diff options
Diffstat (limited to 'pki/base/kra/src/com/netscape/kra/RecoveryService.java')
-rw-r--r-- | pki/base/kra/src/com/netscape/kra/RecoveryService.java | 484 |
1 files changed, 253 insertions, 231 deletions
diff --git a/pki/base/kra/src/com/netscape/kra/RecoveryService.java b/pki/base/kra/src/com/netscape/kra/RecoveryService.java index 0760d7078..f364bf4ff 100644 --- a/pki/base/kra/src/com/netscape/kra/RecoveryService.java +++ b/pki/base/kra/src/com/netscape/kra/RecoveryService.java @@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; + import java.io.ByteArrayOutputStream; import java.io.CharConversionException; import java.math.BigInteger; @@ -70,15 +71,16 @@ import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmscore.util.Debug; /** - * A class represents recovery request processor. There are 2 types of recovery - * modes: (1) administrator or (2) end-entity. + * A class represents recovery request processor. There + * are 2 types of recovery modes: (1) administrator or + * (2) end-entity. * <P> - * Administrator recovery will create a PKCS12 file where stores the certificate - * and the recovered key. + * Administrator recovery will create a PKCS12 file where + * stores the certificate and the recovered key. * <P> - * End Entity recovery will send RA or CA a response where stores the recovered - * key. - * + * End Entity recovery will send RA or CA a response where + * stores the recovered key. + * * @author thomask (original) * @author cfu (non-RSA keys; private keys secure handling); * @version $Revision$, $Date$ @@ -94,10 +96,12 @@ public class RecoveryService implements IService { public static final String ATTR_TRANSPORT_PWD = "transportPwd"; public static final String ATTR_SIGNING_CERT = "signingCert"; public static final String ATTR_PKCS12 = "pkcs12"; - public static final String ATTR_ENCRYPTION_CERTS = "encryptionCerts"; - public static final String ATTR_AGENT_CREDENTIALS = "agentCredentials"; + public static final String ATTR_ENCRYPTION_CERTS = + "encryptionCerts"; + public static final String ATTR_AGENT_CREDENTIALS = + "agentCredentials"; // same as encryption certs - public static final String ATTR_USER_CERT = "cert"; + public static final String ATTR_USER_CERT = "cert"; public static final String ATTR_DELIVERY = "delivery"; // for Async Key Recovery @@ -117,10 +121,11 @@ public class RecoveryService implements IService { } /** - * Processes a recovery request. Based on the recovery mode (either - * Administrator or End-Entity), the method reads the key record from the - * database, and tried to recover the key with the storage key unit. - * + * Processes a recovery request. Based on the recovery mode + * (either Administrator or End-Entity), the method reads + * the key record from the database, and tried to recover the + * key with the storage key unit. + * * @param request recovery request * @return operation success or not * @exception EBaseException failed to serve @@ -141,25 +146,22 @@ public class RecoveryService implements IService { CMS.debug("RecoveryService: serviceRequest: use internal token "); ct = cm.getInternalCryptoToken(); } else { - CMS.debug("RecoveryService: serviceRequest: tokenName=" - + tokName); + CMS.debug("RecoveryService: serviceRequest: tokenName="+tokName); ct = cm.getTokenByName(tokName); } - allowEncDecrypt_recovery = config.getBoolean( - "kra.allowEncDecrypt.recovery", false); + allowEncDecrypt_recovery = config.getBoolean("kra.allowEncDecrypt.recovery", false); } catch (Exception e) { CMS.debug("RecoveryService exception: use internal token :" - + e.toString()); + + e.toString()); ct = cm.getInternalCryptoToken(); } if (ct == null) { - throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR" - + "cannot get crypto token")); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR"+ "cannot get crypto