summaryrefslogtreecommitdiffstats
path: root/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java')
-rw-r--r--pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java637
1 files changed, 300 insertions, 337 deletions
diff --git a/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index f9ff8385d..f31a2de2e 100644
--- a/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterOutputStream;
@@ -52,9 +51,9 @@ import com.netscape.certsrv.security.ITransportKeyUnit;
import com.netscape.cmscore.dbs.KeyRecord;
import com.netscape.cmsutil.util.Cert;
-
/**
* A class represents recovery request processor.
+ *
* @author Christina Fu (cfu)
* @version $Revision$, $Date$
*/
@@ -68,12 +67,10 @@ public class TokenKeyRecoveryService implements IService {
public static final String ATTR_TRANSPORT_PWD = "transportPwd";
public static final String ATTR_SIGNING_CERT = "signingCert";
public static final String ATTR_PKCS12 = "pkcs12";
- public static final String ATTR_ENCRYPTION_CERTS =
- "encryptionCerts";
- public static final String ATTR_AGENT_CREDENTIALS =
- "agentCredentials";
+ public static final String ATTR_ENCRYPTION_CERTS = "encryptionCerts";
+ public static final String ATTR_AGENT_CREDENTIALS = "agentCredentials";
// same as encryption certs
- public static final String ATTR_USER_CERT = "cert";
+ public static final String ATTR_USER_CERT = "cert";
public static final String ATTR_DELIVERY = "delivery";
private IKeyRecoveryAuthority mKRA = null;
@@ -81,13 +78,9 @@ public class TokenKeyRecoveryService implements IService {
private IStorageKeyUnit mStorageUnit = null;
private ITransportKeyUnit mTransportUnit = null;
- private final static String
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
- private final static String
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
/**
@@ -97,15 +90,15 @@ public class TokenKeyRecoveryService implements IService {
mKRA = kra;
mStorage = mKRA.getKeyRepository();
mStorageUnit = mKRA.getStorageKeyUnit();
- mTransportUnit = kra.getTransportKeyUnit();
+ mTransportUnit = kra.getTransportKeyUnit();
}
- /**
+ /**
* Process the HTTP request.
- *
+ *
* @param s The URL to decode
*/
- protected String URLdecode(String s) {
+ protected String URLdecode(String s) {
if (s == null)
return null;
ByteArrayOutputStream out = new ByteArrayOutputStream(s.length());
@@ -125,11 +118,11 @@ public class TokenKeyRecoveryService implements IService {
}
} // end for
return out.toString();
- }
+ }
public static String normalizeCertStr(String s) {
String val = "";
-
+
for (int i = 0; i < s.length(); i++) {
if (s.charAt(i) == '\\') {
i++;
@@ -151,11 +144,8 @@ public class TokenKeyRecoveryService implements IService {
// All this streaming is lame, but Base64OutputStream needs a
// PrintStream
ByteArrayOutputStream output = new ByteArrayOutputStream();
- Base64OutputStream b64 = new Base64OutputStream(new
- PrintStream(new
- FilterOutputStream(output)
- )
- );
+ Base64OutputStream b64 = new Base64OutputStream(new PrintStream(
+ new FilterOutputStream(output)));
b64.write(bytes);
b64.flush();
@@ -166,35 +156,30 @@ public class TokenKeyRecoveryService implements IService {
}
// this encrypts bytes with a symmetric key
- public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token,
- IVParameterSpec IV)
- {
- try {
- Cipher cipher = token.getCipherContext(
- EncryptionAlgorithm.DES3_CBC_PAD);
-
- cipher.initEncrypt(symKey, IV);
- byte pri[] = cipher.doFinal(toBeEncrypted);
- return pri;
- } catch (Exception e) {
- CMS.debug("initEncrypt() threw exception: "+e.toString());
+ public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey,
+ CryptoToken token, IVParameterSpec IV) {
+ try {
+ Cipher cipher = token
+ .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
+
+ cipher.initEncrypt(symKey, IV);
+ byte pri[] = cipher.doFinal(toBeEncrypted);
+ return pri;
+ } catch (Exception e) {
+ CMS.debug("initEncrypt() threw exception: " + e.toString());
return null;
}
}
-
/**
- * Processes a recovery request. The method reads
