summaryrefslogtreecommitdiffstats
path: root/base
diff options
context:
space:
mode:
Diffstat (limited to 'base')
-rw-r--r--base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java8
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java4
-rw-r--r--base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java12
-rw-r--r--base/common/src/com/netscape/cmscore/dbs/KeyRecord.java14
-rw-r--r--base/kra/src/com/netscape/kra/EncryptionUnit.java5
-rw-r--r--base/kra/src/com/netscape/kra/EnrollmentService.java152
-rw-r--r--base/kra/src/com/netscape/kra/RecoveryService.java7
-rw-r--r--base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java92
8 files changed, 254 insertions, 40 deletions
diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
index 7da212469..6a02c612d 100644
--- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
+++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
@@ -20,6 +20,7 @@ package com.netscape.certsrv.dbs.keydb;
import java.math.BigInteger;
import java.util.Date;
+import com.netscape.certsrv.base.MetaInfo;
import com.netscape.certsrv.base.EBaseException;
/**
@@ -90,6 +91,13 @@ public interface IKeyRecord {
public Integer getKeySize() throws EBaseException;
/**
+ * Retrieves meta info.
+ *
+ * @return MetaInfo
+ */
+ public MetaInfo getMetaInfo();
+
+ /**
* Retrieves client ID.
*
* @return client id
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
index 678145a92..bd557fa7a 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java
@@ -510,14 +510,14 @@ public class SizePanel extends WizardPanelBase {
CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDH. Make sure server.xml is set properly with -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA");
pair = CryptoUtil.generateECCKeyPair(token, curveName,
null,
- ECDH_usages_mask);
+ ECDH_usages_mask, false, -1, -1);
} else {
if (ct.equals("sslserver")) {
CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDHE. Make sure server.xml is set properly with +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA");
}
pair = CryptoUtil.generateECCKeyPair(token, curveName,
null,
- usages_mask);
+ usages_mask, false, -1, -1);
}
// XXX - store curve , w
diff --git a/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java b/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java
index aeee624c0..ed770ea91 100644
--- a/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java
+++ b/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java
@@ -23,6 +23,7 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IArgBlock;
import com.netscape.certsrv.base.IPrettyPrintFormat;
+import com.netscape.certsrv.base.MetaInfo;
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
/**
@@ -38,6 +39,7 @@ public class KeyRecordParser {
public final static String OUT_KEY_ALGORITHM = "keyAlgorithm";
public final static String OUT_PUBLIC_KEY = "publicKey";
public final static String OUT_KEY_LEN = "keyLength";
+ public final static String OUT_KEY_EC_CURVE = "EllipticCurve";
public final static String OUT_ARCHIVED_BY = "archivedBy";
public final static String OUT_ARCHIVED_ON = "archivedOn";
public final static String OUT_RECOVERED_BY = "recoveredBy";
@@ -71,6 +73,16 @@ public class KeyRecordParser {
} else {
rarg.addIntegerValue(OUT_KEY_LEN, keySize.intValue());
}
+
+ // handles EC
+ MetaInfo metaInfo = rec.getMetaInfo();
+ if (metaInfo != null) {
+ String curve = (String)metaInfo.get(OUT_KEY_EC_CURVE);
+ if (curve != null) {
+ rarg.addStringValue(OUT_KEY_EC_CURVE, curve);
+ }
+ }
+
rarg.addStringValue(OUT_ARCHIVED_BY,
rec.getArchivedBy());
rarg.addLongValue(OUT_ARCHIVED_ON,
diff --git a/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java
index f7773e3fa..e8122b6b8 100644
--- a/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java
+++ b/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java
@@ -281,6 +281,16 @@ public class KeyRecord implements IDBObj, IKeyRecord {
}
/**
+ * Retrieves the metaInfo.
+ * <P>
+ *
+ * @return metaInfo
+ */
+ public MetaInfo getMetaInfo() {
+ return mMetaInfo;
+ }
+
+ /**
* Sets key size.