token")); } - IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats"); + IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); if (statsSub != null) { - statsSub.startTiming("recovery", true /* main action */); + statsSub.startTiming("recovery", true /* main action */); } if (Debug.ON) @@ -169,7 +171,8 @@ public class RecoveryService implements IService { // byte publicKey[] = (byte[])request.get(ATTR_PUBLIC_KEY_DATA); // X500Name owner = (X500Name)request.get(ATTR_OWNER_NAME); - Hashtable params = mKRA.getVolatileRequest(request.getRequestId()); + Hashtable params = mKRA.getVolatileRequest( + request.getRequestId()); if (params == null) { // possibly we are in recovery mode @@ -181,28 +184,27 @@ public class RecoveryService implements IService { mKRA.log(ILogger.LL_INFO, "KRA reading key record"); if (statsSub != null) { - statsSub.startTiming("get_key"); + statsSub.startTiming("get_key"); } KeyRecord keyRecord = (KeyRecord) mStorage.readKeyRecord(serialno); if (statsSub != null) { - statsSub.endTiming("get_key"); + statsSub.endTiming("get_key"); } // see if the certificate matches the key byte pubData[] = keyRecord.getPublicKeyData(); - X509Certificate x509cert = request.getExtDataInCert(ATTR_USER_CERT); + X509Certificate x509cert = + request.getExtDataInCert(ATTR_USER_CERT); byte inputPubData[] = x509cert.getPublicKey().getEncoded(); if (inputPubData.length != pubData.length) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); throw new EKRAException( CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); } for (int i = 0; i < pubData.length; i++) { if (pubData[i] != inputPubData[i]) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); throw new EKRAException( CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); } @@ -210,50 +212,49 @@ public class RecoveryService implements IService { boolean isRSA = true; String keyAlg = x509cert.getPublicKey().getAlgorithm(); - if (keyAlg != null) { - CMS.debug("RecoveryService: publicKey alg =" + keyAlg); - if (!keyAlg.equals("RSA")) - isRSA = false; + if (keyAlg != null) { + CMS.debug("RecoveryService: publicKey alg ="+keyAlg); + if (!keyAlg.equals("RSA")) isRSA = false; } // Unwrap the archived private key byte privateKeyData[] = null; - X509Certificate transportCert = request - .getExtDataInCert(ATTR_TRANSPORT_CERT); + X509Certificate transportCert = + request.getExtDataInCert(ATTR_TRANSPORT_CERT); if (transportCert == null) { if (statsSub != null) { - statsSub.startTiming("recover_key"); + statsSub.startTiming("recover_key"); } PrivateKey privKey = null; if (allowEncDecrypt_recovery == true) { privateKeyData = recoverKey(params, keyRecord); } else { - privKey = recoverKey(params, keyRecord, isRSA); + privKey= recoverKey(params, keyRecord, isRSA); } if (statsSub != null) { - statsSub.endTiming("recover_key"); + statsSub.endTiming("recover_key"); } if ((isRSA == true) && (allowEncDecrypt_recovery == true)) { if (statsSub != null) { - statsSub.startTiming("verify_key"); + statsSub.startTiming("verify_key"); } // verifyKeyPair() is RSA-centric if (verifyKeyPair(pubData, privateKeyData) == false) { mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); throw new EKRAException( CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); } if (statsSub != null) { - statsSub.endTiming("verify_key"); + statsSub.endTiming("verify_key"); } } if (statsSub != null) { - statsSub.startTiming("create_p12"); + statsSub.startTiming("create_p12"); } if (allowEncDecrypt_recovery == true) { createPFX(request, params, privateKeyData); @@ -261,29 +262,31 @@ public class RecoveryService implements IService { createPFX(request, params, privKey, ct); } if (statsSub != null) { - statsSub.endTiming("create_p12"); + statsSub.endTiming("create_p12"); } } else { if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - Credential creds[] = (Credential[]) params - .get(ATTR_AGENT_CREDENTIALS); - mKRA.getStorageKeyUnit().login(creds); + Credential creds[] = (Credential[]) + params.get(ATTR_AGENT_CREDENTIALS); + mKRA.getStorageKeyUnit().login(creds); } if (statsSub != null) { - statsSub.startTiming("unwrap_key"); + statsSub.startTiming("unwrap_key"); } PrivateKey privateKey = mKRA.getStorageKeyUnit().unwrap( keyRecord.getPrivateKeyData(), null); if (statsSub != null) { - statsSub.endTiming("unwrap_key"); + statsSub.endTiming("unwrap_key"); } if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - mKRA.getStorageKeyUnit().logout(); + mKRA.getStorageKeyUnit().logout(); } } - mKRA.log(ILogger.LL_INFO, "key " + serialno.toString() + " recovered"); + mKRA.log(ILogger.LL_INFO, "key " + + serialno.toString() + + " recovered"); // for audit log String authMgr = AuditFormat.NOAUTH; @@ -291,29 +294,33 @@ public class RecoveryService implements IService { SessionContext sContext = SessionContext.getContext(); if (sContext != null) { - String agentId = (String) sContext.get(SessionContext.USER_ID); + String agentId = + (String) sContext.get(SessionContext.USER_ID); initiative = AuditFormat.FROMAGENT + " agentID: " + agentId; - AuthToken authToken = (AuthToken) sContext - .get(SessionContext.AUTH_TOKEN); - + AuthToken authToken = (AuthToken) sContext.get(SessionContext.AUTH_TOKEN); + if (authToken != null) { - authMgr = authToken - .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); + authMgr = + authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME); } } - CMS.getLogger().log( - ILogger.EV_AUDIT, - ILogger.S_KRA, - AuditFormat.LEVEL, - AuditFormat.FORMAT, - new Object[] { IRequest.KEYRECOVERY_REQUEST, - request.getRequestId(), initiative, authMgr, - "completed", ((X509CertImpl) x509cert).getSubjectDN(), - "serial number: 0x" + serialno.toString(16) }); + CMS.getLogger().log(ILogger.EV_AUDIT, + ILogger.S_KRA, + AuditFormat.LEVEL, + AuditFormat.FORMAT, + new Object[] { + IRequest.KEYRECOVERY_REQUEST, + request.getRequestId(), + initiative, + authMgr, + "completed", + ((X509CertImpl) x509cert).getSubjectDN(), + "serial number: 0x" + serialno.toString(16)} + ); if (statsSub != null) { - statsSub.endTiming("recovery"); + statsSub.endTiming("recovery"); } return true; @@ -322,67 +329,63 @@ public class RecoveryService implements IService { /* * verifyKeyPair()- RSA-centric key verification */ - public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) { - try { - DerValue publicKeyVal = new DerValue(publicKeyData); - DerInputStream publicKeyIn = publicKeyVal.data; - publicKeyIn.getSequence(0); - DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); - DerInputStream publicKeyDerIn = publicKeyDer.data; - BigInt publicKeyModulus = publicKeyDerIn.getInteger(); - BigInt publicKeyExponent = publicKeyDerIn.getInteger(); - - DerValue privateKeyVal = new DerValue(privateKeyData); - if (privateKeyVal.tag != DerValue.tag_Sequence) - return false; - DerInputStream privateKeyIn = privateKeyVal.data; - privateKeyIn.getInteger(); - privateKeyIn.getSequence(0); - DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); - DerInputStream privateKeyDerIn = privateKeyDer.data; - BigInt privateKeyVersion = privateKeyDerIn.getInteger(); - BigInt privateKeyModulus = privateKeyDerIn.getInteger(); - BigInt privateKeyExponent = privateKeyDerIn.getInteger(); - - if (!publicKeyModulus.equals(privateKeyModulus)) { - CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" - + publicKeyModulus + " privateKeyModulus=" - + privateKeyModulus); - return false; - } - - if (!publicKeyExponent.equals(privateKeyExponent)) { - CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" - + publicKeyExponent + " privateKeyExponent=" - + privateKeyExponent); - return false; - } - - return true; - } catch (Exception e) { - CMS.debug("verifyKeyPair error " + e); - return false; - } + public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) + { + try { + DerValue publicKeyVal = new DerValue(publicKeyData); + DerInputStream publicKeyIn = publicKeyVal.data; + publicKeyIn.getSequence(0); + DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); + DerInputStream publicKeyDerIn = publicKeyDer.data; + BigInt publicKeyModulus = publicKeyDerIn.getInteger(); + BigInt publicKeyExponent = publicKeyDerIn.getInteger(); + + DerValue privateKeyVal = new DerValue(privateKeyData); + if (privateKeyVal.tag != DerValue.tag_Sequence) + return false; + DerInputStream privateKeyIn = privateKeyVal.data; + privateKeyIn.getInteger(); + privateKeyIn.getSequence(0); + DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); + DerInputStream privateKeyDerIn = privateKeyDer.data; + BigInt privateKeyVersion = privateKeyDerIn.getInteger(); + BigInt privateKeyModulus = privateKeyDerIn.getInteger(); + BigInt privateKeyExponent = privateKeyDerIn.getInteger(); + + if (!publicKeyModulus.equals(privateKeyModulus)) { + CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus); + return false; + } + + if (!publicKeyExponent.equals(privateKeyExponent)) { + CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent); + return false; + } + + return true; + } catch (Exception e) { + CMS.debug("verifyKeyPair error " + e); + return false; + } } /** - * Recovers key. (using unwrapping/wrapping on token) - used when - * allowEncDecrypt_recovery is false + * Recovers key. (using unwrapping/wrapping on token) + * - used when allowEncDecrypt_recovery is false */ - public synchronized PrivateKey recoverKey(Hashtable request, - KeyRecord keyRecord, boolean isRSA) throws EBaseException { + public synchronized PrivateKey recoverKey(Hashtable request, KeyRecord keyRecord, boolean isRSA) + throws EBaseException { - if (!isRSA) { + if (!isRSA) { CMS.debug("RecoverService: recoverKey: currently, non-RSA keys are not supported when allowEncDecrypt_ is false"); - throw new EKRAException(CMS.getUserMessage( - "CMS_KRA_RECOVERY_FAILED_1", "key type not supported")); - } - try { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "key type not supported")); + } + try { if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - Credential creds[] = (Credential[]) request - .get(ATTR_AGENT_CREDENTIALS); + Credential creds[] = (Credential[]) + request.get(ATTR_AGENT_CREDENTIALS); - mStorageUnit.login(creds); + mStorageUnit.login(creds); } /* wrapped retrieve session key and private key */ @@ -397,53 +400,50 @@ public class RecoveryService implements IService { byte publicKeyData[] = keyRecord.getPublicKeyData(); PublicKey pubkey = null; try { - pubkey = X509Key.parsePublicKey(new DerValue(publicKeyData)); + pubkey = X509Key.parsePublicKey (new DerValue(publicKeyData)); } catch (Exception e) { - CMS.debug("RecoverService: after parsePublicKey:" - + e.toString()); - throw new EKRAException(CMS.getUserMessage( - "CMS_KRA_RECOVERY_FAILED_1", - "pubic key parsing failure")); + CMS.debug("RecoverService: after parsePublicKey:"+e.toString()); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "pubic key parsing failure")); } - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - PrivateKey privKey = mStorageUnit.unwrap(session, - keyRecord.getAlgorithm(), iv, pri, (PublicKey) pubkey); + byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1}; + PrivateKey privKey = + mStorageUnit.unwrap( + session, + keyRecord.getAlgorithm(), + iv, + pri, + (PublicKey) pubkey); if (privKey == null) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); - throw new EKRAException(CMS.getUserMessage( - "CMS_KRA_RECOVERY_FAILED_1", - "private key unwrapping failure")); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "private key unwrapping failure")); } if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - mStorageUnit.logout(); + mStorageUnit.logout(); } return privKey; } catch (Exception