diff options
Diffstat (limited to 'pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java')
-rw-r--r-- | pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 548 |
1 files changed, 271 insertions, 277 deletions
diff --git a/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index f9ff8385d..a9287b59d 100644 --- a/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.FilterOutputStream; @@ -52,9 +51,9 @@ import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmsutil.util.Cert; - /** * A class represents recovery request processor. + * * @author Christina Fu (cfu) * @version $Revision$, $Date$ */ @@ -68,12 +67,12 @@ public class TokenKeyRecoveryService implements IService { public static final String ATTR_TRANSPORT_PWD = "transportPwd"; public static final String ATTR_SIGNING_CERT = "signingCert"; public static final String ATTR_PKCS12 = "pkcs12"; - public static final String ATTR_ENCRYPTION_CERTS = - "encryptionCerts"; - public static final String ATTR_AGENT_CREDENTIALS = - "agentCredentials"; + public static final String ATTR_ENCRYPTION_CERTS = + "encryptionCerts"; + public static final String ATTR_AGENT_CREDENTIALS = + "agentCredentials"; // same as encryption certs - public static final String ATTR_USER_CERT = "cert"; + public static final String ATTR_USER_CERT = "cert"; public static final String ATTR_DELIVERY = "delivery"; private IKeyRecoveryAuthority mKRA = null; @@ -81,13 +80,11 @@ public class TokenKeyRecoveryService implements IService { private IStorageKeyUnit mStorageUnit = null; private ITransportKeyUnit mTransportUnit = null; - private final static String - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = + "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; - private final static String - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; + private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger(); /** @@ -97,15 +94,15 @@ public class TokenKeyRecoveryService implements IService { mKRA = kra; mStorage = mKRA.getKeyRepository(); mStorageUnit = mKRA.getStorageKeyUnit(); - mTransportUnit = kra.getTransportKeyUnit(); + mTransportUnit = kra.getTransportKeyUnit(); } - /** + /** * Process the HTTP request. - * + * * @param s The URL to decode */ - protected String URLdecode(String s) { + protected String URLdecode(String s) { if (s == null) return null; ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); @@ -125,11 +122,11 @@ public class TokenKeyRecoveryService implements IService { } } // end for return out.toString(); - } + } public static String normalizeCertStr(String s) { String val = ""; - + for (int i = 0; i < s.length(); i++) { if (s.charAt(i) == '\\') { i++; @@ -153,9 +150,9 @@ public class TokenKeyRecoveryService implements IService { ByteArrayOutputStream output = new ByteArrayOutputStream(); Base64OutputStream b64 = new Base64OutputStream(new PrintStream(new - FilterOutputStream(output) + FilterOutputStream(output) ) - ); + ); b64.write(bytes); b64.flush(); @@ -167,34 +164,32 @@ public class TokenKeyRecoveryService implements IService { // this encrypts bytes with a symmetric key public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token, - IVParameterSpec IV) - { - try { - Cipher cipher = token.getCipherContext( + IVParameterSpec IV) { + try { + Cipher cipher = token.getCipherContext( EncryptionAlgorithm.DES3_CBC_PAD); - - cipher.initEncrypt(symKey, IV); - byte pri[] = cipher.doFinal(toBeEncrypted); - return pri; - } catch (Exception e) { - CMS.debug("initEncrypt() threw exception: "+e.toString()); + + cipher.initEncrypt(symKey, IV); + byte pri[] = cipher.doFinal(toBeEncrypted); + return pri; + } catch (Exception e) { + CMS.debug("initEncrypt() threw exception: " + e.toString()); return null; } } - /** * Processes a recovery request. The method reads * the key record from the database, and tries to recover the - * key with the storage key unit. Once recovered, it wraps it + * key with the storage key unit. Once recovered, it wraps it * with desKey * In the params - * - cert is used for recovery record search - * - cuid may be used for additional validation check - * - userid may be used for additional validation check - * - wrappedDesKey is used for wrapping recovered private key - * + * - cert is used for recovery record search + * - cuid may be used for additional validation check + * - userid may be used for additional validation check + * - wrappedDesKey is used for wrapping recovered private key + * * @param request recovery request * @return operation success or not * @exception EBaseException failed to serve @@ -205,56 +200,55 @@ public class TokenKeyRecoveryService implements IService { String auditRequesterID = "TPSagent"; String auditRecoveryID = ILogger.UNIDENTIFIED; String auditPublicKey = ILogger.UNIDENTIFIED; - String iv_s =""; + String iv_s = ""; CMS.debug("KRA services token key recovery request"); byte[] wrapped_des_key; - byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1}; + byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; try { SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); random.nextBytes(iv); } catch (Exception e) { - CMS.debug("TokenKeyRecoveryService.serviceRequest: "+ e.toString()); + CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString()); } String id = request.getRequestId().toString(); if (id != null) { auditRecoveryID = id.trim(); } - SessionContext sContext = SessionContext.getContext(); - String agentId=""; - if (sContext != null) { + SessionContext sContext = SessionContext.getContext(); + String agentId = ""; + if (sContext != null) { agentId = - (String) sContext.get(SessionContext.USER_ID); - } + (String) sContext.get(SessionContext.USER_ID); + } Hashtable params = mKRA.getVolatileRequest( request.getRequestId()); - if (params == null) { // possibly we are in recovery mode - CMS.debug("getVolatileRequest params null"); - // return true; + CMS.debug("getVolatileRequest params null"); + // return true; } wrapped_des_key = null; - PK11SymKey sk= null; + PK11SymKey sk = null; String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID); String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID); String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); - auditSubjectID=rCUID+":"+rUserid; + auditSubjectID = rCUID + ":" + rUserid; - CMS.debug("TokenKeyRecoveryService: received DRM-trans-wrapped des key ="+rWrappedDesKeyString); + CMS.debug("TokenKeyRecoveryService: received DRM-trans-wrapped des key =" + rWrappedDesKeyString); wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString); CMS.debug("TokenKeyRecoveryService: wrapped_des_key specialDecoded"); if ((wrapped_des_key != null) && - (wrapped_des_key.length > 0)) { + (wrapped_des_key.length > 0)) { // unwrap the des key sk = (PK11SymKey) mTransportUnit.unwrap_encrypt_sym(wrapped_des_key); @@ -298,7 +292,7 @@ public class TokenKeyRecoveryService implements IService { String cert = normalizeCertStr(cert_s); java.security.cert.X509Certificate x509cert = null; try { - x509cert= (java.security.cert.X509Certificate) Cert.mapCert(cert); + x509cert = (java.security.cert.X509Certificate) Cert.mapCert(cert); if (x509cert == null) { CMS.debug("cert mapping failed"); request.setExtData(IRequest.RESULT, Integer.valueOf(5)); @@ -326,291 +320,291 @@ public class TokenKeyRecoveryService implements IService { return false; } - try { - /* - CryptoToken internalToken = - CryptoManager.getInstance().getInternalKeyStorageToken(); - */ - CryptoToken token = mStorageUnit.getToken(); - CMS.debug("TokenKeyRecoveryService: got token slot:"+token.getName()); - IVParameterSpec algParam = new IVParameterSpec(iv); - - Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); - - KeyRecord keyRecord = null; - CMS.debug( "KRA reading key record"); - try { - keyRecord = (KeyRecord) mStorage.readKeyRecord(cert); - if (keyRecord != null) - CMS.debug("read key record"); - else { - CMS.debug("key record not found"); - request.setExtData(IRequest.RESULT, Integer.valueOf(8)); - auditMessage = CMS.getLogMessage( + try { + /* + CryptoToken internalToken = + CryptoManager.getInstance().getInternalKeyStorageToken(); + */ + CryptoToken token = mStorageUnit.getToken(); + CMS.debug("TokenKeyRecoveryService: got token slot:" + token.getName()); + IVParameterSpec algParam = new IVParameterSpec(iv); + + Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD); + + KeyRecord keyRecord = null; + CMS.debug("KRA reading key record"); + try { + keyRecord = (KeyRecord) mStorage.readKeyRecord(cert); + if (keyRecord != null) + CMS.debug("read key record"); + else { + CMS.debug("key record not found"); + request.setExtData(IRequest.RESULT, Integer.valueOf(8)); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, + agentId); + + audit(auditMessage); + return false; + } + } catch (Exception e) { + com.netscape.cmscore.util.Debug.printStackTrace(e); + request.setExtData(IRequest.RESULT, Integer.valueOf(9)); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - return false; - } - }catch (Exception e) { - com.netscape.cmscore.util.Debug.printStackTrace(e); - request.setExtData(IRequest.RESULT, Integer.valueOf(9)); - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); + audit(auditMessage); + return false; + } - audit(auditMessage); - return false; - } - - // see if the owner name matches (cuid:userid) -XXX need make this optional - String owner = keyRecord.getOwnerName(); - CMS.debug("TokenKeyRecoveryService: owner name on record =" +owner); - CMS.debug("TokenKeyRecoveryService: owner name from TPS =" +rCUID+":"+rUserid); - if (owner != null) { - if (owner.equals(rCUID+":"+rUserid)) { - CMS.debug("TokenKeyRecoveryService: owner name matches"); - } else { - CMS.debug("TokenKeyRecoveryService: owner name mismatches"); - } - } - - // see if the certificate matches the key - byte pubData[] = keyRecord.getPublicKeyData(); - byte inputPubData[] = x509cert.getPublicKey().getEncoded(); - - if (inputPubData.length != pubData.length) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); + // see if the owner name matches (cuid:userid) -XXX need make this optional + String owner = keyRecord.getOwnerName(); + CMS.debug("TokenKeyRecoveryService: owner name on record =" + owner); + CMS.debug("TokenKeyRecoveryService: owner name from TPS =" + rCUID + ":" + rUserid); + if (owner != null) { + if (owner.equals(rCUID + ":" + rUserid)) { + CMS.debug("TokenKeyRecoveryService: owner name matches"); + } else { + CMS.debug("TokenKeyRecoveryService: owner name mismatches"); + } + } - audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); - } + // see if the certificate matches the key + byte pubData[] = keyRecord.getPublicKeyData(); + byte inputPubData[] = x509cert.getPublicKey().getEncoded(); - for (int i = 0; i < pubData.length; i++) { - if (pubData[i] != inputPubData[i]) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); - auditMessage = CMS.getLogMessage( + if (inputPubData.length != pubData.length) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); - } - } - - // Unwrap the archived private key - byte privateKeyData[] = null; - privateKeyData = recoverKey(params, keyRecord); - if (privateKeyData == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting private key"); - auditMessage = CMS.getLogMessage( + audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); + } + + for (int i = 0; i < pubData.length; i++) { + if (pubData[i] != inputPubData[i]) { + mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, + agentId); + + audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); + } + } + + // Unwrap the archived private key + byte privateKeyData[] = null; + privateKeyData = recoverKey(params, keyRecord); + if (privateKeyData == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting private key"); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - return false; - } - CMS.debug("TokenKeyRecoveryService: got private key...about to verify"); - - iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); - request.setExtData("iv_s", iv_s); - - CMS.debug("request.setExtData: iv_s: " + iv_s); - - /* LunaSA returns data with padding which we need to remove */ - ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData); - DerValue dv = new DerValue(dis); - byte p[] = dv.toByteArray(); - int l = p.length; - CMS.debug("length different data length=" + l + - " real length=" + privateKeyData.length ); - if (l != privateKeyData.length) { - privateKeyData = p; - } + audit(auditMessage); + return false; + } + CMS.debug("TokenKeyRecoveryService: got private key...about to verify"); + + iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); + request.setExtData("iv_s", iv_s); + + CMS.debug("request.setExtData: iv_s: " + iv_s); + + /* LunaSA returns data with padding which we need to remove */ + ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData); + DerValue dv = new DerValue(dis); + byte p[] = dv.toByteArray(); + int l = p.length; + CMS.debug("length different data length=" + l + + " real length=" + privateKeyData.length); + if (l != privateKeyData.length) { + privateKeyData = p; + } - if (verifyKeyPair(pubData, privateKeyData) == false) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - auditMessage = CMS.getLogMessage( + if (verifyKeyPair(pubData, privateKeyData) == false) { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); - } else { - CMS.debug("TokenKeyRecoveryService: private key verified with public key"); - } + audit(auditMessage); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); + } else { + CMS.debug("TokenKeyRecoveryService: private key verified with public key"); + } - //encrypt and put in private key - cipher.initEncrypt(sk, algParam); - byte wrapped[] = cipher.doFinal(privateKeyData); + //encrypt and put in private key + cipher.initEncrypt(sk, algParam); + byte wrapped[] = cipher.doFinal(privateKeyData); - String wrappedPrivKeyString = + String wrappedPrivKeyString = com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped); - if (wrappedPrivKeyString == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); - auditMessage = CMS.getLogMessage( + if (wrappedPrivKeyString == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); - audit(auditMessage); - return false; - } else { - CMS.debug("TokenKeyRecoveryService: got private key data wrapped"); - request.setExtData("wrappedUserPrivate", - wrappedPrivKeyString); - request.setExtData(IRequest.RESULT, Integer.valueOf(1)); - CMS.debug( "TokenKeyRecoveryService: key for " +rCUID+":"+rUserid +" recovered"); - } - - //convert and put in the public key - String b64PKey = base64Encode(pubData); - - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, - b64PKey); - audit(auditMessage); - - if (b64PKey == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); + return false; + } else { + CMS.debug("TokenKeyRecoveryService: got private key data wrapped"); + request.setExtData("wrappedUserPrivate", + wrappedPrivKeyString); + request.setExtData(IRequest.RESULT, Integer.valueOf(1)); + CMS.debug("TokenKeyRecoveryService: key for " + rCUID + ":" + rUserid + " recovered"); + } + + //convert and put in the public key + String b64PKey = base64Encode(pubData); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, + b64PKey); + + audit(auditMessage); + + if (b64PKey == null) { + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId); + audit(auditMessage); + return false; + } else { + CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = " + + b64PKey); + } + request.setExtData("public_key", b64PKey); + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, + auditSubjectID, + ILogger.SUCCESS, + auditRecoveryID, + agentId); + audit(auditMessage); - return false; - } else { - CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = "+ - b64PKey); - } - request.setExtData("public_key", b64PKey); - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, - agentId); - - audit(auditMessage); - return true; + return true; - } catch (Exception e) { - CMS.debug("TokenKeyRecoveryService: " + e.toString()); - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - } + } catch (Exception e) { + CMS.debug("TokenKeyRecoveryService: " + e.toString()); + request.setExtData(IRequest.RESULT, Integer.valueOf(4)); + } return true; } - public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) - { - try { - DerValue publicKeyVal = new DerValue(publicKeyData); - DerInputStream publicKeyIn = publicKeyVal.data; - publicKeyIn.getSequence(0); - DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); - DerInputStream publicKeyDerIn = publicKeyDer.data; - BigInt publicKeyModulus = publicKeyDerIn.getInteger(); - BigInt publicKeyExponent = publicKeyDerIn.getInteger(); - - DerValue privateKeyVal = new DerValue(privateKeyData); - if (privateKeyVal.tag != DerValue.tag_Sequence) - return false; - DerInputStream privateKeyIn = privateKeyVal.data; - privateKeyIn.getInteger(); - privateKeyIn.getSequence(0); - DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); - DerInputStream privateKeyDerIn = privateKeyDer.data; - BigInt privateKeyVersion = privateKeyDerIn.getInteger(); - BigInt privateKeyModulus = privateKeyDerIn.getInteger(); - BigInt privateKeyExponent = privateKeyDerIn.getInteger(); - - if (!publicKeyModulus.equals(privateKeyModulus)) { - CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus); - return false; - } - - if (!publicKeyExponent.equals(privateKeyExponent)) { - CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent); - return false; - } - - return true; - } catch (Exception e) { - CMS.debug("verifyKeyPair error " + e); - return false; - } + public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) { + try { + DerValue publicKeyVal = new DerValue(publicKeyData); + DerInputStream publicKeyIn = publicKeyVal.data; + publicKeyIn.getSequence(0); + DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString()); + DerInputStream publicKeyDerIn = publicKeyDer.data; + BigInt publicKeyModulus = publicKeyDerIn.getInteger(); + BigInt publicKeyExponent = publicKeyDerIn.getInteger(); + + DerValue privateKeyVal = new DerValue(privateKeyData); + if (privateKeyVal.tag != DerValue.tag_Sequence) + return false; + DerInputStream privateKeyIn = privateKeyVal.data; + privateKeyIn.getInteger(); + privateKeyIn.getSequence(0); + DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString()); + DerInputStream privateKeyDerIn = privateKeyDer.data; + BigInt privateKeyVersion = privateKeyDerIn.getInteger(); + BigInt privateKeyModulus = privateKeyDerIn.getInteger(); + BigInt privateKeyExponent = privateKeyDerIn.getInteger(); + + if (!publicKeyModulus.equals(privateKeyModulus)) { + CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus); + return false; + } + + if (!publicKeyExponent.equals(privateKeyExponent)) { + CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent); + return false; + } + + return true; + } catch (Exception e) { + CMS.debug("verifyKeyPair error " + e); + return false; + } } - + /** * Recovers key. */ - public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) - throws EBaseException { - /* - Credential creds[] = (Credential[]) - request.get(ATTR_AGENT_CREDENTIALS); - - mStorageUnit.login(creds); - */ - CMS.debug( "KRA decrypts internal private"); - byte privateKeyData[] = - mStorageUnit.decryptInternalPrivate( - keyRecord.getPrivateKeyData()); - /* - mStorageUnit.logout(); - */ + public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord) + throws EBaseException { + /* + Credential creds[] = (Credential[]) + request.get(ATTR_AGENT_CREDENTIALS); + + mStorageUnit.login(creds); + */ + CMS.debug("KRA decrypts internal private"); + byte privateKeyData[] = + mStorageUnit.decryptInternalPrivate( + keyRecord.getPrivateKeyData()); + /* + mStorageUnit.logout(); + */ if (privateKeyData == null) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND")); throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key")); } return privateKeyData; } + /** * Signed Audit Log - *y + * y * This method is called to store messages to the signed audit log. * <P> - * + * * @param msg signed audit log message */ private void audit(String msg) { @@ -622,10 +616,10 @@ public class TokenKeyRecoveryService implements IService { } mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, - null, - ILogger.S_SIGNED_AUDIT, - ILogger.LL_SECURITY, - msg); + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); } } |