* <P>
*/
@@ -343,10 +353,6 @@ public class KeyRecord implements IDBObj, IKeyRecord {
return mAlgorithm;
}
- public MetaInfo getMetaInfo() {
- return mMetaInfo;
- }
-
/**
* Retrieves the creation time of this record.
*/
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
index 946f57613..1d06fd2d5 100644
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
@@ -370,6 +370,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
PrivateKey.Type keytype = null;
String alg = pubKey.getAlgorithm();
+ CMS.debug("EncryptionUnit.unwrap alg ="+ alg);
if (alg.equals("DSA")) {
keytype = PrivateKey.DSA;
} else if (alg.equals("EC")) {
@@ -384,18 +385,22 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
} catch (TokenException e) {
CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ CMS.debug("EncryptionUnit.unwrap "+ e.toString());
return null;
} catch (NoSuchAlgorithmException e) {
CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ CMS.debug("EncryptionUnit.unwrap "+ e.toString());
return null;
} catch (InvalidAlgorithmParameterException e) {
CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ CMS.debug("EncryptionUnit.unwrap "+ e.toString());
return null;
} catch (InvalidKeyException e) {
CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));
Debug.trace("EncryptionUnit::unwrap " + e.toString());
+ CMS.debug("EncryptionUnit.unwrap "+ e.toString());
return null;
} catch (Exception e) {
CMS.debug("EncryptionUnit.unwrap : Exception:"+e.toString());
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index 37d1aea53..c65a6ea62 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -22,6 +22,8 @@ import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.cert.CertificateException;
+import java.security.PublicKey;
+import java.util.Arrays;
import java.util.StringTokenizer;
import java.util.Vector;
@@ -35,11 +37,15 @@ import netscape.security.x509.CertificateX509Key;
import netscape.security.x509.X509CertInfo;
import netscape.security.x509.X509Key;
+import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.asn1.ASN1Util;
import org.mozilla.jss.asn1.ASN1Value;
import org.mozilla.jss.asn1.InvalidBERException;
import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
import org.mozilla.jss.asn1.SEQUENCE;
+import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import org.mozilla.jss.pkcs11.PK11ParameterSpec;
import org.mozilla.jss.pkix.crmf.CertReqMsg;
import org.mozilla.jss.pkix.crmf.CertRequest;
import org.mozilla.jss.pkix.crmf.PKIArchiveOptions;
@@ -48,8 +54,11 @@ import org.mozilla.jss.pkix.primitive.AVA;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.AuthToken;
import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.base.MetaInfo;
import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+import com.netscape.certsrv.dbs.keydb.IKeyRecord;
import com.netscape.certsrv.kra.EKRAException;
import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
import com.netscape.certsrv.kra.ProofOfArchival;
@@ -61,6 +70,7 @@ import com.netscape.certsrv.request.IService;
import com.netscape.certsrv.security.IStorageKeyUnit;
import com.netscape.certsrv.security.ITransportKeyUnit;
import com.netscape.certsrv.util.IStatsSubsystem;
+import com.netscape.cms.servlet.key.KeyRecordParser;
import com.netscape.cmscore.crmf.CRMFParser;
import com.netscape.cmscore.crmf.PKIArchiveOptionsContainer;
import com.netscape.kra.ArchiveOptions;
@@ -141,6 +151,17 @@ public class EnrollmentService implements IService {
*/
public boolean serviceRequest(IRequest request)
throws EBaseException {
+ CryptoManager cm = null;
+ IConfigStore config = null;
+ Boolean allowEncDecrypt_archival = false;
+
+ try {
+ cm = CryptoManager.getInstance();
+ config = CMS.getConfigStore();
