From 5b7ce994b8698dca62c23e653b7a1cfeebf959e4 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Thu, 23 Mar 2017 00:20:32 -0400 Subject: Refactor code that creates PKIArchiveOptions objects * Refactor code in CryptoUtil to parametrize the algorithms used. * Moved WrappingParams to utils jar to allow correct compilation. * Removed code that created a PKIArchiveOptions structure from CRMFPopClient and replaced with calls to CryptoUtil methods. Note that the algorithms have been left as DES3. They will be changed to AES in the next patch. * Converted code in AuthorityKeyExportCLI to use the new methods in CryptoUtil. * Removed DRMTest this code is no longer maintained or used. Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a --- .../com/netscape/certsrv/dbs/keydb/IKeyRecord.java | 3 +- .../netscape/certsrv/security/IEncryptionUnit.java | 2 + .../netscape/certsrv/security/IStorageKeyUnit.java | 2 + .../certsrv/security/ITransportKeyUnit.java | 2 + .../netscape/certsrv/security/WrappingParams.java | 193 ----- .../com/netscape/certsrv/util/CryptoProvider.java | 3 - .../netscape/certsrv/util/NSSCryptoProvider.java | 8 - .../src/com/netscape/cmstools/CRMFPopClient.java | 102 +-- .../cmstools/authority/AuthorityKeyExportCLI.java | 26 +- .../cmstools/client/ClientCertRequestCLI.java | 3 +- .../src/com/netscape/cms/servlet/test/DRMTest.java | 779 --------------------- .../servlet/test/GeneratePKIArchiveOptions.java | 29 +- base/kra/src/com/netscape/kra/EncryptionUnit.java | 3 +- .../src/com/netscape/kra/NetkeyKeygenService.java | 2 +- .../com/netscape/kra/SecurityDataProcessor.java | 2 +- base/kra/src/com/netscape/kra/StorageKeyUnit.java | 2 +- .../com/netscape/kra/TokenKeyRecoveryService.java | 2 +- .../kra/src/com/netscape/kra/TransportKeyUnit.java | 3 +- .../cms/servlet/csadmin/ConfigurationUtils.java | 3 +- .../src/com/netscape/cmscore/dbs/KeyRecord.java | 3 +- .../com/netscape/cmsutil/crypto/CryptoUtil.java | 183 +++-- .../src/netscape/security/util/WrappingParams.java | 193 +++++ 22 files changed, 427 insertions(+), 1121 deletions(-) delete mode 100644 base/common/src/com/netscape/certsrv/security/WrappingParams.java delete mode 100644 base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java create mode 100644 base/util/src/netscape/security/util/WrappingParams.java (limited to 'base') diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java index 163d4dd5d..aa4eb30f4 100644 --- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java +++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java @@ -22,7 +22,8 @@ import java.util.Date; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.MetaInfo; -import com.netscape.certsrv.security.WrappingParams; + +import netscape.security.util.WrappingParams; /** * An interface contains constants for key record. diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java index 004fd8aa0..add15cb81 100644 --- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java +++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java @@ -25,6 +25,8 @@ import org.mozilla.jss.crypto.SymmetricKey; import com.netscape.certsrv.base.EBaseException; +import netscape.security.util.WrappingParams; + /** * An interface represents a encryption unit. * diff --git a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java index 6f6e31201..321c7297f 100644 --- a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java +++ b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java @@ -26,6 +26,8 @@ import org.mozilla.jss.crypto.SymmetricKey; import com.netscape.certsrv.base.EBaseException; +import netscape.security.util.WrappingParams; + /** * An interface represents a storage key unit. This storage * unit contains a storage key pair that is used for diff --git a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java index c90a12ba1..a951f1850 100644 --- a/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java +++ b/base/common/src/com/netscape/certsrv/security/ITransportKeyUnit.java @@ -26,6 +26,8 @@ import org.mozilla.jss.crypto.SymmetricKey.Type; import com.netscape.certsrv.base.EBaseException; +import netscape.security.util.WrappingParams; + /** * An interface represents the transport key pair. * This key pair is used to protected EE's private diff --git a/base/common/src/com/netscape/certsrv/security/WrappingParams.java b/base/common/src/com/netscape/certsrv/security/WrappingParams.java deleted file mode 100644 index e1bc83500..000000000 --- a/base/common/src/com/netscape/certsrv/security/WrappingParams.java +++ /dev/null @@ -1,193 +0,0 @@ -package com.netscape.certsrv.security; - -import java.security.NoSuchAlgorithmException; - -import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; -import org.mozilla.jss.crypto.EncryptionAlgorithm; -import org.mozilla.jss.crypto.IVParameterSpec; -import org.mozilla.jss.crypto.KeyGenAlgorithm; -import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.SymmetricKey; -import org.mozilla.jss.crypto.SymmetricKey.Type; - -public class WrappingParams { - // session key attributes - SymmetricKey.Type skType; - KeyGenAlgorithm skKeyGenAlgorithm; - int skLength; - - // wrapping algorithm for session key - KeyWrapAlgorithm skWrapAlgorithm; - - // Encryption algorithm for payload - EncryptionAlgorithm payloadEncryptionAlgorithm; - - //wrapping algorithm for payload - KeyWrapAlgorithm payloadWrapAlgorithm; - - // payload encryption IV - IVParameterSpec payloadEncryptionIV; - - // payload wrapping IV - IVParameterSpec payloadWrappingIV; - - public WrappingParams(Type skType, KeyGenAlgorithm skKeyGenAlgorithm, int skLength, - KeyWrapAlgorithm skWrapAlgorithm, EncryptionAlgorithm payloadEncryptionAlgorithm, - KeyWrapAlgorithm payloadWrapAlgorithm, IVParameterSpec payloadEncryptIV, IVParameterSpec payloadWrapIV) { - super(); - this.skType = skType; - this.skKeyGenAlgorithm = skKeyGenAlgorithm; - this.skLength = skLength; - this.skWrapAlgorithm = skWrapAlgorithm; - this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm; - this.payloadWrapAlgorithm = payloadWrapAlgorithm; - this.payloadEncryptionIV = payloadEncryptIV; - this.payloadWrappingIV = payloadWrapIV; - } - - public WrappingParams() {} - - public WrappingParams(String encryptOID, String wrapName, String priKeyAlgo, IVParameterSpec encryptIV, IVParameterSpec wrapIV) - throws NumberFormatException, NoSuchAlgorithmException { - EncryptionAlgorithm encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID)); - - KeyWrapAlgorithm wrap = null; - if (wrapName != null) { - wrap = KeyWrapAlgorithm.fromString(wrapName); - this.payloadWrapAlgorithm = wrap; - } - - switch (encrypt.getAlg().toString()) { - case "AES": - // TODO(alee) - Terrible hack till we figure out why GCM is not working - // or a way to detect the padding. - // We are going to assume AES-128-PAD - encrypt = EncryptionAlgorithm.AES_128_CBC_PAD; - - this.skType = SymmetricKey.AES; - this.skKeyGenAlgorithm = KeyGenAlgorithm.AES; - if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; - break; - case "DESede": - this.skType = SymmetricKey.DES3; - this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; - this.skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; - if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; - break; - case "DES": - this.skType = SymmetricKey.DES; - this.skKeyGenAlgorithm = KeyGenAlgorithm.DES; - this.skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; - if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.DES_CBC_PAD; - break; - default: - throw new NoSuchAlgorithmException("Invalid algorithm"); - } - - this.skLength = encrypt.getKeyStrength(); - if (priKeyAlgo.equals("EC")) { - this.skWrapAlgorithm = KeyWrapAlgorithm.AES_ECB; - } else { - this.skWrapAlgorithm = KeyWrapAlgorithm.RSA; - } - - this.payloadEncryptionAlgorithm = encrypt; - this.payloadEncryptionIV = encryptIV; - this.payloadWrappingIV = wrapIV; - } - - public SymmetricKey.Type getSkType() { - return skType; - } - - public void setSkType(SymmetricKey.Type skType) { - this.skType = skType; - } - - public void setSkType(String skTypeName) throws NoSuchAlgorithmException { - this.skType = SymmetricKey.Type.fromName(skTypeName); - } - - public KeyGenAlgorithm getSkKeyGenAlgorithm() { - return skKeyGenAlgorithm; - } - - public void setSkKeyGenAlgorithm(KeyGenAlgorithm skKeyGenAlgorithm) { - this.skKeyGenAlgorithm = skKeyGenAlgorithm; - } - - public void setSkKeyGenAlgorithm(String algName) throws NoSuchAlgorithmException { - // JSS mapping is not working. Lets just do something brain-dead to - // handle the cases we expect. - if (algName.equalsIgnoreCase("AES")) { - this.skKeyGenAlgorithm = KeyGenAlgorithm.AES; - } else if (algName.equalsIgnoreCase("DES")) { - this.skKeyGenAlgorithm = KeyGenAlgorithm.DES; - } else if (algName.equalsIgnoreCase("DESede")) { - this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; - } else if (algName.equalsIgnoreCase("DES3")) { - this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; - } - } - - public int getSkLength() { - return skLength; - } - - public void setSkLength(int skLength) { - this.skLength = skLength; - } - - public KeyWrapAlgorithm getSkWrapAlgorithm() { - return skWrapAlgorithm; - } - - public void setSkWrapAlgorithm(KeyWrapAlgorithm skWrapAlgorithm) { - this.skWrapAlgorithm = skWrapAlgorithm; - } - - public void setSkWrapAlgorithm(String name) throws NoSuchAlgorithmException { - this.skWrapAlgorithm = KeyWrapAlgorithm.fromString(name); - } - - public EncryptionAlgorithm getPayloadEncryptionAlgorithm() { - return payloadEncryptionAlgorithm; - } - - public void setPayloadEncryptionAlgorithm(EncryptionAlgorithm payloadEncryptionAlgorithm) { - this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm; - } - - public void setPayloadEncryptionAlgorithm(String algName, String modeName, String paddingName, int keyStrength) - throws NoSuchAlgorithmException { - this.payloadEncryptionAlgorithm = EncryptionAlgorithm.lookup(algName, modeName, paddingName, keyStrength); - } - - public KeyWrapAlgorithm getPayloadWrapAlgorithm() { - return payloadWrapAlgorithm; - } - - public void setPayloadWrapAlgorithm(KeyWrapAlgorithm payloadWrapAlgorithm) { - this.payloadWrapAlgorithm = payloadWrapAlgorithm; - } - - public void setPayloadWrapAlgorithm(String name) throws NoSuchAlgorithmException { - this.payloadWrapAlgorithm = KeyWrapAlgorithm.fromString(name); - } - - public IVParameterSpec getPayloadEncryptionIV() { - return payloadEncryptionIV; - } - - public void setPayloadEncryptionIV(IVParameterSpec payloadEncryptionIV) { - this.payloadEncryptionIV = payloadEncryptionIV; - } - - public IVParameterSpec getPayloadWrappingIV() { - return payloadWrappingIV; - } - - public void setPayloadWrappingIV(IVParameterSpec payloadWrappingIV) { - this.payloadWrappingIV = payloadWrappingIV; - } -} diff --git a/base/common/src/com/netscape/certsrv/util/CryptoProvider.java b/base/common/src/com/netscape/certsrv/util/CryptoProvider.java index 0ec520580..6746db960 100644 --- a/base/common/src/com/netscape/certsrv/util/CryptoProvider.java +++ b/base/common/src/com/netscape/certsrv/util/CryptoProvider.java @@ -44,7 +44,4 @@ public abstract class CryptoProvider { public abstract byte[] unwrapWithPassphrase(byte[] wrappedRecoveredKey, String recoveryPassphrase) throws Exception; - public abstract byte[] createPKIArchiveOptions(String transportCert, SymmetricKey secret, String passphrase, - String keyAlgorithm, int symKeySize, byte[] nonceData) throws Exception; - } diff --git a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java index 423ad68e6..ec9a13407 100644 --- a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java +++ b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java @@ -224,14 +224,6 @@ public class NSSCryptoProvider extends CryptoProvider { return alg; } - @Override - public byte[] createPKIArchiveOptions(String transportCert, SymmetricKey secret, String passphrase, - String keyAlgorithm, int symKeySize, byte[] nonceData) throws Exception { - - return CryptoUtil.createPKIArchiveOptions(manager, token, transportCert, secret, passphrase, - getKeyGenAlgorithm(keyAlgorithm), symKeySize, new IVParameterSpec(nonceData)); - } - @Override public byte[] wrapWithSessionKey(SymmetricKey secret, SymmetricKey sessionKey, byte[] iv) throws Exception { diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java index 0a05a395a..670185666 100644 --- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java @@ -53,12 +53,11 @@ import org.mozilla.jss.asn1.TeletexString; import org.mozilla.jss.asn1.UTF8String; import org.mozilla.jss.asn1.UniversalString; import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.KeyGenAlgorithm; -import org.mozilla.jss.crypto.KeyGenerator; -import org.mozilla.jss.crypto.KeyPairAlgorithm; -import org.mozilla.jss.crypto.KeyPairGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; +import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.Signature; import org.mozilla.jss.crypto.SignatureAlgorithm; import org.mozilla.jss.crypto.SymmetricKey; @@ -66,8 +65,6 @@ import org.mozilla.jss.crypto.X509Certificate; import org.mozilla.jss.pkix.crmf.CertReqMsg; import org.mozilla.jss.pkix.crmf.CertRequest; import org.mozilla.jss.pkix.crmf.CertTemplate; -import org.mozilla.jss.pkix.crmf.EncryptedKey; -import org.mozilla.jss.pkix.crmf.EncryptedValue; import