5 files changed, 380 insertions, 0 deletions

diff --git a/pki/base/migrate/kra/RecoverKey.class b/pki/base/migrate/kra/RecoverKey.class
new file mode 100755
index 000000000..756380e8d
--- /dev/null
+++ b/pki/base/migrate/kra/RecoverKey.class
diff --git a/pki/base/migrate/kra/RecoverKey.java b/pki/base/migrate/kra/RecoverKey.java
new file mode 100755
index 000000000..06e5fc55f
--- /dev/null
+++ b/pki/base/migrate/kra/RecoverKey.java
@@ -0,0 +1,101 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+
+// package com.netscape.cmstools;
+
+import org.mozilla.jss.pkix.cmc.*;
+import org.mozilla.jss.pkix.cms.*;
+import org.mozilla.jss.pkix.cert.*;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.pkcs10.*;
+import org.mozilla.jss.crypto.*;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.SignatureAlgorithm;
+import org.mozilla.jss.crypto.DigestAlgorithm;
+import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.util.*;
+import org.mozilla.jss.*;
+
+import sun.misc.BASE64Encoder;
+import sun.misc.*;
+
+import java.io.*;
+import java.util.*;
+
+import com.netscape.cmscore.shares.*;
+
+public class RecoverKey {
+    
+    public static void main(String args[]) throws Exception
+    {
+       if (args.length != 6) {
+             System.out.println("Usage: RecoverKey <alias directory> <prefix> <password> <pin> <nickname> <kra-key.db path>");
+             System.exit(0);
+        }
+
+        String alias = args[0];
+        String prefix = args[1];
+        String password = args[2];
+        String pin = args[3];
+        String nickname = args[4];
+        String db_path = args[5];
+
+        CryptoManager.InitializationValues vals = 
+                 new CryptoManager.InitializationValues(alias,
+                 prefix, prefix, "secmod.db");
+
+        CryptoManager.initialize(vals);
+        CryptoManager cm = CryptoManager.getInstance();
+
+        CryptoToken token = cm.getInternalKeyStorageToken();
+        token.login(new Password(password.toCharArray()));
+
+        // retrieve public key
+        X509Certificate cert = cm.findCertByNickname(nickname);
+
+        // retrieve encrypted private key material
+        File priFile = new File(db_path);
+        byte priData[] = new byte[(new Long(priFile.length())).intValue()];
+        FileInputStream fi = new FileInputStream(priFile);
+        fi.read(priData);
+        fi.close();
+
+        // recover private key
+        Password pass = new Password(pin.toCharArray());
+        KeyGenerator kg = token.getKeyGenerator(
+                        PBEAlgorithm.PBE_SHA1_DES3_CBC);
+        byte iv[] = {0x01, 0x01, 0x01, 0x01,
+                 0x01, 0x01, 0x01, 0x01};
+        PBEKeyGenParams kgp = new PBEKeyGenParams(pass,
+                    iv, 5);
+
+        pass.clear();
+        kg.initialize(kgp);
+        SymmetricKey sk = kg.generate();
+
+        KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
+        wrapper.initUnwrap(sk, new IVParameterSpec(iv));
+        PrivateKey pk = wrapper.unwrapPrivate(priData,
+                    PrivateKey.RSA, cert.getPublicKey());
+
+        System.out.println("=> Private is '" + pk + "'");
+    }
+}
diff --git a/pki/base/migrate/kra/RecoverPin.class b/pki/base/migrate/kra/RecoverPin.class
new file mode 100755
index 000000000..75db9d5f9
--- /dev/null
+++ b/pki/base/migrate/kra/RecoverPin.class
diff --git a/pki/base/migrate/kra/RecoverPin.java b/pki/base/migrate/kra/RecoverPin.java
new file mode 100755
index 000000000..2ad268c37
--- /dev/null
+++ b/pki/base/migrate/kra/RecoverPin.java
@@ -0,0 +1,149 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+
+// package com.netscape.cmstools;
+
+import org.mozilla.jss.pkix.cmc.*;
+import org.mozilla.jss.pkix.cms.*;
+import org.mozilla.jss.pkix.cert.*;
+import org.mozilla.jss.pkix.primitive.*;
+import org.mozilla.jss.asn1.*;
+import org.mozilla.jss.pkcs10.*;
+import org.mozilla.jss.crypto.*;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.SignatureAlgorithm;
+import org.mozilla.jss.crypto.DigestAlgorithm;
+import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.util.*;
+import org.mozilla.jss.*;
+
+import sun.misc.BASE64Encoder;
+import sun.misc.*;
+
+import java.io.*;
+import java.util.*;
+
+import com.netscape.cmscore.shares.*;
+
+public class RecoverPin {
+    
+    public static String getPassword(Hashtable shares) throws Exception
+    {
+        System.out.println("Share size '" + shares.size() + "'");
+        JoinShares j = new JoinShares(shares.size());
+