+ allowEncDecrypt_archival = config.getBoolean("kra.allowEncDecrypt.archival", false);
+ } catch (Exception e) {
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ }
IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
if (statsSub != null) {
@@ -167,6 +188,7 @@ public class EnrollmentService implements IService {
mKRA.log(ILogger.LL_INFO, "KRA services enrollment request");
// unwrap user key with transport
byte unwrapped[] = null;
+ byte tmp_unwrapped[] = null;
PKIArchiveOptionsContainer aOpts[] = null;
String profileId = request.getExtDataInString("profileId");
@@ -204,13 +226,14 @@ public class EnrollmentService implements IService {
for (int i = 0; i < aOpts.length; i++) {
ArchiveOptions opts = new ArchiveOptions(aOpts[i].mAO);
+ if (allowEncDecrypt_archival == true) {
if (statsSub != null) {
statsSub.startTiming("decrypt_user_key");
}
mKRA.log(ILogger.LL_INFO, "KRA decrypts external private");
if (CMS.debugOn())
CMS.debug("EnrollmentService::about to decryptExternalPrivate");
- unwrapped = mTransportUnit.decryptExternalPrivate(
+ tmp_unwrapped = mTransportUnit.decryptExternalPrivate(
opts.getEncSymmKey(),
opts.getSymmAlgOID(),
opts.getSymmAlgParams(),
@@ -220,7 +243,7 @@ public class EnrollmentService implements IService {
}
if (CMS.debugOn())
CMS.debug("EnrollmentService::finished decryptExternalPrivate");
- if (unwrapped == null) {
+ if (tmp_unwrapped == null) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
auditMessage = CMS.getLogMessage(
@@ -235,6 +258,17 @@ public class EnrollmentService implements IService {
CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
}
+ /* making sure leading 0's are removed */
+ int first=0;
+ for (int j=0; (j< tmp_unwrapped.length) && (tmp_unwrapped[j]==0); j++) {
+ first++;
+ }
+ unwrapped = Arrays.copyOfRange(tmp_unwrapped, first, tmp_unwrapped.length);
+ } /*else { allowEncDecrypt_archival != true
+ this is done below with unwrap()
+ }
+ */
+
// retrieve pubic key
X509Key publicKey = getPublicKey(request, aOpts[i].mReqPos);
byte publicKeyData[] = publicKey.getEncoded();
@@ -255,28 +289,51 @@ public class EnrollmentService implements IService {
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
}
- /* Bugscape #54948 - verify public and private key before archiving key */
+ String keyAlg = publicKey.getAlgorithm();
+ CMS.debug("EnrollmentService: algorithm of key to archive is: "+ keyAlg);
- if (statsSub != null) {
- statsSub.startTiming("verify_key");
- }
- if (verifyKeyPair(publicKeyData, unwrapped) == false) {
- mKRA.log(ILogger.LL_FAILURE,
+ PublicKey pubkey = null;
+ org.mozilla.jss.crypto.PrivateKey entityPrivKey = null;
+ if ( allowEncDecrypt_archival == false) {
+ try {
+ pubkey = X509Key.parsePublicKey (new DerValue(publicKeyData));
+ } catch (Exception e) {
+ CMS.debug("EnrollmentService: parsePublicKey:"+e.toString());
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+ }
+ entityPrivKey =
+ mTransportUnit.unwrap(
+ opts.getEncSymmKey(),
+ opts.getSymmAlgOID(),
+ opts.getSymmAlgParams(),
+ opts.getEncValue(),
+ (PublicKey) pubkey);
+ } // !allowEncDecrypt_archival
+
+ /* Bugscape #54948 - verify public and private key before archiving key */
+ if (keyAlg.equals("RSA") && (allowEncDecrypt_archival == true)) {
+ if (statsSub != null) {
+ statsSub.startTiming("verify_key");
+ }
+ if (verifyKeyPair(publicKeyData, unwrapped) == false) {
+ mKRA.log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
- auditMessage = CMS.getLogMessage(
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
auditSubjectID,
ILogger.FAILURE,
auditRequesterID,
auditArchiveID);
- audit(auditMessage);
- throw new EKRAException(
+ audit(auditMessage);
+ throw new EKRAException(
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