- * the key record from the database, and tries to recover the
- * key with the storage key unit. Once recovered, it wraps it
- * with desKey
- * In the params
- * - cert is used for recovery record search
- * - cuid may be used for additional validation check
- * - userid may be used for additional validation check
- * - wrappedDesKey is used for wrapping recovered private key
- *
+ * Processes a recovery request. The method reads the key record from the
+ * database, and tries to recover the key with the storage key unit. Once
+ * recovered, it wraps it with desKey In the params - cert is used for
+ * recovery record search - cuid may be used for additional validation check
+ * - userid may be used for additional validation check - wrappedDesKey is
+ * used for wrapping recovered private key
+ *
* @param request recovery request
* @return operation success or not
* @exception EBaseException failed to serve
@@ -205,59 +190,60 @@ public class TokenKeyRecoveryService implements IService {
String auditRequesterID = "TPSagent";
String auditRecoveryID = ILogger.UNIDENTIFIED;
String auditPublicKey = ILogger.UNIDENTIFIED;
- String iv_s ="";
+ String iv_s = "";
CMS.debug("KRA services token key recovery request");
byte[] wrapped_des_key;
- byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
+ byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
try {
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
random.nextBytes(iv);
} catch (Exception e) {
- CMS.debug("TokenKeyRecoveryService.serviceRequest: "+ e.toString());
+ CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString());
}
String id = request.getRequestId().toString();
if (id != null) {
auditRecoveryID = id.trim();
}
- SessionContext sContext = SessionContext.getContext();
- String agentId="";
- if (sContext != null) {
- agentId =
- (String) sContext.get(SessionContext.USER_ID);
- }
-
- Hashtable params = mKRA.getVolatileRequest(
- request.getRequestId());
+ SessionContext sContext = SessionContext.getContext();
+ String agentId = "";
+ if (sContext != null) {
+ agentId = (String) sContext.get(SessionContext.USER_ID);
+ }
+ Hashtable params = mKRA.getVolatileRequest(request.getRequestId());
if (params == null) {
// possibly we are in recovery mode
- CMS.debug("getVolatileRequest params null");
- // return true;
+ CMS.debug("getVolatileRequest params null");
+ // return true;
}
wrapped_des_key = null;
- PK11SymKey sk= null;
+ PK11SymKey sk = null;
String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID);
- String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID);
- String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY);
- auditSubjectID=rCUID+":"+rUserid;
-
- CMS.debug("TokenKeyRecoveryService: received DRM-trans-wrapped des key ="+rWrappedDesKeyString);
- wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString);
+ String rUserid = request
+ .getExtDataInString(IRequest.NETKEY_ATTR_USERID);
+ String rWrappedDesKeyString = request
+ .getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY);
+ auditSubjectID = rCUID + ":" + rUserid;
+
+ CMS.debug("TokenKeyRecoveryService: received DRM-trans-wrapped des key ="
+ + rWrappedDesKeyString);
+ wrapped_des_key = com.netscape.cmsutil.util.Utils
+ .SpecialDecode(rWrappedDesKeyString);
CMS.debug("TokenKeyRecoveryService: wrapped_des_key specialDecoded");
- if ((wrapped_des_key != null) &&
- (wrapped_des_key.length > 0)) {
+ if ((wrapped_des_key != null) && (wrapped_des_key.length > 0)) {
// unwrap the des key
- sk = (PK11SymKey) mTransportUnit.unwrap_encrypt_sym(wrapped_des_key);
+ sk = (PK11SymKey) mTransportUnit
+ .unwrap_encrypt_sym(wrapped_des_key);
if (sk == null) {
CMS.debug("TokenKeyRecoveryService: no des key");
@@ -269,11 +255,8 @@ public class TokenKeyRecoveryService implements IService {
CMS.debug("TokenKeyRecoveryService: not receive des key");
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
- agentId);
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId);
audit(auditMessage);