org.mozilla.jss.pkix.crmf.PKIArchiveOptions; import org.mozilla.jss.pkix.crmf.POPOSigningKey; import org.mozilla.jss.pkix.crmf.ProofOfPossession; @@ -82,6 +79,7 @@ import com.netscape.cmsutil.util.Cert; import com.netscape.cmsutil.util.HMACDigest; import com.netscape.cmsutil.util.Utils; +import netscape.security.util.WrappingParams; import netscape.security.x509.X500Name; /** @@ -427,8 +425,7 @@ public class CRMFPopClient { if (verbose) System.out.println("Generating key pair"); KeyPair keyPair; if (algorithm.equals("rsa")) { - keyPair = client.generateRSAKeyPair(token, keySize); - + keyPair = CryptoUtil.generateRSAKeyPair(token, keySize); } else if (algorithm.equals("ec")) { keyPair = client.generateECCKeyPair(token, curve, sslECDH, temporary, sensitive, extractable); @@ -510,12 +507,6 @@ public class CRMFPopClient { return verbose; } - public KeyPair generateRSAKeyPair(CryptoToken token, int length) throws Exception { - KeyPairGenerator kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA); - kg.initialize(length); - return kg.genKeyPair(); - } - public KeyPair generateECCKeyPair( CryptoToken token, String curve, @@ -547,25 +538,6 @@ public class CRMFPopClient { extractable); } - public byte[] wrapPrivateKey(CryptoToken token, SymmetricKey sessionKey, byte[] iv, KeyPair keyPair) throws Exception { - - // wrap private key using session - return CryptoUtil.wrapUsingSymmetricKey( - token, - sessionKey, - (org.mozilla.jss.crypto.PrivateKey) keyPair.getPrivate(), - new IVParameterSpec(iv), - KeyWrapAlgorithm.DES3_CBC_PAD); - } - - public byte[] wrapSessionKey(CryptoToken token, X509Certificate transportCert, SymmetricKey sessionKey) throws Exception { - - // wrap session key using KRA transport cert - // currently, a transport cert has to be an RSA cert, - // regardless of the key you are wrapping - return CryptoUtil.wrapUsingPublicKey(token, transportCert.getPublicKey(), sessionKey, KeyWrapAlgorithm.RSA); - } - public CertRequest createCertRequest( CryptoToken token, X509Certificate transportCert, @@ -573,7 +545,33 @@ public class CRMFPopClient { KeyPair keyPair, Name subject) throws Exception { - PKIArchiveOptions opts = createPKIArchiveOptions(token, transportCert, algorithm, keyPair); + byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + IVParameterSpec ivps = new IVParameterSpec(iv); + + AlgorithmIdentifier aid; + if (algorithm.equals("rsa")) { + aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), new OCTET_STRING(iv)); + + } else if (algorithm.equals("ec")) { + aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv)); + + } else { + throw new Exception("Unknown algorithm: " + algorithm); + } + + WrappingParams params = new WrappingParams( + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, + KeyWrapAlgorithm.DES3_CBC_PAD, ivps, ivps); + + // TODO(alee) check the cast on the third argument + PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( + token, + transportCert.getPublicKey(), + (PrivateKey) keyPair.getPrivate(), + params, + aid); + CertTemplate certTemplate = createCertTemplate(subject, keyPair.getPublic()); SEQUENCE seq = new SEQUENCE(); @@ -611,44 +609,6 @@ public class CRMFPopClient { return new OCTET_STRING(finalDigest); } - public PKIArchiveOptions createPKIArchiveOptions( - CryptoToken token, - X509Certificate transportCert, - String algorithm, - KeyPair keyPair) throws Exception { - - KeyGenerator keyGen = token.getKeyGenerator(KeyGenAlgorithm.DES3); - SymmetricKey sessionKey = keyGen.generate(); - - byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - - byte[] wrappedPrivateKey = wrapPrivateKey(token, sessionKey, iv, keyPair); - byte[] wrappedSessionKey = wrapSessionKey(token, transportCert, sessionKey); - - AlgorithmIdentifier algorithmID; - if (algorithm.equals("rsa")) { - algorithmID = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), new OCTET_STRING(iv)); - - } else if (algorithm.equals("ec")) { - algorithmID = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv)); - - } else { - throw new Exception("Unknown algorithm: " + algorithm); - } - - EncryptedValue encValue = new EncryptedValue( - null, - algorithmID, - new BIT_STRING(wrappedSessionKey, 0), - null, - null, - new BIT_STRING(wrappedPrivateKey, 0)); - - EncryptedKey key = new EncryptedKey(encValue); - - return new PKIArchiveOptions(key); - } - public CertTemplate createCertTemplate(Name subject, PublicKey publicKey) throws Exception { CertTemplate template = new CertTemplate(); diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java index 2fafe5204..d2ec62f03 100644 --- a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java @@ -7,15 +7,23 @@ import java.security.PublicKey; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.Option; import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; +import org.mozilla.jss.asn1.OCTET_STRING; import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.KeyGenAlgorithm; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.PrivateKey; +import org.mozilla.jss.crypto.SymmetricKey; import org.mozilla.jss.crypto.X509Certificate; +import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; import com.netscape.cmstools.cli.CLI; import com.netscape.cmsutil.crypto.CryptoUtil; +import netscape.security.util.WrappingParams; + public class AuthorityKeyExportCLI extends CLI { public AuthorityCLI authorityCLI; @@ -78,9 +86,21 @@ public class AuthorityKeyExportCLI extends CLI { byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; IVParameterSpec ivps = new IVParameterSpec(iv); - byte[] data = CryptoUtil.createPKIArchiveOptions( - token, wrappingKey, toBeWrapped, - KeyGenAlgorithm.DES3, 0, ivps); + WrappingParams params = new WrappingParams( + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, + KeyWrapAlgorithm.DES3_CBC_PAD, ivps, ivps); + + AlgorithmIdentifier aid = new AlgorithmIdentifier( + new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), + new OCTET_STRING(ivps.getIV())); + + byte[] data = CryptoUtil.createEncodedPKIArchiveOptions( + token, + wrappingKey, + toBeWrapped, + params, + aid); Files.newOutputStream(Paths.get(filename)).write(data); } diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java index 37d0e81ae..8c3a55115 100644 --- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java +++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java @@ -47,6 +47,7 @@ import com.netscape.cmstools.CRMFPopClient; import com.netscape.cmstools.cert.CertCLI; import com.netscape.cmstools.cli.CLI; import com.netscape.cmstools.cli.MainCLI; +import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Cert; import com.netscape.cmsutil.util.Utils; @@ -396,7 +397,7 @@ public class ClientCertRequestCLI extends CLI { KeyPair keyPair; if (algorithm.equals("rsa")) { - keyPair = client.generateRSAKeyPair(token, length); + keyPair = CryptoUtil.generateRSAKeyPair(token, length); } else if (algorithm.equals("ec")) { keyPair = client.generateECCKeyPair(token, curve, sslECDH, temporary, sensitive, extractable); diff --git a/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java b/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java deleted file mode 100644 index 720bba2b9..000000000 --- a/base/kra/functional/src/com/netscape/cms/servlet/test/DRMTest.java +++ /dev/null @@ -1,779 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2012 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.servlet.test; - -import java.io.IOException; -import java.security.InvalidKeyException; -import java.security.KeyFactory; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.Signature; -import java.security.SignatureException; -import java.security.spec.InvalidKeySpecException; -import java.security.spec.PKCS8EncodedKeySpec; -import java.security.spec.X509EncodedKeySpec; -import java.util.ArrayList; -import java.util.Calendar; -import java.util.Iterator; -import java.util.List; -import java.util.Random; - -import org.apache.commons.cli.CommandLine; -import org.apache.commons.cli.CommandLineParser; -import org.apache.commons.cli.HelpFormatter; -import org.apache.commons.cli.Options; -import org.apache.commons.cli.ParseException; -import org.apache.commons.cli.PosixParser; -import org.mozilla.jss.CryptoManager; -import org.mozilla.jss.crypto.AlreadyInitializedException; -import org.mozilla.jss.crypto.IVParameterSpec; -import org.mozilla.jss.crypto.KeyGenAlgorithm; -import org.mozilla.jss.crypto.SymmetricKey; - -import com.netscape.certsrv.base.ResourceNotFoundException; -import com.netscape.certsrv.cert.CertData; -import com.netscape.certsrv.client.ClientConfig; -import com.netscape.certsrv.client.PKIClient; -import com.netscape.certsrv.dbs.keydb.KeyId; -import com.netscape.certsrv.key.AsymKeyGenerationRequest; -import com.netscape.certsrv.key.Key; -import com.netscape.certsrv.key.KeyClient; -import com.netscape.certsrv.key.KeyInfo; -import com.netscape.certsrv.key.KeyRequestInfo; -import com.netscape.certsrv.key.KeyRequestInfoCollection; -import com.netscape.certsrv.key.KeyRequestResource; -import com.netscape.certsrv.key.KeyRequestResponse; -import com.netscape.certsrv.key.KeyResource; -import com.netscape.certsrv.key.SymKeyGenerationRequest; -import com.netscape.certsrv.kra.KRAClient; -import com.netscape.certsrv.request.IRequest; -import com.netscape.certsrv.request.RequestId; -import com.netscape.certsrv.request.RequestNotFoundException; -import com.netscape.certsrv.system.SystemCertClient; -import com.netscape.certsrv.util.NSSCryptoProvider; -import com.netscape.cmsutil.crypto.CryptoUtil; -import com.netscape.cmsutil.util.Utils; - -public class DRMTest { - - public static void usage(Options options) { - HelpFormatter formatter = new HelpFormatter(); - formatter.printHelp("DRMTest", options); - System.exit(1); - } - - public static void main(String args[]) throws InvalidKeyException, NoSuchAlgorithmException, - InvalidKeySpecException, SignatureException, IOException { - String host = null; - String port = null; - String token_pwd = null; - String db_dir = "./"; - String protocol = "http"; - String clientCertNickname = "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID"; - - // parse command line arguments - Options options = new Options(); - options.addOption("h", true, "Hostname of the DRM"); - options.addOption("p", true, "Port of the DRM"); - options.addOption("w", true, "Token password"); - options.addOption("d", true, "Directory for tokendb"); - options.addOption("s", true, "Attempt Optional Secure SSL connection"); - options.addOption("c", true, "Optional SSL Client cert Nickname"); - - try { - CommandLineParser parser = new PosixParser(); - CommandLine cmd = parser.parse(options, args); - - if (cmd.hasOption("h")) { - host = cmd.getOptionValue("h"); - } else { - System.err.println("Error: no hostname provided."); - usage(options); - } - - if (cmd.hasOption("p")) { - port = cmd.getOptionValue("p"); - } else { - System.err.println("Error: no port provided"); - usage(options); - } - - if (cmd.hasOption("w")) { - token_pwd = cmd.getOptionValue("w"); - } else { - System.err.println("Error: no token password provided"); - usage(options); - } - - if (cmd.hasOption("d")) { - db_dir = cmd.getOptionValue("d"); - } - - if (cmd.hasOption("s")) { - if (cmd.getOptionValue("s") != null && cmd.getOptionValue("s").equals("true")) { - protocol = "https"; - } - } - - if (cmd.hasOption("c")) { - String nick = cmd.getOptionValue("c"); - - if (nick != null && protocol.equals("https")) { - clientCertNickname = nick; - } - } - - } catch (ParseException e) { - System.err.println("Error in parsing command line options: " + e.getMessage()); - usage(options); - } - - // used for crypto operations - byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - - try { - iv = genIV(8); - } catch (Exception e) { - log("Can't generate initialization vector use default: " + e.toString()); - } - - // used for wrapping to send data to DRM - String transportCert = null; - - // Data to be archived - SymmetricKey vek = null; - String passphrase = null; - - // Session keys and passphrases for recovery - SymmetricKey sessionKey = null; - byte[] wrappedRecoveryKey = null; - String recoveryPassphrase = null; - byte[] wrappedRecoveryPassphrase = null; - - // retrieved data (should match archived data) - byte[] encryptedData = null; - String recoveredKey = null; - - // various ids used in recovery/archival operations - KeyId keyId = null; - String clientKeyId = null; - RequestId recoveryRequestId = null; - - // Variables for data structures from calls - KeyRequestResponse requestResponse = null; - Key keyData = null; - KeyInfo keyInfo = null; - - // Initialize token - try { - CryptoManager.initialize(db_dir); - } catch (AlreadyInitializedException e) { - // it is ok if it is already initialized - } catch (Exception e) { - log("INITIALIZATION ERROR: " + e.toString()); - System.exit(1); - } - - // Set base URI and get client - - KRAClient client; - SystemCertClient systemCertClient; - KeyClient keyClient; - NSSCryptoProvider nssCrypto; - try { - ClientConfig config = new ClientConfig(); - config.setServerURI(protocol + "://" + host + ":" + port + "/kra"); - config.setCertNickname(clientCertNickname); - config.setCertDatabase(db_dir); - config.setCertPassword(token_pwd); - nssCrypto = new NSSCryptoProvider(config); - - client = new KRAClient(new PKIClient(config, nssCrypto)); - systemCertClient = (SystemCertClient) client.getClient("systemcert"); - keyClient = (KeyClient) client.getClient("key"); - - } catch (Exception e) { - e.printStackTrace(); - return; - } - - // Test 1: Get transport certificate from DRM - transportCert = systemCertClient.getTransportCert().getEncoded(); - transportCert = transportCert.substring(CertData.HEADER.length(), - transportCert.indexOf(CertData.FOOTER)); - keyClient.setTransportCert(transportCert); - - log("Transport Cert retrieved from DRM: " + transportCert); - - // Test 2: Get list of completed key archival requests - log("\n\nList of completed archival requests"); - KeyRequestInfoCollection list = keyClient.listRequests("complete", "securityDataEnrollment"); - if (list.getTotal() == 0) { - log("No requests found"); - } else { - Iterator iter = list.getEntries().iterator(); - while (iter.hasNext()) { - KeyRequestInfo info = iter.next(); - printRequestInfo(info); - } - } - - // Test 3: Get list of key recovery requests - log("\n\nList of completed recovery requests"); - KeyRequestInfoCollection list2 = keyClient.listRequests("complete", "securityDataRecovery"); - if (list2.getTotal() == 0) { - log("No requests found"); - } else { - Iterator iter2 = list2.getEntries().iterator(); - while (iter2.hasNext()) { - KeyRequestInfo info = iter2.next(); - printRequestInfo(info); - } - } - - // Test 4: Generate and archive a symmetric key - log("Archiving symmetric key"); - clientKeyId = "UUID: 123-45-6789 VEK " + Calendar.getInstance().getTime().toString(); - try { - vek = nssCrypto.generateSessionKey(); - byte[] encoded = nssCrypto.createPKIArchiveOptions(transportCert, vek, null, - KeyRequestResource.DES3_ALGORITHM, 0, iv); - - KeyRequestResponse info = keyClient.archivePKIOptions(clientKeyId, KeyRequestResource.SYMMETRIC_KEY_TYPE, - KeyRequestResource.DES3_ALGORITHM, 0, encoded); - log("Archival Results:"); - printRequestInfo(info.getRequestInfo()); - keyId = info.getKeyId(); - } catch (Exception e) { - log("Exception in archiving symmetric key:" + e.getMessage()); - e.printStackTrace(); - } - - //Test 5: Get keyId for active key with client ID - - log("Getting key ID for symmetric key"); - keyInfo = keyClient.getActiveKeyInfo(clientKeyId); - printKeyInfo(keyInfo); - KeyId keyId2 = keyInfo.getKeyId(); - if (keyId2 == null) { - log("No archived key found"); - } else { - log("Archived Key found: " + keyId); - } - - if (!keyId.equals(keyId2)) { - log("Error: key ids from search and archival do not match"); - } else { - log("Success: keyids from search and archival match."); - } - - // Test 6: Submit a recovery request for the symmetric key using a session key - log("Submitting a recovery request for the symmetric key using session key"); - try { - sessionKey = nssCrypto.generateSessionKey(); - wrappedRecoveryKey = CryptoUtil.wrapSymmetricKey(nssCrypto.getManager(), nssCrypto.getToken(), - transportCert, sessionKey); - keyData = keyClient.retrieveKey(keyId, wrappedRecoveryKey); - } catch (Exception e) { - log("Exception in recovering symmetric key using session key: " + e.getMessage()); - } - - encryptedData = keyData.getEncryptedData(); - - try { - recoveredKey = Utils.base64encode(nssCrypto.unwrapWithSessionKey( - encryptedData, sessionKey, - KeyRequestResource.DES3_ALGORITHM, keyData.getNonceData())); - } catch (Exception e) { - log("Exception in unwrapping key: " + e.toString()); - e.printStackTrace(); - } - - if (!recoveredKey.equals(Utils.base64encode(vek.getEncoded()))) { - log("Error: recovered and archived keys do not match!"); - } else { - log("Success: recoverd and archived keys match!"); - } - - // Test 7: Submit a recovery request for the symmetric key using a passphrase - log("Submitting a recovery request for the symmetric key using a passphrase"); - recoveryPassphrase = "Gimme me keys please"; - - try { - sessionKey = nssCrypto.generateSessionKey(); - wrappedRecoveryPassphrase = nssCrypto.wrapWithSessionKey(recoveryPassphrase, iv, sessionKey, - KeyRequestResource.DES3_ALGORITHM); - wrappedRecoveryKey = nssCrypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert); - - keyData = keyClient.retrieveKeyUsingWrappedPassphrase(keyId, wrappedRecoveryKey, wrappedRecoveryPassphrase, - iv); - } catch (Exception e) { - log("Exception in recovering symmetric key using passphrase" + e.toString()); - e.printStackTrace(); - } - - encryptedData = keyData.getEncryptedData(); - - try { - recoveredKey = Utils.base64encode(nssCrypto.unwrapWithPassphrase(encryptedData, recoveryPassphrase)); - } catch (Exception e) { - log("Error: unable to unwrap key using passphrase"); - e.printStackTrace(); - } - - if (recoveredKey == null || !recoveredKey.equals(Utils.base64encode(vek.getEncoded()))) { - log("Error: recovered and archived keys do not match!"); - } else { - log("Success: recovered and archived keys do match!"); - } - - passphrase = "secret12345"; - // Test 8: Generate and archive a passphrase - clientKeyId = "UUID: 123-45-6789 RKEK " + Calendar.getInstance().getTime().toString(); - try { - requestResponse = keyClient.archivePassphrase(clientKeyId, passphrase); - - log("Archival Results:"); - printRequestInfo(requestResponse.getRequestInfo()); - keyId = requestResponse.getKeyId(); - } catch (Exception e) { - log("Exception in archiving symmetric key:" + e.toString()); - e.printStackTrace(); - } - - //Test 9: Get keyId for active passphrase with client ID - log("Getting key ID for passphrase"); - keyInfo = keyClient.getActiveKeyInfo(clientKeyId); - printKeyInfo(keyInfo); - keyId2 = keyInfo.getKeyId(); - if (keyId2 == null) { - log("No archived key found"); - } else { - log("Archived Key found: " + keyId); - } - - if (!keyId.equals(keyId2)) { - log("Error: key ids from search and archival do not match"); - } else { - log("Success: key ids from search and archival do match!"); - } - - // Test 10: Submit a recovery request for the passphrase using a session key - log("Submitting a recovery request for the passphrase using session key"); - sessionKey = null; - wrappedRecoveryKey = null; - try { - keyData = keyClient.retrieveKeyByPassphrase(keyId, recoveryPassphrase); - } catch (Exception e) { - log("Exception in recovering passphrase using session key: " + e.getMessage()); - } - encryptedData = keyData.getEncryptedData(); - try { - recoveredKey = new String(nssCrypto.unwrapWithPassphrase(encryptedData, recoveryPassphrase), "UTF-8"); - } catch (Exception e) { - log("Exception in unwrapping key: " + e.toString()); - e.printStackTrace(); - } - - if (recoveredKey == null || !recoveredKey.equals(passphrase)) { - log("Error: recovered and