From 7a0252247e860806d6456e997149602c9750206a Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Tue, 15 Jan 2013 23:59:24 -0800 Subject: https://fedorahosted.org/pki/ticket/362 RFE: CMC ECC --- .../com/netscape/cms/authentication/CMCAuth.java | 63 ++++++++++++++++++++-- .../netscape/cms/profile/common/EnrollProfile.java | 37 ++++++++++++- .../cms/profile/input/CMCCertReqInput.java | 1 + 3 files changed, 95 insertions(+), 6 deletions(-) (limited to 'base/common') diff --git a/base/common/src/com/netscape/cms/authentication/CMCAuth.java b/base/common/src/com/netscape/cms/authentication/CMCAuth.java index 2844601f4..6ce4c26dd 100644 --- a/base/common/src/com/netscape/cms/authentication/CMCAuth.java +++ b/base/common/src/com/netscape/cms/authentication/CMCAuth.java @@ -41,8 +41,11 @@ import netscape.security.x509.X500Name; import netscape.security.x509.X509CertImpl; import netscape.security.x509.X509CertInfo; import netscape.security.x509.X509Key; +import netscape.security.util.DerValue; import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.asn1.ASN1Util; import org.mozilla.jss.asn1.INTEGER; import org.mozilla.jss.asn1.InvalidBERException; @@ -53,6 +56,7 @@ import org.mozilla.jss.asn1.SET; import org.mozilla.jss.crypto.DigestAlgorithm; import org.mozilla.jss.pkcs10.CertificationRequest; import org.mozilla.jss.pkcs11.PK11PubKey; +import org.mozilla.jss.pkcs11.PK11ECPublicKey; import org.mozilla.jss.pkix.cert.Certificate; import org.mozilla.jss.pkix.cert.CertificateInfo; import org.mozilla.jss.pkix.cmc.PKIData; @@ -351,6 +355,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, String uid = "defUser"; if (checkSignerInfo) { IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq); + if (agentToken == null) { + CMS.debug("CMCAuth: authenticate() agentToken null"); + throw new EBaseException("CMCAuth: agent verifySignerInfo failure"); + } userid = agentToken.getInString("userid"); uid = agentToken.getInString("cn"); } else { @@ -481,7 +489,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, TaggedRequest.Type type = taggedRequest.getType(); if (type.equals(TaggedRequest.PKCS10)) { - CMS.debug("CMCAuth: in PKCS10"); + CMS.debug("CMCAuth: type is PKCS10"); TaggedCertificationRequest tcr = taggedRequest.getTcr(); int p10Id = tcr.getBodyPartID().intValue(); @@ -496,9 +504,31 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, new ByteArrayOutputStream(); p10.encode(ostream); + boolean sigver = true; + boolean tokenSwitched = false; + CryptoManager cm = null; + CryptoToken signToken = null; + CryptoToken savedToken = null; + sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true); try { + cm = CryptoManager.getInstance(); + if (sigver == true) { + String tokenName = + CMS.getConfigStore().getString("ca.requestVerify.token", "internal"); + savedToken = cm.getThreadToken(); + if (tokenName.equals("internal")) { + signToken = cm.getInternalCryptoToken(); + } else { + signToken = cm.getTokenByName(tokenName); + } + if (!savedToken.getName().equals(signToken.getName())) { + cm.setThreadToken(signToken); + tokenSwitched = true; + } + } + PKCS10 pkcs10 = - new PKCS10(ostream.toByteArray()); + new PKCS10(ostream.toByteArray(), sigver); // xxx do we need to do anything else? X509CertInfo certInfo = @@ -544,10 +574,14 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, e.printStackTrace(); throw new EBaseException(e.toString()); - } + } finally { + if ((sigver == true) && (tokenSwitched == true)){ + cm.setThreadToken(savedToken); + } + } } else if (type.equals(TaggedRequest.CRMF)) { - CMS.debug("CMCAuth: in CRMF"); + CMS.debug("CMCAuth: type is CRMF"); try { CertReqMsg crm = taggedRequest.getCrm(); @@ -859,8 +893,26 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, CMS.debug("CMCAuth: verifying signature"); si.verify(digest, id); } else { + CMS.debug("CMCAuth: found signing cert... verifying"); PublicKey signKey = cert.getPublicKey(); - PK11PubKey pubK = PK11PubKey.fromSPKI(((X509Key) signKey).getKey()); + PrivateKey.Type keyType = null; + String alg = signKey.getAlgorithm(); + + PK11PubKey pubK = null; + if (alg.equals("RSA")) { + CMS.debug("CMCAuth: signing key alg=RSA"); + keyType = PrivateKey.RSA; + pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey()); + } else if (alg.equals("EC")) { + CMS.debug("CMCAuth: signing key alg=EC"); + keyType = PrivateKey.EC; + byte publicKeyData[] = ((X509Key) signKey).getEncoded(); + pubK = (PK11PubKey) PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); + } else if (alg.equals("DSA")) { + CMS.debug("CMCAuth: signing key alg=DSA"); + keyType = PrivateKey.DSA; + pubK = PK11PubKey.fromSPKI(/*keyType,*/ ((X509Key) signKey).getKey()); + } CMS.debug("CMCAuth: verifying signature with public key"); si.verify(digest, id, pubK); @@ -905,6 +957,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, } catch (IOException e) { CMS.debug("CMCAuth: " + e.toString()); } catch (Exception e) { + CMS.debug("CMCAuth: " + e.toString()); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); } return null; diff --git a/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java index 6fbdddb69..5b3457961 100644 --- a/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java +++ b/base/common/src/com/netscape/cms/profile/common/EnrollProfile.java @@ -661,23 +661,57 @@ public abstract class EnrollProfile extends BasicProfile IRequest req) throws EProfileException { TaggedRequest.Type type = tagreq.getType(); + if (type == null) { + CMS.debug("EnrollProfile: fillTaggedRequest: TaggedRequest type == null"); + throw new EProfileException( + CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")+ + "TaggedRequest type null"); + } if (type.equals(TaggedRequest.PKCS10)) { + CMS.debug("EnrollProfile: fillTaggedRequest: TaggedRequest type == pkcs10"); + boolean sigver = true; + boolean tokenSwitched = false; + CryptoManager cm = null; + CryptoToken signToken = null; + CryptoToken savedToken = null; try { + sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true); + cm = CryptoManager.getInstance(); + if (sigver == true) { + String tokenName = + CMS.getConfigStore().getString("ca.requestVerify.token", "internal"); + savedToken = cm.getThreadToken(); + if (tokenName.equals("internal")) { + signToken = cm.getInternalCryptoToken(); + } else { + signToken = cm.getTokenByName(tokenName); + } + if (!savedToken.getName().equals(signToken.getName())) { + cm.setThreadToken(signToken); + tokenSwitched = true; + } + } + TaggedCertificationRequest tcr = tagreq.getTcr(); CertificationRequest p10 = tcr.getCertificationRequest(); ByteArrayOutputStream ostream = new ByteArrayOutputStream(); p10.encode(ostream); - PKCS10 pkcs10 = new PKCS10(ostream.toByteArray()); + PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver); req.setExtData("bodyPartId", tcr.getBodyPartID()); fillPKCS10(locale, pkcs10, info, req); } catch (Exception e) { CMS.debug("EnrollProfile: fillTaggedRequest " + e.toString()); + } finally { + if ((sigver == true) && (tokenSwitched == true)){ + cm.setThreadToken(savedToken); + } } } else if (type.equals(TaggedRequest.CRMF)) { + CMS.debug("EnrollProfile: fillTaggedRequest: TaggedRequest type == crmf"); CertReqMsg crm = tagreq.getCrm(); SessionContext context = SessionContext.getContext(); Integer nums = (Integer) (context.get("numOfControls")); @@ -699,6 +733,7 @@ public abstract class EnrollProfile extends BasicProfile fillCertReqMsg(locale, crm, info, req); } else { + CMS.debug("EnrollProfile: fillTaggedRequest: unsupported type (not CRMF or PKCS10)"); throw new EProfileException( CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")); } diff --git a/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java b/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java index 8ce1be3ee..a62d6e9f7 100644 --- a/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java +++ b/base/common/src/com/netscape/cms/profile/input/CMCCertReqInput.java @@ -97,6 +97,7 @@ public class CMCCertReqInput extends EnrollInput implements IProfileInput { TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request); if (msgs == null) { + CMS.debug("CMCCertReqInput: populate - parseCMC returns null TaggedRequest msgs"); return; } // This profile only handle the first request in CRMF -- cgit