- }
- if (statsSub != null) {
- statsSub.endTiming("verify_key");
+ }
+ if (statsSub != null) {
+ statsSub.endTiming("verify_key");
+ }
}
/**
@@ -309,8 +366,15 @@ public class EnrollmentService implements IService {
if (statsSub != null) {
statsSub.startTiming("encrypt_user_key");
}
- byte privateKeyData[] = mStorageUnit.encryptInternalPrivate(
+ byte privateKeyData[] = null;
+
+ if (allowEncDecrypt_archival == true) {
+ privateKeyData = mStorageUnit.encryptInternalPrivate(
unwrapped);
+ } else {
+ privateKeyData = mStorageUnit.wrap(entityPrivKey);
+ }
+
if (statsSub != null) {
statsSub.endTiming("encrypt_user_key");
}
@@ -335,12 +399,7 @@ public class EnrollmentService implements IService {
privateKeyData, owner,
publicKey.getAlgorithmId().getOID().toString(), agentId);
- // we deal with RSA key only
- try {
- RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
-
- rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
- } catch (InvalidKeyException e) {
+ if (rec == null) {
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
@@ -353,6 +412,57 @@ public class EnrollmentService implements IService {
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
}
+ if (keyAlg.equals("RSA")) {
+ try {
+ RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
+
+ rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
+ } catch (InvalidKeyException e) {
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRequesterID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
+ }
+ } else if (keyAlg.equals("EC")) {
+
+ String oidDescription = "UNDETERMINED";
+ // for KeyRecordParser
+ MetaInfo metaInfo = new MetaInfo();
+
+ try {
+ byte curve[] =
+ ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData,
+ false /* without tag and size */);
+ if (curve.length != 0) {
+ oidDescription = ASN1Util.getOIDdescription(curve);
+ } else {
+ /* this is to be used by derdump */
+ byte curveTS[] =
+ ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData,
+ true /* with tag and size */);
+ if (curveTS.length != 0) {
+ oidDescription = CMS.BtoA(curveTS);
+ }
+ }
+ } catch (Exception e) {
+ CMS.debug("EnrollmentService: ASN1Util.getECCurveBytesByX509PublicKeyByte() throws exception: "+ e.toString());
+ CMS.debug("EnrollmentService: exception alowed. continue");
+ }
+
+ metaInfo.set(KeyRecordParser.OUT_KEY_EC_CURVE,
+ oidDescription);
+
+ rec.set(IKeyRecord.ATTR_META_INFO, metaInfo);
+ // key size does not apply to EC;
+ rec.setKeySize(-1);
+ }
+
// if record alreay has a serial number, yell out.
if (rec.getSerialNumber() != null) {
mKRA.log(ILogger.LL_FAILURE,
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index c8ecdcf5a..0cbe2009f 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -377,10 +377,9 @@ public class RecoveryService implements IService {
public synchronized PrivateKey recoverKey(Hashtable<String, Object> request, KeyRecord keyRecord, boolean isRSA)
throws EBaseException {
- if (!isRSA) {
- CMS.debug("RecoverService: recoverKey: currently, non-RSA keys are not supported when allowEncDecrypt_ is false");
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "key type not supported"));
- }
+ CMS.debug("RecoverService: recoverKey: key to recover is RSA? "+
+ isRSA);
+
try {
if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
Credential creds[] = (Credential[])
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 06f177887..82a98c082 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -218,15 +218,46 @@ public class CryptoUtil {
NoSuchTokenException,
NoSuchAlgorithmException,
TokenException {
+ return generateECCKeyPair(token, keysize, usage_ops, usage_mask,
+ false, -1, -1);
+ }
+
+ /*
+ * temporary, sensitive, and extractable usages are per defined in