archived passphrases do not match!"); - } else { - log("Success: recovered and archived passphrases do match!"); - } - - // Test 11: Submit a recovery request for the passphrase using a passphrase - try { - sessionKey = nssCrypto.generateSessionKey(); - wrappedRecoveryKey = nssCrypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert); - wrappedRecoveryPassphrase = nssCrypto.wrapWithSessionKey(recoveryPassphrase, iv, sessionKey, - KeyRequestResource.DES3_ALGORITHM); - keyData = keyClient.retrieveKeyUsingWrappedPassphrase(keyId, wrappedRecoveryKey, wrappedRecoveryPassphrase, - iv); - } catch (Exception e1) { - e1.printStackTrace(); - System.out.println("Test 17: " + e1.getMessage()); - System.exit(-1); - } - encryptedData = keyData.getEncryptedData(); - try { - recoveredKey = new String(nssCrypto.unwrapWithPassphrase(encryptedData, recoveryPassphrase), "UTF-8"); - } catch (Exception e) { - log("Error: cannot unwrap key using passphrase"); - e.printStackTrace(); - } - - if (recoveredKey == null || !recoveredKey.equals(passphrase)) { - log("Error: recovered and archived passphrases do not match!"); - } else { - log("Success: recovered and archived passphrases do match!"); - } - - // Test 12: Get key - log("Getting passphrase: " + keyId); - try { - keyData = keyClient.retrieveKeyByPassphrase(keyId, recoveryPassphrase); - } catch (Exception e1) { - e1.printStackTrace(); - } - encryptedData = keyData.getEncryptedData(); - try { - recoveredKey = new String(nssCrypto.unwrapWithPassphrase(encryptedData, recoveryPassphrase), "UTF-8"); - } catch (Exception e) { - log("Error: Can't unwrap recovered key using passphrase"); - e.printStackTrace(); - } - - if (recoveredKey == null || !recoveredKey.equals(passphrase)) { - log("Error: recovered and archived passphrases do not match!"); - } else { - log("Success: recovered and archived passphrases do match!"); - } - - // Test 13: Get non-existent request - RequestId requestId = new RequestId("0xabcdef"); - log("Getting non-existent request: " + requestId.toHexString()); - try { - keyClient.getRequestInfo(requestId); - log("Error: getting non-existent request does not throw an exception"); - } catch (RequestNotFoundException e) { - log("Success: getting non-existent request throws an exception: " + e.getMessage() + " (" - + e.getRequestId().toHexString() + ")"); - } - - // Test 14: Request x509 key recovery - // This test requires to retrieve keyId and matching certificate - // from installed instances of CA and DRM - String keyID = "1"; - String b64Certificate = "MIIC+TCCAeGgAwIBAgIBDDANBgkqhkiG9w0BAQsFADBOMSswKQYDVQQKDCJ1c2Vy" + - "c3lzLnJlZGhhdC5jb20gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWdu" + - "aW5nIENlcnRpZmljYXRlMB4XDTEzMTAyNTE5MzQwM1oXDTE0MDQyMzE5MzQwM1ow" + - "EzERMA8GCgmSJomT8ixkAQEMAXgwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB" + - "ALhLfGmKvxFsKXPh49q1QsluXU3WlyS1XnpDLgOAhgTNgO4sG6CpPdv6hZYIvQBb" + - "ZQ5bhuML+NXK+Q+EIiNk1cUTxgL3a30sPzy6QaFWxwM8i4uXm4nCBYv7T+n4V6/O" + - "xHIM2Ch/dviAb3vz+M9trErv9t+d2H8jNXT3sHuDb/kvAgMBAAGjgaAwgZ0wHwYD" + - "VR0jBBgwFoAUh1cxWFRY+nMsx4odQQI1GqyFxP8wSwYIKwYBBQUHAQEEPzA9MDsG" + - "CCsGAQUFBzABhi9odHRwOi8vZG9ndGFnMjAudXNlcnN5cy5yZWRoYXQuY29tOjgw" + - "ODAvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBSAwHQYDVR0lBBYwFAYIKwYBBQUHAwIG" + - "CCsGAQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQCvmbUzQOouE2LgQQcKfmgwwJMJ" + - "9tMrPwDUtyFdaIFoPL4uZaujSscaN4IWK2r5vIMJ65jwYCI7sI9En2ZfO28J9dQj" + - "lpqu6TaJ+xtaMk7OvXpVB7lJk73HAttMGjETlkoq/6EjxcugmJsDqVD0b2tO7Vd0" + - "hroBe2uPDHM2ASewZF415lUcRh0URtmxSazTInbyxpmy1wgSJQ0C6fMCeT+hUFlA" + - "0P4k1TIprapGVq7FpKcqlhK2gTBfTSnoO7gmXG/9MxJiYpb/Aph8ptXq6quHz1Mj" + - "greWr3xTsy6gF2yphUEkGHh4v22XvK+FLx9Jb6zloMWA2GG9gpUpvMnl1fH4"; - - log("Requesting X509 key recovery."); - recoveryRequestId = keyClient.recoverKey(new KeyId(keyID), null, null, null, b64Certificate).getRequestInfo() - .getRequestId(); - log("Requesting X509 key recovery request: " + recoveryRequestId); - - // Test 55: Approve x509 key recovery - log("Approving X509 key recovery request: " + recoveryRequestId); - keyClient.approveRequest(recoveryRequestId); - - // Test 16: Recover x509 key - log("Recovering X509 key based on request: " + recoveryRequestId); - try { - // KeyData recoveredX509Key = client.recoverKey(recoveryRequestId, "netscape"); - // log("Success: X509Key recovered: "+ recoveredX509Key.getP12Data()); - } catch (RequestNotFoundException e) { - log("Error: recovering X509Key"); - } - - // Test 1: Get transport certificate from DRM - transportCert = systemCertClient.getTransportCert().getEncoded(); - transportCert = transportCert.substring(CertData.HEADER.length(), - transportCert.indexOf(CertData.FOOTER)); - - log("Transport Cert retrieved from DRM: " + transportCert); - - // Test 17: Get list of completed key archival requests - log("\n\nList of completed archival requests"); - list = keyClient.listRequests("complete", IRequest.SYMKEY_GENERATION_REQUEST); - if (list.getTotal() == 0) { - log("No requests found"); - } else { - Iterator iter = list.getEntries().iterator(); - while (iter.hasNext()) { - KeyRequestInfo info = iter.next(); - printRequestInfo(info); - } - } - - // test 18: Generate symmetric key - clientKeyId = "Symmetric Key #1234f " + Calendar.getInstance().getTime().toString(); - List usages = new ArrayList(); - usages.add(SymKeyGenerationRequest.DECRYPT_USAGE); - usages.add(SymKeyGenerationRequest.ENCRYPT_USAGE); - KeyRequestResponse genKeyResponse = keyClient.generateSymmetricKey(clientKeyId, - KeyRequestResource.AES_ALGORITHM, - 128, usages, null); - printRequestInfo(genKeyResponse.getRequestInfo()); - keyId = genKeyResponse.getKeyId(); - - // test 19: Get keyId for active key with client ID - log("Getting key ID for symmetric key"); - keyInfo = keyClient.getActiveKeyInfo(clientKeyId); - printKeyInfo(keyInfo); - keyId2 = keyInfo.getKeyId(); - if (keyId2 == null) { - log("No archived key found"); - } else { - log("Archived Key found: " + keyId); - } - - if (!keyId.equals(keyId2)) { - log("Error: key ids from search and archival do not match"); - } else { - log("Success: keyids from search and archival match."); - } - - // Test 20: Submit a recovery request for the symmetric key using a session key - log("Submitting a recovery request for the symmetric key using session key"); - try { - sessionKey = nssCrypto.generateSessionKey(); - wrappedRecoveryKey = nssCrypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert); - keyData = keyClient.retrieveKey(keyId, wrappedRecoveryKey); - } catch (Exception e) { - log("Exception in recovering symmetric key using session key: " + e.getMessage()); - } - - encryptedData = keyData.getEncryptedData(); - - try { - recoveredKey = new String(nssCrypto.unwrapWithSessionKey( - encryptedData, sessionKey, KeyRequestResource.DES3_ALGORITHM, - keyData.getNonceData())); - } catch (Exception e) { - log("Exception in unwrapping key: " + e.toString()); - e.printStackTrace(); - } - - // test 21: Generate symmetric key - invalid algorithm - try { - genKeyResponse = keyClient.generateSymmetricKey("Symmetric Key #1235", "AFS", 128, usages, null); - } catch (Exception e) { - log("Exception: " + e); - } - - // test 22: Generate symmetric key - invalid key size - try { - genKeyResponse = keyClient.generateSymmetricKey("Symmetric Key #1236", "AES", 0, usages, null); - } catch (Exception e) { - log("Exception: " + e); - } - - // test 23: Generate symmetric key - usages not defined - try { - genKeyResponse = keyClient.generateSymmetricKey("Symmetric Key #1236", "DES", 56, null, null); - } catch (Exception e) { - log("Exception: " + e); - } - - // Test 24: Generate and archive a symmetric key of type AES - log("Archiving symmetric key"); - clientKeyId = "UUID: 123-45-6789 VEK " + Calendar.getInstance().getTime().toString(); - try { - vek = nssCrypto.generateSymmetricKey(KeyRequestResource.AES_ALGORITHM, 128); - - byte[] encoded = CryptoUtil.createPKIArchiveOptions(nssCrypto.getManager(), nssCrypto.getToken(), - transportCert, vek, null, - KeyGenAlgorithm.DES3, 0, new IVParameterSpec(iv)); - - KeyRequestResponse response = keyClient.archivePKIOptions(clientKeyId, - KeyRequestResource.SYMMETRIC_KEY_TYPE, KeyRequestResource.AES_ALGORITHM, 128, encoded); - log("Archival Results:"); - printRequestInfo(response.getRequestInfo()); - keyId = response.getKeyId(); - } catch (Exception e) { - log("Exception in archiving symmetric key:" + e.getMessage()); - e.printStackTrace(); - } - - //Test 25: Get keyId for active key with client ID - log("Getting key ID for symmetric key"); - keyInfo = keyClient.getActiveKeyInfo(clientKeyId); - printKeyInfo(keyInfo); - keyId2 = keyInfo.getKeyId(); - if (keyId2 == null) { - log("No archived key found"); - } else { - log("Archived Key found: " + keyId); - } - - if (!keyId.equals(keyId2)) { - log("Error: key ids from search and archival do not match"); - } else { - log("Success: keyids from search and archival match."); - } - - // Test 26: Submit a recovery request for the symmetric key - log("Submitting a recovery request for the symmetric key without using session key"); - try { - keyData = keyClient.retrieveKey(keyId); - } catch (Exception e) { - log("Exception in recovering symmetric key using session key: " + e.getMessage()); - } - - // Since no session key is provided externally, the retrieveKey method - // generates a session key, wraps it with transport cert and completes the request. - // The encrypted data is then unwrapped using the temporary session key and set to - // the attribute privateData. - recoveredKey = Utils.base64encode(keyData.getData()); - - if (!recoveredKey.equals(Utils.base64encode(vek.getEncoded()))) { - log("Error: recovered and archived keys do not match!"); - } else { - log("Success: recoverd and archived keys match!"); - } - - // Test 27: Get key info - log("getting key info for existing key"); - printKeyInfo(keyClient.getKeyInfo(keyId)); - - //Test 28: Modify status - log("modify the key status"); - keyClient.modifyKeyStatus(keyId, KeyResource.KEY_STATUS_INACTIVE); - keyInfo = keyClient.getKeyInfo(keyId); - printKeyInfo(keyInfo); - - //Test 29: Confirm no more active keys with this ID - log("look for active keys with this id"); - clientKeyId = keyInfo.getClientKeyID(); - try { - keyInfo = keyClient.getActiveKeyInfo(clientKeyId); - printKeyInfo(keyInfo); - } catch (ResourceNotFoundException e) { - log("Success: ResourceNotFound exception thrown: " + e); - } - - // Test asymmetric key generation. - - String[] algs = { "RSA", "DSA" }; - for (int i = 0; i < algs.length; i++) { - // Test 30: Generate Asymmetric keys - RSA key - System.out.println("\nTesting asymmetric key generation for algorithm " + algs[i]); - clientKeyId = "AsymKey #" + Calendar.getInstance().getTimeInMillis(); - usages.clear(); - usages.add(AsymKeyGenerationRequest.SIGN); - usages.add(AsymKeyGenerationRequest.VERIFY); - KeyRequestResponse response = keyClient.generateAsymmetricKey(clientKeyId, algs[i], 1024, usages, null); - printRequestInfo(response.getRequestInfo()); - System.out.println(); - - // Test 31: Get information of the newly generated asymmetric keys - System.out.println("Fetch information of the newly generated asymmetric keys."); - System.out.println(); - KeyInfo info = keyClient.getKeyInfo(response.getKeyId()); - printKeyInfo(info); - System.out.println(); - - // Test 32: Retrieve private key data - System.out.println("Retrieving and verifying the generated private key."); - try { - keyData = keyClient.retrieveKey(response.getKeyId()); - } catch (Exception e) { - log("Exception retrieving the private key data."); - e.printStackTrace(); - } - - // Test 33: Verify the generated key pair. - if (isKeyPairValid(algs[i], keyData.getData(), info.getPublicKey())) { - log("The key pair generated using " + algs[i] + " algorithm is valid."); - } else { - log("The key pair generated using " + algs[i] + " algorithm is invalid."); - } - System.out.println(); - } - - // Test 34: - } - - /** - * Verify the generated asymmetric key pair. - * - * @param keyAlgorithm - Algorithm used to generate keys. - * @param privateKey - binary data of the private key. - * @param publicKey - binary data of he public key. - * @return - * @throws NoSuchAlgorithmException - * @throws InvalidKeySpecException - * @throws InvalidKeyException - * @throws SignatureException - * @throws IOException - */ - public static boolean isKeyPairValid(String keyAlgorithm, byte[] privateKey, byte[] publicKey) - throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, SignatureException, - IOException { - String algorithm = keyAlgorithm.toUpperCase(); - String signingAlgorithm = "SHA1with" + algorithm; - KeyFactory factory = KeyFactory.getInstance(algorithm); - PrivateKey priKey = factory.generatePrivate(new PKCS8EncodedKeySpec(privateKey)); - PublicKey pubKey = factory.generatePublic(new X509EncodedKeySpec(publicKey)); - Signature sig = Signature.getInstance(signingAlgorithm); - sig.initSign(priKey); - String s = "Data to test asymmetric keys."; - sig.update(s.getBytes()); - - // Sign the data with the private key. - byte[] realSig = sig.sign(); - - Signature sig2 = Signature.getInstance(signingAlgorithm); - sig2.initVerify(pubKey); - - sig2.update(s.getBytes()); - // Verify the signature with the public key. - return