return false;
@@ -285,11 +268,8 @@ public class TokenKeyRecoveryService implements IService {
CMS.debug("TokenKeyRecoveryService: not receive cert");
request.setExtData(IRequest.RESULT, Integer.valueOf(3));
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
- agentId);
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId);
audit(auditMessage);
return false;
@@ -298,15 +278,13 @@ public class TokenKeyRecoveryService implements IService {
String cert = normalizeCertStr(cert_s);
java.security.cert.X509Certificate x509cert = null;
try {
- x509cert= (java.security.cert.X509Certificate) Cert.mapCert(cert);
+ x509cert = (java.security.cert.X509Certificate) Cert.mapCert(cert);
if (x509cert == null) {
CMS.debug("cert mapping failed");
request.setExtData(IRequest.RESULT, Integer.valueOf(5));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
+ auditSubjectID, ILogger.FAILURE, auditRecoveryID,
agentId);
audit(auditMessage);
@@ -316,301 +294,289 @@ public class TokenKeyRecoveryService implements IService {
CMS.debug("TokenKeyRecoveryService: mapCert failed");
request.setExtData(IRequest.RESULT, Integer.valueOf(6));
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
- agentId);
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID, ILogger.FAILURE, auditRecoveryID, agentId);
audit(auditMessage);
return false;
}
- try {
- /*
- CryptoToken internalToken =
- CryptoManager.getInstance().getInternalKeyStorageToken();
- */
- CryptoToken token = mStorageUnit.getToken();
- CMS.debug("TokenKeyRecoveryService: got token slot:"+token.getName());
- IVParameterSpec algParam = new IVParameterSpec(iv);
-
- Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
-
- KeyRecord keyRecord = null;
- CMS.debug( "KRA reading key record");
- try {
- keyRecord = (KeyRecord) mStorage.readKeyRecord(cert);
- if (keyRecord != null)
- CMS.debug("read key record");
- else {
- CMS.debug("key record not found");
- request.setExtData(IRequest.RESULT, Integer.valueOf(8));
- auditMessage = CMS.getLogMessage(
+ try {
+ /*
+ * CryptoToken internalToken =
+ * CryptoManager.getInstance().getInternalKeyStorageToken();
+ */
+ CryptoToken token = mStorageUnit.getToken();
+ CMS.debug("TokenKeyRecoveryService: got token slot:"
+ + token.getName());
+ IVParameterSpec algParam = new IVParameterSpec(iv);
+
+ Cipher cipher = token
+ .getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
+
+ KeyRecord keyRecord = null;
+ CMS.debug("KRA reading key record");
+ try {
+ keyRecord = (KeyRecord) mStorage.readKeyRecord(cert);
+ if (keyRecord != null)
+ CMS.debug("read key record");
+ else {
+ CMS.debug("key record not found");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(8));
+ auditMessage = CMS
+ .getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID, ILogger.FAILURE,
+ auditRecoveryID, agentId);
+
+ audit(auditMessage);
+ return false;
+ }
+ } catch (Exception e) {
+ com.netscape.cmscore.util.Debug.printStackTrace(e);
+ request.setExtData(IRequest.RESULT, Integer.valueOf(9));
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
+ auditSubjectID, ILogger.FAILURE, auditRecoveryID,
agentId);
- audit(auditMessage);
- return false;
- }
- }catch (Exception e) {
- com.netscape.cmscore.util.Debug.printStackTrace(e);
- request.setExtData(IRequest.RESULT, Integer.valueOf(9));
- auditMessage = CMS.getLogMessage(
+ audit(auditMessage);
+ return false;
+ }
+
+ // see if the owner name matches (cuid:userid) -XXX need make this
+ // optional
+ String owner = keyRecord.getOwnerName();
+ CMS.debug("TokenKeyRecoveryService: owner name on record =" + owner);
+ CMS.debug("TokenKeyRecoveryService: owner name from TPS =" + rCUID
+ + ":" + rUserid);
+ if (owner != null) {
+ if (owner.equals(rCUID + ":" + rUserid)) {
+ CMS.debug("TokenKeyRecoveryService: owner name matches");
+ } else {
+ CMS.debug("TokenKeyRecoveryService: owner name mismatches");
+ }
+ }
+
+ // see if the certificate matches the key
+ byte pubData[] = keyRecord.getPublicKeyData();