+ * JSS pkcs11/PK11KeyPairGenerator.java
+ */
+ public static KeyPair generateECCKeyPair(String token, int keysize,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask,
+ boolean temporary, int sensitive, int extractable)
+ throws CryptoManager.NotInitializedException,
+ NoSuchTokenException,
+ NoSuchAlgorithmException,
+ TokenException {
+
CryptoToken t = getTokenByName(token);
KeyPairAlgorithm alg = KeyPairAlgorithm.EC;
- KeyPairGenerator g = t.getKeyPairGenerator(alg);
+ KeyPairGenerator keygen = t.getKeyPairGenerator(alg);
- g.setKeyPairUsages(usage_ops, usage_mask);
- g.initialize(keysize);
+ keygen.setKeyPairUsages(usage_ops, usage_mask);
+ keygen.initialize(keysize);
+ keygen.setKeyPairUsages(usage_ops, usage_mask);
+ keygen.temporaryPairs(temporary);
- KeyPair pair = g.genKeyPair();
+ if (sensitive == 1 )
+ keygen.sensitivePairs(true);
+ else if (sensitive == 0)
+ keygen.sensitivePairs(false);
+
+ if (extractable == 1 )
+ keygen.extractablePairs(true);
+ else if (extractable == 0)
+ keygen.extractablePairs(false);
+
+ keygen.initialize(keysize);
+
+ KeyPair pair = keygen.genKeyPair();
return pair;
}
@@ -261,6 +292,20 @@ public class CryptoUtil {
return generateECCKeyPair(t, curveName, usage_ops, usage_mask);
}
+ public static KeyPair generateECCKeyPair(String token, String curveName,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask,
+ boolean temporary, int sensitive, int extractable)
+ throws CryptoManager.NotInitializedException,
+ NoSuchTokenException,
+ NoSuchAlgorithmException,
+ TokenException {
+ CryptoToken t = getTokenByName(token);
+ return generateECCKeyPair(t, curveName, usage_ops, usage_mask,
+ temporary, sensitive, extractable);
+ }
+
+
public static KeyPair generateECCKeyPair(CryptoToken token, String curveName,
org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops,
org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask)
@@ -268,23 +313,52 @@ public class CryptoUtil {
NoSuchTokenException,
NoSuchAlgorithmException,
TokenException {
+ return generateECCKeyPair(token, curveName, usage_ops, usage_mask,
+ false, -1, -1);
+ }
+
+ /*
+ * temporary, sensitive, and extractable usages are per defined in
+ * JSS pkcs11/PK11KeyPairGenerator.java
+ */
+ public static KeyPair generateECCKeyPair(CryptoToken token, String curveName,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask,
+ boolean temporary, int sensitive, int extractable)
+ throws CryptoManager.NotInitializedException,
+ NoSuchTokenException,
+ NoSuchAlgorithmException,
+ TokenException {
+
KeyPairAlgorithm alg = KeyPairAlgorithm.EC;
- KeyPairGenerator g = token.getKeyPairGenerator(alg);
+ KeyPairGenerator keygen = token.getKeyPairGenerator(alg);
+
+ keygen.setKeyPairUsages(usage_ops, usage_mask);
+ keygen.setKeyPairUsages(usage_ops, usage_mask);
+ keygen.temporaryPairs(temporary);
- g.setKeyPairUsages(usage_ops, usage_mask);
+ if (sensitive == 1 )
+ keygen.sensitivePairs(true);
+ else if (sensitive == 0)
+ keygen.sensitivePairs(false);
+
+ if (extractable == 1 )
+ keygen.extractablePairs(true);
+ else if (extractable == 0)
+ keygen.extractablePairs(false);
System.out.println("CryptoUtil: generateECCKeyPair: curve = " + curveName);
int curveCode = 0;
try {
- curveCode = g.getCurveCodeByName(curveName);
+ curveCode = keygen.getCurveCodeByName(curveName);
} catch (Exception e) {
System.out.println("CryptoUtil: generateECCKeyPair: " + e.toString());
throw new NoSuchAlgorithmException();
}
- g.initialize(curveCode);
+ keygen.initialize(curveCode);
System.out.println("CryptoUtil: generateECCKeyPair: after KeyPairGenerator initialize with:" + curveName);
- KeyPair pair = g.genKeyPair();
+ KeyPair pair = keygen.genKeyPair();
return pair;
}