+        Enumeration e = shares.keys();
+        while (e.hasMoreElements()) {
+          String next = (String) e.nextElement();
+System.out.println("Add share " + (int)(Integer.parseInt(next) + 1));
+          j.addShare(Integer.parseInt(next) + 1,
+                (byte[]) shares.get(next));
+        }
+        byte secret[] = j.recoverSecret();
+        String pwd = new String(secret);
+        return pwd;
+    }
+
+    public static byte[] resizeShare(byte share[]) {
+        byte data[] = new byte[share.length - 2];
+
+        for (int i = 2; i < share.length; i++) {
+            data[i - 2] = share[i];
+        }
+        return data;
+    }
+
+    public static Hashtable getShares(CryptoToken token,
+              Properties kra_mn_p) throws Exception
+    {
+        BufferedReader br = new BufferedReader( new InputStreamReader(System.in));
+        Hashtable v = new Hashtable();
+        Enumeration e = kra_mn_p.keys();
+        int n = Integer.parseInt((String)kra_mn_p.get("n"));
+        for (int i = 0; i < n; i++) {
+          String uid = (String)kra_mn_p.get("uid"+i);
+          System.out.println("Got uid '" + uid + "'");
+
+          String encrypted = (String)kra_mn_p.get("share"+i);
+          System.out.println("Got share '" + encrypted + "'");
+
+          BASE64Decoder decoder = new BASE64Decoder();
+          byte share[] = decoder.decodeBuffer(encrypted);
+          System.out.println("Got encrypted share length '" + 
+                  share.length + "'");
+
+          System.out.println("Please input password for " + uid + ":");
+          String pwd = br.readLine();
+          System.out.println("Got password '" + pwd + "'");
+
+          Cipher cipher = token.getCipherContext(
+                    EncryptionAlgorithm.DES3_CBC_PAD);
+          byte iv[] = {0x01, 0x01, 0x01, 0x01, 0x01,
+                    0x01, 0x01, 0x01};
+          Password pass = new Password(pwd.toCharArray());
+          KeyGenerator kg = token.getKeyGenerator(
+                        PBEAlgorithm.PBE_SHA1_DES3_CBC);
+          PBEKeyGenParams kgp = new PBEKeyGenParams(pass,
+                    iv, 5);
+          kg.initialize(kgp);
+          SymmetricKey sk = kg.generate();
+          cipher.initDecrypt(sk, new IVParameterSpec(iv));
+          byte dec[] = cipher.doFinal(share);
+          System.out.println("Got decrypted share length '" + dec.length + "'");
+          System.out.println("Got share[0] '" + dec[0] + "'");
+          System.out.println("Got share[1] '" + dec[1] + "'");
+          byte res[] = resizeShare(dec);
+          v.put(Integer.toString(i), res);
+        }
+        return v;
+    }
+
+    public static void main(String args[]) throws Exception
+    {
+       if (args.length != 4) {
+             System.out.println("Usage: RecoverPin <alias directory> <prefix> <password> <kra-mn.conf path>");
+             System.exit(0);
+        }
+
+        String alias = args[0];
+        String prefix = args[1];
+        String password = args[2];
+        String path_kra_mn = args[3];
+
+        CryptoManager.InitializationValues vals = 
+                 new CryptoManager.InitializationValues(alias,
+                 prefix, prefix, "secmod.db");
+
+        CryptoManager.initialize(vals);
+        CryptoManager cm = CryptoManager.getInstance();
+
+        // load files into properties
+        Properties kra_mn_p = new Properties();
+        kra_mn_p.load(new FileInputStream(path_kra_mn));
+
+        CryptoToken token = cm.getInternalKeyStorageToken();
+        token.login(new Password(password.toCharArray()));
+
+        Hashtable shares = getShares(token, kra_mn_p);
+
+        String pwd = getPassword(shares);
+        System.out.println("=> Pin is '" + pwd + "'");
+    }
+}
diff --git a/pki/base/migrate/kra/readme.txt b/pki/base/migrate/kra/readme.txt
new file mode 100755
index 000000000..8b7b69b49
--- /dev/null
+++ b/pki/base/migrate/kra/readme.txt
@@ -0,0 +1,130 @@
+Date
+
+  Tue Oct 17 16:11:07 PDT 2006
+
+Version
+
+  CMS 6.1
+
+Overview
+
+  In CMS6.1 Data Recovery Manager (DRM), it has deployed a 
+  complicated key splitting scheme where software token and 
+  hardware token are treated differently.
+
+  Both software and hardware token requires a group of N recovery agents
+  to be present during the configuration. A Pin is randomly generated
+  and splitted into N pieces called shares. Each share is encrypted with
+  a password provided by the individual recovery agent. This is to 
+  ensure no single recovery agent to access the pin.