+ byte inputPubData[] = x509cert.getPublicKey().getEncoded();
+
+ if (inputPubData.length != pubData.length) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
+ auditSubjectID, ILogger.FAILURE, auditRecoveryID,
agentId);
- audit(auditMessage);
- return false;
- }
-
- // see if the owner name matches (cuid:userid) -XXX need make this optional
- String owner = keyRecord.getOwnerName();
- CMS.debug("TokenKeyRecoveryService: owner name on record =" +owner);
- CMS.debug("TokenKeyRecoveryService: owner name from TPS =" +rCUID+":"+rUserid);
- if (owner != null) {
- if (owner.equals(rCUID+":"+rUserid)) {
- CMS.debug("TokenKeyRecoveryService: owner name matches");
- } else {
- CMS.debug("TokenKeyRecoveryService: owner name mismatches");
- }
- }
-
- // see if the certificate matches the key
- byte pubData[] = keyRecord.getPublicKeyData();
- byte inputPubData[] = x509cert.getPublicKey().getEncoded();
-
- if (inputPubData.length != pubData.length) {
- mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
- auditMessage = CMS.getLogMessage(
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
+ }
+
+ for (int i = 0; i < pubData.length; i++) {
+ if (pubData[i] != inputPubData[i]) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+ auditMessage = CMS
+ .getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID, ILogger.FAILURE,
+ auditRecoveryID, agentId);
+
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
+ }
+ }
+
+ // Unwrap the archived private key
+ byte privateKeyData[] = null;
+ privateKeyData = recoverKey(params, keyRecord);
+ if (privateKeyData == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("TokenKeyRecoveryService: failed getting private key");
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
+ auditSubjectID, ILogger.FAILURE, auditRecoveryID,
agentId);
- audit(auditMessage);
- throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
- }
+ audit(auditMessage);
+ return false;
+ }
+ CMS.debug("TokenKeyRecoveryService: got private key...about to verify");
+
+ iv_s = /* base64Encode(iv); */com.netscape.cmsutil.util.Utils
+ .SpecialEncode(iv);
+ request.setExtData("iv_s", iv_s);
+
+ CMS.debug("request.setExtData: iv_s: " + iv_s);
+
+ /* LunaSA returns data with padding which we need to remove */
+ ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData);
+ DerValue dv = new DerValue(dis);
+ byte p[] = dv.toByteArray();
+ int l = p.length;
+ CMS.debug("length different data length=" + l + " real length="
+ + privateKeyData.length);
+ if (l != privateKeyData.length) {
+ privateKeyData = p;
+ }
- for (int i = 0; i < pubData.length; i++) {
- if (pubData[i] != inputPubData[i]) {
- mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
- auditMessage = CMS.getLogMessage(
+ if (verifyKeyPair(pubData, privateKeyData) == false) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
+ auditSubjectID, ILogger.FAILURE, auditRecoveryID,
agentId);
- audit(auditMessage);
- throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
- }
- }
-
- // Unwrap the archived private key
- byte privateKeyData[] = null;
- privateKeyData = recoverKey(params, keyRecord);
- if (privateKeyData == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("TokenKeyRecoveryService: failed getting private key");
- auditMessage = CMS.getLogMessage(
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+ } else {
+ CMS.debug("TokenKeyRecoveryService: private key verified with public key");
+ }
+
+ // encrypt and put in private key
+ cipher.initEncrypt(sk, algParam);
+ byte wrapped[] = cipher.doFinal(privateKeyData);
+
+ String wrappedPrivKeyString = com.netscape.cmsutil.util.Utils
+ .SpecialEncode(wrapped);
+ if (wrappedPrivKeyString == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key");
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
+ auditSubjectID, ILogger.FAILURE, auditRecoveryID,
agentId);
- audit(auditMessage);
- return false;
- }
- CMS.debug("TokenKeyRecoveryService: got private key...about to verify");
-
- iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
