diff options
Diffstat (limited to 'base/kra/src')
| -rw-r--r-- | base/kra/src/com/netscape/kra/EncryptionUnit.java | 5 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/EnrollmentService.java | 152 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/RecoveryService.java | 7 |
3 files changed, 139 insertions, 25 deletions
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java index 946f57613..1d06fd2d5 100644 --- a/base/kra/src/com/netscape/kra/EncryptionUnit.java +++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java @@ -370,6 +370,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { PrivateKey.Type keytype = null; String alg = pubKey.getAlgorithm(); + CMS.debug("EncryptionUnit.unwrap alg ="+ alg); if (alg.equals("DSA")) { keytype = PrivateKey.DSA; } else if (alg.equals("EC")) { @@ -384,18 +385,22 @@ public abstract class EncryptionUnit implements IEncryptionUnit { } catch (TokenException e) { CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); + CMS.debug("EncryptionUnit.unwrap "+ e.toString()); return null; } catch (NoSuchAlgorithmException e) { CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); + CMS.debug("EncryptionUnit.unwrap "+ e.toString()); return null; } catch (InvalidAlgorithmParameterException e) { CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); + CMS.debug("EncryptionUnit.unwrap "+ e.toString()); return null; } catch (InvalidKeyException e) { CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); + CMS.debug("EncryptionUnit.unwrap "+ e.toString()); return null; } catch (Exception e) { CMS.debug("EncryptionUnit.unwrap : Exception:"+e.toString()); diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java index 37d1aea53..c65a6ea62 100644 --- a/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -22,6 +22,8 @@ import java.io.IOException; import java.math.BigInteger; import java.security.InvalidKeyException; import java.security.cert.CertificateException; +import java.security.PublicKey; +import java.util.Arrays; import java.util.StringTokenizer; import java.util.Vector; @@ -35,11 +37,15 @@ import netscape.security.x509.CertificateX509Key; import netscape.security.x509.X509CertInfo; import netscape.security.x509.X509Key; +import org.mozilla.jss.CryptoManager; import org.mozilla.jss.asn1.ASN1Util; import org.mozilla.jss.asn1.ASN1Value; import org.mozilla.jss.asn1.InvalidBERException; import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; import org.mozilla.jss.asn1.SEQUENCE; +import org.mozilla.jss.crypto.PrivateKey; +import org.mozilla.jss.pkcs11.PK11ECPublicKey; +import org.mozilla.jss.pkcs11.PK11ParameterSpec; import org.mozilla.jss.pkix.crmf.CertReqMsg; import org.mozilla.jss.pkix.crmf.CertRequest; import org.mozilla.jss.pkix.crmf.PKIArchiveOptions; @@ -48,8 +54,11 @@ import org.mozilla.jss.pkix.primitive.AVA; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.AuthToken; import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.dbs.keydb.IKeyRepository; +import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.kra.EKRAException; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.kra.ProofOfArchival; @@ -61,6 +70,7 @@ import com.netscape.certsrv.request.IService; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.certsrv.util.IStatsSubsystem; +import com.netscape.cms.servlet.key.KeyRecordParser; import com.netscape.cmscore.crmf.CRMFParser; import com.netscape.cmscore.crmf.PKIArchiveOptionsContainer; import com.netscape.kra.ArchiveOptions; @@ -141,6 +151,17 @@ public class EnrollmentService implements IService { */ public boolean serviceRequest(IRequest request) throws EBaseException { + CryptoManager cm = null; + IConfigStore config = null; + Boolean allowEncDecrypt_archival = false; + + try { + cm = CryptoManager.getInstance(); + config = CMS.getConfigStore(); + allowEncDecrypt_archival = config.getBoolean("kra.allowEncDecrypt.archival", false); + } catch (Exception e) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); + } IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); if (statsSub != null) { @@ -167,6 +188,7 @@ public class EnrollmentService implements IService { mKRA.log(ILogger.LL_INFO, "KRA services enrollment request"); // unwrap user key with transport byte unwrapped[] = null; + byte tmp_unwrapped[] = null; PKIArchiveOptionsContainer aOpts[] = null; String profileId = request.getExtDataInString("profileId"); @@ -204,13 +226,14 @@ public class EnrollmentService implements IService { for (int i = 0; i < aOpts.length; i++) { ArchiveOptions opts = new ArchiveOptions(aOpts[i].mAO); + if (allowEncDecrypt_archival == true) { if (statsSub != null) { statsSub.startTiming("decrypt_user_key"); } mKRA.log(ILogger.LL_INFO, "KRA decrypts external private"); if (CMS.debugOn()) CMS.debug("EnrollmentService::about to decryptExternalPrivate"); - unwrapped = mTransportUnit.decryptExternalPrivate( + tmp_unwrapped = mTransportUnit.decryptExternalPrivate( opts.getEncSymmKey(), opts.getSymmAlgOID(), opts.getSymmAlgParams(), @@ -220,7 +243,7 @@ public class EnrollmentService implements IService { } if (CMS.debugOn()) CMS.debug("EnrollmentService::finished decryptExternalPrivate"); - if (unwrapped == null) { + if (tmp_unwrapped == null) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); auditMessage = CMS.getLogMessage( @@ -235,6 +258,17 @@ public class EnrollmentService implements IService { CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); } + /* making sure leading 0's are removed */ + int first=0; + for (int j=0; (j< tmp_unwrapped.length) && (tmp_unwrapped[j]==0); j++) { + first++; + } + unwrapped = Arrays.copyOfRange(tmp_unwrapped, first, tmp_unwrapped.length); + } /*else { allowEncDecrypt_archival != true + this is done below with unwrap() + } + */ + // retrieve pubic key X509Key publicKey = getPublicKey(request, aOpts[i].mReqPos); byte publicKeyData[] = publicKey.getEncoded(); @@ -255,28 +289,51 @@ public class EnrollmentService implements IService { CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); } - /* Bugscape #54948 - verify public and private key before archiving key */ + String keyAlg = publicKey.getAlgorithm(); + CMS.debug("EnrollmentService: algorithm of key to archive is: "+ keyAlg); - if (statsSub != null) { - statsSub.startTiming("verify_key"); - } - if (verifyKeyPair(publicKeyData, unwrapped) == false) { - mKRA.log(ILogger.LL_FAILURE, + PublicKey pubkey = null; + org.mozilla.jss.crypto.PrivateKey entityPrivKey = null; + if ( allowEncDecrypt_archival == false) { + try { + pubkey = X509Key.parsePublicKey (new DerValue(publicKeyData)); + } catch (Exception e) { + CMS.debug("EnrollmentService: parsePublicKey:"+e.toString()); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); + } + entityPrivKey = + mTransportUnit.unwrap( + opts.getEncSymmKey(), + opts.getSymmAlgOID(), + opts.getSymmAlgParams(), + opts.getEncValue(), + (PublicKey) pubkey); + } // !allowEncDecrypt_archival + + /* Bugscape #54948 - verify public and private key before archiving key */ + if (keyAlg.equals("RSA") && (allowEncDecrypt_archival == true)) { + if (statsSub != null) { + statsSub.startTiming("verify_key"); + } + if (verifyKeyPair(publicKeyData, unwrapped) == false) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - auditMessage = CMS.getLogMessage( + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); - audit(auditMessage); - throw new EKRAException( + audit(auditMessage); + throw new EKRAException( CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); - } - if (statsSub != null) { - statsSub.endTiming("verify_key"); + } + if (statsSub != null) { + statsSub.endTiming("verify_key"); + } } /** @@ -309,8 +366,15 @@ public class EnrollmentService implements IService { if (statsSub != null) { statsSub.startTiming("encrypt_user_key"); } - byte privateKeyData[] = mStorageUnit.encryptInternalPrivate( + byte privateKeyData[] = null; + + if (allowEncDecrypt_archival == true) { + privateKeyData = mStorageUnit.encryptInternalPrivate( unwrapped); + } else { + privateKeyData = mStorageUnit.wrap(entityPrivKey); + } + if (statsSub != null) { statsSub.endTiming("encrypt_user_key"); } @@ -335,12 +399,7 @@ public class EnrollmentService implements IService { privateKeyData, owner, publicKey.getAlgorithmId().getOID().toString(), agentId); - // we deal with RSA key only - try { - RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData); - - rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); - } catch (InvalidKeyException e) { + if (rec == null) { auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, @@ -353,6 +412,57 @@ public class EnrollmentService implements IService { throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); } + if (keyAlg.equals("RSA")) { + try { + RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData); + + rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); + } catch (InvalidKeyException e) { + + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, + ILogger.FAILURE, + auditRequesterID, + auditArchiveID); + + audit(auditMessage); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); + } + } else if (keyAlg.equals("EC")) { + + String oidDescription = "UNDETERMINED"; + // for KeyRecordParser + MetaInfo metaInfo = new MetaInfo(); + + try { + byte curve[] = + ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData, + false /* without tag and size */); + if (curve.length != 0) { + oidDescription = ASN1Util.getOIDdescription(curve); + } else { + /* this is to be used by derdump */ + byte curveTS[] = + ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData, + true /* with tag and size */); + if (curveTS.length != 0) { + oidDescription = CMS.BtoA(curveTS); + } + } + } catch (Exception e) { + CMS.debug("EnrollmentService: ASN1Util.getECCurveBytesByX509PublicKeyByte() throws exception: "+ e.toString()); + CMS.debug("EnrollmentService: exception alowed. continue"); + } + + metaInfo.set(KeyRecordParser.OUT_KEY_EC_CURVE, + oidDescription); + + rec.set(IKeyRecord.ATTR_META_INFO, metaInfo); + // key size does not apply to EC; + rec.setKeySize(-1); + } + // if record alreay has a serial number, yell out. if (rec.getSerialNumber() != null) { mKRA.log(ILogger.LL_FAILURE, diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java index c8ecdcf5a..0cbe2009f 100644 --- a/base/kra/src/com/netscape/kra/RecoveryService.java +++ b/base/kra/src/com/netscape/kra/RecoveryService.java @@ -377,10 +377,9 @@ public class RecoveryService implements IService { public synchronized PrivateKey recoverKey(Hashtable<String, Object> request, KeyRecord keyRecord, boolean isRSA) throws EBaseException { - if (!isRSA) { - CMS.debug("RecoverService: recoverKey: currently, non-RSA keys are not supported when allowEncDecrypt_ is false"); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "key type not supported")); - } + CMS.debug("RecoverService: recoverKey: key to recover is RSA? "+ + isRSA); + try { if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { Credential creds[] = (Credential[]) |