e) { - CMS.debug("RecoverService: recoverKey() failed with allowEncDecrypt_recovery=false:" - + e.toString()); - throw new EKRAException(CMS.getUserMessage( - "CMS_KRA_RECOVERY_FAILED_1", - "recoverKey() failed with allowEncDecrypt_recovery=false:" - + e.toString())); + CMS.debug("RecoverService: recoverKey() failed with allowEncDecrypt_recovery=false:"+e.toString()); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "recoverKey() failed with allowEncDecrypt_recovery=false:"+e.toString())); } } + /** - * Creates a PFX (PKCS12) file. (the unwrapping/wrapping way) - used when - * allowEncDecrypt_recovery is false - * + * Creates a PFX (PKCS12) file. (the unwrapping/wrapping way) + * - used when allowEncDecrypt_recovery is false + * * @param request CRMF recovery request * @param priKey private key handle * @exception EBaseException failed to create P12 file */ - public void createPFX(IRequest request, Hashtable params, - PrivateKey priKey, CryptoToken ct) throws EBaseException { + public void createPFX(IRequest request, Hashtable params, + PrivateKey priKey, CryptoToken ct) throws EBaseException { CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=false"); try { // create p12 - X509Certificate x509cert = request.getExtDataInCert(ATTR_USER_CERT); + X509Certificate x509cert = + request.getExtDataInCert(ATTR_USER_CERT); String pwd = (String) params.get(ATTR_TRANSPORT_PWD); // add certificate @@ -457,49 +457,61 @@ public class RecoveryService implements IService { nickname = x509cert.getSubjectDN().toString(); } byte localKeyId[] = createLocalKeyId(x509cert); - SET certAttrs = createBagAttrs(nickname, localKeyId); + SET certAttrs = createBagAttrs( + nickname, localKeyId); // attributes: user friendly name, Local Key ID - SafeBag certBag = new SafeBag(SafeBag.CERT_BAG, new CertBag( - CertBag.X509_CERT_TYPE, cert), certAttrs); + SafeBag certBag = new SafeBag(SafeBag.CERT_BAG, + new CertBag(CertBag.X509_CERT_TYPE, cert), + certAttrs); encSafeContents.addElement(certBag); // add key mKRA.log(ILogger.LL_INFO, "KRA adds key to P12"); CMS.debug("RecoverService: createPFX() adds key to P12"); - org.mozilla.jss.util.Password pass = new org.mozilla.jss.util.Password( + org.mozilla.jss.util.Password pass = new + org.mozilla.jss.util.Password( pwd.toCharArray()); SEQUENCE safeContents = new SEQUENCE(); - PasswordConverter passConverter = new PasswordConverter(); - byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; + PasswordConverter passConverter = new + PasswordConverter(); + byte salt[] = {0x01, 0x01, 0x01, 0x01}; ASN1Value key = EncryptedPrivateKeyInfo.createPBE( - PBEAlgorithm.PBE_SHA1_DES3_CBC, pass, salt, 1, - passConverter, priKey, ct); + PBEAlgorithm.PBE_SHA1_DES3_CBC, + pass, salt, 1, passConverter, priKey, ct); - SET keyAttrs = createBagAttrs(x509cert.getSubjectDN().toString(), + SET keyAttrs = createBagAttrs( + x509cert.getSubjectDN().toString(), localKeyId); - SafeBag keyBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG, key, + SafeBag keyBag = new SafeBag( + SafeBag.PKCS8_SHROUDED_KEY_BAG, key, keyAttrs); // ?? safeContents.addElement(keyBag); // build contents - AuthenticatedSafes authSafes = new AuthenticatedSafes(); - - authSafes.addSafeContents(safeContents); - authSafes.addSafeContents(encSafeContents); - - // authSafes.addEncryptedSafeContents( - // authSafes.DEFAULT_KEY_GEN_ALG, - // pass, null, 1, - // encSafeContents); + AuthenticatedSafes authSafes = new + AuthenticatedSafes(); + + authSafes.addSafeContents( + safeContents + ); + authSafes.addSafeContents( + encSafeContents + ); + + // authSafes.addEncryptedSafeContents( + // authSafes.DEFAULT_KEY_GEN_ALG, + // pass, null, 1, + // encSafeContents); PFX pfx = new PFX(authSafes); pfx.computeMacData(pass, null, 5); // ?? - ByteArrayOutputStream fos = new ByteArrayOutputStream(); + ByteArrayOutputStream fos = new + ByteArrayOutputStream(); pfx.encode(fos); pass.clear(); @@ -507,56 +519,57 @@ public class RecoveryService implements IService { // put final PKCS12 into volatile request params.put(ATTR_PKCS12, fos.toByteArray()); } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSCORE_KRA_CONSTRUCT_P12", e.toString())); - throw new EKRAException(CMS.getUserMessage( - "CMS_KRA_PKCS12_FAILED_1", e.toString())); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_CONSTRUCT_P12", e.toString())); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString())); } // update request mKRA.getRequestQueue().updateRequest(request); } + /** - * Recovers key. - used when allowEncDecrypt_recovery is true + * Recovers key. + * - used when allowEncDecrypt_recovery is true */ - public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) - throws EBaseException { + public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) + throws EBaseException { if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - Credential creds[] = (Credential[]) request - .get(ATTR_AGENT_CREDENTIALS); + Credential creds[] = (Credential[]) + request.get(ATTR_AGENT_CREDENTIALS); - mStorageUnit.login(creds); + mStorageUnit.login(creds); } mKRA.log(ILogger.LL_INFO, "KRA decrypts internal private"); - byte privateKeyData[] = mStorageUnit.decryptInternalPrivate(keyRecord - .getPrivateKeyData()); + byte privateKeyData[] = + mStorageUnit.decryptInternalPrivate( + keyRecord.getPrivateKeyData()); if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { - mStorageUnit.logout(); + mStorageUnit.logout(); } if (privateKeyData == null) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); - throw new EKRAException(CMS.getUserMessage( - "CMS_KRA_RECOVERY_FAILED_1", "no private key")); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key")); } return privateKeyData; } /** - * Creates a PFX (PKCS12) file. - used when allowEncDecrypt_recovery is true - * + * Creates a PFX (PKCS12) file. + * - used when allowEncDecrypt_recovery is true + * * @param request CRMF recovery request * @param priData decrypted private key (PrivateKeyInfo) * @exception EBaseException failed to create P12 file */ - public void createPFX(IRequest request, Hashtable params, byte priData[]) - throws EBaseException { + public void createPFX(IRequest request, Hashtable params, + byte priData[]) throws EBaseException { CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=true"); try { // create p12 - X509Certificate x509cert = request.getExtDataInCert(ATTR_USER_CERT); + X509Certificate x509cert = + request.getExtDataInCert(ATTR_USER_CERT); String pwd = (String) params.get(ATTR_TRANSPORT_PWD); // add certificate @@ -569,47 +582,60 @@ public class RecoveryService implements IService { nickname = x509cert.getSubjectDN().toString(); } byte localKeyId[] = createLocalKeyId(x509cert); - SET certAttrs = createBagAttrs(nickname, localKeyId); + SET certAttrs = createBagAttrs( + nickname, localKeyId); // attributes: user friendly name, Local Key ID - SafeBag certBag = new SafeBag(SafeBag.CERT_BAG, new CertBag( - CertBag.X509_CERT_TYPE, cert), certAttrs); + SafeBag certBag = new SafeBag(SafeBag.CERT_BAG, + new CertBag(CertBag.X509_CERT_TYPE, cert), + certAttrs); encSafeContents.addElement(certBag); // add key mKRA.log(ILogger.LL_INFO, "KRA adds key to P12"); - org.mozilla.jss.util.Password pass = new org.mozilla.jss.util.Password( + org.mozilla.jss.util.Password pass = new + org.mozilla.jss.util.Password( pwd.toCharArray()); SEQUENCE safeContents = new SEQUENCE(); - PasswordConverter passConverter = new PasswordConverter(); - byte salt[] = { 0x01, 0x01, 0x01, 0x01 }; - PrivateKeyInfo pki = (PrivateKeyInfo) ASN1Util.decode( - PrivateKeyInfo.getTemplate(), priData); + PasswordConverter passConverter = new + PasswordConverter(); + byte salt[] = {0x01, 0x01, 0x01, 0x01}; + PrivateKeyInfo pki = (PrivateKeyInfo) + ASN1Util.decode(PrivateKeyInfo.getTemplate(), + priData); ASN1Value key = EncryptedPrivateKeyInfo.createPBE( - PBEAlgorithm.PBE_SHA1_DES3_CBC, pass, salt, 1, - passConverter, pki); - SET keyAttrs = createBagAttrs(x509cert.getSubjectDN().toString(), + PBEAlgorithm.PBE_SHA1_DES3_CBC, + pass, salt, 1, passConverter, pki); + SET keyAttrs = createBagAttrs( + x509cert.getSubjectDN().toString(), localKeyId); - SafeBag keyBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG, key, + SafeBag keyBag = new SafeBag( + SafeBag.PKCS8_SHROUDED_KEY_BAG, key, keyAttrs); // ?? safeContents.addElement(keyBag); // build contents - AuthenticatedSafes authSafes = new AuthenticatedSafes(); - - authSafes.addSafeContents(safeContents); - authSafes.addSafeContents(encSafeContents); - - // authSafes.addEncryptedSafeContents( - // authSafes.DEFAULT_KEY_GEN_ALG, - // pass, null, 1, - // encSafeContents); + AuthenticatedSafes authSafes = new + AuthenticatedSafes(); + + authSafes.addSafeContents( + safeContents + ); + authSafes.addSafeContents( + encSafeContents + ); + + // authSafes.addEncryptedSafeContents( + // authSafes.DEFAULT_KEY_GEN_ALG, + // pass, null, 1, + // encSafeContents); PFX pfx = new PFX(authSafes); pfx.computeMacData(pass, null, 5); // ?? - ByteArrayOutputStream fos = new ByteArrayOutputStream(); + ByteArrayOutputStream fos = new + ByteArrayOutputStream(); pfx.encode(fos); pass.clear(); @@ -617,10 +643,8 @@ public class RecoveryService implements IService { // put final PKCS12 into volatile request params.put(ATTR_PKCS12, fos.toByteArray()); } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSCORE_KRA_CONSTRUCT_P12", e.toString())); - throw new EKRAException(CMS.getUserMessage( - "CMS_KRA_PKCS12_FAILED_1", e.toString())); + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_CONSTRUCT_P12", e.toString())); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString())); } // update request @@ -630,7 +654,8 @@ public class RecoveryService implements IService { /** * Creates local key identifier. */ - public byte[] createLocalKeyId(X509Certificate cert) throws EBaseException { + public byte[] createLocalKeyId(X509Certificate cert) + throws EBaseException { try { // SHA1 hash of the X509Cert der encoding byte certDer[] = cert.getEncoded(); @@ -641,23 +666,21 @@ public class RecoveryService implements IService { md.update(certDer); return md.digest(); } catch (CertificateEncodingException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString())); - throw new EKRAException(CMS.getUserMessage( - "CMS_KRA_KEYID_FAILED_1", e.toString())); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString())); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYID_FAILED_1", e.toString())); } catch (NoSuchAlgorithmException e) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString())); - throw new EKRAException(CMS.getUserMessage( - "CMS_KRA_KEYID_FAILED_1", e.toString())); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString())); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYID_FAILED_1", e.toString())); } } /** * Creates bag attributes. */ - public SET createBagAttrs(String nickName, byte localKeyId[]) - throws EBaseException { + public SET createBagAttrs(String nickName, byte localKeyId[]) + throws EBaseException { try { SET attrs = new SET(); SEQUENCE nickNameAttr = new SEQUENCE(); @@ -678,10 +701,9 @@ public class RecoveryService implements IService { attrs.addElement(localKeyAttr); return attrs; } catch (CharConversionException e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage( - "CMSCORE_KRA_CREAT_KEY_BAG", e.toString())); - throw new EKRAException(CMS.getUserMessage( - "CMS_KRA_KEYBAG_FAILED_1", e.toString())); + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_BAG", e.toString())); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYBAG_FAILED_1", e.toString())); } } } |