From 7b3df7e287eb544a0bacba93abeea48e72e49db6 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Sun, 30 Sep 2012 17:40:43 -0700 Subject: https://fedorahosted.org/pki/ticket/252 - TMS - ECC Key Recovery --- .../com/netscape/kra/TokenKeyRecoveryService.java | 10 +-- base/tps/src/engine/RA.cpp | 11 ++- base/tps/src/processor/RA_Enroll_Processor.cpp | 82 ++++++++++++++++------ 3 files changed, 74 insertions(+), 29 deletions(-) diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index 8fa409cf5..8109cee68 100644 --- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java @@ -516,18 +516,18 @@ public class TokenKeyRecoveryService implements IService { } //convert and put in the public key - String b64PKey = base64Encode(pubData); + String PubKey = com.netscape.cmsutil.util.Utils.SpecialEncode(pubData); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST, auditSubjectID, ILogger.SUCCESS, auditRecoveryID, - b64PKey); + PubKey); audit(auditMessage); - if (b64PKey == null) { + if (PubKey == null) { request.setExtData(IRequest.RESULT, Integer.valueOf(4)); CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); auditMessage = CMS.getLogMessage( @@ -541,9 +541,9 @@ public class TokenKeyRecoveryService implements IService { return false; } else { CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = " + - b64PKey); + PubKey); } - request.setExtData("public_key", b64PKey); + request.setExtData("public_key", PubKey); auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED, auditSubjectID, diff --git a/base/tps/src/engine/RA.cpp b/base/tps/src/engine/RA.cpp index 2502cf259..436225045 100644 --- a/base/tps/src/engine/RA.cpp +++ b/base/tps/src/engine/RA.cpp @@ -1233,7 +1233,14 @@ void RA::RecoverKey(RA_Session *session, const char* cuid, goto loser; } else { RA::Debug(LL_PER_PDU, "RecoverKey", "got public key =%s", tmp); - *publicKey_s = PL_strdup(tmp); + char *tmp_publicKey_s = PL_strdup(tmp); + Buffer *decodePubKey = Util::URLDecode(tmp_publicKey_s); + *publicKey_s = + BTOA_DataToAscii(decodePubKey->getBuf(), decodePubKey->getLen()); + if (tmp_publicKey_s) + PR_Free (tmp_publicKey_s); + if (decodePubKey) + PR_Free(decodePubKey); } tmp = NULL; @@ -1251,7 +1258,7 @@ void RA::RecoverKey(RA_Session *session, const char* cuid, RA::Error(LL_PER_PDU, "RecoverKey", "did not get iv_param for recovered key in DRM response"); } else { - RA::Debug(LL_PER_PDU, "ServerSideKeyGen", "got iv_param for recovered key =%s", tmp); + RA::Debug(LL_PER_PDU, "RecoverKey", "got iv_param for recovered key =%s", tmp); *ivParam_s = PL_strdup(tmp); } diff --git a/base/tps/src/processor/RA_Enroll_Processor.cpp b/base/tps/src/processor/RA_Enroll_Processor.cpp index 874720685..6922dc2aa 100644 --- a/base/tps/src/processor/RA_Enroll_Processor.cpp +++ b/base/tps/src/processor/RA_Enroll_Processor.cpp @@ -4222,6 +4222,12 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se int isGenerateandRecover = 0; const char *FN="RA_Enroll_Processor::ProcessRecovery"; + bool isECC = false; + BYTE algorithm; + CERTSubjectPublicKeyInfo* spkix = NULL; + SECKEYECParams *eccParams = NULL; + SECKEYPublicKey *pk_p = NULL; + RA::Debug("RA_Enroll_Processor::ProcessRecovery","entering..."); // get key version for audit logs if (channel != NULL) { @@ -4242,6 +4248,16 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se goto loser; } + PR_snprintf((char *)configname, 256, "op.enroll.%s.keyGen.encryption.alg", tokenType); + //Default RSA_CRT=2 + algorithm = (BYTE) RA::GetConfigStore()->GetConfigAsInt(configname, 2); + isECC = RA::isAlgorithmECC(algorithm); + if (isECC) { + RA::Debug("RA_Enroll_Processor::ProcessRecovery", "algorithm is ECC"); + } else { + RA::Debug("RA_Enroll_Processor::ProcessRecovery", "algorithm is not ECC"); + } + //We will have to rifle through the configuration to see if there any recovery operations with //scheme "GenerateNewKeyandRecoverLast" which allows for recovering the old key AND generating a new // one for the encryption type only. If this scheme is present, the number of certs for bump by @@ -4426,14 +4442,13 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se RA::Debug("RA_Enroll_Processor::ProcessRecovery", "begin recovery code"); - SECKEYPublicKey *pk_p = NULL; SECItem si_mod; Buffer *modulus=NULL; SECItem *si_kid = NULL; Buffer *keyid=NULL; SECItem si_exp; Buffer *exponent=NULL; - CERTSubjectPublicKeyInfo* spkix = NULL; + CERTSubjectPublicKeyInfo* spki = NULL; //Now we have to get the original config params for the encryption cert and keys @@ -4608,7 +4623,7 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se