- request.setExtData("iv_s", iv_s);
-
- CMS.debug("request.setExtData: iv_s: " + iv_s);
-
- /* LunaSA returns data with padding which we need to remove */
- ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData);
- DerValue dv = new DerValue(dis);
- byte p[] = dv.toByteArray();
- int l = p.length;
- CMS.debug("length different data length=" + l +
- " real length=" + privateKeyData.length );
- if (l != privateKeyData.length) {
- privateKeyData = p;
- }
+ audit(auditMessage);
+ return false;
+ } else {
+ CMS.debug("TokenKeyRecoveryService: got private key data wrapped");
+ request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
+ request.setExtData(IRequest.RESULT, Integer.valueOf(1));
+ CMS.debug("TokenKeyRecoveryService: key for " + rCUID + ":"
+ + rUserid + " recovered");
+ }
+
+ // convert and put in the public key
+ String b64PKey = base64Encode(pubData);
- if (verifyKeyPair(pubData, privateKeyData) == false) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
- agentId);
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, auditSubjectID,
+ ILogger.SUCCESS, auditRecoveryID, b64PKey);
audit(auditMessage);
- throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
- } else {
- CMS.debug("TokenKeyRecoveryService: private key verified with public key");
- }
-
- //encrypt and put in private key
- cipher.initEncrypt(sk, algParam);
- byte wrapped[] = cipher.doFinal(privateKeyData);
-
- String wrappedPrivKeyString =
- com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped);
- if (wrappedPrivKeyString == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key");
- auditMessage = CMS.getLogMessage(
+
+ if (b64PKey == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded");
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
+ auditSubjectID, ILogger.FAILURE, auditRecoveryID,
agentId);
- audit(auditMessage);
- return false;
- } else {
- CMS.debug("TokenKeyRecoveryService: got private key data wrapped");
- request.setExtData("wrappedUserPrivate",
- wrappedPrivKeyString);
- request.setExtData(IRequest.RESULT, Integer.valueOf(1));
- CMS.debug( "TokenKeyRecoveryService: key for " +rCUID+":"+rUserid +" recovered");
- }
-
- //convert and put in the public key
- String b64PKey = base64Encode(pubData);
-
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
- auditSubjectID,
- ILogger.SUCCESS,
- auditRecoveryID,
- b64PKey);
-
audit(auditMessage);
-
- if (b64PKey == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded");
+ return false;
+ } else {
+ CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = "
+ + b64PKey);
+ }
+ request.setExtData("public_key", b64PKey);
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
- agentId);
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID, ILogger.SUCCESS, auditRecoveryID, agentId);
audit(auditMessage);
- return false;
- } else {
- CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = "+
- b64PKey);
- }
- request.setExtData("public_key", b64PKey);
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.SUCCESS,
- auditRecoveryID,
- agentId);
-
- audit(auditMessage);
- return true;
+ return true;
- } catch (Exception e) {
- CMS.debug("TokenKeyRecoveryService: " + e.toString());
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- }
+ } catch (Exception e) {
+ CMS.debug("TokenKeyRecoveryService: " + e.toString());
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ }
return true;
}
- public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[])
- {
- try {
- DerValue publicKeyVal = new DerValue(publicKeyData);
- DerInputStream publicKeyIn = publicKeyVal.data;
- publicKeyIn.getSequence(0);
- DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
- DerInputStream publicKeyDerIn = publicKeyDer.data;
- BigInt publicKeyModulus = publicKeyDerIn.getInteger();
- BigInt publicKeyExponent = publicKeyDerIn.getInteger();
-
- DerValue privateKeyVal = new DerValue(privateKeyData);
- if (privateKeyVal.tag != DerValue.tag_Sequence)
- return false;
- DerInputStream privateKeyIn = privateKeyVal.data;
