Diffstat (limited to 'base/kra/src/com/netscape/kra/NetkeyKeygenService.java')
-rw-r--r-- | base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 299 |
1 files changed, 208 insertions, 91 deletions
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index 1310fca76..2731e537c 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -62,6 +62,9 @@ import com.netscape.certsrv.policy.*; import com.netscape.certsrv.authentication.*; import com.netscape.certsrv.apps.*; import com.netscape.certsrv.apps.CMS; +import com.netscape.cmsutil.crypto.CryptoUtil; +import com.netscape.cms.servlet.key.KeyRecordParser; + //for b64 encoding import org.mozilla.jss.util.Base64OutputStream; @@ -146,7 +149,7 @@ public class NetkeyKeygenService implements IService { } public KeyPair generateKeyPair( - KeyPairAlgorithm kpAlg, int keySize, PQGParams pqg) + KeyPairAlgorithm kpAlg, int keySize, String keyCurve, PQGParams pqg) throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException, InvalidParameterException, PQGParamGenException { @@ -165,20 +168,28 @@ public class NetkeyKeygenService implements IService { sensitive == true extractable == true */ + KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg); IConfigStore config = CMS.getConfigStore(); IConfigStore kgConfig = config.getSubStore("kra.keygen"); boolean tp = false; boolean sp = false; boolean ep = false; - if (kgConfig != null) { + if ((kgConfig != null) && (!kgConfig.equals(""))) { try { tp = kgConfig.getBoolean("temporaryPairs", false); sp = kgConfig.getBoolean("sensitivePairs", false); ep = kgConfig.getBoolean("extractablePairs", false); + CMS.debug("NetkeyKeygenService: found config store: kra.keygen"); // by default, let nethsm work if ((tp == false) && (sp == false) && (ep == false)) { - tp = true; + if (kpAlg == KeyPairAlgorithm.EC) { + // set to what works for nethsm + tp = true; + sp = false; + ep = true; + } else + tp = true; } } catch (Exception e) { CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed"); 
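Review bot: The new guard `if ((kgConfig != null) && (!kgConfig.equals("")))` compares an IConfigStore object against a String, so the second clause can only ever be false if IConfigStore overrides equals to accept strings; otherwise it is dead code and `kgConfig != null` alone is the real check. The EC fallback also differs from the RSA one in a security-relevant way: it sets `ep = true` (extractablePairs) where RSA sets only `tp = true`, so with no `kra.keygen` configuration an EC private key is generated with the extractable attribute by default, and the `sp = false` next to it is a no-op because this branch only runs when all three flags are already false. Since the same three assignments are repeated in the `kgConfig == null` branch of the next hunk, I would hoist them into one place and replace `// set to what works for nethsm` with a comment that names the attribute the HSM actually needs and the config keys that override it, e.g. `// EC keys default to extractablePairs=true for nethsm; override via kra.keygen.extractablePairs / sensitivePairs` — the reason is inferred from the existing remark, so confirm it. generateKeyPair continues past this hunk.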
@@ -188,70 +199,111 @@ public class NetkeyKeygenService implements IService { } else { // by default, let nethsm work CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true"); - tp = true; - } - /* only specified to "true" will it be set */ - if (tp == true) { - CMS.debug("NetkeyKeygenService: setting temporaryPairs to true"); - kpGen.temporaryPairs(true); - } - if (sp == true) { - CMS.debug("NetkeyKeygenService: setting sensitivePairs to true"); - kpGen.sensitivePairs(true); - } - if (ep == true) { - CMS.debug("NetkeyKeygenService: setting extractablePairs to true"); - kpGen.extractablePairs(true); + if (kpAlg == KeyPairAlgorithm.EC) { + // set to what works for nethsm + tp = true; + sp = false; + ep = true; + } else { + tp = true; + } } + + if (kpAlg == KeyPairAlgorithm.EC) { + + boolean isECDHE = false; + KeyPair pair = null; + + // used with isECDHE == true + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDSA[] = { + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE + }; + + // used with isECDHE == false + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = { + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN, + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER + }; + + try { + pair = CryptoUtil.generateECCKeyPair(token.getName(), /*ECC_curve default*/ keyCurve , + null, + (isECDHE==true) ? usages_mask_ECDSA: usages_mask_ECDH, + tp /*temporary*/, sp? 1:0 /*sensitive*/, ep? 
1:0 /*extractable*/); + CMS.debug("NetkeyKeygenService: after key pair generation" ); + } catch (Exception e) { + CMS.debug("NetkeyKeygenService: key pair generation with exception:"+e.toString()); + } + return pair; + + } else { // !EC + //only specified to "true" will it be set + if (tp == true) { + CMS.debug("NetkeyKeygenService: setting temporaryPairs to true"); + kpGen.temporaryPairs(true); + } + + if (sp == true) { + CMS.debug("NetkeyKeygenService: setting sensitivePairs to true"); + kpGen.sensitivePairs(true); + } + + if (ep == true) { + CMS.debug("NetkeyKeygenService: setting extractablePairs to true"); + kpGen.extractablePairs(true); + } - if (kpAlg == KeyPairAlgorithm.DSA) { - if (pqg == null) { - kpGen.initialize(keySize); + if (kpAlg == KeyPairAlgorithm.DSA) { + if (pqg == null) { + kpGen.initialize(keySize); + } else { + kpGen.initialize(pqg); + } } else { - kpGen.initialize(pqg); + kpGen.initialize(keySize); } - } else { - kpGen.initialize(keySize); - } - if (pqg == null) { - KeyPair kp = null; - synchronized (new Object()) { - CMS.debug("NetkeyKeygenService: key pair generation begins"); - kp = kpGen.genKeyPair(); - CMS.debug("NetkeyKeygenService: key pair generation done"); - mKRA.addEntropy(true); - } - return kp; - } else { - // DSA - KeyPair kp = null; + if (pqg == null) { + KeyPair kp = null; + synchronized (new Object()) { + CMS.debug("NetkeyKeygenService: key pair generation begins"); + kp = kpGen.genKeyPair(); + CMS.debug("NetkeyKeygenService: key pair generation done"); + mKRA.addEntropy(true); + } + return kp; + } else { + // DSA + KeyPair kp = null; - /* no DSA for now... netkey prototype - do { - // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair - kp = kpGen.genKeyPair(); + /* no DSA for now... 
netkey prototype + do { + // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair + kp = kpGen.genKeyPair(); + } + while (isBadDSAKeyPair(kp)); + */ + return kp; } - while (isBadDSAKeyPair(kp)); - */ - return kp; } } public KeyPair generateKeyPair( String alg, - int keySize, PQGParams pqg) throws EBaseException { + int keySize, String keyCurve, PQGParams pqg) throws EBaseException { KeyPairAlgorithm kpAlg = null; if (alg.equals("RSA")) kpAlg = KeyPairAlgorithm.RSA; + else if (alg.equals("EC")) + kpAlg = KeyPairAlgorithm.EC; else kpAlg = KeyPairAlgorithm.DSA; try { - KeyPair kp = generateKeyPair( kpAlg, keySize, pqg); + KeyPair kp = generateKeyPair( kpAlg, keySize, keyCurve, pqg); return kp; } catch (InvalidParameterException e) { @@ -324,7 +376,7 @@ public class NetkeyKeygenService implements IService { byte[] wrapped_des_key; byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1}; - String iv_s =""; + String iv_s =""; try { SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); random.nextBytes(iv); 
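Review bot: In the new EC branch the two usage arrays are named backwards: `usages_mask_ECDSA` holds only `Usage.DERIVE` (a key-agreement usage) while `usages_mask_ECDH` holds `Usage.SIGN, Usage.SIGN_RECOVER`, and the comments above them ("used with isECDHE == true/false") follow the names rather than the contents. With `isECDHE` hard-coded to false the ternary does select the SIGN mask, so the generated key gets signing usage today, but whoever flips `isECDHE` later will hand a key-agreement key signing usage or vice versa; I would rename them `usages_mask_SIGN` and `usages_mask_DERIVE` and select `isECDHE ? usages_mask_DERIVE : usages_mask_SIGN`. The `catch (Exception e)` around `CryptoUtil.generateECCKeyPair` only debug-logs `e.toString()` and returns a null pair, whereas the RSA path lets TokenException and friends propagate through the declared throws, so the real cause of an HSM keygen failure is lost for EC; rethrowing, or at least logging the stack, keeps the two paths consistent. The EC branch also skips the `mKRA.addEntropy(true)` call the RSA path makes after genKeyPair, and I cannot tell from here whether that matters for EC. Note too that `generateKeyPair(String alg, …)` still maps any alg other than "RSA" and "EC" to DSA, whose path returns a null pair.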
@@ -332,33 +384,34 @@ public class NetkeyKeygenService implements IService { CMS.debug("NetkeyKeygenService.serviceRequest: "+ e.toString()); } - IVParameterSpec algParam = new IVParameterSpec(iv); + IVParameterSpec algParam = new IVParameterSpec(iv); wrapped_des_key = null; - boolean archive = true; - PK11SymKey sk= null; - byte[] publicKeyData = null;; - String PubKey = ""; + boolean archive = true; + PK11SymKey sk= null; + byte[] publicKeyData = null;; + String PubKey = ""; String id = request.getRequestId().toString(); if (id != null) { auditArchiveID = id.trim(); } - String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG); - if (rArchive.equals("true")) { - archive = true; + String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG); + if (rArchive.equals("true")) { + archive = true; CMS.debug("NetkeyKeygenService: serviceRequest " +"archival requested for serverSideKeyGen"); - } else { - archive = false; + } else { + archive = false; CMS.debug("NetkeyKeygenService: serviceRequest " +"archival not requested for serverSideKeyGen"); } String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID); String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID); - String rKeysize = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_SIZE); - int keysize = Integer.parseInt(rKeysize); - auditSubjectID=rCUID+":"+rUserid; + + String rKeytype = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_TYPE); + + auditSubjectID=rCUID+":"+rUserid; SessionContext sContext = SessionContext.getContext(); String agentId=""; 
@@ -381,14 +434,40 @@ public class NetkeyKeygenService implements IService { wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString); CMS.debug("NetkeyKeygenService: wrapped_des_key specialDecoded"); - // get the token for generating user keys - CryptoToken keygenToken = mKRA.getKeygenToken(); - if (keygenToken == null) { - CMS.debug("NetkeyKeygenService: failed getting keygenToken"); - request.setExtData(IRequest.RESULT, Integer.valueOf(10)); - return false; - } else - CMS.debug("NetkeyKeygenService: got keygenToken"); +/* + if ((rKeytype == null) || (rKeytype.equals(""))) { + rKeytype = "RSA"; + } +*/ + + if ((rKeytype == null) || (rKeytype.equals(""))) { + CMS.debug("NetkeyKeygenService: serviceRequest: key type is null"); + rKeytype = "RSA"; + } else + CMS.debug("NetkeyKeygenService: serviceRequest: key type = "+ rKeytype); + + /* for EC, keysize is ignored, only key curve is used */ + String rKeysize = "2048"; + int keysize = 2048; + String rKeycurve = "nistp256"; + if (rKeytype.equals("EC")) { + rKeycurve = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_EC_CURVE); + if ((rKeycurve == null) || (rKeycurve.equals(""))) { + rKeycurve = "nistp256"; + } + } else { + rKeysize = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_SIZE); + keysize = Integer.parseInt(rKeysize); + } + + // get the token for generating user keys + CryptoToken keygenToken = mKRA.getKeygenToken(); + if (keygenToken == null) { + CMS.debug("NetkeyKeygenService: failed getting keygenToken"); + request.setExtData(IRequest.RESULT, Integer.valueOf(10)); + return false; + } else + CMS.debug("NetkeyKeygenService: got keygenToken"); if ((wrapped_des_key != null) && (wrapped_des_key.length > 0)) { 
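Review bot: `rKeytype` now comes straight from the request and is only defaulted, never validated, yet `generateKeyPair(String alg, …)` earlier in this diff treats every value other than "RSA" and "EC" as DSA and returns a null pair, so a request carrying "DSA" or a typo fails later with the generic "failed generating key pair" instead of a clear bad-parameter result. I would reject unknown types right after the default is applied: `if (!rKeytype.equals("RSA") && !rKeytype.equals("EC")) { CMS.debug("NetkeyKeygenService: unsupported key type " + rKeytype); request.setExtData(IRequest.RESULT, Integer.valueOf(10)); return false; }` (reusing the failure code the keygenToken check uses, or a distinct one if the TPS side distinguishes them). The same applies to `rKeycurve`, which is passed to `CryptoUtil.generateECCKeyPair` unchecked; whether unknown or deprecated curve names are refused depends on CryptoUtil, which I cannot see. `Integer.parseInt(rKeysize)` still throws an uncaught NumberFormatException when NETKEY_ATTR_KEY_SIZE is missing or non-numeric in an RSA request — pre-existing, but worth a guard now that the line has been moved into this branch. The commented-out `/* if ((rKeytype == null) … */` block duplicates the live code just below it and should be deleted; serviceRequest continues past this hunk.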
@@ -401,8 +480,10 @@ public class NetkeyKeygenService implements IService { CMS.debug("NetkeyKeygenService: about to generate key pair"); - keypair = generateKeyPair("RSA"/*alg*/, - keysize /*Integer.parseInt(len)*/, null /*pqgParams*/); + keypair = generateKeyPair(rKeytype /* rKeytype: "RSA" or "EC" */, + keysize /*Integer.parseInt(len)*/, + rKeycurve /* for "EC" only */, + null /*pqgParams*/); if (keypair == null) { CMS.debug("NetkeyKeygenService: failed generating key pair for "+rCUID+":"+rUserid); @@ -421,18 +502,20 @@ public class NetkeyKeygenService implements IService { CMS.debug("NetkeyKeygenService: finished generate key pair for " +rCUID+":"+rUserid); try { - publicKeyData = keypair.getPublic().getEncoded(); - if (publicKeyData == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("NetkeyKeygenService: failed getting publickey encoded"); - return false; - } else { - //CMS.debug("NetkeyKeygenService: public key binary length ="+ publicKeyData.length); - PubKey = base64Encode(publicKeyData); - - //CMS.debug("NetkeyKeygenService: public key length =" + PubKey.length()); - request.setExtData("public_key", PubKey); - } + publicKeyData = keypair.getPublic().getEncoded(); + if (publicKeyData == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("NetkeyKeygenService: failed getting publickey encoded"); + return false; + } else { + //CMS.debug("NetkeyKeygenService: public key binary length ="+ publicKeyData.length); + /* url encode */ + PubKey = com.netscape.cmsutil.util.Utils.SpecialEncode(publicKeyData); + CMS.debug("NetkeyKeygenService: EC PubKey special encoded"); + + //CMS.debug("NetkeyKeygenService: public key length =" + PubKey.length()); + request.setExtData("public_key", PubKey); + } auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS, 
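Review bot: The encoding written to `public_key` changes from `base64Encode(publicKeyData)` to `Utils.SpecialEncode(publicKeyData)` for every key type, not only EC, so the RSA response format consumed by the TPS side changes with this commit; unless the consumer is updated in the same change that is a wire-format break, and the new `CMS.debug("NetkeyKeygenService: EC PubKey special encoded");` is misleading because it also fires for RSA. I would make the message key-type neutral, e.g. `CMS.debug("NetkeyKeygenService: public key special encoded, type=" + rKeytype);`, and call the format change out in the commit message. The `/* url encode */` comment would be more useful if it said what SpecialEncode produces and why base64 was not sufficient for EC keys, which I cannot tell from here. The enclosing try block continues past this hunk.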
@@ -558,18 +641,52 @@ public class NetkeyKeygenService implements IService { CMS.debug("NetkeyKeygenService: privatekey recording failed"); return false; } else - CMS.debug("NetkeyKeygenService: got key record"); + CMS.debug("NetkeyKeygenService: got key record"); - // we deal with RSA key only - try { - RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData); + if (rKeytype.equals("RSA")) { + try { + RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData); + + rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); + } catch (InvalidKeyException e) { + request.setExtData(IRequest.RESULT, Integer.valueOf(11)); + CMS.debug("NetkeyKeygenService: failed:InvalidKeyException"); + return false; + } + } else if (rKeytype.equals("EC")) { + CMS.debug("NetkeyKeygenService: alg is EC"); + String oidDescription = "UNDETERMINED"; + // for KeyRecordParser + MetaInfo metaInfo = new MetaInfo(); + + try { + byte curve[] = + ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData, + false /* without tag and size */); + if (curve.length != 0) { + oidDescription = ASN1Util.getOIDdescription(curve); + } else { + /* this is to be used by derdump */ + byte curveTS[] = + ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData, + true /* with tag and size */); + if (curveTS.length != 0) { + oidDescription = CMS.BtoA(curveTS); + } + } + } catch (Exception e) { + CMS.debug("NetkeyKeygenService: ASN1Util.getECCurveBytesByX509PublicKeyByte() throws exception: "+ e.toString()); + CMS.debug("NetkeyKeygenService: exception allowed. continue"); + } + + metaInfo.set(KeyRecordParser.OUT_KEY_EC_CURVE, + oidDescription); + + rec.set(IKeyRecord.ATTR_META_INFO, metaInfo); + // key size does not apply to EC; + rec.setKeySize(-1); + } - rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); - } catch (InvalidKeyException e) { - request.setExtData(IRequest.RESULT, Integer.valueOf(11)); - CMS.debug("NetkeyKeygenService: failed:InvalidKeyException"); - return false; - } //?? 
IKeyRepository storage = mKRA.getKeyRepository(); BigInteger serialNo = storage.getNextSerialNumber(); |
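Review bot: The EC branch degrades silently where the RSA branch fails closed: an `InvalidKeyException` on the RSA public key sets RESULT 11 and returns false, but any exception from `ASN1Util.getECCurveBytesByX509PublicKeyBytes` is debug-logged as "exception allowed. continue" and the key record is archived with the curve recorded as `UNDETERMINED`, which leaves later recovery unable to tell which curve the archived key is on. Since the public key was produced by this same service a few lines earlier, a key whose curve cannot be parsed is a real error; I would at least log it above debug level and consider failing the request the way the RSA branch does. A key type that is neither "RSA" nor "EC" now hits neither branch, leaving the record's key size unset; an explicit `else` that fails the request would close that hole. `ASN1Util` and `MetaInfo` are not among the imports this diff adds, so they must already be in scope via an existing import — worth confirming. The hunk's trailing context ends at `getNextSerialNumber()`; serviceRequest continues beyond it.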