goto rloser; */ } else - RA::Debug(LL_PER_PDU, "DoEnrollment", "o_priv = %s", o_priv); + RA::Debug(LL_PER_PDU, "DoEnrollment", "o_priv not NULL"); if (ivParam == NULL) { RA::Debug(LL_PER_CONNECTION,"RA_Enroll_Processor::ProcessRecovery", @@ -4628,7 +4643,6 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se */ SECStatus rv; SECItem der; - CERTSubjectPublicKeyInfo* spki; der.type = (SECItemType) 0; /* initialize it, since convertAsciiToItem does not set it */ rv = ATOB_ConvertAsciiToItem (&der, o_pub); @@ -4643,7 +4657,6 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se RA::Debug(LL_PER_PDU, "ProcessRecovery", "item len=%d, item type=%d",der.len, der.type); spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&der); - SECITEM_FreeItem(&der, PR_FALSE); if (spki != NULL) { RA::Debug("RA_Enroll_Processor::ProcessRecovery", "after converting public key spki is not NULL"); @@ -4656,6 +4669,7 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se RA::Debug("RA_Enroll_Processor::ProcessRecovery", "after converting public key, spki is NULL"); } + SECITEM_FreeItem(&der, PR_FALSE); SECKEY_DestroySubjectPublicKeyInfo(spki); if( pk_p == NULL ) { @@ -4682,11 +4696,12 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se keyVersion != NULL? keyVersion : "", "key recovered successfully"); + if (!isECC) { + /* fill in keyid, modulus, and exponent */ - /* fill in keyid, modulus, and exponent */ - - si_mod = pk_p->u.rsa.modulus; - modulus = new Buffer((BYTE*) si_mod.data, si_mod.len); + si_mod = pk_p->u.rsa.modulus; + modulus = new Buffer((BYTE*) si_mod.data, si_mod.len); + } spkix = SECKEY_CreateSubjectPublicKeyInfo(pk_p); @@ -4702,11 +4717,14 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se SECKEY_DestroySubjectPublicKeyInfo(spkix); keyid = new Buffer((BYTE*) si_kid->data, si_kid->len); - si_exp = pk_p->u.rsa.publicExponent; - exponent = new Buffer((BYTE*) si_exp.data, si_exp.len); - RA::Debug(LL_PER_PDU, "RA_Enroll_Processor::Process", - " keyid, modulus and exponent are retrieved"); + if (!isECC) { + si_exp = pk_p->u.rsa.publicExponent; + exponent = new Buffer((BYTE*) si_exp.data, si_exp.len); + + RA::Debug(LL_PER_PDU, "RA_Enroll_Processor::Process", + " keyid, modulus and exponent are retrieved"); + } ktypes[actualCertIndex] = PL_strdup(keyTypeValue); // We now store the token id of the original token @@ -4836,8 +4854,8 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se pkcs11objx->AddObjectSpec(objSpec); } { - Buffer b = channel->CreatePKCS11CertAttrsBuffer( - KEY_TYPE_ENCRYPTION , certAttrId, label, keyid); + Buffer b = channel->CreatePKCS11CertAttrsBuffer( + KEY_TYPE_ENCRYPTION , certAttrId, label, keyid); ObjectSpec *objSpec = ObjectSpec::ParseFromTokenData( (certAttrId[0] << 24) + @@ -4847,9 +4865,18 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se } { - Buffer b = channel->CreatePKCS11PriKeyAttrsBuffer(KEY_TYPE_ENCRYPTION, - privateKeyAttrId, label, keyid, modulus, OP_PREFIX, - tokenType, keyTypePrefix); + Buffer b; + if (!isECC) { + b = channel->CreatePKCS11PriKeyAttrsBuffer(KEY_TYPE_ENCRYPTION, + privateKeyAttrId, label, keyid, modulus, OP_PREFIX, + tokenType, keyTypePrefix); + } else { //isECC + eccParams = &pk_p->u.ec.DEREncodedParams; + b = channel->CreatePKCS11ECCPriKeyAttrsBuffer(KEY_TYPE_ENCRYPTION, + privateKeyAttrId, label, keyid, eccParams, OP_PREFIX, + tokenType, keyTypePrefix); + } + ObjectSpec *objSpec = ObjectSpec::ParseFromTokenData( (privateKeyAttrId[0] << 24) + @@ -4859,9 +4886,17 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se } { - Buffer b = channel->CreatePKCS11PubKeyAttrsBuffer(KEY_TYPE_ENCRYPTION, - publicKeyAttrId, label, keyid, - exponent, modulus, OP_PREFIX, tokenType, keyTypePrefix); + Buffer b; + if (!isECC) { + b = channel->CreatePKCS11PubKeyAttrsBuffer(KEY_TYPE_ENCRYPTION, + publicKeyAttrId, label, keyid, + exponent, modulus, OP_PREFIX, tokenType, keyTypePrefix); + } else { + b = channel->CreatePKCS11ECCPubKeyAttrsBuffer(KEY_TYPE_ENCRYPTION, + publicKeyAttrId, label, keyid,&pk_p->u.ec, eccParams, + OP_PREFIX, tokenType, keyTypePrefix); + } + ObjectSpec *objSpec = ObjectSpec::ParseFromTokenData( (publicKeyAttrId[0] << 24) + @@ -4986,8 +5021,11 @@ bool RA_Enroll_Processor::ProcessRecovery(AuthParams *login, char *reason, RA_Se if( result != NULL ) { ldap_msgfree( result ); } + if (pk_p != NULL) { + RA::Debug(LL_PER_CONNECTION,FN,"ProcessRecovery about to call SECKEY_DestroyPublicKey on pk_p"); + SECKEY_DestroyPublicKey(pk_p); + } - RA::Debug("RA_Enroll_Processor::ProcessRecovery","leaving whole function..."); return r; } -- cgit