From 621d9e5c413e561293d7484b93882d985b3fe15f Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata Date: Sat, 24 Mar 2012 02:27:47 -0500 Subject: Removed unnecessary pki folder. Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level. Ticket #131 --- .../com/netscape/certsrv/kra/EKRAException.java | 94 +++++ .../src/com/netscape/certsrv/kra/IJoinShares.java | 36 ++ .../certsrv/kra/IKeyRecoveryAuthority.java | 321 ++++++++++++++ .../src/com/netscape/certsrv/kra/IKeyService.java | 179 ++++++++ .../com/netscape/certsrv/kra/IProofOfArchival.java | 80 ++++ .../src/com/netscape/certsrv/kra/IShare.java | 33 ++ .../src/com/netscape/certsrv/kra/KRAResources.java | 39 ++ .../com/netscape/certsrv/kra/ProofOfArchival.java | 463 +++++++++++++++++++++ 8 files changed, 1245 insertions(+) create mode 100644 base/common/src/com/netscape/certsrv/kra/EKRAException.java create mode 100644 base/common/src/com/netscape/certsrv/kra/IJoinShares.java create mode 100644 base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java create mode 100644 base/common/src/com/netscape/certsrv/kra/IKeyService.java create mode 100644 base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java create mode 100644 base/common/src/com/netscape/certsrv/kra/IShare.java create mode 100644 base/common/src/com/netscape/certsrv/kra/KRAResources.java create mode 100644 base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java (limited to 'base/common/src/com/netscape/certsrv/kra')
diff --git a/base/common/src/com/netscape/certsrv/kra/EKRAException.java b/base/common/src/com/netscape/certsrv/kra/EKRAException.java
new file mode 100644
index 000000000..3f23bfe78
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/EKRAException.java
@@ -0,0 +1,94 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import com.netscape.certsrv.base.EBaseException;
+
+/**
+ * A class represents a KRA exception. This is the base
+ * exception for all the KRA specific exceptions. It is
+ * associated with KRAResources.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class EKRAException extends EBaseException {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -6803576959258754821L;
+ /**
+ * KRA resource class name.
+ *

+ */
+ private static final String KRA_RESOURCES = KRAResources.class.getName();
+
+ /**
+ * Constructs a KRA exception.
+ *

+ *
+ * @param msgFormat constant from KRAResources.
+ */
+ public EKRAException(String msgFormat) {
+ super(msgFormat);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ *

+ *
+ * @param msgFormat constant from KRAResources.
+ * @param param additional parameters to the message.
+ */
+ public EKRAException(String msgFormat, String param) {
+ super(msgFormat, param);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ *

+ *
+ * @param msgFormat constant from KRAResources.
+ * @param e embedded exception.
+ */
+ public EKRAException(String msgFormat, Exception e) {
+ super(msgFormat, e);
+ }
+
+ /**
+ * Constructs a KRA exception.
+ *

+ *
+ * @param msgFormat constant from KRAResources.
+ * @param params additional parameters to the message.
+ */
+ public EKRAException(String msgFormat, Object params[]) {
+ super(msgFormat, params);
+ }
+
+ /**
+ * Returns the bundle file name.
+ *

+ *
+ * @return name of bundle class associated with this exception.
+ */
+ protected String getBundleName() {
+ return KRA_RESOURCES;
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/IJoinShares.java b/base/common/src/com/netscape/certsrv/kra/IJoinShares.java
new file mode 100644
index 000000000..e9a5ecae5
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IJoinShares.java
@@ -0,0 +1,36 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+/**
+ * Use Java's reflection API to leverage CMS's
+ * old Share and JoinShares implementations.
+ *
+ * @deprecated
+ * @version $Revision$ $Date$
+ */
+public interface IJoinShares {
+
+ public void initialize(int threshold) throws Exception;
+
+ public void addShare(int shareNum, byte[] share);
+
+ public int getShareCount();
+
+ public byte[] recoverSecret();
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
new file mode 100644
index 000000000..a7cc40507
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
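Review bot: The four methods of `IJoinShares` carry no Javadoc, although `recoverSecret()` returns the reconstructed secret as a plain `byte[]` and `addShare(int shareNum, byte[] share)` receives share material. Each method should state its contract, for example on `recoverSecret()`: `/** Returns the secret rebuilt from the added shares; callers should overwrite the returned array once it is no longer needed. */`, and the doc should say what happens when fewer shares than the `threshold` given to `initialize` have been added. The bare `@deprecated` tag names no replacement, and `initialize(int threshold) throws Exception` gives callers no narrower type to catch. `IShare`, added later in this patch, has the same gaps on `initialize(byte[] secret, int threshold)` and `createShare(int sharenumber)`.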
@@ -0,0 +1,321 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.Vector;
+
+import netscape.security.x509.X500Name;
+
+import org.mozilla.jss.crypto.CryptoToken;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.ISubsystem;
+import com.netscape.certsrv.dbs.keydb.IKeyRepository;
+import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository;
+import com.netscape.certsrv.policy.IPolicyProcessor;
+import com.netscape.certsrv.request.IRequestListener;
+import com.netscape.certsrv.request.IRequestQueue;
+import com.netscape.certsrv.request.RequestId;
+import com.netscape.certsrv.security.Credential;
+import com.netscape.certsrv.security.IStorageKeyUnit;
+import com.netscape.certsrv.security.ITransportKeyUnit;
+
+/**
+ * An interface represents key recovery authority. The
+ * key recovery authority is responsibile for archiving
+ * and recovering user encryption private keys.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IKeyRecoveryAuthority extends ISubsystem {
+
+ public static final String ID = "kra";
+
+ public final static String PROP_NAME = "name";
+ public final static String PROP_HTTP = "http";
+ public final static String PROP_POLICY = "policy";
+ public final static String PROP_DBS = "dbs";
+ public final static String PROP_TOKEN = "token";
+ public final static String PROP_SHARE = "share";
+ public final static String PROP_PROTECTOR = "protector";
+ public final static String PROP_LOGGING = "logging";
+ public final static String PROP_QUEUE_REQUESTS = "queueRequests";
+ public final static String PROP_STORAGE_KEY = "storageUnit";
+ public final static String PROP_TRANSPORT_KEY = "transportUnit";
+ public static final String PROP_NEW_NICKNAME = "newNickname";
+ public static final String PROP_KEYDB_INC = "keydbInc";
+
+ public final static String PROP_NOTIFY_SUBSTORE = "notification";
+ public final static String PROP_REQ_IN_Q_SUBSTORE = "requestInQ";
+
+ /**
+ * Returns the name of this subsystem.
+ *

+ *
+ * @return KRA name
+ */
+ public X500Name getX500Name();
+
+ /**
+ * Retrieves KRA request repository.
+ *

+ *
+ * @return request repository
+ */
+ public IRequestQueue getRequestQueue();
+
+ /**
+ * Retrieves the key repository. The key repository
+ * stores archived keys.
+ *

+ */
+ public IKeyRepository getKeyRepository();
+
+ /**
+ * Retrieves the Replica ID repository.
+ *
+ * @return KRA's Replica ID repository
+ */
+ public IReplicaIDRepository getReplicaRepository();
+
+ /**
+ * Enables the auto recovery state. Once KRA is in the auto
+ * recovery state, no recovery agents need to be present for
+ * providing credentials. This feature is for enabling
+ * user-based recovery operation.
+ *

+ *
+ * @param cs list of agent credentials
+ * @param on true if auto recovery state is on
+ * @return current auto recovery state
+ */
+ public boolean setAutoRecoveryState(Credential cs[], boolean on);
+
+ /**
+ * Returns the current auto recovery state.
+ *
+ * @return true if auto recvoery state is on
+ */
+ public boolean getAutoRecoveryState();
+
+ /**
+ * Adds credentials to the given authorizated recovery operation.
+ * In distributed recovery mode, recovery agent login to the
+ * agent interface and submit its credential for a particular
+ * recovery operation.
+ *
+ * @param id authorization identifier
+ * @param creds list of credentials
+ */
+ public void addAutoRecovery(String id, Credential creds[]);
+
+ /**
+ * Removes a particular auto recovery operation.
+ *
+ * @param id authorization identifier
+ */
+ public void removeAutoRecovery(String id);
+
+ /**
+ * Returns the number of required agents. In M-out-of-N
+ * recovery schema, only M agents are required even there
+ * are N agents. This method returns M.
+ *
+ * @return number of required agents
+ */
+ public int getNoOfRequiredAgents() throws EBaseException;
+
+ /**
+ * Sets the number of required recovery agents
+ *
+ * @param number number of agents
+ */
+ public void setNoOfRequiredAgents(int number) throws EBaseException;
+
+ /**
+ * Returns the current recovery identifier.
+ *
+ * @return recovery identifier
+ */
+ public String getRecoveryID();
+
+ /**
+ * Returns a list of recovery identifiers.
+ *
+ * @return list of auto recovery identifiers
+ */
+ public Enumeration getAutoRecoveryIDs();
+
+ /**
+ * Returns the storage key unit that manages the
+ * stoarge key.
+ *
+ * @return storage key unit
+ */
+ public IStorageKeyUnit getStorageKeyUnit();
+
+ /**
+ * Returns the transport key unit that manages the
+ * transport key.
+ *
+ * @return transport key unit
+ */
+ public ITransportKeyUnit getTransportKeyUnit();
+
+ /**
+ * Returns the token that generates user key pairs for supporting server-side keygen
+ *
+ * @return keygen token
+ */
+ public CryptoToken getKeygenToken();
+
+ /**
+ * Adds entropy to the token used for supporting server-side keygen
+ * Parameters are set in the config file
+ *
+ * @param logflag create log messages at info level to report entropy shortage
+ */
+ public void addEntropy(boolean logflag);
+
+ /**
+ * Returns the request listener that listens on
+ * the request completion event.
+ *
+ * @return request listener
+ */
+ public IRequestListener getRequestInQListener();
+
+ /**
+ * Returns policy processor of the key recovery
+ * authority.
+ * @deprecated
+ * @return policy processor
+ */
+ public IPolicyProcessor getPolicyProcessor();
+
+ /**
+ * Returns the nickname of the transport certificate.
+ *
+ * @return transport certificate nickname.
+ */
+ public String getNickname();
+
+ /**
+ * Sets the nickname of the transport certificate.
+ *
+ * @param str nickname
+ */
+ public void setNickname(String str);
+
+ /**
+ * Returns the new nickname of the transport certifiate.
+ *
+ * @return new nickname
+ */
+ public String getNewNickName() throws EBaseException;
+
+ /**
+ * Sets the new nickname of the transport certifiate.
+ *
+ * @param name new nickname
+ */
+ public void setNewNickName(String name);
+
+ /**
+ * Logs event into key recovery authority logging.
+ *
+ * @param level log level
+ * @param msg log message
+ */
+ public void log(int level, String msg);
+
+ /**
+ * Creates a request object to store attributes that
+ * will not be serialized. Currently, request queue
+ * framework will try to serialize all the attribute into
+ * persistent storage. Things like passwords are not
+ * desirable to be stored.
+ *
+ * @param id request id
+ * @return volatile requests
+ */
+ public Hashtable createVolatileRequest(RequestId id);
+
+ /**
+ * Retrieves the request object.
+ *
+ * @param id request id
+ * @return volatile requests
+ */
+ public Hashtable getVolatileRequest(RequestId id);
+
+ /**
+ * Destroys the request object.
+ *
+ * @param id request id
+ */
+ public void destroyVolatileRequest(RequestId id);
+
+ public Vector getAppAgents(
+ String recoveryID) throws EBaseException;
+
+ /**
+ * Creates error for a specific recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @param error error
+ * @exception EBaseException failed to create error
+ */
+ public void createError(String recoveryID, String error)
+ throws EBaseException;
+
+ /**
+ * Retrieves error by recovery identifier.
+ *
+ * @param recoveryID recovery id
+ * @return error message
+ */
+ public String getError(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Retrieves PKCS12 package by recovery identifier.
+ *
+ * @param recoveryID recovery id
+ * @return pkcs12 package in bytes
+ */
+ public byte[] getPk12(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Creates PKCS12 package in memory.
+ *
+ * @param recoveryID recovery id
+ * @param pk12 package in bytes
+ */
+ public void createPk12(String recoveryID, byte[] pk12)
+ throws EBaseException;
+
+ /**
+ * Retrieves the transport certificate.
+ */
+ public org.mozilla.jss.crypto.X509Certificate getTransportCert();
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/IKeyService.java b/base/common/src/com/netscape/certsrv/kra/IKeyService.java
new file mode 100644
index 000000000..13748f2d1
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IKeyService.java
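Review bot: The Javadoc of `setAutoRecoveryState(Credential cs[], boolean on)` says that once the state is on no recovery agents need to be present, but it does not say what the method does when the credentials in `cs` are not accepted. `@return current auto recovery state` leaves the caller to infer a rejection from the returned value; the contract would be clearer as `@return the auto recovery state after the call; unchanged when cs is not accepted` (if that is the intended behaviour), together with a sentence on whether the switch is recorded in the audit log. `createVolatileRequest` is documented as the place for values such as passwords that must not be serialized, so its comment should also say when `destroyVolatileRequest` is expected to be called. `getAppAgents(String recoveryID)` has no Javadoc at all.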
@@ -0,0 +1,179 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.math.BigInteger;
+import java.util.Hashtable;
+
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.security.Credential;
+
+/**
+ * An interface representing a recovery service.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IKeyService {
+
+ /**
+ * Retrieves number of agent required to perform
+ * key recovery operation.
+ *
+ * @return number of required recovery agents
+ * @exception EBaseException failed to retrieve value
+ */
+ public int getNoOfRequiredAgents() throws EBaseException;
+
+ /**
+ * is async recovery request status APPROVED -
+ * i.e. all required # of recovery agents approved
+ *
+ * @param reqID request id
+ * @return true if # of recovery required agents approved; false otherwise
+ */
+ public boolean isApprovedAsyncKeyRecovery(String reqID)
+ throws EBaseException;
+
+ /**
+ * get async recovery request initiating agent
+ *
+ * @param reqID request id
+ * @return agentUID
+ */
+ public String getInitAgentAsyncKeyRecovery(String reqID)
+ throws EBaseException;
+
+ /**
+ * Initiate asynchronous key recovery
+ *
+ * @param kid key identifier
+ * @param cert certificate embedded in PKCS12
+ * @return requestId
+ * @exception EBaseException failed to initiate async recovery
+ */
+ public String initAsyncKeyRecovery(BigInteger kid, X509CertImpl cert, String agent)
+ throws EBaseException;
+
+ /**
+ * add approving agent in asynchronous key recovery
+ *
+ * @param reqID request id
+ * @param agentID agent id
+ * @exception EBaseException failed to initiate async recovery
+ */
+ public void addAgentAsyncKeyRecovery(String reqID, String agentID)
+ throws EBaseException;
+
+ /**
+ * Performs administrator-initiated key recovery.
+ *
+ * @param kid key identifier
+ * @param creds list of credentials (id and password)
+ * @param pwd password to protect PKCS12
+ * @param cert certificate embedded in PKCS12
+ * @param delivery delivery mechanism
+ * @return pkcs12
+ * @exception EBaseException failed to perform recovery
+ */
+ public byte[] doKeyRecovery(BigInteger kid,
+ Credential creds[], String pwd, X509CertImpl cert,
+ String delivery, String nickname, String agent) throws EBaseException;
+
+ /**
+ * Async Recovers key for administrators. This method is
+ * invoked by the agent operation of the key recovery servlet.
+ *

+ *
+ *

+ *
+ * @param reqID request id
+ * @param password password of the PKCS12 package
+ * subsystem
+ * @exception EBaseException failed to recover key
+ * @return a byte array containing the key
+ */
+ public byte[] doKeyRecovery(
+ String reqID,
+ String password)
+ throws EBaseException;
+
+ /**
+ * Retrieves recovery identifier.
+ *
+ * @return recovery id
+ */
+ public String getRecoveryID();
+
+ /**
+ * Creates recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return recovery parameters
+ * @exception EBaseException failed to create
+ */
+ public Hashtable createRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Destroys recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @exception EBaseException failed to destroy
+ */
+ public void destroyRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Retrieves recovery parameters for the given recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return recovery parameters
+ * @exception EBaseException failed to retrieve
+ */
+ public Hashtable getRecoveryParams(String recoveryID)
+ throws EBaseException;
+
+ /**
+ * Adds password in the distributed recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @param uid agent uid
+ * @param pwd agent password
+ * @exception EBaseException failed to add
+ */
+ public void addDistributedCredential(String recoveryID,
+ String uid, String pwd) throws EBaseException;
+
+ /**
+ * Retrieves credentials in the distributed recovery operation.
+ *
+ * @param recoveryID recovery id
+ * @return agent's credentials
+ * @exception EBaseException failed to retrieve
+ */
+ public Credential[] getDistributedCredentials(String recoveryID)
+ throws EBaseException;
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java b/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java
new file mode 100644
index 000000000..20ac336e5
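Review bot: The recovery entry points take secrets as `String`: `pwd` in the seven-argument `doKeyRecovery`, `password` in `doKeyRecovery(String reqID, String password)`, and `pwd` in `addDistributedCredential(String recoveryID, String uid, String pwd)`. A `String` cannot be cleared after use, so the PKCS12 password and the agent passwords stay on the heap until collected; because the implementers of this interface are outside the patch, a compatible step is to add `char[]` variants in a follow-up and to document the lifetime expectation here. The Javadoc is also incomplete for the parameters that identify who acts: the seven-argument `doKeyRecovery` lacks `@param nickname` and `@param agent`, and `initAsyncKeyRecovery` lacks `@param agent`, for example `@param agent uid of the agent initiating the recovery` (presumably the value `getInitAgentAsyncKeyRecovery` returns).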
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IProofOfArchival.java
@@ -0,0 +1,80 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.math.BigInteger;
+import java.util.Date;
+
+/**
+ * An interface represents a proof of archival.
+ *

+ * Here is the ASN1 definition of a proof of escrow:
+ *
+ *

+ * ProofOfArchival ::= SIGNED {
+ *   SEQUENCE {
+ *     version [0] Version DEFAULT v1,
+ *     serialNumber INTEGER,
+ *     subjectName Name,
+ *     issuerName Name,
+ *     dateOfArchival Time,
+ *     extensions [1] Extensions OPTIONAL
+ *   }
+ * }
+ * 
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public interface IProofOfArchival {
+
+ /**
+ * Retrieves version of this proof.
+ *
+ * @return version
+ */
+ public BigInteger getVersion();
+
+ /**
+ * Retrieves the serial number.
+ *
+ * @return serial number
+ */
+ public BigInteger getSerialNumber();
+
+ /**
+ * Retrieves the subject name.
+ *
+ * @return subject name
+ */
+ public String getSubjectName();
+
+ /**
+ * Retrieves the issuer name.
+ *
+ * @return issuer name
+ */
+ public String getIssuerName();
+
+ /**
+ * Returns the beginning of the escrowed perioid.
+ *
+ * @return date of archival
+ */
+ public Date getDateOfArchival();
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/IShare.java b/base/common/src/com/netscape/certsrv/kra/IShare.java
new file mode 100644
index 000000000..19e7d7ce2
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/IShare.java
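Review bot: `getDateOfArchival()` returns a mutable `java.util.Date` and the interface does not say whether callers receive a copy. The `ProofOfArchival` implementation added in this patch returns its `mDateOfArchival` field directly, so code holding the returned object can alter the archival date of the proof. The contract should be stated in the Javadoc, e.g. `@return date of archival; implementations return a copy, never the internal instance`, and the implementation adjusted to match. The summary line `Returns the beginning of the escrowed perioid.` also misspells "period", and the type comment introduces the ASN.1 as "a proof of escrow" while the structure is named `ProofOfArchival`.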
@@ -0,0 +1,33 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+/**
+ * Use Java's reflection API to leverage CMS's
+ * old Share and JoinShares implementations.
+ *
+ * @deprecated
+ * @version $Revision$ $Date$
+ */
+public interface IShare {
+
+ public void initialize(byte[] secret, int threshold) throws Exception;
+
+ public byte[] createShare(int sharenumber);
+
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/KRAResources.java b/base/common/src/com/netscape/certsrv/kra/KRAResources.java
new file mode 100644
index 000000000..14b686e63
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/KRAResources.java
@@ -0,0 +1,39 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.util.ListResourceBundle;
+
+/**
+ * A class represents a resource bundle for KRA subsystem.
+ *

+ *
+ * @version $Revision$, $Date$
+ */
+public class KRAResources extends ListResourceBundle {
+
+ /**
+ * Returns the content of this resource.
+ */
+ public Object[][] getContents() {
+ return contents;
+ }
+
+ static final Object[][] contents = {
+ };
+}
diff --git a/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java b/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java
new file mode 100644
index 000000000..df05c882f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/kra/ProofOfArchival.java
@@ -0,0 +1,463 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2007 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.kra;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Serializable;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.Vector;
+
+import netscape.security.util.BigInt;
+import netscape.security.util.DerOutputStream;
+import netscape.security.util.DerValue;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.X500Name;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.dbs.IDBObj;
+
+/**
+ * A class represents a proof of escrow. It indicates a key
+ * pairs have been escrowed by appropriate authority. The
+ * structure of this object is very similar (if not exact) to
+ * X.509 certificate. A proof of escrow is signed by an escrow
+ * authority.
It is possible to have a CMS policy to reject
+ * the certificate issuance request if proof of escrow is not
+ * presented.
+ *

+ * Here is the ASN1 definition of a proof of escrow:
+ *
+ *

+ * ProofOfEscrow ::= SIGNED {
+ *   SEQUENCE {
+ *     version [0] Version DEFAULT v1,
+ *     serialNumber INTEGER,
+ *     subjectName Name,
+ *     issuerName Name,
+ *     dateOfArchival Time,
+ *     extensions [1] Extensions OPTIONAL
+ *   }
+ * }
+ * 
+ *

+ *
+ * @author thomask
+ * @version $Revision$, $Date$
+ */
+public class ProofOfArchival implements IDBObj, IProofOfArchival, Serializable {
+
+ /**
+ *
+ */
+ private static final long serialVersionUID = -2533562170977678799L;
+
+ /**
+ * Constants
+ */
+ public static final BigInteger DEFAULT_VERSION = new BigInteger("1");
+
+ public static final String ATTR_VERSION = "pofVersion";
+ public static final String ATTR_SERIALNO = "pofSerialNo";
+ public static final String ATTR_SUBJECT = "pofSubject";
+ public static final String ATTR_ISSUER = "pofIssuer";
+ public static final String ATTR_DATE_OF_ARCHIVAL = "pofDateOfArchival";
+
+ protected BigInteger mSerialNo = null;
+ protected BigInteger mVersion = null;
+ protected String mSubject = null;
+ protected String mIssuer = null;
+ protected Date mDateOfArchival = null;
+
+ protected static Vector mNames = new Vector();
+ static {
+ mNames.addElement(ATTR_VERSION);
+ mNames.addElement(ATTR_SERIALNO);
+ mNames.addElement(ATTR_SUBJECT);
+ mNames.addElement(ATTR_ISSUER);
+ mNames.addElement(ATTR_DATE_OF_ARCHIVAL);
+ }
+
+ /**
+ * Constructs a proof of escrow.
+ *

+ *
+ * @param serialNo serial number of proof
+ * @param subject subject name
+ * @param issuer issuer name
+ * @param dateOfArchival date of archival
+ */
+ public ProofOfArchival(BigInteger serialNo, String subject,
+ String issuer, Date dateOfArchival) {
+ mVersion = DEFAULT_VERSION;
+ mSerialNo = serialNo;
+ mSubject = subject;
+ mIssuer = issuer;
+ mDateOfArchival = dateOfArchival;
+ }
+
+ /**
+ * Constructs proof of escrow from input stream.
+ *

+ *
+ * @param in encoding source
+ * @exception EBaseException failed to decode
+ */
+ public ProofOfArchival(InputStream in) throws EBaseException {
+ decode(in);
+ }
+
+ /**
+ * Sets an attribute value.
+ *

+ *
+ * @param name attribute name
+ * @param obj attribute value
+ * @exception EBaseException failed to set attribute
+ */
+ public void set(String name, Object obj) throws EBaseException {
+ if (name.equals(ATTR_VERSION)) {
+ mVersion = (BigInteger) obj;
+ } else if (name.equals(ATTR_SERIALNO)) {
+ mSerialNo = (BigInteger) obj;
+ } else if (name.equals(ATTR_SUBJECT)) {
+ mSubject = (String) obj;
+ } else if (name.equals(ATTR_ISSUER)) {
+ mIssuer = (String) obj;
+ } else if (name.equals(ATTR_DATE_OF_ARCHIVAL)) {
+ mDateOfArchival = (Date) obj;
+ } else {
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
+ }
+ }
+
+ /**
+ * Retrieves the value of an named attribute.
+ *

+ *
+ * @param name attribute name
+ * @return attribute value
+ * @exception EBaseException failed to get attribute
+ */
+ public Object get(String name) throws EBaseException {
+ if (name.equals(ATTR_VERSION)) {
+ return mVersion;
+ } else if (name.equals(ATTR_SERIALNO)) {
+ return mSerialNo;
+ } else if (name.equals(ATTR_SUBJECT)) {
+ return mSubject;
+ } else if (name.equals(ATTR_ISSUER)) {
+ return mIssuer;
+ } else if (name.equals(ATTR_DATE_OF_ARCHIVAL)) {
+ return mDateOfArchival;
+ } else {
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
+ }
+ }
+
+ /**
+ * Deletes an attribute.
+ *

+ *
+ * @param name attribute name
+ * @exception EBaseException failed to get attribute
+ */
+ public void delete(String name) throws EBaseException {
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
+ }
+
+ /**
+ * Retrieves a list of possible attribute names.
+ *

+ *
+ * @return a list of names
+ */
+ public Enumeration getElements() {
+ return mNames.elements();
+ }
+
+ /**
+ * Retrieves serializable attribute names.
+ *
+ * @return a list of serializable attribute names
+ */
+ public Enumeration getSerializableAttrNames() {
+ return mNames.elements();
+ }
+
+ /**
+ * Retrieves version of this proof.
+ *

+ *
+ * @return version
+ */
+ public BigInteger getVersion() {
+ return mVersion;
+ }
+
+ /**
+ * Retrieves the serial number.
+ *

+ *
+ * @return serial number
+ */
+ public BigInteger getSerialNumber() {
+ return mSerialNo;
+ }
+
+ /**
+ * Retrieves the subject name.
+ *

+ *
+ * @return subject name
+ */
+ public String getSubjectName() {
+ return mSubject;
+ }
+
+ /**
+ * Retrieves the issuer name.
+ *

+ *
+ * @return issuer name
+ */
+ public String getIssuerName() {
+ return mIssuer;
+ }
+
+ /**
+ * Returns the beginning of the escrowed perioid.
+ *

+ *
+ * @return date of archival
+ */
+ public Date getDateOfArchival() {
+ return mDateOfArchival;
+ }
+
+ /**
+ * Encodes this proof of escrow into the given
+ * output stream.
+ *

+ */
+ public void encode(DerOutputStream out) throws EBaseException {
+ try {
+ DerOutputStream seq = new DerOutputStream();
+
+ // version (OPTIONAL)
+ if (!mVersion.equals(DEFAULT_VERSION)) {
+ DerOutputStream version = new DerOutputStream();
+
+ version.putInteger(new BigInt(mVersion));
+ seq.write(DerValue.createTag(
+ DerValue.TAG_CONTEXT, true, (byte) 0),
+ version);
+ }
+
+ // serial number
+ seq.putInteger(new BigInt(mSerialNo));
+
+ // subject name
+ new X500Name(mSubject).encode(seq);
+
+ // issuer name
+ new X500Name(mIssuer).encode(seq);
+
+ // issue date
+ seq.putUTCTime(mDateOfArchival);
+ out.write(DerValue.tag_Sequence, seq);
+
+ } catch (IOException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED", e.toString()));
+ }
+ }
+
+ /**
+ * Encodes and signs this proof of escrow.
+ *

+ */
+ public void encodeAndSign(PrivateKey key, String algorithm,
+ String provider, DerOutputStream out)
+ throws EBaseException {
+
+ try {
+ Signature sigEngine = null;
+
+ if (provider == null) {
+ sigEngine = Signature.getInstance(algorithm);
+ } else {
+ sigEngine = Signature.getInstance(algorithm,
+ provider);
+ }
+
+ sigEngine.initSign(key);
+ DerOutputStream tmp = new DerOutputStream();
+
+ encode(tmp);
+
+ AlgorithmId sigAlgId = AlgorithmId.get(
+ sigEngine.getAlgorithm());
+
+ sigAlgId.encode(tmp);
+ byte dataToSign[] = tmp.toByteArray();
+
+ sigEngine.update(dataToSign, 0, dataToSign.length);
+ byte signature[] = sigEngine.sign();
+
+ tmp.putBitString(signature);
+ out.write(DerValue.tag_Sequence, tmp);
+ return;
+ } catch (NoSuchAlgorithmException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (NoSuchProviderException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (InvalidKeyException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (SignatureException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ } catch (IOException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_ENCODE_FAILED_1", e.toString()));
+ }
+ }
+
+ /**
+ * Decodes the input stream.
+ *

+ */
+ public void decode(InputStream in) throws EBaseException {
+ try {
+ // POA is a SIGNED ASN.1 macro, a three element sequence:
+ // - Data to be signed (ToBeSigned) -- the "raw" data
+ // - Signature algorithm (SigAlgId)
+ // - The Signature bits
+
+ DerValue val = new DerValue(in);
+
+ DerValue seq[] = new DerValue[3];
+
+ seq[0] = val.data.getDerValue();
+ if (seq[0].tag == DerValue.tag_Sequence) {
+ // with signature
+ seq[1] = val.data.getDerValue();
+ seq[2] = val.data.getDerValue();
+ if (seq[1].data.available() != 0) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1",
+ "no algorithm found"));
+ }
+
+ if (seq[2].data.available() != 0) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1",
+ "no signature found"));
+ }
+
+ @SuppressWarnings("unused")
+ AlgorithmId algid = AlgorithmId.parse(seq[1]); // consume algid
+
+ @SuppressWarnings("unused")
+ byte signature[] = seq[2].getBitString(); // consume signature
+
+ decodePOA(val, null);
+ } else {
+ // without signature
+ decodePOA(val, seq[0]);
+ }
+ } catch (IOException e) {
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", e.toString()));
+ }
+ }
+
+ /**
+ * Decodes proof of escrow.
+ *

+ */ + private void decodePOA(DerValue val, DerValue preprocessed) + throws EBaseException { + try { + DerValue tmp = null; + + if (preprocessed == null) { + if (val.tag != DerValue.tag_Sequence) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", + "not start with sequence")); + } + tmp = val.data.getDerValue(); + } else { + tmp = preprocessed; + } + + // version + if (tmp.isContextSpecific((byte) 0)) { + if (tmp.isConstructed() && tmp.isContextSpecific()) { + DerValue version = tmp.data.getDerValue(); + BigInt ver = version.getInteger(); + + mVersion = ver.toBigInteger(); + tmp = val.data.getDerValue(); + } + } else { + mVersion = DEFAULT_VERSION; + } + + // serial number + DerValue serialno = tmp; + + mSerialNo = serialno.getInteger().toBigInteger(); + + // subject + DerValue subject = val.data.getDerValue(); + + // mSubject = new X500Name(subject); // doesnt work + mSubject = new String(subject.toByteArray()); + + // issuer + DerValue issuer = val.data.getDerValue(); + + mIssuer = new String(issuer.toByteArray()); + + // date of archival + mDateOfArchival = val.data.getUTCTime(); + } catch (IOException e) { + throw new EKRAException(CMS.getUserMessage("CMS_KRA_POA_DECODE_FAILED_1", e.toString())); + } + } + + /** + * Retrieves the string reprensetation of this + * proof of archival. + */ + public String toString() { + return "Version: " + mVersion.toString() + "\n" + + "SerialNo: " + mSerialNo.toString() + "\n" + + "Subject: " + mSubject + "\n" + + "Issuer: " + mIssuer + "\n" + + "DateOfArchival: " + mDateOfArchival.toString(); + } + +} -- cgit