Diffstat (limited to 'pki/base/common/src/com/netscape/certsrv/kra')
-rw-r--r--pki/base/common/src/com/netscape/certsrv/kra/EKRAException.java88
-rw-r--r--pki/base/common/src/com/netscape/certsrv/kra/IJoinShares.java33
-rw-r--r--pki/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java319
-rw-r--r--pki/base/common/src/com/netscape/certsrv/kra/IKeyService.java177
-rw-r--r--pki/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java87
-rw-r--r--pki/base/common/src/com/netscape/certsrv/kra/IShare.java32
-rw-r--r--pki/base/common/src/com/netscape/certsrv/kra/KRAResources.java41
-rw-r--r--pki/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java440
8 files changed, 1217 insertions, 0 deletions
diff --git a/pki/base/common/src/com/netscape/certsrv/kra/EKRAException.java b/pki/base/common/src/com/netscape/certsrv/kra/EKRAException.java
new file mode 100644
index 000000000..7992d5fb0
--- /dev/null
+++ b/pki/base/common/src/com/netscape/certsrv/kra/EKRAException.java
@@ -0,0 +1,88 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+
+import java.util.*;
+import com.netscape.certsrv.base.*;
+
+
+/**
+ * A class represents a KRA exception. This is the base
+ * exception for all the KRA specific exceptions. It is
+ * associated with <CODE>KRAResources</CODE>.
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ */
+public class EKRAException extends EBaseException {
+
+ /**
+ * KRA resource class name.
+ * <P>
+ */
+ private static final String KRA_RESOURCES = KRAResources.class.getName();
+
+ /**
+ * Constructs a KRA exception.
+ * <P>
+ * @param msgFormat constant from KRAResources.
+ */
+ public EKRAException(String msgFormat) {
+ super(msgFormat);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ * <P>
+ * @param msgFormat constant from KRAResources.
+ * @param param additional parameters to the message.
+ */
+ public EKRAException(String msgFormat, String param) {
+ super(msgFormat, param);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ * <P>
+ * @param msgFormat constant from KRAResources.
+ * @param e embedded exception.
+ */
+ public EKRAException(String msgFormat, Exception e) {
+ super(msgFormat, e);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ * <P>
+ * @param msgFormat constant from KRAResources.
+ * @param params additional parameters to the message.
+ */
+ public EKRAException(String msgFormat, Object params[]) {
+ super(msgFormat, params);
+ }
+
+ /**
+ * Returns the bundle file name.
+ * <P>
+ * @return name of bundle class associated with this exception.
+ */
+ protected String getBundleName() {
+ return KRA_RESOURCES;
+ }
+}
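Review bot: `import java.util.*;` near the top of EKRAException.java is unused and should be dropped, because the class only references String, Object, Exception, EBaseException and KRAResources. The same applies in later hunks of this commit: IKeyService.java imports `java.security.cert.X509Certificate` but only uses `X509CertImpl`, IKeyRecoveryAuthority.java pulls in `java.io.*`, `java.net.*`, `java.math.*` and `java.security.*` without naming a type from them, and IProofOfArchival.java needs only `java.math.*` and `java.util.*` of its eight imports. In KRA code, explicit single-type imports also make it easier to see which certificate and crypto classes (JSS versus JDK `X509Certificate`) an interface actually exposes.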
diff --git a/pki/base/common/src/com/netscape/certsrv/kra/IJoinShares.java b/pki/base/common/src/com/netscape/certsrv/kra/IJoinShares.java
new file mode 100644
index 000000000..e130b95c2
--- /dev/null
+++ b/pki/base/common/src/com/netscape/certsrv/kra/IJoinShares.java
@@ -0,0 +1,33 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+/**
+ * Use Java's reflection API to leverage CMS's
+ * old Share and JoinShares implementations.
+ *
+ * @deprecated
+ * @version $Revision$ $Date$
+ */
+public interface IJoinShares {
+
+ public void initialize(int threshold) throws Exception;
+ public void addShare(int shareNum, byte[] share);
+ public int getShareCount();
+ public byte[] recoverSecret();
+}
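Review bot: The four methods of IJoinShares carry no Javadoc, and for a secret-sharing API the missing contract is security-relevant. Nothing says what `recoverSecret()` returns when fewer than `threshold` shares were added, whether `addShare` accepts a repeated `shareNum`, or who owns the returned `byte[]`. I would document each method and give `recoverSecret()` a line such as `@return the reconstructed secret; callers must overwrite the array once it is no longer needed`, stating the under-threshold behaviour once it is confirmed against the implementation. The bare `@deprecated` tag should also say why and name the replacement. IShare.java later in this commit has the same gaps for `initialize(byte[] secret, int threshold)` and `createShare(int sharenumber)`.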
diff --git a/pki/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java b/pki/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
new file mode 100644
index 000000000..b2d02f2a3
--- /dev/null
+++ b/pki/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
@@ -0,0 +1,319 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+
+import java.util.*;
+import java.io.*;
+import java.net.*;
+import java.security.*;
+import java.math.*;
+import netscape.security.x509.*;
+import com.netscape.certsrv.logging.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.dbs.*;
+import com.netscape.certsrv.dbs.keydb.*;
+import com.netscape.certsrv.dbs.replicadb.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.policy.*;
+import com.netscape.certsrv.security.*;
+import org.mozilla.jss.crypto.*;
+
+
+/**
+ * An interface represents key recovery authority. The
+ * key recovery authority is responsibile for archiving
+ * and recovering user encryption private keys.
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IKeyRecoveryAuthority extends ISubsystem {
+
+ public static final String ID = "kra";
+
+ public final static String PROP_NAME = "name";
+ public final static String PROP_HTTP = "http";
+ public final static String PROP_POLICY = "policy";
+ public final static String PROP_DBS = "dbs";
+ public final static String PROP_TOKEN = "token";
+ public final static String PROP_SHARE = "share";
+ public final static String PROP_PROTECTOR = "protector";
+ public final static String PROP_LOGGING = "logging";
+ public final static String PROP_QUEUE_REQUESTS = "queueRequests";
+ public final static String PROP_STORAGE_KEY = "storageUnit";
+ public final static String PROP_TRANSPORT_KEY = "transportUnit";
+ public static final String PROP_NEW_NICKNAME = "newNickname";
+ public static final String PROP_KEYDB_INC = "keydbInc";
+
+ public final static String PROP_NOTIFY_SUBSTORE = "notification";
+ public final static String PROP_REQ_IN_Q_SUBSTORE = "requestInQ";
+
+ /**
+ * Returns the name of this subsystem.
+ * <P>
+ *
+ * @return KRA name
+ */
+ public X500Name getX500Name();
+
+ /**
+ * Retrieves KRA request repository.
+ * <P>
+ *
+ * @return request repository
+ */
+ public IRequestQueue getRequestQueue();
+
+ /**
+ * Retrieves the key repository. The key repository
+ * stores archived keys.
+ * <P>
+ */
+ public IKeyRepository getKeyRepository();
+
+ /**
+ * Retrieves the Replica ID repository.
+ *
+ * @return KRA's Replica ID repository
+ */
+ public IReplicaIDRepository getReplicaRepository();
+
+ /**
+ * Enables the auto recovery state. Once KRA is in the auto
+ * recovery state, no recovery agents need to be present for
+ * providing credentials. This feature is for enabling
+ * user-based recovery operation.
+ * <p>
+ *
+ * @param cs list of agent credentials
+ * @param on true if auto recovery state is on
+ * @return current auto recovery state
+ */
+ public boolean setAutoRecoveryState(Credential cs[], boolean on);
+
+ /**
+ * Returns the current auto recovery state.
+ *
+ * @return true if auto recvoery state is on
+ */
+ public boolean getAutoRecoveryState();
+
+ /**
+ * Adds credentials to the given authorizated recovery operation.
+ * In distributed recovery mode, recovery agent login to the
+ * agent interface and submit its credential for a particular
+ * recovery operation.
+ *
+ * @param id authorization identifier
+ * @param creds list of credentials
+ */
+ public void addAutoRecovery(String id, Credential creds[]);
+
+ /**
+ * Removes a particular auto recovery operation.
+ *
+ * @param id authorization identifier
+ */
+ public void removeAutoRecovery(String id);
+
+ /**
+ * Returns the number of required agents. In M-out-of-N
+ * recovery schema, only M agents are required even there
+ * are N agents. This method returns M.
+ *
+ * @return number of required agents
+ */
+ public int getNoOfRequiredAgents() throws EBaseException;
+
+ /**
+ * Sets the number of required recovery agents
+ *
+ * @param number number of agents
+ */
+ public void setNoOfRequiredAgents(int number) throws EBaseException;
+
+ /**
+ * Returns the current recovery identifier.
+ *
+ * @return recovery identifier
+ */
+ public String getRecoveryID();
+
+ /**
+ * Returns a list of recovery identifiers.
+ *
+ * @return list of auto recovery identifiers
+ */
+ public Enumeration getAutoRecoveryIDs();
+
+ /**
+ * Returns the storage key unit that manages the
+ * stoarge key.
+ *
+ * @return storage key unit
+ */
+ public IStorageKeyUnit getStorageKeyUnit();
+
+ /**
+ * Returns the transport key unit that manages the
+ * transport key.
+ *
+ * @return transport key unit
+ */
+ public ITransportKeyUnit getTransportKeyUnit();
+
+ /**
+ * Returns the token that generates user key pairs for supporting server-side keygen
+ *
+ * @return keygen token
+ */
+ public CryptoToken getKeygenToken();
+
+ /**
+ * Adds entropy to the token used for supporting server-side keygen
+ * Parameters are set in the config file
+ * @param logflag create log messages at info level to report entropy shortage
+ */
+ public void addEntropy(boolean logflag);
+
+
+ /**
+ * Returns the request listener that listens on
+ * the request completion event.
+ *
+ * @return request listener
+ */
+ public IRequestListener getRequestInQListener();
+
+ /**
+ * Returns policy processor of the key recovery
+ * authority.
+ *
+ * @return policy processor
+ */
+ public IPolicyProcessor getPolicyProcessor();
+
+ /**
+ * Returns the nickname of the transport certificate.
+ *
+ * @return transport certificate nickname.
+ */
+ public String getNickname();
+
+ /**
+ * Sets the nickname of the transport certificate.
+ *
+ * @param str nickname
+ */
+ public void setNickname(String str);
+
+ /**
+ * Returns the new nickname of the transport certifiate.
+ *
+ * @return new nickname
+ */
+ public String getNewNickName() throws EBaseException;
+
+ /**
+ * Sets the new nickname of the transport certifiate.
+ *
+ * @param name new nickname
+ */
+ public void setNewNickName(String name);
+
+ /**
+ * Logs event into key recovery authority logging.
+ *
+ * @param level log level
+ * @param msg log message
+ */
+ public void log(int level, String msg);
+
+ /**
+ * Creates a request object to store attributes that
+ * will not be serialized. Currently, request queue
+ * framework will try to serialize all the attribute into
+ * persistent storage. Things like passwords are not
+ * desirable to be stored.
+ *
+ * @param id request id
+ * @return volatile requests
+ */
+ public Hashtable createVolatileRequest(RequestId id);
+
+ /**
+ * Retrieves the request object.
+ *
+ * @param id request id
+ * @return volatile requests
+ */
+ public Hashtable getVolatileRequest(RequestId id);
+
+ /**
+ * Destroys the request object.
+ *
+ * @param id request id
+ */
+ public void destroyVolatileRequest(RequestId id);
+
+ public Vector getAppAgents(
+ String recoveryID) throws EBaseException;
+
+ /**
+ * Creates error for a specific recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @param error error
+ * @exception EBaseException failed to create error
+ */
+ public void createError(String recoveryID, String error)
+ throws EBaseException;
+
+ /**
+ * Retrieves error by recovery identifier.
+ *
+ * @param recoveryID recovery id
+ * @return error message
+ */
+ public String getError(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Retrieves PKCS12 package by recovery identifier.
+ *
+ * @param recoveryID recovery id
+ * @return pkcs12 package in bytes
+ */
+ public byte[] getPk12(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Creates PKCS12 package in memory.
+ *
+ * @param recoveryID recovery id
+ * @param pk12 package in bytes
+ */
+ public void createPk12(String recoveryID, byte[] pk12)
+ throws EBaseException;
+
+ /**
+ * Retrieves the transport certificate.
+ */
+ public org.mozilla.jss.crypto.X509Certificate getTransportCert();
+}
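Review bot: `setNoOfRequiredAgents(int number)` and `setAutoRecoveryState(Credential cs[], boolean on)` both change or bypass the M-of-N agent quorum, yet their Javadoc states no constraints. The first should document the accepted range, for example `@param number number of agents; must be at least 1 and no greater than the number of configured agents`, plus an `@exception EBaseException` line. The second should say how `cs` is checked and what is returned when the credentials are rejected. `getAppAgents(String recoveryID)` has no Javadoc at all. `createVolatileRequest` is described as holding things like passwords, so `destroyVolatileRequest` should state whether the table's contents are cleared; the raw `Hashtable`, `Vector` and `Enumeration` return types also hide what is stored.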
diff --git a/pki/base/common/src/com/netscape/certsrv/kra/IKeyService.java b/pki/base/common/src/com/netscape/certsrv/kra/IKeyService.java
new file mode 100644
index 000000000..5fe5a4025
--- /dev/null
+++ b/pki/base/common/src/com/netscape/certsrv/kra/IKeyService.java
@@ -0,0 +1,177 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+
+import java.math.BigInteger;
+import java.util.Hashtable;
+import java.security.cert.X509Certificate;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.security.*;
+import netscape.security.x509.X509CertImpl;
+
+
+/**
+ * An interface representing a recovery service.
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IKeyService {
+
+ /**
+ * Retrieves number of agent required to perform
+ * key recovery operation.
+ *
+ * @return number of required recovery agents
+ * @exception EBaseException failed to retrieve value
+ */
+ public int getNoOfRequiredAgents() throws EBaseException;
+
+ /**
+ * is async recovery request status APPROVED -
+ * i.e. all required # of recovery agents approved
+ * @param reqID request id
+ * @return true if # of recovery required agents approved; false otherwise
+ */
+ public boolean isApprovedAsyncKeyRecovery(String reqID)
+ throws EBaseException;
+
+ /**
+ * get async recovery request initiating agent
+ * @param reqID request id
+ * @return agentUID
+ */
+ public String getInitAgentAsyncKeyRecovery(String reqID)
+ throws EBaseException;
+
+ /**
+ * Initiate asynchronous key recovery
+ * @param kid key identifier
+ * @param cert certificate embedded in PKCS12
+ * @return requestId
+ * @exception EBaseException failed to initiate async recovery
+ */
+ public String initAsyncKeyRecovery(BigInteger kid, X509CertImpl cert, String agent)
+ throws EBaseException;
+
+ /**
+ * add approving agent in asynchronous key recovery
+ * @param reqID request id
+ * @param agentID agent id
+ * @exception EBaseException failed to initiate async recovery
+ */
+ public void addAgentAsyncKeyRecovery(String reqID, String agentID)
+ throws EBaseException;
+
+ /**
+ * Performs administrator-initiated key recovery.
+ *
+ * @param kid key identifier
+ * @param creds list of credentials (id and password)
+ * @param pwd password to protect PKCS12
+ * @param cert certificate embedded in PKCS12
+ * @param delivery delivery mechanism
+ * @return pkcs12
+ * @exception EBaseException failed to perform recovery
+ */
+ public byte[] doKeyRecovery(BigInteger kid,
+ Credential creds[], String pwd, X509CertImpl cert,
+ String delivery, String nickname, String agent) throws EBaseException;
+
+ /**
+ * Async Recovers key for administrators. This method is
+ * invoked by the agent operation of the key recovery servlet.
+ * <P>
+ *
+ * <ul>
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST used whenever
+ * a user private key recovery request is made (this is when the DRM
+ * receives the request)
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED used whenever
+ * a user private key recovery request is processed (this is when the DRM
+ * processes the request)
+ * </ul>
+ * @param reqID request id
+ * @param password password of the PKCS12 package
+ * subsystem
+ * @exception EBaseException failed to recover key
+ * @return a byte array containing the key
+ */
+ public byte[] doKeyRecovery(
+ String reqID,
+ String password)
+ throws EBaseException;
+
+ /**
+ * Retrieves recovery identifier.
+ *
+ * @return recovery id
+ */
+ public String getRecoveryID();
+
+ /**
+ * Creates recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return recovery parameters
+ * @exception EBaseException failed to create
+ */
+ public Hashtable createRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Destroys recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @exception EBaseException failed to destroy
+ */
+ public void destroyRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Retrieves recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return recovery parameters
+ * @exception EBaseException failed to retrieve
+ */
+ public Hashtable getRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Adds password in the distributed recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @param uid agent uid
+ * @param pwd agent password
+ * @exception EBaseException failed to add
+ */
+ public void addDistributedCredential(String recoveryID,
+ String uid, String pwd) throws EBaseException;
+
+ /**
+ * Retrieves credentials in the distributed recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return agent's credentials
+ * @exception EBaseException failed to retrieve
+ */
+ public Credential[] getDistributedCredentials(String recoveryID)
+ throws EBaseException;
+}
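Review bot: `addAgentAsyncKeyRecovery(String reqID, String agentID)` and `isApprovedAsyncKeyRecovery(String reqID)` do not say whether approvals are counted per distinct agent. If an implementation counted calls rather than unique `agentID` values, one agent could satisfy the quorum alone, so the contract should state it, e.g. `@param agentID agent id; a repeated id for the same request must not increase the approval count`. The Javadoc is also incomplete: `initAsyncKeyRecovery` omits `@param agent`, the seven-argument `doKeyRecovery` omits `@param nickname` and `@param agent`, and the `@exception` text on `addAgentAsyncKeyRecovery` repeats the wording of the initiate method. Passwords are passed as `String` in both `doKeyRecovery` overloads and in `addDistributedCredential`, which cannot be wiped after use; that deserves a comment even if the signatures must stay.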
diff --git a/pki/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java b/pki/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java
new file mode 100644
index 000000000..571380eaf
--- /dev/null
+++ b/pki/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java
@@ -0,0 +1,87 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+
+import java.io.*;
+import java.math.*;
+import java.util.*;
+import java.security.*;
+import netscape.security.util.*;
+import netscape.security.pkcs.*;
+import netscape.security.x509.*;
+import com.netscape.certsrv.base.*;
+
+
+/**
+ * An interface represents a proof of archival.
+ * <P>
+ * Here is the ASN1 definition of a proof of escrow:
+ * <PRE>
+ * ProofOfArchival ::= SIGNED {
+ * SEQUENCE {
+ * version [0] Version DEFAULT v1,
+ * serialNumber INTEGER,
+ * subjectName Name,
+ * issuerName Name,
+ * dateOfArchival Time,
+ * extensions [1] Extensions OPTIONAL
+ * }
+ * }
+ * </PRE>
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ */
+public interface IProofOfArchival {
+
+ /**
+ * Retrieves version of this proof.
+ *
+ * @return version
+ */
+ public BigInteger getVersion();
+
+ /**
+ * Retrieves the serial number.
+ *
+ * @return serial number
+ */
+ public BigInteger getSerialNumber();
+
+ /**
+ * Retrieves the subject name.
+ *
+ * @return subject name
+ */
+ public String getSubjectName();
+
+ /**
+ * Retrieves the issuer name.
+ *
+ * @return issuer name
+ */
+ public String getIssuerName();
+
+ /**
+ * Returns the beginning of the escrowed perioid.
+ *
+ * @return date of archival
+ */
+ public Date getDateOfArchival();
+}
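Review bot: The interface comment describes a `SIGNED` structure, but the interface exposes only the to-be-signed fields and nothing about the signature, so a caller cannot tell from this contract whether the values it reads were verified. I would add a sentence to the interface Javadoc such as `The getters return decoded field values and make no statement about signature validity.`, adjusted if implementations do verify on decode, which this hunk does not show. `getDateOfArchival()` should also say whether the returned `Date` is a copy, since `Date` is mutable. Minor: "perioid" in that method's comment should read "period", and the text alternates between "proof of archival" and "proof of escrow".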
diff --git a/pki/base/common/src/com/netscape/certsrv/kra/IShare.java b/pki/base/common/src/com/netscape/certsrv/kra/IShare.java
new file mode 100644
index 000000000..c4d58f0a0
--- /dev/null
+++ b/pki/base/common/src/com/netscape/certsrv/kra/IShare.java
@@ -0,0 +1,32 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+/**
+ * Use Java's reflection API to leverage CMS's
+ * old Share and JoinShares implementations.
+ *
+ * @deprecated
+ * @version $Revision$ $Date$
+ */
+public interface IShare {
+
+ public void initialize(byte[] secret, int threshold) throws Exception;
+ public byte[] createShare(int sharenumber);
+
+}
diff --git a/pki/base/common/src/com/netscape/certsrv/kra/KRAResources.java b/pki/base/common/src/com/netscape/certsrv/kra/KRAResources.java
new file mode 100644
index 000000000..74f66992b
--- /dev/null
+++ b/pki/base/common/src/com/netscape/certsrv/kra/KRAResources.java
@@ -0,0 +1,41 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+
+import java.util.*;
+
+
+/**
+ * A class represents a resource bundle for KRA subsystem.
+ * <P>
+ *
+ * @version $Revision$, $Date$
+ */
+public class KRAResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ static final Object[][] contents = {
+ };
+}
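Review bot: `contents` is an empty, package-visible array that `getContents()` hands out directly, while EKRAException in this commit returns this class from `getBundleName()` and documents `msgFormat` as a "constant from KRAResources"; no such constants are defined here. If the base exception resolves messages through the bundle (not visible in this diff), every lookup would miss, so either populate the table or add a comment explaining that KRA messages are resolved elsewhere. Independently, the field should be `private static final Object[][] contents = {};` so that other classes in the package cannot reach the array directly.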
diff --git a/pki/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java b/pki/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java
new file mode 100644
index 000000000..5fe06f921
--- /dev/null
+++ b/pki/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java
@@ -0,0 +1,440 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+
+import java.io.*;
+import java.math.*;
+import java.util.*;
+import java.security.*;
+import netscape.security.util.*;
+import netscape.security.pkcs.*;
+import netscape.security.x509.*;
+//import com.netscape.cmscore.util.*;
+import com.netscape.certsrv.apps.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.dbs.*;
+
+
+/**
+ * A class represents a proof of escrow. It indicates a key
+ * pairs have been escrowed by appropriate authority. The
+ * structure of this object is very similar (if not exact) to
+ * X.509 certificate. A proof of escrow is signed by an escrow
+ * authority. It is possible to have a CMS policy to reject
+ * the certificate issuance request if proof of escrow is not
+ * presented.
+ * <P>
+ * Here is the ASN1 definition of a proof of escrow:
+ * <PRE>
+ * ProofOfEscrow ::= SIGNED {
+ * SEQUENCE {
+ * version [0] Version DEFAULT v1,
+ * serialNumber INTEGER,
+ * subjectName Name,
+ * issuerName Name,
+ * dateOfArchival Time,
+ * extensions [1] Extensions OPTIONAL
+ * }
+ * }
+ * </PRE>
+ * <P>
+ *
+ * @author thomask
+ * @version $Revision$, $Date$
+ */
+public class ProofOfArchival implements IDBObj, IProofOfArchival, Serializable {
+
+ /**
+ * Constants
+ */
+ public static final BigInteger DEFAULT_VERSION = new BigInteger("1");
+
+ public static final String ATTR_VERSION = "pofVersion";
+ public static final String ATTR_SERIALNO = "pofSerialNo";
+ public static final String ATTR_SUBJECT = "pofSubject";
+ public static final String ATTR_ISSUER = "pofIssuer";
+ public static final String ATTR_DATE_OF_ARCHIVAL = "pofDateOfArchival";
+
+ protected BigInteger mSerialNo = null;
+ protected BigInteger mVersion = null;
+ protected String mSubject = null;
+ protected String mIssuer = null;
+ protected Date mDateOfArchival = null;
+
+ protected static Vector mNames = new Vector();
+ static {
+ mNames.addElement(ATTR_VERSION);
+ mNames.addElement(ATTR_SERIALNO);
+ mNames.addElement(ATTR_SUBJECT);
+ mNames.addElement(ATTR_ISSUER);
+ mNames.addElement(ATTR_DATE_OF_ARCHIVAL);
+ }
+
+ /**
+ * Constructs a proof of escrow.
+ * <P>
+ * @param serialNo serial number of proof
+ * @param subject subject name
+ * @param issuer issuer name
+ * @param dateOfArchival date of archival
+ */
+ public ProofOfArchival(BigInteger serialNo, String subject,
+ String issuer, Date dateOfArchival) {
+ mVersion = DEFAULT_VERSION;
+ mSerialNo = serialNo;
+ mSubject = subject;
+ mIssuer = issuer;
+ mDateOfArchival = dateOfArchival;
+ }
+
+ /**
+ * Constructs proof of escrow from input stream.
+ * <P>
+ * @param in encoding source
+ * @exception EBaseException failed to decode
+ */
+ public ProofOfArchival(InputStream in) throws EBaseException {
+ decode(in);
+ }
+
+ /**
+ * Sets an attribute value.
+ * <P>
+ * @param name attribute name
+ * @param obj attribute value
+ * @exception EBaseException failed to set attribute
+ */
+ public void set(String name, Object obj) throws EBaseException {
+ if (name.equals(ATTR_VERSION)) {
+ mVersion = (BigInteger) obj;
+ } else if (name.equals(ATTR_SERIALNO)) {
+ mSerialNo = (BigInteger) obj;
+ } else if (name.equals(ATTR_SUBJECT)) {
+ mSubject = (String) obj;
+ } else if (name.equals(ATTR_ISSUER)) {
+ mIssuer = (String) obj;
+ } else if (name.equals(ATTR_DATE_OF_ARCHIVAL)) {
+ mDateOfArchival = (Date) obj;
+ } else {
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
+ }
+ }
+
+ /**
+ * Retrieves the value of an named attribute.
+ * <P>
+ * @param name attribute name
+ * @return attribute value
+ * @exception EBaseException failed to get attribute
+ */
+ public Object get(String name) throws EBaseException {
+ if (name.equals(ATTR_VERSION)) {
+ return mVersion;
+ } else if (name.equals(ATTR_SERIALNO)) {
+ return mSerialNo;
+ } else if (name.equals(ATTR_SUBJECT)) {
+ return mSubject;
+ } else if (name.equals(ATTR_ISSUER)) {
+ return mIssuer;
+ } else if (name.equals(ATTR_DATE_OF_ARCHIVAL)) {
+ return mDateOfArchival;
+ } else {
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
+ }
+ }
+
+ /**
+ * Deletes an attribute.
+ * <P>
+ * @param name attribute name
+ * @exception EBaseException failed to get attribute
+ */
+ public void delete(String name) throws EBaseException {
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
+ }
+
+ /**
+ * Retrieves a list of possible attribute names.
+ * <P>
+ *
+ * @return a list of names
+ */
+ public Enumeration getElements() {
+ return mNames.elements();
+ }
+
+ /**
+ * Retrieves serializable attribute names.
+ *
+ * @return a list of serializable attribute names
+ */
+ public Enumeration getSerializableAttrNames() {
+ return mNames.elements();
+ }
+
+ /**
+ * Retrieves version of this proof.
+ * <P>
+ * @return version
+ */
+ public BigInteger getVersion() {
+ return mVersion;
+ }
+
+ /**
+ * Retrieves the serial number.
+ * <P>
+ * @return serial number
+ */
+ public BigInteger getSerialNumber() {
+ return mSerialNo;
+ }
+
+ /**
+ * Retrieves the subject name.
+ * <P>
+ * @return subject name
+ */
+ public String getSubjectName() {
+ return mSubject;
+ }
+
+ /**
+ * Retrieves the issuer name.
+ * <P>
+ * @return issuer name
+ */
+ public String getIssuerName() {
+ return mIssuer;
+ }
+
+ /**
+ * Returns the beginning of the escrowed perioid.
+ * <P>
+ * @return date of archival
+ */
+ public Date getDateOfArchival() {
+ return mDateOfArchival;
+ }
+
+ /**
+ * Encodes this proof of escrow into the given
+ * output stream.
+ * <P>
+ */
+ public void encode(DerOutputStream out) throws EBaseException {
+ try {
+ DerOutputStream seq = new DerOutputStream();
+
+ // version (OPTIONAL)
+ if (!mVersion.equals(DEFAULT_VERSION)) {
+ DerOutputStream version = new DerOutputStream();
+
+ version.putInteger(new BigInt(mVersion));
+ seq.write(DerValue.createTag(
+ DerValue.TAG_CONTEXT, true, (byte) 0),
+ version);
+ }
+
+ // serial number
+ DerOutputStream serialno = new DerOutputStream();
+
+ seq.putInteger(new BigInt(mSerialNo));
+
+ // subject name
+ DerOutputStream subject = new DerOutputStream();
+
+ (new X500Name(mSubject)).encode(seq);
+
+ // issuer name
+ DerOutputStream issuer = new DerOutputStream();
+
+ (new X500Name(mIssuer)).encode(seq);
+
+ // issue date
+ seq.putUTCTime(mDateOfArchival);
+ out.write(DerValue.tag_Sequence, seq);
+
+ } catch (IOException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED", e.toString()));
+ }
+ }
+
+ /**
+ * Encodes and signs this proof of escrow.
+ * <P>
+ */
+ public void encodeAndSign(PrivateKey key, String algorithm,
+ String provider, DerOutputStream out)
+ throws EBaseException {
+
+ try {
+ Signature sigEngine = null;
+
+ if (provider == null) {
+ sigEngine = Signature.getInstance(algorithm);
+ } else {
+ sigEngine = Signature.getInstance(algorithm,
+ provider);
+ }
+
+ sigEngine.initSign(key);
+ DerOutputStream tmp = new DerOutputStream();
+
+ encode(tmp);
+
+ AlgorithmId sigAlgId = AlgorithmId.get(
+ sigEngine.getAlgorithm());
+
+ sigAlgId.encode(tmp);
+ byte dataToSign[] = tmp.toByteArray();
+
+ sigEngine.update(dataToSign, 0, dataToSign.length);
+ byte signature[] = sigEngine.sign();
+
+ tmp.putBitString(signature);
+ out.write(DerValue.tag_Sequence, tmp);
+ return;
+ } catch (NoSuchAlgorithmException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (NoSuchProviderException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (InvalidKeyException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (SignatureException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (IOException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ }
+ }
+
+ /**
+ * Decodes the input stream.
+ * <P>
+ */
+ public void decode(InputStream in) throws EBaseException {
+ try {
+ // POA is a SIGNED ASN.1 macro, a three element sequence:
+ // - Data to be signed (ToBeSigned) -- the "raw" data
+ // - Signature algorithm (SigAlgId)
+ // - The Signature bits
+
+ DerValue val = new DerValue(in);
+
+ DerValue seq[] = new DerValue[3];
+
+ seq[0] = val.data.getDerValue();
+ if (seq[0].tag == DerValue.tag_Sequence) {
+ // with signature
+ seq[1] = val.data.getDerValue();
+ seq[2] = val.data.getDerValue();
+ if (seq[1].data.available() != 0) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1",
+ "no algorithm found"));
+ }
+
+ if (seq[2].data.available() != 0) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1",
+ "no signature found"));
+ }
+
+ AlgorithmId algid = AlgorithmId.parse(seq[1]);
+ byte signature[] = seq[2].getBitString();
+
+ decodePOA(val, null);
+ } else {
+ // without signature
+ decodePOA(val, seq[0]);
+ }
+ } catch (IOException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", e.toString()));
+ }
+ }
+
+ /**
+ * Decodes proof of escrow.
+ * <P>
+ */
+ private void decodePOA(DerValue val, DerValue preprocessed)
+ throws EBaseException {
+ try {
+ DerValue tmp = null;
+
+ if (preprocessed == null) {
+ if (val.tag != DerValue.tag_Sequence) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1",
+ "not start with sequence"));
+ }
+ tmp = val.data.getDerValue();
+ } else {
+ tmp = preprocessed;
+ }
+
+ // version
+ if (tmp.isContextSpecific((byte) 0)) {
+ if (tmp.isConstructed() && tmp.isContextSpecific()) {
+ DerValue version = tmp.data.getDerValue();
+ BigInt ver = version.getInteger();
+
+ mVersion = ver.toBigInteger();
+ tmp = val.data.getDerValue();
+ }
+ } else {
+ mVersion = DEFAULT_VERSION;
+ }
+
+ // serial number
+ DerValue serialno = tmp;
+
+ mSerialNo = serialno.getInteger().toBigInteger();
+
+ // subject
+ DerValue subject = val.data.getDerValue();
+
+ // mSubject = new X500Name(subject); // doesnt work
+ mSubject = new String(subject.toByteArray());
+
+ // issuer
+ DerValue issuer = val.data.getDerValue();
+
+ mIssuer = new String(issuer.toByteArray());
+
+ // date of archival
+ mDateOfArchival = val.data.getUTCTime();
+ } catch (IOException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", e.toString()));
+ }
+ }
+
+ /**
+ * Retrieves the string reprensetation of this
+ * proof of archival.
+ */
+ public String toString() {
+ return "Version: " + mVersion.toString() + "\n" +
+ "SerialNo: " + mSerialNo.toString() + "\n" +
+ "Subject: " + mSubject + "\n" +
+ "Issuer: " + mIssuer + "\n" +
+ "DateOfArchival: " + mDateOfArchival.toString();
+ }
+
+}