if (rKeytype.equals("RSA")) {
+ try {
+ RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
+
+ rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
+ } catch (InvalidKeyException e) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(11));
+ CMS.debug("NetkeyKeygenService: failed:InvalidKeyException");
+ return false;
+ }
+ } else if (rKeytype.equals("EC")) {
+ CMS.debug("NetkeyKeygenService: alg is EC");
+ String oidDescription = "UNDETERMINED";
+ // for KeyRecordParser
+ MetaInfo metaInfo = new MetaInfo();
+
+ try {
+ byte curve[] =
+ ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData,
+ false /* without tag and size */);
+ if (curve.length != 0) {
+ oidDescription = ASN1Util.getOIDdescription(curve);
+ } else {
+ /* this is to be used by derdump */
+ byte curveTS[] =
+ ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData,
+ true /* with tag and size */);
+ if (curveTS.length != 0) {
+ oidDescription = CMS.BtoA(curveTS);
+ }
+ }
+ } catch (Exception e) {
+ CMS.debug("NetkeyKeygenService: ASN1Util.getECCurveBytesByX509PublicKeyByte() throws exception: "+ e.toString());
+ CMS.debug("NetkeyKeygenService: exception allowed. continue");
+ }
+
+ metaInfo.set(KeyRecordParser.OUT_KEY_EC_CURVE,
+ oidDescription);
+
+ rec.set(IKeyRecord.ATTR_META_INFO, metaInfo);
+ // key size does not apply to EC;
+ rec.setKeySize(-1);
+ }
- rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
- } catch (InvalidKeyException e) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(11));
- CMS.debug("NetkeyKeygenService: failed:InvalidKeyException");
- return false;
- }
//??
IKeyRepository storage = mKRA.getKeyRepository();
BigInteger serialNo = storage.getNextSerialNumber();
generated by cgit (git 2.34.1) at 2024-05-04 07:05:51 +0000