- privateKeyIn.getInteger();
- privateKeyIn.getSequence(0);
- DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
- DerInputStream privateKeyDerIn = privateKeyDer.data;
- BigInt privateKeyVersion = privateKeyDerIn.getInteger();
- BigInt privateKeyModulus = privateKeyDerIn.getInteger();
- BigInt privateKeyExponent = privateKeyDerIn.getInteger();
-
- if (!publicKeyModulus.equals(privateKeyModulus)) {
- CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus);
- return false;
- }
-
- if (!publicKeyExponent.equals(privateKeyExponent)) {
- CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent);
- return false;
- }
-
- return true;
- } catch (Exception e) {
- CMS.debug("verifyKeyPair error " + e);
- return false;
- }
+ public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) {
+ try {
+ DerValue publicKeyVal = new DerValue(publicKeyData);
+ DerInputStream publicKeyIn = publicKeyVal.data;
+ publicKeyIn.getSequence(0);
+ DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
+ DerInputStream publicKeyDerIn = publicKeyDer.data;
+ BigInt publicKeyModulus = publicKeyDerIn.getInteger();
+ BigInt publicKeyExponent = publicKeyDerIn.getInteger();
+
+ DerValue privateKeyVal = new DerValue(privateKeyData);
+ if (privateKeyVal.tag != DerValue.tag_Sequence)
+ return false;
+ DerInputStream privateKeyIn = privateKeyVal.data;
+ privateKeyIn.getInteger();
+ privateKeyIn.getSequence(0);
+ DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
+ DerInputStream privateKeyDerIn = privateKeyDer.data;
+ BigInt privateKeyVersion = privateKeyDerIn.getInteger();
+ BigInt privateKeyModulus = privateKeyDerIn.getInteger();
+ BigInt privateKeyExponent = privateKeyDerIn.getInteger();
+
+ if (!publicKeyModulus.equals(privateKeyModulus)) {
+ CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus="
+ + publicKeyModulus + " privateKeyModulus="
+ + privateKeyModulus);
+ return false;
+ }
+
+ if (!publicKeyExponent.equals(privateKeyExponent)) {
+ CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent="
+ + publicKeyExponent + " privateKeyExponent="
+ + privateKeyExponent);
+ return false;
+ }
+
+ return true;
+ } catch (Exception e) {
+ CMS.debug("verifyKeyPair error " + e);
+ return false;
+ }
}
-
+
/**
* Recovers key.
*/
- public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord)
- throws EBaseException {
- /*
- Credential creds[] = (Credential[])
- request.get(ATTR_AGENT_CREDENTIALS);
-
- mStorageUnit.login(creds);
- */
- CMS.debug( "KRA decrypts internal private");
- byte privateKeyData[] =
- mStorageUnit.decryptInternalPrivate(
- keyRecord.getPrivateKeyData());
- /*
- mStorageUnit.logout();
- */
+ public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord)
+ throws EBaseException {
+ /*
+ * Credential creds[] = (Credential[])
+ * request.get(ATTR_AGENT_CREDENTIALS);
+ *
+ * mStorageUnit.login(creds);
+ */
+ CMS.debug("KRA decrypts internal private");
+ byte privateKeyData[] = mStorageUnit.decryptInternalPrivate(keyRecord
+ .getPrivateKeyData());
+ /*
+ * mStorageUnit.logout();
+ */
if (privateKeyData == null) {
- mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key"));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
+ throw new EKRAException(CMS.getUserMessage(
+ "CMS_KRA_RECOVERY_FAILED_1", "no private key"));
}
return privateKeyData;
}
+
/**
- * Signed Audit Log
- *y
- * This method is called to store messages to the signed audit log.
+ * Signed Audit Log y This method is called to store messages to the signed
+ * audit log.
* <P>
- *
+ *
* @param msg signed audit log message
*/
private void audit(String msg) {
@@ -621,11 +587,8 @@ public class TokenKeyRecoveryService implements IService {
return;
}
- mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
- null,
- ILogger.S_SIGNED_AUDIT,
- ILogger.LL_SECURITY,
- msg);
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null,
+ ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg);
}
}
generated by cgit (git 2.34.1) at 2024-07-03 13:31:38 +0000