+
+  For software token, during configuration, a storage key pair is
+  generated, and the private key portion is then encrypted by the 
+  Pin mentioned above. The encrypted key is stored in a file called
+  kra-key.db in the conf directory. The configuration deletes 
+  the private key from the software token. For each recovery 
+  operation, the private key is then reconstructed and imported 
+  into the software token.
+
+  For hardware token, during configuration, a storage key pair is
+  generated on the selected token, then the configuration changes the
+  hardware token's pin to the randomly generated pin mentioned above.
+  For each recovery operation, the token's pin is reconstructed and
+  private key is accessed.
+
+  To provide migration on the user keys that were encrypted with the
+  storage keys of CS6.1, we need to be able to migrate the public and
+  private keys to the new system. To access the private key, we need
+  to have a way to reconstruct the pin.
+
+  This support package provides 2 utilities that can assist the
+  migration.
+
+Programs
+
+  RecoverPin - This command is to reconstruct the pin. It reads
+               the shares from conf/kra-mn.conf, and prompts for
+               agent passwords. It then reconstructs and prints the
+               pin to the screen.
+
+  RecoverKey - For software token deployment, the encrypted private 
+               key is stored in the file conf/kra-key.db. To recover
+               the private key, the user needs to use the pin obtained
+               from RecoverPin. Once the private key is recovered into
+               the security database. The user can use pk12util to 
+               migrate key to the new installation. For hardware token 
+               deployment, this command is not necessary.
+
+Examples
+
+  Here is an example of RecoverPin usage
+
+  java -classpath <server-root>/bin/cert/jars/cmscore.jar:<server-root>/bin/cert/jars/nsutil.jar:<server-root>/bin/cert/jars/jss3.jar:.  RecoverPin <path to alias directory> <prefix> <password> <key splitting scheme file>
+
+  For example,
+
+  java -classpath /home/user/cs61/servers/bin/cert/jars/cmscore.jar:/export/home/user/cs61/servers/bin/cert/jars/nsutil.jar:/export/home/user/cs61/servers/bin/cert/jars/jss3.jar:.  RecoverPin /export/home/user/cs61/servers/alias "cert-drm-sunburst-" netscape /export/home/user/cs61/servers/cert-drm/config/kra-mn.conf 
+
+  The output is:
+
+  Got uid 'agent1'
+  Got share 'A23UO/q9f40='
+  Got encrypted share length '8'
+  Please input password for agent1:
+  netscape1
+  Got password 'netscape1'
+  Got decrypted share length '2'
+  Got share[0] '0'
+  Got share[1] '0'
+  Got uid 'agent2'
+  Got share 'R+zGVd5zczI='
+  Got encrypted share length '8'
+  Please input password for agent2:
+  netscape2
+  Got password 'netscape2'
+  Got decrypted share length '2'
+  Got share[0] '0'
+  Got share[1] '0'
+  Got uid 'agent3'
+  Got share 'lsipE7cM8jg='
+  Got encrypted share length '8'
+  Please input password for agent3:
+  netscape3
+  Got password 'netscape3'
+  Got decrypted share length '2'
+  Got share[0] '0'
+  Got share[1] '0'
+  Share size '3'
+  Add share 3
+  Add share 2
+  Add share 1
+  => Pin is ''
+
+  Here is an example of RecoverKey usage
+
+  java -classpath <server-root>/bin/cert/jars/cmscore.jar:<server-root>/bin/cert/jars/nsutil.jar:<server-root>/bin/cert/jars/jss3.jar:.  RecoverKey <alias path> <prefix> <db password> <pin from RecoverPin> <nickname> <key db path>
+
+  For example,
+
+  java -classpath /export/home/user/cs61/servers/bin/cert/jars/cmscore.jar:/export/home/user/cs61/servers/bin/cert/jars/nsutil.jar:/export/home/user/cs61/servers/bin/cert/jars/jss3.jar:.  RecoverKey /export/home/user/cs61/servers/alias cert-drm-sunburst- "netscape" "" "kraStorageCert 1161121005622" /export/home/user/cs61/servers/cert-drm/config/kra-key.db
+
+  The output is:
+
+  => Private is 'org.mozilla.jss.pkcs11.PK11RSAPrivateKey@1ab8f9e'
+
+To make the private and public key exportable via pk12util. You need to first
+backup the storage certificate, delete it, and then import it 
+again. For example,
+
+  certutil -d . -P cert-drm-sunburst- \
+                -n "kraStorageCert 1161121005622" -a > storageCert.txt
+
+  certutil -d . -P cert-drm-sunburst- -D -n "kraStorageCert 1161121005622"
+
+  certutil -d . -P cert-drm-sunburst- -A -t "u,u,u" \
+                -n "kraStorageCert 1161121005622" -i storageCert.txt
+
+Finally, you can export the private and public key using pk12util
+
+  pk12util -o storage.p12 -d . -P cert-drm-sunburst- \
+           -n "kraStorageCert 1161121005622"