From 6257d326cca9e55f9d6898bb2b227f22485322b7 Mon Sep 17 00:00:00 2001
From: Christina Fu
Date: Tue, 18 Sep 2012 14:47:17 -0700
Subject: https://fedorahosted.org/pki/ticket/304 TMS ECC infrastructure (enrollment with client-side and server-side key generation, and key archival)
---
 .../src/com/netscape/certsrv/request/IRequest.java | 2 +
 .../servlet/connector/GenerateKeyPairServlet.java | 44 +++++++++++++++++++++-
 2 files changed, 45 insertions(+), 1 deletion(-) (limited to 'base/common')
diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java
index 3459af602..6438205ab 100644
--- a/base/common/src/com/netscape/certsrv/request/IRequest.java
+++ b/base/common/src/com/netscape/certsrv/request/IRequest.java
@@ -150,6 +150,8 @@ public interface IRequest extends Serializable {
 public final static String NETKEY_ATTR_ENC_PRIVKEY_FLAG = "encryptPrivKey";
 public final static String NETKEY_ATTR_USER_CERT = "cert";
 public final static String NETKEY_ATTR_KEY_SIZE = "keysize";
+ public final static String NETKEY_ATTR_KEY_TYPE = "keytype";
+ public final static String NETKEY_ATTR_KEY_EC_CURVE = "eckeycurve";
 //Security Data request attributes
 public static final String SECURITY_DATA_ENROLLMENT_REQUEST = "securityDataEnrollment";
diff --git a/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java b/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java
index 597b50741..d8a125994 100644
--- a/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java
+++ b/base/common/src/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java
@@ -24,6 +24,7 @@ import javax.servlet.ServletConfig;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.util.Hashtable;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthSubsystem;
@@ -31,6 +32,7 @@ import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authority.IAuthority;
 import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.IPrettyPrintFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
@@ -61,6 +63,7 @@ public class GenerateKeyPairServlet extends CMSServlet {
 IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":");
 protected IAuthSubsystem mAuthSubsystem = null;
 protected ILogger mLogger = CMS.getLogger();
+ private Hashtable supportedECCurves_ht = null;
 /**
 * Constructs GenerateKeyPair servlet.
@@ -73,6 +76,7 @@ public class GenerateKeyPairServlet extends CMSServlet {
 public void init(ServletConfig config) throws ServletException {
 super.init(config);
 mConfig = config;
+ IConfigStore sconfig = CMS.getConfigStore();
 String authority = config.getInitParameter(PROP_AUTHORITY);
 if (authority != null)
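Review bot: The new field `private Hashtable supportedECCurves_ht = null;` uses a raw `Hashtable` as a set (in `init()` each curve name is stored as both key and value) and carries a type suffix in its name, which no other field in this class uses. A typed set with a non-null initial value, e.g. `private Set<String> supportedECCurves = new HashSet<String>();`, states the intent directly, removes the raw-type warning and means the `containsKey` lookup in `processServerSideKeygen()` can never see a null map; `java.util.Set` and `java.util.HashSet` would then replace the `java.util.Hashtable` import added in the first hunk. A one-line comment such as `// EC curves the server will generate keys on; populated from kra.keygen.curvelist in init()` would tell a reader where the contents come from. The class body continues outside the hunk.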
@@ -80,6 +84,21 @@ public class GenerateKeyPairServlet extends CMSServlet {
 CMS.getSubsystem(authority);
 mAuthSubsystem = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
+ // supported EC cuves by the smart cards
+ String curveList = null;
+ try {
+ curveList = sconfig.getString("kra.keygen.curvelist",
+ "nistp256,nistp384,nistp521");
+ } catch (EBaseException e) {
+ curveList = "nistp256,nistp384,nistp521";
+ }
+
+ supportedECCurves_ht = new Hashtable();
+ String[] supportedECCurves = curveList.split(",");
+ for ( int i = 0; i < supportedECCurves.length; i++) {
+ supportedECCurves_ht.put(supportedECCurves[i], supportedECCurves[i]);
+ }
+
 }
 /**
@@ -119,6 +138,8 @@ public class GenerateKeyPairServlet extends CMSServlet {
 String rdesKeyString = req.getParameter("drm_trans_desKey");
 String rArchive = req.getParameter("archive");
 String rKeysize = req.getParameter("keysize");
+ String rKeytype = req.getParameter("keytype");
+ String rKeycurve = req.getParameter("eckeycurve");
 if ((rCUID == null) || (rCUID.equals(""))) {
 CMS.debug("GenerateKeyPairServlet: processServerSideKeygen(): missing request parameter: CUID");
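Review bot: The names split from `kra.keygen.curvelist` go into the table untrimmed, so a configured value written as `nistp256, nistp384` registers ` nistp384` with a leading space and the later `containsKey(rKeycurve)` check rejects a request for a curve the administrator meant to allow; `supportedECCurves_ht.put(supportedECCurves[i].trim(), supportedECCurves[i].trim());` closes that gap. The default list literal is written twice, once as the `getString` default and once in the `catch`, and a single `private static final String DEFAULT_EC_CURVES = "nistp256,nistp384,nistp521";` keeps the two from drifting apart. The comment has a typo (`cuves`) and would serve a maintainer better as `// allow-list of EC curves accepted from the client's eckeycurve parameter (kra.keygen.curvelist)`. `init()` starts outside the hunk.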
@@ -130,10 +151,29 @@ public class GenerateKeyPairServlet extends CMSServlet {
 missingParam = true;
 }
- if ((rKeysize == null) || (rKeysize.equals(""))) {
+ // keysize is for non-EC (EC uses keycurve)
+ if (!rKeytype.equals("EC") && ((rKeysize == null) || (rKeysize.equals("")))) {
 rKeysize = "1024"; // default to 1024
 }
+ // if not specified, default to RSA
+ if ((rKeytype == null) || (rKeytype.equals(""))) {
+ rKeytype = "RSA";
+ }
+ if (rKeytype.equals("EC")) {
+ if ((rKeycurve == null) || (rKeycurve.equals(""))) {
+ rKeycurve = "nistp256";
+ }
+ // is the specified curve supported?
+ boolean isSupportedCurve = supportedECCurves_ht.containsKey(rKeycurve);
+ if (isSupportedCurve == false) {
+ CMS.debug("GenerateKeyPairServlet: processServerSideKeygen(): unsupported curve:"+ rKeycurve);
+ missingParam = true;
+ } else {
+ CMS.debug("GenerateKeyPairServlet: processServerSideKeygen(): curve to be generated:"+ rKeycurve);
+ }
+ }
+
 if ((rdesKeyString == null) || (rdesKeyString.equals(""))) {
 CMS.debug("GenerateKeyPairServlet: processServerSideKeygen(): missing request parameter: DRM-transportKey-wrapped DES key");
@@ -154,6 +194,8 @@ public class GenerateKeyPairServlet extends CMSServlet {
 thisreq.setExtData(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY, rdesKeyString);
 thisreq.setExtData(IRequest.NETKEY_ATTR_ARCHIVE_FLAG, rArchive);
 thisreq.setExtData(IRequest.NETKEY_ATTR_KEY_SIZE, rKeysize);
+ thisreq.setExtData(IRequest.NETKEY_ATTR_KEY_TYPE, rKeytype);
+ thisreq.setExtData(IRequest.NETKEY_ATTR_KEY_EC_CURVE, rKeycurve);
 queue.processRequest(thisreq);
 Integer result = thisreq.getExtDataInInteger(IRequest.RESULT);
-- cgit
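Review bot: `rKeytype.equals("EC")` in the first added `if` is evaluated before the block a few lines below that defaults a null or empty `keytype` to `RSA`, so any request that omits the new parameter — a client that predates this change will not send it — dies with a NullPointerException instead of taking the RSA path the comment promises. Moving the default-to-RSA block above the keysize check fixes the ordering; a null-safe `"EC".equals(rKeytype)` would also avoid the crash on its own. Separately, a `keytype` that is neither `RSA` nor `EC` is accepted as "non-EC", given the 1024-bit default and stored verbatim through `NETKEY_ATTR_KEY_TYPE` for the KRA to interpret (what the KRA does with an unknown type is not visible here); since unknown curves are already rejected with `missingParam = true`, the same allow-list treatment for the key type keeps the input validation in one place. `processServerSideKeygen()` starts and ends outside the hunk.
```java
// if not specified, default to RSA
if ((rKeytype == null) || (rKeytype.equals(""))) {
    rKeytype = "RSA";
}
// only RSA and EC are understood; treat anything else like a missing parameter
if (!rKeytype.equals("RSA") && !rKeytype.equals("EC")) {
    CMS.debug("GenerateKeyPairServlet: processServerSideKeygen(): unsupported keytype:" + rKeytype);
    missingParam = true;
}
// keysize is for non-EC (EC uses keycurve); rKeytype is non-null here
if (!rKeytype.equals("EC") && ((rKeysize == null) || (rKeysize.equals("")))) {
    rKeysize = "1024"; // default to 1024
}
// … unchanged: EC curve defaulting and allow-list check …
```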