Diffstat (limited to 'pki/base/kra/src/com/netscape/kra/EnrollmentService.java')
-rw-r--r-- | pki/base/kra/src/com/netscape/kra/EnrollmentService.java | 614 |
1 files changed, 305 insertions, 309 deletions
diff --git a/pki/base/kra/src/com/netscape/kra/EnrollmentService.java b/pki/base/kra/src/com/netscape/kra/EnrollmentService.java index 397793bfc..84307d0be 100644 --- a/pki/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/pki/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import java.io.ByteArrayInputStream; import java.io.IOException; import java.math.BigInteger; @@ -76,21 +75,17 @@ import com.netscape.cmscore.crmf.CRMFParser; import com.netscape.cmscore.crmf.PKIArchiveOptionsContainer; import com.netscape.cmscore.dbs.KeyRecord; - /** - * A class represents archival request processor. It - * passes the request to the policy processor, and - * process the request according to the policy decision. + * A class represents archival request processor. It passes the request to the + * policy processor, and process the request according to the policy decision. * <P> - * If policy returns ACCEPTED, the request will be - * processed immediately. + * If policy returns ACCEPTED, the request will be processed immediately. * <P> - * Upon processing, the incoming user key is unwrapped - * with the transport key of KRA, and then wrapped - * with the storage key. The encrypted key is stored - * in the internal database for long term storage. + * Upon processing, the incoming user key is unwrapped with the transport key of + * KRA, and then wrapped with the storage key. The encrypted key is stored in + * the internal database for long term storage. * <P> - * + * * @author thomask (original) * @author cfu (non-RSA keys; private keys secure handling); * @version $Revision$, $Date$ 
@@ -100,27 +95,20 @@ public class EnrollmentService implements IService { // constants public static final String CRMF_REQUEST = "CRMFRequest"; public final static String ATTR_KEY_RECORD = "keyRecord"; - public final static String ATTR_PROOF_OF_ARCHIVAL = - "proofOfArchival"; + public final static String ATTR_PROOF_OF_ARCHIVAL = "proofOfArchival"; - // private + // private private IKeyRecoveryAuthority mKRA = null; private ITransportKeyUnit mTransportUnit = null; private IStorageKeyUnit mStorageUnit = null; private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); - private final static byte EOL[] = { Character.LINE_SEPARATOR }; - private final static String - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; - private final static String - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; - private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; - private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; + private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; + /** * Constructs request processor. * <P> 
@@ -138,28 +126,27 @@ public class EnrollmentService implements IService { PKIArchiveOptions archOpts = null; try { - archOpts = (PKIArchiveOptions) - (new PKIArchiveOptions.Template()).decode(bis); + archOpts = (PKIArchiveOptions) (new PKIArchiveOptions.Template()) + .decode(bis); } catch (Exception e) { CMS.debug("EnrollProfile: getPKIArchiveOptions " + e.toString()); } return archOpts; } - + /** * Services an enrollment/archival request. * <P> - * + * * @param request enrollment request * @return serving successful or not * @exception EBaseException failed to serve */ - public boolean serviceRequest(IRequest request) - throws EBaseException { + public boolean serviceRequest(IRequest request) throws EBaseException { - IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); + IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); if (statsSub != null) { - statsSub.startTiming("archival", true /* main action */); + statsSub.startTiming("archival", true /* main action */); } String auditMessage = null; @@ -177,7 +164,8 @@ public class EnrollmentService implements IService { SessionContext sContext = SessionContext.getContext(); String agentId = (String) sContext.get(SessionContext.USER_ID); - AuthToken authToken = (AuthToken) sContext.get(SessionContext.AUTH_TOKEN); + AuthToken authToken = (AuthToken) sContext + .get(SessionContext.AUTH_TOKEN); mKRA.log(ILogger.LL_INFO, "KRA services enrollment request"); // unwrap user key with transport 
@@ -188,15 +176,14 @@ public class EnrollmentService implements IService { if (profileId == null || profileId.equals("")) { try { - aOpts = CRMFParser.getPKIArchiveOptions( - request.getExtDataInString(IRequest.HTTP_PARAMS, CRMF_REQUEST)); + aOpts = CRMFParser + .getPKIArchiveOptions(request.getExtDataInString( + IRequest.HTTP_PARAMS, CRMF_REQUEST)); } catch (IOException e) { auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); 
@@ -205,44 +192,39 @@ public class EnrollmentService implements IService { } } else { // profile-based request - PKIArchiveOptions options = (PKIArchiveOptions) - toPKIArchiveOptions( - request.getExtDataInByteArray(IEnrollProfile.REQUEST_ARCHIVE_OPTIONS)); + PKIArchiveOptions options = (PKIArchiveOptions) toPKIArchiveOptions(request + .getExtDataInByteArray(IEnrollProfile.REQUEST_ARCHIVE_OPTIONS)); aOpts = new PKIArchiveOptionsContainer[1]; - aOpts[0] = new PKIArchiveOptionsContainer(options, - 0/* not matter */); + aOpts[0] = new PKIArchiveOptionsContainer(options, 0/* not matter */); request.setExtData("dbStatus", "NOT_UPDATED"); - } + } for (int i = 0; i < aOpts.length; i++) { ArchiveOptions opts = new ArchiveOptions(aOpts[i].mAO); if (statsSub != null) { - statsSub.startTiming("decrypt_user_key"); + statsSub.startTiming("decrypt_user_key"); } mKRA.log(ILogger.LL_INFO, "KRA decrypts external private"); if (CMS.debugOn()) - CMS.debug("EnrollmentService::about to decryptExternalPrivate"); + CMS.debug("EnrollmentService::about to decryptExternalPrivate"); unwrapped = mTransportUnit.decryptExternalPrivate( - opts.getEncSymmKey(), - opts.getSymmAlgOID(), - opts.getSymmAlgParams(), - opts.getEncValue()); + opts.getEncSymmKey(), opts.getSymmAlgOID(), + opts.getSymmAlgParams(), opts.getEncValue()); if (statsSub != null) { - statsSub.endTiming("decrypt_user_key"); + statsSub.endTiming("decrypt_user_key"); } if (CMS.debugOn()) - CMS.debug("EnrollmentService::finished decryptExternalPrivate"); + CMS.debug("EnrollmentService::finished decryptExternalPrivate"); if (unwrapped == null) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); 
audit(auditMessage); @@ -255,15 +237,12 @@ public class EnrollmentService implements IService { byte publicKeyData[] = publicKey.getEncoded(); if (publicKeyData == null) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); @@ -271,21 +250,21 @@ public class EnrollmentService implements IService { CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); } - /* Bugscape #54948 - verify public and private key before archiving key */ + /* + * Bugscape #54948 - verify public and private key before archiving + * key + */ if (statsSub != null) { - statsSub.startTiming("verify_key"); + statsSub.startTiming("verify_key"); } if (verifyKeyPair(publicKeyData, unwrapped) == false) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); 
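Review bot: When `verifyKeyPair(publicKeyData, unwrapped) == false` the new side logs `CMSCORE_KRA_PUBLIC_NOT_FOUND`, the same message used a few lines earlier for the case where `publicKey.getEncoded()` returned null, so the KRA log cannot tell a missing public key from a submitted private key that does not match it; the mismatch is the more security-relevant event (the Bugscape #54948 comment says the check exists precisely to catch it) and deserves its own wording. Short of a dedicated message key, a debug line such as `CMS.debug("EnrollmentService: archived private key does not match the request's public key");` placed before the `mKRA.log` call would keep the two cases apart in the trace. The `== false` comparison reads better as `if (!verifyKeyPair(publicKeyData, unwrapped)) {`. This hunk sits inside the for loop of serviceRequest, whose start and end are outside it.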
@@ -293,53 +272,52 @@ public class EnrollmentService implements IService { CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); } if (statsSub != null) { - statsSub.endTiming("verify_key"); + statsSub.endTiming("verify_key"); } /** - mTransportKeyUnit.verify(pKey, unwrapped); + * mTransportKeyUnit.verify(pKey, unwrapped); **/ // retrieve owner name String owner = getOwnerName(request, aOpts[i].mReqPos); if (owner == null) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); } // // privateKeyData ::= SEQUENCE { - // sessionKey OCTET_STRING, - // encKey OCTET_STRING, - // } + // sessionKey OCTET_STRING, + // encKey OCTET_STRING, + // } // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private"); if (statsSub != null) { - statsSub.startTiming("encrypt_user_key"); + statsSub.startTiming("encrypt_user_key"); } - byte privateKeyData[] = mStorageUnit.encryptInternalPrivate( - unwrapped); + byte privateKeyData[] = mStorageUnit + .encryptInternalPrivate(unwrapped); if (statsSub != null) { - statsSub.endTiming("encrypt_user_key"); + statsSub.endTiming("encrypt_user_key"); } if (privateKeyData == null) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); 
audit(auditMessage); @@ -348,9 +326,9 @@ public class EnrollmentService implements IService { } // create key record - KeyRecord rec = new KeyRecord(null, publicKeyData, - privateKeyData, owner, - publicKey.getAlgorithmId().getOID().toString(), agentId); + KeyRecord rec = new KeyRecord(null, publicKeyData, privateKeyData, + owner, publicKey.getAlgorithmId().getOID().toString(), + agentId); // we deal with RSA key only try { 
@@ -361,49 +339,44 @@ public class EnrollmentService implements IService { auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); } - // if record alreay has a serial number, yell out. if (rec.getSerialNumber() != null) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER", - rec.getSerialNumber().toString())); - + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_KRA_INVALID_SERIAL_NUMBER", rec + .getSerialNumber().toString())); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_STATE")); } IKeyRepository storage = mKRA.getKeyRepository(); BigInteger serialNo = storage.getNextSerialNumber(); if (serialNo == null) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.FAILURE, - auditRequesterID, + auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_STATE")); } if (i == 0) { rec.set(KeyRecord.ATTR_ID, serialNo); 
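Review bot: The comment `// if record alreay has a serial number, yell out.` is dropped on the new side while the `rec.getSerialNumber() != null` check it explained stays, so the intent of rejecting the record with `CMS_KRA_INVALID_STATE` is no longer stated anywhere near the code. Suggest restoring it with the typo fixed, e.g. `// a freshly built KeyRecord must not carry a serial number yet; it is assigned below from storage.getNextSerialNumber()`. The serialNo null check that follows would likewise benefit from a one-line note that the repository failed to hand out an id, since both branches throw the same INVALID_STATE message. This hunk is inside serviceRequest's for loop; the method starts and ends outside it.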
@@ -415,67 +388,57 @@ public class EnrollmentService implements IService { mKRA.log(ILogger.LL_INFO, "KRA adding key record " + serialNo); if (statsSub != null) { - statsSub.startTiming("store_key"); + statsSub.startTiming("store_key"); } storage.addKeyRecord(rec); if (statsSub != null) { - statsSub.endTiming("store_key"); + statsSub.endTiming("store_key"); } - + if (CMS.debugOn()) - CMS.debug("EnrollmentService: key record 0x" + serialNo.toString(16) - + " (" + owner + ") archived"); + CMS.debug("EnrollmentService: key record 0x" + + serialNo.toString(16) + " (" + owner + ") archived"); - mKRA.log(ILogger.LL_INFO, "key record 0x" + - serialNo.toString(16) - + " (" + owner + ") archived"); + mKRA.log(ILogger.LL_INFO, "key record 0x" + serialNo.toString(16) + + " (" + owner + ") archived"); // for audit log String authMgr = AuditFormat.NOAUTH; - + if (authToken != null) { - authMgr = - authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = authToken + .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); } - CMS.getLogger().log(ILogger.EV_AUDIT, - ILogger.S_KRA, - AuditFormat.LEVEL, - AuditFormat.FORMAT, - new Object[] { - IRequest.KEYARCHIVAL_REQUEST, - request.getRequestId(), - AuditFormat.FROMAGENT + " agentID: " + agentId, - authMgr, - "completed", - owner, - "serial number: 0x" + serialNo.toString(16)} - ); - - + CMS.getLogger().log( + ILogger.EV_AUDIT, + ILogger.S_KRA, + AuditFormat.LEVEL, + AuditFormat.FORMAT, + new Object[] { IRequest.KEYARCHIVAL_REQUEST, + request.getRequestId(), + AuditFormat.FROMAGENT + " agentID: " + agentId, + authMgr, "completed", owner, + "serial number: 0x" + serialNo.toString(16) }); + // store a message in the signed audit log file auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRequesterID, - auditArchiveID); + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, + auditSubjectID, ILogger.SUCCESS, auditRequesterID, + auditArchiveID); 
audit(auditMessage); // store a message in the signed audit log file auditPublicKey = auditPublicKey(rec); auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditPublicKey); + LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, + auditSubjectID, ILogger.SUCCESS, auditPublicKey); audit(auditMessage); // Xxx - should sign this proof of archival - ProofOfArchival mProof = new ProofOfArchival(serialNo, - owner, mKRA.getX500Name().toString(), - rec.getCreateTime()); + ProofOfArchival mProof = new ProofOfArchival(serialNo, owner, mKRA + .getX500Name().toString(), rec.getCreateTime()); DerOutputStream mProofOut = new DerOutputStream(); mProof.encode(mProofOut); @@ -486,16 +449,16 @@ public class EnrollmentService implements IService { request.setExtData(ATTR_PROOF_OF_ARCHIVAL + i, mProofOut.toByteArray()); } - + } // for /* - request.delete(IEnrollProfile.REQUEST_SUBJECT_NAME); - request.delete(IEnrollProfile.REQUEST_EXTENSIONS); - request.delete(IEnrollProfile.REQUEST_VALIDITY); - request.delete(IEnrollProfile.REQUEST_KEY); - request.delete(IEnrollProfile.REQUEST_SIGNING_ALGORITHM); - request.delete(IEnrollProfile.REQUEST_LOCALE); + * request.delete(IEnrollProfile.REQUEST_SUBJECT_NAME); + * request.delete(IEnrollProfile.REQUEST_EXTENSIONS); + * request.delete(IEnrollProfile.REQUEST_VALIDITY); + * request.delete(IEnrollProfile.REQUEST_KEY); + * request.delete(IEnrollProfile.REQUEST_SIGNING_ALGORITHM); + * request.delete(IEnrollProfile.REQUEST_LOCALE); */ request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); 
@@ -505,92 +468,94 @@ public class EnrollmentService implements IService { mKRA.getRequestQueue().updateRequest(request); if (statsSub != null) { - statsSub.endTiming("archival"); + statsSub.endTiming("archival"); } - + return true; } - public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) - { - try { - DerValue publicKeyVal = new DerValue(publicKeyData); - DerInputStream publicKeyIn = publicKeyVal.data; - publicKeyIn.getSequence(0); - DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); - DerInputStream publicKeyDerIn = publicKeyDer.data; - BigInt publicKeyModulus = publicKeyDerIn.getInteger(); - BigInt publicKeyExponent = publicKeyDerIn.getInteger(); - - DerValue privateKeyVal = new DerValue(privateKeyData); - if (privateKeyVal.tag != DerValue.tag_Sequence) - return false; - DerInputStream privateKeyIn = privateKeyVal.data; - privateKeyIn.getInteger(); - privateKeyIn.getSequence(0); - DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); - DerInputStream privateKeyDerIn = privateKeyDer.data; - BigInt privateKeyVersion = privateKeyDerIn.getInteger(); - BigInt privateKeyModulus = privateKeyDerIn.getInteger(); - BigInt privateKeyExponent = privateKeyDerIn.getInteger(); - - if (!publicKeyModulus.equals(privateKeyModulus)) { - CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus); - return false; - } - - if (!publicKeyExponent.equals(privateKeyExponent)) { - CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent); - return false; - } - - return true; - } catch (Exception e) { - CMS.debug("verifyKeyPair error " + e); - return false; - } + public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) { + try { + DerValue publicKeyVal = new DerValue(publicKeyData); + DerInputStream publicKeyIn = publicKeyVal.data; + publicKeyIn.getSequence(0); + DerValue publicKeyDer = 
new DerValue(publicKeyIn.getBitString()); + DerInputStream publicKeyDerIn = publicKeyDer.data; + BigInt publicKeyModulus = publicKeyDerIn.getInteger(); + BigInt publicKeyExponent = publicKeyDerIn.getInteger(); + + DerValue privateKeyVal = new DerValue(privateKeyData); + if (privateKeyVal.tag != DerValue.tag_Sequence) + return false; + DerInputStream privateKeyIn = privateKeyVal.data; + privateKeyIn.getInteger(); + privateKeyIn.getSequence(0); + DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); + DerInputStream privateKeyDerIn = privateKeyDer.data; + BigInt privateKeyVersion = privateKeyDerIn.getInteger(); + BigInt privateKeyModulus = privateKeyDerIn.getInteger(); + BigInt privateKeyExponent = privateKeyDerIn.getInteger(); + + if (!publicKeyModulus.equals(privateKeyModulus)) { + CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + + publicKeyModulus + " privateKeyModulus=" + + privateKeyModulus); + return false; + } + + if (!publicKeyExponent.equals(privateKeyExponent)) { + CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + + publicKeyExponent + " privateKeyExponent=" + + privateKeyExponent); + return false; + } + + return true; + } catch (Exception e) { + CMS.debug("verifyKeyPair error " + e); + return false; + } } - private static final OBJECT_IDENTIFIER PKIARCHIVEOPTIONS_OID = - new OBJECT_IDENTIFIER(new long[] {1, 3, 6, 1, 5, 5, 7, 5, 1, 4} - ); + private static final OBJECT_IDENTIFIER PKIARCHIVEOPTIONS_OID = new OBJECT_IDENTIFIER( + new long[] { 1, 3, 6, 1, 5, 5, 7, 5, 1, 4 }); /** * Retrieves PKIArchiveOptions from CRMF request. 
- * + * * @param crmfBlob CRMF request * @return PKIArchiveOptions * @exception EBaseException failed to extrace option */ - public static PKIArchiveOptionsContainer[] getPKIArchiveOptions(String crmfBlob) - throws EBaseException { + public static PKIArchiveOptionsContainer[] getPKIArchiveOptions( + String crmfBlob) throws EBaseException { Vector options = new Vector(); if (CMS.debugOn()) - CMS.debug("EnrollmentService::getPKIArchiveOptions> crmfBlob=" + crmfBlob); + CMS.debug("EnrollmentService::getPKIArchiveOptions> crmfBlob=" + + crmfBlob); byte[] crmfBerBlob = null; crmfBerBlob = com.netscape.osutil.OSUtil.AtoB(crmfBlob); - ByteArrayInputStream crmfBerBlobIn = new - ByteArrayInputStream(crmfBerBlob); + ByteArrayInputStream crmfBerBlobIn = new ByteArrayInputStream( + crmfBerBlob); SEQUENCE crmfmsgs = null; try { - crmfmsgs = (SEQUENCE) new - SEQUENCE.OF_Template(new - CertReqMsg.Template()).decode( - crmfBerBlobIn); + crmfmsgs = (SEQUENCE) new SEQUENCE.OF_Template( + new CertReqMsg.Template()).decode(crmfBerBlobIn); } catch (IOException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString())); } catch (InvalidBERException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString())); } for (int z = 0; z < crmfmsgs.size(); z++) { - CertReqMsg certReqMsg = (CertReqMsg) - crmfmsgs.elementAt(z); - CertRequest certReq = certReqMsg.getCertReq(); - + CertReqMsg certReqMsg = (CertReqMsg) crmfmsgs.elementAt(z); + CertRequest certReq = certReqMsg.getCertReq(); + // try to locate PKIArchiveOption control AVA archAva = null; 
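Review bot: In verifyKeyPair (new side, wholly inside this hunk) the local named `privateKeyExponent` is the third INTEGER of the inner RSAPrivateKey sequence, which in PKCS#1 is the public exponent, so the method only confirms that the decrypted blob carries the same modulus and public exponent as the request's public key and never exercises the private exponent; the name suggests a stronger check than is performed. `privateKeyVersion` is read only to advance the stream and is otherwise unused, so `privateKeyDerIn.getInteger(); // RSAPrivateKey version` would avoid the unused local. A method comment stating what is and is not proven would help a maintainer, for instance `/* Checks that the unwrapped private-key blob and the request's public key agree on modulus and public exponent; it does not prove the private exponent is consistent (see the commented-out mTransportKeyUnit.verify call in serviceRequest). */`. The catch-all `catch (Exception e)` returning false is acceptable as a rejection path, but the debug line prints only the exception, so a malformed blob and a non-RSA key are indistinguishable in the log.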
@@ -605,29 +570,38 @@ public class EnrollmentService implements IService { } } } catch (Exception e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "no PKIArchiveOptions found " + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", + "no PKIArchiveOptions found " + e.toString())); } if (archAva != null) { ASN1Value archVal = archAva.getValue(); - ByteArrayInputStream bis = new ByteArrayInputStream(ASN1Util.encode(archVal)); + ByteArrayInputStream bis = new ByteArrayInputStream( + ASN1Util.encode(archVal)); PKIArchiveOptions archOpts = null; try { - archOpts = (PKIArchiveOptions) - (new PKIArchiveOptions.Template()).decode(bis); + archOpts = (PKIArchiveOptions) (new PKIArchiveOptions.Template()) + .decode(bis); } catch (IOException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + + e.toString())); } catch (InvalidBERException e) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + + e.toString())); } options.addElement(new PKIArchiveOptionsContainer(archOpts, z)); } } if (options.size() == 0) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "PKIArchiveOptions found")); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "PKIArchiveOptions found")); } else { - PKIArchiveOptionsContainer p[] = new PKIArchiveOptionsContainer[options.size()]; + PKIArchiveOptionsContainer p[] = new PKIArchiveOptionsContainer[options + .size()]; options.copyInto(p); return p; 
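Review bot: The exception raised when no archive option was collected reads `"PKIArchiveOptions found"` (the `options.size() == 0` branch near the end of the hunk), which states the opposite of the condition; the earlier catch in the same hunk already uses the wording `"no PKIArchiveOptions found "`, so the line should become `"CMS_BASE_INVALID_ATTRIBUTE", "no PKIArchiveOptions found")`. A misleading user message makes a rejected archival request harder to diagnose from the agent side. getPKIArchiveOptions starts before this hunk, and its closing brace appears to lie after it.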
@@ -636,7 +610,7 @@ public class EnrollmentService implements IService { /** * Retrieves public key from request. - * + * * @param request CRMF request * @return JSS public key * @exception EBaseException failed to retrieve public key @@ -645,7 +619,8 @@ public class EnrollmentService implements IService { String profileId = request.getExtDataInString("profileId"); if (profileId != null && !profileId.equals("")) { - byte[] certKeyData = request.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY); + byte[] certKeyData = request + .getExtDataInByteArray(IEnrollProfile.REQUEST_KEY); if (certKeyData != null) { try { CertificateX509Key x509key = new CertificateX509Key( 
@@ -653,78 +628,95 @@ public class EnrollmentService implements IService { return (X509Key) x509key.get(CertificateX509Key.KEY); } catch (Exception e1) { - CMS.debug("EnrollService: (Archival) getPublicKey " + - e1.toString()); + CMS.debug("EnrollService: (Archival) getPublicKey " + + e1.toString()); } } return null; } // retrieve x509 Key from request - X509CertInfo certInfo[] = - request.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo[] = request + .getExtDataInCertInfoArray(IRequest.CERT_INFO); CertificateX509Key pX509Key = null; try { - pX509Key = (CertificateX509Key) - certInfo[i].get(X509CertInfo.KEY); + pX509Key = (CertificateX509Key) certInfo[i].get(X509CertInfo.KEY); } catch (IOException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + + e.toString())); } catch (CertificateException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + + e.toString())); } X509Key pKey = null; try { - pKey = (X509Key) pX509Key.get( - CertificateX509Key.KEY); + pKey = (X509Key) pX509Key.get(CertificateX509Key.KEY); } catch (IOException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString())); - throw new 
EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + CertificateX509Key.KEY + "]" + e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[" + CertificateX509Key.KEY + + "]" + e.toString())); } return pKey; } /** * Retrieves key's owner name from request. - * + * * @param request CRMF request * @return owner name (subject name) * @exception EBaseException failed to retrieve public key */ - private String getOwnerName(IRequest request, int i) - throws EBaseException { + private String getOwnerName(IRequest request, int i) throws EBaseException { String profileId = request.getExtDataInString("profileId"); if (profileId != null && !profileId.equals("")) { - CertificateSubjectName sub = request.getExtDataInCertSubjectName( - IEnrollProfile.REQUEST_SUBJECT_NAME); + CertificateSubjectName sub = request + .getExtDataInCertSubjectName(IEnrollProfile.REQUEST_SUBJECT_NAME); if (sub != null) { return sub.toString(); } } - X509CertInfo certInfo[] = - request.getExtDataInCertInfoArray(IRequest.CERT_INFO); + X509CertInfo certInfo[] = request + .getExtDataInCertInfoArray(IRequest.CERT_INFO); CertificateSubjectName pSub = null; try { - pSub = (CertificateSubjectName) - certInfo[0].get(X509CertInfo.SUBJECT); + pSub = (CertificateSubjectName) certInfo[0] + .get(X509CertInfo.SUBJECT); } catch (IOException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + "]" + e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + + "]" + e.toString())); } catch (CertificateException e) { - mKRA.log(ILogger.LL_FAILURE, - 
CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString())); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + "]" + e.toString())); + mKRA.log( + ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + + "]" + e.toString())); } String owner = pSub.toString(); @@ -733,11 +725,11 @@ public class EnrollmentService implements IService { /** * Signed Audit Log Public Key - * + * * This method is called to obtain the public key from the passed in * "KeyRecord" for a signed audit log message. * <P> - * + * * @param rec a Key Record * @return key string containing the certificate's public key */ @@ -770,29 +762,30 @@ public class EnrollmentService implements IService { // extract all line separators from the "base64Data" StringTokenizer st = new StringTokenizer(base64Data, "\r\n"); while (st.hasMoreTokens()) { - key += st.nextToken(); + key += st.nextToken(); } } key = key.trim(); - if (key.equals("")) { - return ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } else { - return key; - } + if (key.equals("")) { + return ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } else { + return key; + } } + /** * Signed Audit Log Subject ID - * - * This method is called to obtain the "SubjectID" for - * a signed audit log message. + * + * This method is called to obtain the "SubjectID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message SubjectID */ - private String auditSubjectID() { + private String auditSubjectID() { // if no signed audit object exists, bail if (mSignedAuditLogger == null) { return null; 
@@ -804,8 +797,7 @@ public class EnrollmentService implements IService { SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - subjectID = (String) - auditContext.get(SessionContext.USER_ID); + subjectID = (String) auditContext.get(SessionContext.USER_ID); if (subjectID != null) { subjectID = subjectID.trim(); @@ -818,13 +810,14 @@ public class EnrollmentService implements IService { return subjectID; } + /** * Signed Audit Log Requester ID - * - * This method is called to obtain the "RequesterID" for - * a signed audit log message. + * + * This method is called to obtain the "RequesterID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message RequesterID */ private String auditRequesterID() { @@ -839,8 +832,8 @@ public class EnrollmentService implements IService { SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - requesterID = (String) - auditContext.get(SessionContext.REQUESTER_ID); + requesterID = (String) auditContext + .get(SessionContext.REQUESTER_ID); if (requesterID != null) { requesterID = requesterID.trim(); @@ -856,11 +849,11 @@ public class EnrollmentService implements IService { /** * Signed Audit Log Recovery ID - * - * This method is called to obtain the "RecoveryID" for - * a signed audit log message. + * + * This method is called to obtain the "RecoveryID" for a signed audit log + * message. * <P> - * + * * @return id string containing the signed audit log message RecoveryID */ private String auditRecoveryID() { @@ -875,8 +868,7 @@ public class EnrollmentService implements IService { SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { - recoveryID = (String) - auditContext.get(SessionContext.RECOVERY_ID); + recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID); if (recoveryID != null) { recoveryID = recoveryID.trim(); 
@@ -890,13 +882,12 @@ public class EnrollmentService implements IService { return recoveryID; } - /** * Signed Audit Log - * + * * This method is called to store messages to the signed audit log. * <P> - * + * * @param msg signed audit log message */ private void audit(String msg) { @@ -907,15 +898,11 @@ public class EnrollmentService implements IService { return; } - mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, - null, - ILogger.S_SIGNED_AUDIT, - ILogger.LL_SECURITY, - msg); + mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null, + ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg); } } - /** * Parsed and Flattened structure of PKIArchiveOptions. */ @@ -924,6 +911,7 @@ class ArchiveOptions { private byte mSymmAlgParams[] = null; private byte mEncSymmKey[] = null; private byte mEncValue[] = null; + public ArchiveOptions(PKIArchiveOptions opts) throws EBaseException { try { EncryptedKey key = opts.getEncryptedKey(); 
@@ -938,21 +926,24 @@ class ArchiveOptions { enveloped_val = key.getEnvelopedData(); byte[] env_b = enveloped_val.getEncoded(); EnvelopedData.Template env_template = new EnvelopedData.Template(); - EnvelopedData env_data = - (EnvelopedData) env_template.decode(new ByteArrayInputStream(env_b)); + EnvelopedData env_data = (EnvelopedData) env_template + .decode(new ByteArrayInputStream(env_b)); EncryptedContentInfo eCI = env_data.getEncryptedContentInfo(); symmAlg = eCI.getContentEncryptionAlgorithm(); mSymmAlgOID = symmAlg.getOID().toString(); - mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters()).decodeWith(OCTET_STRING.getTemplate())).toByteArray(); + mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters()) + .decodeWith(OCTET_STRING.getTemplate())).toByteArray(); SET recipients = env_data.getRecipientInfos(); if (recipients.size() <= 0) { - CMS.debug("EnrollService: ArchiveOptions() - missing recipient information "); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions] missing recipient information ")); + CMS.debug("EnrollService: ArchiveOptions() - missing recipient information "); + throw new EBaseException( + CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", + "[PKIArchiveOptions] missing recipient information ")); } - //check recpient - later - //we only handle one recipient here anyways. so, either the key - //can be decrypted or it can't. No risk here. + // check recpient - later + // we only handle one recipient here anyways. so, either the key + // can be decrypted or it can't. No risk here. RecipientInfo ri = (RecipientInfo) recipients.elementAt(0); OCTET_STRING key_o = ri.getEncryptedKey(); mEncSymmKey = key_o.toByteArray(); 
@@ -967,7 +958,8 @@ class ArchiveOptions { val = key.getEncryptedValue(); symmAlg = val.getSymmAlg(); mSymmAlgOID = symmAlg.getOID().toString(); - mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters()).decodeWith(OCTET_STRING.getTemplate())).toByteArray(); + mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters()) + .decodeWith(OCTET_STRING.getTemplate())).toByteArray(); BIT_STRING encSymmKey = val.getEncSymmKey(); mEncSymmKey = encSymmKey.getBits(); @@ -977,20 +969,24 @@ class ArchiveOptions { CMS.debug("EnrollService: ArchiveOptions() EncryptedKey type= ENCRYPTED_VALUE done"); } else { CMS.debug("EnrollService: ArchiveOptions() invalid EncryptedKey type"); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions] type " + key.getType())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", + "[PKIArchiveOptions] type " + key.getType())); } } catch (InvalidBERException e) { CMS.debug("EnrollService: ArchiveOptions(): " + e.toString()); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString())); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INVALID_ATTRIBUTE", + "[PKIArchiveOptions]" + e.toString())); } catch (IOException e) { CMS.debug("EnrollService: ArchiveOptions(): " + e.toString()); - throw new EBaseException("ArchiveOptions() exception caught: "+ - e.toString()); + throw new EBaseException("ArchiveOptions() exception caught: " + + e.toString()); } catch (Exception e) { CMS.debug("EnrollService: ArchiveOptions(): " + e.toString()); - throw new EBaseException("ArchiveOptions() exception caught: "+ - e.toString()); + throw new EBaseException("ArchiveOptions() exception caught: " + + e.toString()); } } |
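Review bot: The `catch (IOException e)` and `catch (Exception e)` branches at the end of the constructor rethrow as `new EBaseException("ArchiveOptions() exception caught: " + e.toString())`, which drops the original exception and folds the raw internal exception text into the message, while the InvalidBERException branch above them reports the same class of failure (malformed PKIArchiveOptions from the request) through the localized `CMS_BASE_INVALID_ATTRIBUTE` user message. Since all three branches handle client-supplied CRMF data that failed to parse, reporting them the same way keeps the error surface uniform: `throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString()));` in both generic branches, with the existing `CMS.debug` line kept as the server-side record. If `EBaseException` offers a constructor that takes the cause, passing `e` there would also preserve the stack trace for the KRA log instead of only its `toString()`. The constructor's body begins outside this hunk.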