From 90f5798079ffe46502552daaddd1b6366eafac62 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Sat, 16 Apr 2016 11:48:52 -0400 Subject: Added realm for archival and key generation through REST This will allow users to specify the realm when generating or archiving a request. No interface change is needed (yet) because the extra parameter is passed through the request. Part of Ticket #2041 --- .../certsrv/key/AsymKeyGenerationRequest.java | 2 + .../netscape/certsrv/key/KeyArchivalRequest.java | 19 +++++ .../src/com/netscape/certsrv/key/KeyClient.java | 90 +++++++++++++++++++--- .../netscape/certsrv/key/KeyGenerationRequest.java | 14 ++++ .../certsrv/key/SymKeyGenerationRequest.java | 2 + 5 files changed, 116 insertions(+), 11 deletions(-) (limited to 'base/common/src/com/netscape/certsrv')
diff --git a/base/common/src/com/netscape/certsrv/key/AsymKeyGenerationRequest.java b/base/common/src/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
index 867c06acf..df3d7acc8 100644
--- a/base/common/src/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
+++ b/base/common/src/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
@@ -56,6 +56,7 @@ public class AsymKeyGenerationRequest extends KeyGenerationRequest {
 attributes.put(KEY_ALGORITHM, form.getFirst(KEY_ALGORITHM));
 attributes.put(KEY_USAGE, form.getFirst(KEY_USAGE));
 attributes.put(TRANS_WRAPPED_SESSION_KEY, form.getFirst(TRANS_WRAPPED_SESSION_KEY));
+ attributes.put(REALM, form.getFirst(REALM));
 String usageString = attributes.get(KEY_USAGE);
 if (!StringUtils.isBlank(usageString)) {
@@ -109,6 +110,7 @@ public class AsymKeyGenerationRequest extends KeyGenerationRequest {
 usages.add(AsymKeyGenerationRequest.ENCRYPT);
 usages.add(AsymKeyGenerationRequest.DECRYPT);
 request.setUsages(usages);
+ request.setRealm("ipa-vault");
 System.out.println(request.toString());
 }
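Review bot: The realm is copied straight from the client form into `attributes` by the added `attributes.put(REALM, form.getFirst(REALM));` with no validation or normalisation, so whatever the caller sends (including an empty `realm=`) becomes the request's realm; the identical line is added in KeyArchivalRequest and SymKeyGenerationRequest. Because the field is described elsewhere in this commit as an authorization realm, it has to be treated as untrusted input, and the server-side access check that consumes it (not part of this diff) is presumably where an unknown or empty realm must be rejected. A comment next to the put such as `// realm is client-supplied; it is validated and authorized server-side, not here` would record that division of responsibility, and `StringUtils.isBlank`, already used two lines below, could map blank input to an absent realm if that is the intended semantics. The enclosing method starts outside the hunk.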
diff --git a/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java b/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java
index 03bbfb53a..d2a7749b3 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java
@@ -52,6 +52,9 @@ public class KeyArchivalRequest extends ResourceMessage {
 private static final String KEY_ALGORITHM = "keyAlgorithm";
 private static final String KEY_SIZE = "keySize";
+ // parameters to set realm
+ private static final String REALM = "realm";
+
 public KeyArchivalRequest() {
 // required for JAXB (defaults)
 setClassName(getClass().getName());
@@ -65,6 +68,7 @@ public class KeyArchivalRequest extends ResourceMessage {
 attributes.put(KEY_SIZE, form.getFirst(KEY_SIZE));
 attributes.put(PKI_ARCHIVE_OPTIONS, form.getFirst(PKI_ARCHIVE_OPTIONS));
 attributes.put(TRANS_WRAPPED_SESSION_KEY, form.getFirst(TRANS_WRAPPED_SESSION_KEY));
+ attributes.put(REALM, form.getFirst(REALM));
 setClassName(getClass().getName());
 }
@@ -199,6 +203,20 @@ public class KeyArchivalRequest extends ResourceMessage {
 attributes.put(KEY_SIZE, Integer.toString(keySize));
 }
+ /**
+ * @return the authentication realm
+ */
+ public String getRealm() {
+ return attributes.get(REALM);
+ }
+
+ /**
+ * @param realm - the authentication realm
+ */
+ public void setRealm(String realm) {
+ attributes.put(REALM, realm);
+ }
+
 public String toString() {
 try {
 return ResourceMessage.marshal(this, KeyArchivalRequest.class);
@@ -222,6 +240,7 @@ public class KeyArchivalRequest extends ResourceMessage {
 before.setDataType(KeyRequestResource.SYMMETRIC_KEY_TYPE);
 before.setWrappedPrivateData("XXXXABCDEFXXX");
 before.setKeyAlgorithm(KeyRequestResource.AES_ALGORITHM);
+ before.setRealm("ipa-vault");
 before.setKeySize(128);
 String string = before.toString();
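Review bot: The new accessor Javadoc calls it `the authentication realm` while the same attribute is described as the authorization realm in KeyGenerationRequest and throughout KeyClient in this commit; the two terms mean different things, so the archival request should use the same wording, e.g. `@return the authorization realm, or {@code null} if none was set` on getRealm and `@param realm - the authorization realm` on setRealm. The constant's comment `// parameters to set realm` is also vaguer than it needs to be; `// attribute name for the authorization realm` says what the constant is. setRealm presumably stores a null value into `attributes` when passed null, which is why KeyClient guards every call with `realm != null`; saying on setRealm that null means unset keeps the two sides consistent.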
diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java
index ade3765a9..04eb6539f 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java
@@ -517,12 +517,13 @@ public class KeyClient extends Client {
 *
 * @param clientKeyId -- Client Key Identfier
 * @param passphrase -- Secret passphrase to be archived
+ * @param realm -- authorization realm
 * @return A KeyRequestResponse object with information about the request.
 * @throws Exception - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException,
 * IOException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException,
 * BadPaddingException, IllegalBlockSizeException
 */
- public KeyRequestResponse archivePassphrase(String clientKeyId, String passphrase) throws Exception {
+ public KeyRequestResponse archivePassphrase(String clientKeyId, String passphrase, String realm) throws Exception {
 // Default algorithm OID for DES_EDE3_CBC
 String algorithmOID = EncryptionAlgorithm.DES3_CBC.toOID().toString();
@@ -533,7 +534,13 @@ public class KeyClient extends Client {
 sessionKey, KeyRequestResource.DES3_ALGORITHM);
 return archiveEncryptedData(clientKeyId, KeyRequestResource.PASS_PHRASE_TYPE, null, 0, algorithmOID,
- nonceData, encryptedData, transWrappedSessionKey);
+ nonceData, encryptedData, transWrappedSessionKey, realm);
+ }
+
+ /* Old signature for backwards compatibility */
+ @Deprecated
+ public KeyRequestResponse archivePassphrase(String clientKeyId, String passphrase) throws Exception {
+ return archivePassphrase(clientKeyId, passphrase, null);
 }
 /**
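Review bot: The retained two-argument `archivePassphrase` is annotated `@Deprecated` but carries only the block comment `/* Old signature for backwards compatibility */`, so callers get no Javadoc `@deprecated` tag naming the replacement and javadoc/Error Prone will flag the missing tag; the same applies to the deprecated overloads of archiveSymmetricKey, archiveEncryptedData, archivePKIOptions, generateSymmetricKey and generateAsymmetricKey in the later hunks. Replace the block comment with a Javadoc comment such as `/** @deprecated use {@link #archivePassphrase(String, String, String)}; passing null as the realm keeps the old behaviour. */`. The three-argument method's own Javadoc could likewise state that `realm` may be null, since that is exactly what the compatibility overload passes.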
@@ -546,13 +553,14 @@ public class KeyClient extends Client {
 * @param clientKeyId -- Client Key Identifier
 * @param keyAlgorithm -- Algorithm used by the symmetric key
 * @param keySize -- Strength of the symmetric key (secret)
+ * @param realm -- authorization realm
 * @return A KeyRequestResponse object with information about the request.
 * @throws Exception - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException,
 * IOException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException,
 * BadPaddingException, IllegalBlockSizeException
 */
 public KeyRequestResponse archiveSymmetricKey(String clientKeyId, SymmetricKey secret, String keyAlgorithm,
- int keySize) throws Exception {
+ int keySize, String realm) throws Exception {
 // Default algorithm OID for DES_EDE3_CBC
 String algorithmOID = EncryptionAlgorithm.DES3_CBC.toOID().toString();
@@ -562,7 +570,14 @@ public class KeyClient extends Client {
 byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, this.transportCert);
 return archiveEncryptedData(clientKeyId, KeyRequestResource.SYMMETRIC_KEY_TYPE, keyAlgorithm, keySize,
- algorithmOID, nonceData, encryptedData, transWrappedSessionKey);
+ algorithmOID, nonceData, encryptedData, transWrappedSessionKey, realm);
+ }
+
+ /* old method signature for backwards compatibility */
+ @Deprecated
+ public KeyRequestResponse archiveSymmetricKey(String clientKeyId, SymmetricKey secret, String keyAlgorithm,
+ int keySize) throws Exception {
+ return archiveSymmetricKey(clientKeyId, secret, keyAlgorithm,keySize, null);
 }
 /**
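Review bot: The compatibility overload's delegation `return archiveSymmetricKey(clientKeyId, secret, keyAlgorithm,keySize, null);` is missing the space after `keyAlgorithm,`, which the formatting used everywhere else in this file would reject; change it to `return archiveSymmetricKey(clientKeyId, secret, keyAlgorithm, keySize, null);`. The comment wording also drifts between `/* Old signature for backwards compatibility */` in archivePassphrase and `/* old method signature for backwards compatibility */` here; one form throughout the file reads better.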
@@ -581,11 +596,12 @@ public class KeyClient extends Client {
 * @param encryptedData -- which is the secret wrapped by a session
 * key (168 bit 3DES symmetric key)
 * @param transWrappedSessionKey -- session key wrapped by the transport cert.
+ * @param realm -- authorization realm
 * @return A KeyRequestResponse object with information about the request.
 */
 public KeyRequestResponse archiveEncryptedData(String clientKeyId, String dataType, String keyAlgorithm,
- int keySize,
- String algorithmOID, byte[] nonceData, byte[] encryptedData, byte[] transWrappedSessionKey) {
+ int keySize, String algorithmOID, byte[] nonceData, byte[] encryptedData,
+ byte[] transWrappedSessionKey, String realm) {
 if (clientKeyId == null || dataType == null) {
 throw new IllegalArgumentException("Client key id and data type must be specified.");
@@ -612,9 +628,22 @@ public class KeyClient extends Client {
 data.setWrappedPrivateData(req1);
 data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
+ if (realm != null) {
+ data.setRealm(realm);
+ }
+
 return submitRequest(data);
 }
+ /* old signature for backwards compatibility */
+ @Deprecated
+ public KeyRequestResponse archiveEncryptedData(String clientKeyId, String dataType, String keyAlgorithm,
+ int keySize, String algorithmOID, byte[] nonceData, byte[] encryptedData,
+ byte[] transWrappedSessionKey) {
+ return archiveEncryptedData(clientKeyId, dataType, keyAlgorithm, keySize, algorithmOID, nonceData,
+ encryptedData, transWrappedSessionKey, null);
+ }
+
 /**
 * Archive a secret (symmetric key or passphrase) on the DRM using a PKIArchiveOptions data format.
 *
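Review bot: The new `@param realm -- authorization realm` tag does not say that null is accepted, yet the body only applies it when non-null (`if (realm != null) { data.setRealm(realm); }`) and the deprecated overload relies on passing null; the same omission is in the realm tags added to archivePKIOptions, generateSymmetricKey and generateAsymmetricKey. Document the contract: `@param realm -- authorization realm the request is made under, or null to leave the realm unset`. An empty string passes the guard and is presumably sent to the server as the realm; if blank should also mean unset, the guard needs `if (realm != null && !realm.isEmpty())`, but whether the server treats "" differently from absent is not visible here.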
@@ -624,11 +653,12 @@ public class KeyClient extends Client {
 * @param keySize -- Strength of the symmetric key
 * @param pkiArchiveOptions -- is the data to be archived wrapped in a
 * PKIArchiveOptions structure
+ * @param realm -- authorization realm
 * @return A KeyRequestResponse object with information about the request.
 * @throws Exception
 */
 public KeyRequestResponse archivePKIOptions(String clientKeyId, String dataType, String keyAlgorithm, int keySize,
- byte[] pkiArchiveOptions) {
+ byte[] pkiArchiveOptions, String realm) {
 if (clientKeyId == null || dataType == null) {
 throw new IllegalArgumentException("Client key id and data type must be specified.");
@@ -653,9 +683,20 @@ public class KeyClient extends Client {
 String options = Utils.base64encode(pkiArchiveOptions);
 data.setPKIArchiveOptions(options);
+ if (realm != null) {
+ data.setRealm(realm);
+ }
+
 return submitRequest(data);
 }
+ /* old method signature for backwards compatibility */
+ @Deprecated
+ public KeyRequestResponse archivePKIOptions(String clientKeyId, String dataType, String keyAlgorithm, int keySize,
+ byte[] pkiArchiveOptions) {
+ return archivePKIOptions(clientKeyId, dataType, keyAlgorithm, keySize, pkiArchiveOptions, null);
+ }
+
 /**
 * Generate and archive a symmetric key in the DRM.
 *
@@ -663,11 +704,14 @@ public class KeyClient extends Client {
 * @param keyAlgorithm -- Algorithm to be used to generate the key
 * @param keySize -- Strength of the keys
 * @param usages -- Usages of the generated key.
+ * @param transWrappedSessionKey - client generated session key wrapped by
+ * KRA transport key
+ * @param realm -- authorization realm
 * @return a KeyRequestResponse which contains a KeyRequestInfo
 * object that describes the URL for the request and generated key.
 */
 public KeyRequestResponse generateSymmetricKey(String clientKeyId, String keyAlgorithm, int keySize,
- List usages, String transWrappedSessionKey) {
+ List usages, String transWrappedSessionKey, String realm) {
 if (clientKeyId == null) {
 throw new IllegalArgumentException("Client Key Identifier must be specified.");
 }
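Review bot: The added tag `@param transWrappedSessionKey - client generated session key wrapped by` uses a single dash where every other tag in this Javadoc, and the matching tag added to generateAsymmetricKey in the next hunk, uses `--`; make it `* @param transWrappedSessionKey -- client generated session key wrapped by the`. The changed signature line still declares a raw `List usages`; since the line is being rewritten anyway, `List<String> usages` would let the compiler check the element type, provided the callers and KeyGenerationRequest.setUsages agree on String elements, which is not visible in this diff. The method body continues outside the hunk.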
@@ -687,21 +731,34 @@ public class KeyClient extends Client {
 data.setUsages(usages);
 data.setTransWrappedSessionKey(transWrappedSessionKey);
+ if (realm != null) {
+ data.setRealm(realm);
+ }
+
 return submitRequest(data);
 }
+ /* old method signature for backwards compatibility */
+ @Deprecated
+ public KeyRequestResponse generateSymmetricKey(String clientKeyId, String keyAlgorithm, int keySize,
+ List usages, String transWrappedSessionKey) {
+ return generateSymmetricKey(clientKeyId, keyAlgorithm, keySize, usages, transWrappedSessionKey, null);
+ }
+
 /**
 * Generate and archive an asymmetric keys in the DRM
 *
 * @param clientKeyId -- Client Key Identifier
 * @param keyAlgorithm -- Algorithm to be used to generate the asymmetric keys
 * @param keySize -- Strength of the keys
- * @param usages
- * @param transWrappedSessionKey
+ * @param usages -- key usages
+ * @param transWrappedSessionKey -- client generated session key wrapped by the
+ * KRA transport key
+ * @param realm -- authorization realm
 * @return
 */
 public KeyRequestResponse generateAsymmetricKey(String clientKeyId, String keyAlgorithm, int keySize,
- List usages, byte[] transWrappedSessionKey) {
+ List usages, byte[] transWrappedSessionKey, String realm) {
 if (clientKeyId == null) {
 throw new IllegalArgumentException("Client Key Identifier must be specified.");
@@ -747,6 +804,17 @@ public class KeyClient extends Client {
 data.setUsages(usages);
 data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
+ if (realm != null) {
+ data.setRealm(realm);
+ }
+
 return submitRequest(data);
 }
+
+ /* old method signature for backwards compatibility */
+ @Deprecated
+ public KeyRequestResponse generateAsymmetricKey(String clientKeyId, String keyAlgorithm, int keySize,
+ List usages, byte[] transWrappedSessionKey) {
+ return generateAsymmetricKey(clientKeyId, keyAlgorithm, keySize, usages, transWrappedSessionKey, null);
+ }
 }
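Review bot: The `@return` tag of generateAsymmetricKey is still empty although this hunk rewrote the `@param` tags directly above it; fill it in to match generateSymmetricKey, e.g. `@return a KeyRequestResponse which contains a KeyRequestInfo object that describes the URL for the request and generated key`. The summary line `Generate and archive an asymmetric keys in the DRM` is also ungrammatical and should read `Generate and archive an asymmetric key pair in the DRM` (or `asymmetric keys`). Both are context lines here, but the Javadoc block is the one this commit is editing.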
diff --git a/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java b/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java
index ed36b6d9d..37fc1c2b2 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java
@@ -38,6 +38,7 @@ public class KeyGenerationRequest extends ResourceMessage{
 protected static final String KEY_ALGORITHM = "keyAlgorithm";
 protected static final String KEY_USAGE = "keyUsage";
 protected static final String TRANS_WRAPPED_SESSION_KEY = "transWrappedSessionKey";
+ protected static final String REALM = "realm";
 public List getUsages() {
@@ -122,4 +123,17 @@ public class KeyGenerationRequest extends ResourceMessage{
 attributes.put(TRANS_WRAPPED_SESSION_KEY, transWrappedSessionKey);
 }
+ /**
+ * @return the realm
+ */
+ public String getRealm() {
+ return attributes.get(REALM);
+ }
+
+ /**
+ * @param realm - authorization realm to set
+ */
+ public void setRealm(String realm) {
+ attributes.put(REALM, realm);
+ }
 }
diff --git a/base/common/src/com/netscape/certsrv/key/SymKeyGenerationRequest.java b/base/common/src/com/netscape/certsrv/key/SymKeyGenerationRequest.java
index 7f65d0e59..a85d102a8 100644
--- a/base/common/src/com/netscape/certsrv/key/SymKeyGenerationRequest.java
+++ b/base/common/src/com/netscape/certsrv/key/SymKeyGenerationRequest.java
@@ -40,6 +40,7 @@ public class SymKeyGenerationRequest extends KeyGenerationRequest {
 attributes.put(KEY_ALGORITHM, form.getFirst(KEY_ALGORITHM));
 attributes.put(KEY_USAGE, form.getFirst(KEY_USAGE));
 attributes.put(TRANS_WRAPPED_SESSION_KEY, form.getFirst(TRANS_WRAPPED_SESSION_KEY));
+ attributes.put(REALM, form.getFirst(REALM));
 String usageString = attributes.get(KEY_USAGE);
 if (!StringUtils.isBlank(usageString)) {
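Review bot: `@return the realm` on the new getRealm says nothing about absence, but `attributes.get(REALM)` yields null whenever the request carried no realm (AsymKeyGenerationRequest and SymKeyGenerationRequest store `form.getFirst(REALM)` unconditionally, presumably null when the parameter is missing), so every caller has to null-check; `@return the authorization realm, or {@code null} if the request did not specify one` states that. Since `REALM` is the single definition shared by both generation request types, a comment on it such as `// attribute name for the client-supplied authorization realm; validated server-side` would also give later readers the provenance of the value in one place.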
@@ -97,6 +98,7 @@ public class SymKeyGenerationRequest extends KeyGenerationRequest {
 before.addUsage(SymKeyGenerationRequest.DECRYPT_USAGE);
 before.addUsage(SymKeyGenerationRequest.ENCRYPT_USAGE);
 before.addUsage(SymKeyGenerationRequest.SIGN_USAGE);
+ before.setRealm("ipa");
 String string = before.toString();
 System.out.println(string);
-- cgit