From b9dc595806abb17f34a679976122e526bdc29de8 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 18 Apr 2017 16:46:12 -0400
Subject: Modify cert clients to check server for wrapping params
CRMFPopClient and the pki cert client both can send a CRMF request to a CA directly. Logic is added to check the CA for the required KRA wrapping params and use those in place of any that have been provided by the environment or command line. Also, additional data for the supported KRA keyset has been added to the CAInfoService. This will need to be managed by the admin. The default is "1" which corresponds to AES.
Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4
---
 .../src/com/netscape/cmstools/CRMFPopClient.java | 71 ++++++++++++++++++++--
 .../cmstools/client/ClientCertRequestCLI.java | 32 ++++++----
 2 files changed, 84 insertions(+), 19 deletions(-)
(limited to 'base/java-tools')
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 5d9f7f135..01685035e 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -40,6 +40,8 @@ import org.apache.http.HttpResponse;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.util.EntityUtils;
+import org.dogtagpki.common.CAInfo;
+import org.dogtagpki.common.CAInfoClient;
 import org.dogtagpki.common.KRAInfoResource;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.asn1.ASN1Util;
@@ -75,6 +77,9 @@ import org.mozilla.jss.pkix.primitive.Name;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 import org.mozilla.jss.util.Password;
 
+import com.netscape.certsrv.base.PKIException;
+import com.netscape.certsrv.client.ClientConfig;
+import com.netscape.certsrv.client.PKIClient;
 import com.netscape.cmsutil.crypto.CryptoUtil;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.HMACDigest;
@@ -187,6 +192,10 @@ public class CRMFPopClient {
         option.setArgName("keyWrap");
         options.addOption(option);
 
+        option = new Option("w", true, "Wrapping Keyset");
+        option.setArgName("keySet");
+        options.addOption(option);
+
         options.addOption("v", "verbose", false, "Run in verbose mode.");
         options.addOption(null, "help", false, "Show help message.");
 
@@ -218,6 +227,7 @@ public class CRMFPopClient {
         System.out.println(" -g Use KeyWrapping to wrap private key (default: true)");
         System.out.println(" - true: use a key wrapping algorithm");
         System.out.println(" - false: use an encryption algorithm");
+        System.out.println(" -w Key set ID to use when wrapping the private key");
         System.out.println(" -b PEM transport certificate (default: transport.txt)");
         System.out.println(" -v, --verbose Run in verbose mode.");
         System.out.println(" --help Show help message.");
@@ -310,6 +320,7 @@ public class CRMFPopClient {
         int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1"));
         int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1"));
 
+        // get the key wrapping mechanism
         boolean keyWrap = true;
         if (cmd.hasOption("g")) {
             keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g"));
@@ -319,6 +330,10 @@ public class CRMFPopClient {
                 keyWrap = Boolean.parseBoolean(useKeyWrap);
             }
         }
+        String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
+                KRAInfoResource.ENCRYPT_MECHANISM;
+
+        String wrappingKeySet = cmd.getOptionValue("w");
 
         String output = cmd.getOptionValue("o");
 
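Review bot: The new -w help line in the -218 hunk does not say which values the option accepts, and neither it nor the -g line mentions that both options are rejected when a server host:port is supplied (the check added at -326 exits with an error in that case), so a user following this help text hits the error on the first try. Suggest `System.out.println(" -w Key set ID to use when wrapping the private key (0: legacy server; not allowed together with a server host:port, which is queried instead)");` and a matching clause on the -g line. The createCertRequest hunk at -572 shows "0" selecting the DES3_CBC path and the commit message names "1" as the AES default, so stating both values here would help. The option description `"Wrapping Keyset"` added at -187 could carry the same value hint.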
@@ -326,6 +341,16 @@ public class CRMFPopClient {
         String username = cmd.getOptionValue("u");
         String requestor = cmd.getOptionValue("r");
 
+        if (hostPort != null) {
+            if (cmd.hasOption("g") || cmd.hasOption("w")) {
+                printError("Wrapping Key Set (-g) and keywrap (-w) options should " +
+                        "not be specified when hostport is specified. " +
+                        "CRMFPopClient will contact the server to " +
+                        "determine the correct values for these parameters");
+                System.exit(1);
+            }
+        }
+
+        if (subjectDN == null) {
             printError("Missing subject DN");
             System.exit(1);
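Review bot: The labels in the new error message are swapped relative to the options defined at -187 and parsed at -310: `-g` is the keyWrap boolean and `-w` is the wrapping key set, but the text reads "Wrapping Key Set (-g) and keywrap (-w)"; change the first line to `printError("Key wrap (-g) and wrapping key set (-w) options should " +`. The check also only considers explicit options, while the environment-derived useKeyWrap value read just above (and any KEY_WRAP_PARAMETER_SET later consulted by createCertRequest) is silently overridden by the server reply when hostPort is set; a clause in the message, or a verbose-mode line, saying that environment settings are ignored too would avoid surprises. The enclosing main body continues on both sides of the hunk.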
@@ -458,11 +483,41 @@ public class CRMFPopClient {
         String kid = CryptoUtil.byte2string(id);
         System.out.println("Keypair private key id: " + kid);
 
-        String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
-                KRAInfoResource.ENCRYPT_MECHANISM;
+        if (hostPort != null) {
+            // check the CA for the required keyset and archival mechanism
+            // if found, override whatever has been set by the command line
+            // options or environment for archivalMechanism and wrappingKeySet
+
+            ClientConfig config = new ClientConfig();
+            String host = hostPort.substring(0, hostPort.indexOf(':'));
+            int port = Integer.parseInt(hostPort.substring(hostPort.indexOf(':')+1));
+            config.setServerURL("http", host, port);
+
+            PKIClient pkiclient = new PKIClient(config);
+
+            // get archival mechanism
+            CAInfoClient infoClient = new CAInfoClient(pkiclient, "ca");
+            try {
+                CAInfo info = infoClient.getInfo();
+                archivalMechanism = info.getArchivalMechanism();
+                wrappingKeySet = info.getWrappingKeySet();
+            } catch (PKIException e) {
+                if (e.getCode() == 404) {
+                    // assume this is an older server,
+                    archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+                    wrappingKeySet = "0";
+                } else {
+                    throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+                }
+            } catch (Exception e) {
+                throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
+            }
+        }
+
+        if (verbose) System.out.println("Creating certificate request");
         CertRequest certRequest = client.createCertRequest(
-                token, transportCert, algorithm, keyPair, subject, archivalMechanism);
+                token, transportCert, algorithm, keyPair,
+                subject, archivalMechanism, wrappingKeySet);
 
         ProofOfPossession pop = null;
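Review bot: `hostPort.indexOf(':')` is used unchecked, so a hostPort value without a colon makes `substring(0, -1)` throw StringIndexOutOfBoundsException and a non-numeric port makes parseInt throw NumberFormatException, bypassing the printError/exit path the rest of main uses for bad arguments; compute `int sep = hostPort.indexOf(':');` once and reject `sep < 0` before the substring calls. The values fetched here decide how the private key is wrapped for archival, yet `config.setServerURL("http", host, port)` hard-codes plaintext HTTP and the `e.getCode() == 404` branch silently falls back to keyset "0", which the createCertRequest hunk at -572 maps to DES3_CBC, so a misrouted or tampered reply degrades the wrapping with no visible sign. At least print the resolved archivalMechanism and wrappingKeySet under `verbose` and a warning when the 404 fallback is taken, and check whether the existing hostPort request path already uses https so the same scheme can be used here. The same fallback is added in the ClientCertRequestCLI hunk at -250,23. main's body continues outside the hunk.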
@@ -572,11 +627,15 @@ public class CRMFPopClient {
             String algorithm,
             KeyPair keyPair,
             Name subject,
-            String archivalMechanism) throws Exception {
+            String archivalMechanism,
+            String wrappingKeySet) throws Exception {
 
         EncryptionAlgorithm encryptAlg = null;
-        String keyset = System.getenv("KEY_WRAP_PARAMETER_SET");
-        if (keyset != null && keyset.equalsIgnoreCase("0")) {
+        if (wrappingKeySet == null) {
+            wrappingKeySet = System.getenv("KEY_WRAP_PARAMETER_SET");
+        }
+
+        if (wrappingKeySet != null && wrappingKeySet.equalsIgnoreCase("0")) {
             // talking to an old server?
             encryptAlg = EncryptionAlgorithm.DES3_CBC;
         } else {
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index 8ca857bcb..696ab8ba3 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -29,6 +29,7 @@ import java.util.Vector;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
 import org.apache.commons.io.FileUtils;
+import org.dogtagpki.common.CAInfo;
 import org.dogtagpki.common.CAInfoClient;
 import org.dogtagpki.common.KRAInfoResource;
 import org.mozilla.jss.CryptoManager;
@@ -39,6 +40,7 @@ import org.mozilla.jss.pkix.crmf.CertRequest;
 import org.mozilla.jss.pkix.crmf.ProofOfPossession;
 import org.mozilla.jss.pkix.primitive.Name;
 
+import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.cert.CertClient;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
 import com.netscape.certsrv.cert.CertRequestInfos;
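Review bot: In the -572 hunk `wrappingKeySet` is a method parameter that the new lines reassign from the environment, which hides the caller's value from anyone reading the rest of the method and is the parameter-reassignment pattern Error Prone flags; assign to a local instead, e.g. `String effectiveKeySet = wrappingKeySet != null ? wrappingKeySet : System.getenv("KEY_WRAP_PARAMETER_SET");` and test `effectiveKeySet` in the condition that follows. The contract that a null keyset falls back to KEY_WRAP_PARAMETER_SET and that "0" selects the legacy DES3_CBC branch is not documented anywhere in the hunk; add a `@param wrappingKeySet` Javadoc entry stating both. createCertRequest's signature starts before the hunk and its body continues after it.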
@@ -250,23 +252,26 @@ public class ClientCertRequestCLI extends CLI {
             // get archival mechanism
             CAInfoClient infoClient = new CAInfoClient(client, "ca");
             String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+            String wrappingKeySet = "1";
             try {
-                archivalMechanism = infoClient.getInfo().getArchivalMechanism();
-            } catch (Exception e) {
-                // this could be an older server, check for environment variable.
-                String useKeyWrapping = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING");
-                if (useKeyWrapping != null) {
-                    if (Boolean.parseBoolean(useKeyWrapping)) {
-                        archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
-                    } else {
-                        archivalMechanism = KRAInfoResource.ENCRYPT_MECHANISM;
-                    }
+                CAInfo info = infoClient.getInfo();
+                archivalMechanism = info.getArchivalMechanism();
+                wrappingKeySet = info.getWrappingKeySet();
+            } catch (PKIException e) {
+                if (e.getCode() == 404) {
+                    // assume this is an older server,
+                    archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+                    wrappingKeySet = "0";
+                } else {
+                    throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
                 }
+            } catch (Exception e) {
+                throw new Exception("Failed to retrieve archive wrapping information from the CA: " + e, e);
             }
 
             csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding,
                     algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop,
-                    archivalMechanism);
+                    archivalMechanism, wrappingKeySet);
 
         } else {
             throw new Exception("Unknown request type: " + requestType);
@@ -408,7 +413,8 @@ public class ClientCertRequestCLI extends CLI {
             int sensitive,
             int extractable,
             boolean withPop,
-            String archivalMechanism
+            String archivalMechanism,
+            String wrappingKeySet
             ) throws Exception {
 
         CryptoManager manager = CryptoManager.getInstance();
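Review bot: `String wrappingKeySet = "1";` at the top of the -250 hunk is a dead default: every path through the try/catch either assigns it from the CAInfo reply, assigns "0", or throws, so the "1" the commit message describes as the default never takes effect here. Either drop the initializer or, if the intent is to keep "1" when the server omits the field, guard the assignment: `wrappingKeySet = info.getWrappingKeySet() != null ? info.getWrappingKeySet() : "1";`. Whether getWrappingKeySet() can return null is not visible in the hunk; if it can, the null flows into createCertRequest and is resolved from KEY_WRAP_PARAMETER_SET there (per the -572 hunk), which is probably not what a CA-provided setting should do. The 404 fallback to keyset "0" mirrors CRMFPopClient; a printed notice when it is taken would make the legacy DES3 choice visible to the operator. The enclosing method continues outside the hunk.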
@@ -430,7 +436,7 @@ public class ClientCertRequestCLI extends CLI {
         }
 
         CertRequest certRequest = client.createCertRequest(
-                token, transportCert, algorithm, keyPair, subject, archivalMechanism);
+                token, transportCert, algorithm, keyPair, subject, archivalMechanism, wrappingKeySet);
 
         ProofOfPossession pop = null;
         if (withPop) {
-- cgit