sig2.verify(realSig); - } - - private static void printKeyInfo(KeyInfo keyInfo) { - log("Printing keyInfo:"); - log("Client Key ID: " + keyInfo.getClientKeyID()); - log("Key URL: " + keyInfo.getKeyURL()); - log("Algorithm: " + keyInfo.getAlgorithm()); - log("Strength: " + keyInfo.getSize()); - log("Status: " + keyInfo.getStatus()); - if (keyInfo.getPublicKey() != null) { - log("Public Key: "); - String publicKey = Utils.base64encode(keyInfo.getPublicKey()); - log(publicKey); - } - } - - private static void log(String string) { - System.out.println(string); - } - - private static void printRequestInfo(KeyRequestInfo info) { - log("KeyRequestURL: " + info.getRequestURL()); - log("Key URL: " + info.getKeyURL()); - log("Status: " + info.getRequestStatus()); - log("Type: " + info.getRequestType()); - } - - //Use this when we actually create random initialization vectors - private static byte[] genIV(int blockSize) throws Exception { - // generate an IV - byte[] iv = new byte[blockSize]; - - Random rnd = new Random(); - rnd.nextBytes(iv); - - return iv; - } -} \ No newline at end of file diff --git a/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java b/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java index 6c835b439..64546867b 100644 --- a/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java +++ b/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java @@ -18,16 +18,24 @@ import org.apache.commons.cli.Options; import org.apache.commons.cli.ParseException; import org.apache.commons.cli.PosixParser; import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; +import org.mozilla.jss.asn1.OCTET_STRING; import org.mozilla.jss.crypto.AlreadyInitializedException; import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; import org.mozilla.jss.crypto.KeyGenAlgorithm; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.SymmetricKey; +import org.mozilla.jss.crypto.X509Certificate; +import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; import org.mozilla.jss.util.Password; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Utils; +import netscape.security.util.WrappingParams; + public class GeneratePKIArchiveOptions { public static void usage(Options options) { @@ -154,7 +162,6 @@ public class GeneratePKIArchiveOptions { // used for wrapping to send data to DRM byte[] tcert = read(transport_file); - String transportCert = Utils.base64encode(tcert); // Initialize token try { @@ -181,8 +188,11 @@ public class GeneratePKIArchiveOptions { } } catch (Exception e) { log("Exception in logging into token:" + e.toString()); + System.exit(1); } + X509Certificate transportCert = manager.importCACertPackage(tcert); + // Data to be archived SymmetricKey vek = null; if (!passphraseMode) { @@ -193,12 +203,21 @@ public class GeneratePKIArchiveOptions { byte[] encoded = null; + WrappingParams params = new WrappingParams( + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, + KeyWrapAlgorithm.DES3_CBC_PAD, ivps, ivps); + + AlgorithmIdentifier aid = new AlgorithmIdentifier( + new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), + new OCTET_STRING(ivps.getIV())); + if (passphraseMode) { - encoded = CryptoUtil.createPKIArchiveOptions(manager, token, transportCert, null, passphrase, - KeyGenAlgorithm.DES3, 0, ivps); + encoded = CryptoUtil.createEncodedPKIArchiveOptions( + token, transportCert.getPublicKey(), passphrase, params, aid); } else { - encoded = CryptoUtil.createPKIArchiveOptions(manager, token, transportCert, vek, null, - KeyGenAlgorithm.DES3, 0, ivps); + encoded = CryptoUtil.createEncodedPKIArchiveOptions( + token, transportCert.getPublicKey(), vek, params, aid); } // write encoded to file diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java index 04f63a977..02a4ca143 100644 --- a/base/kra/src/com/netscape/kra/EncryptionUnit.java +++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java @@ -30,9 +30,10 @@ import org.mozilla.jss.crypto.SymmetricKey; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.security.IEncryptionUnit; -import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmsutil.crypto.CryptoUtil; +import netscape.security.util.WrappingParams; + /** * A class represents the transport key pair. This key pair * is used to protected EE's private key in transit. diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index 4dec837a0..d680445a2 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -60,13 +60,13 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; -import com.netscape.certsrv.security.WrappingParams; import com.netscape.cms.servlet.key.KeyRecordParser; import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmscore.util.Debug; import com.netscape.cmsutil.crypto.CryptoUtil; import netscape.security.provider.RSAPublicKey; +import netscape.security.util.WrappingParams; /** * A class representing keygen/archival request procesor for requests diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index 1125ee19f..55111c9b8 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java @@ -44,12 +44,12 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; -import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Utils; import netscape.security.util.DerValue; +import netscape.security.util.WrappingParams; import netscape.security.x509.X509Key; public class SecurityDataProcessor { diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java index 0402ab70f..295e4c7d1 100644 --- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java +++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java @@ -63,7 +63,6 @@ import com.netscape.certsrv.kra.IShare; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.security.Credential; import com.netscape.certsrv.security.IStorageKeyUnit; -import com.netscape.certsrv.security.WrappingParams; import com.netscape.cms.servlet.key.KeyRecordParser; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Utils; @@ -71,6 +70,7 @@ import com.netscape.cmsutil.util.Utils; import netscape.security.util.DerInputStream; import netscape.security.util.DerOutputStream; import netscape.security.util.DerValue; +import netscape.security.util.WrappingParams; /** * A class represents a storage key unit. Currently, this diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index 8abf92046..b084964f9 100644 --- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java @@ -50,7 +50,6 @@ import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; -import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Cert; @@ -58,6 +57,7 @@ import com.netscape.cmsutil.util.Cert; import netscape.security.util.BigInt; import netscape.security.util.DerInputStream; import netscape.security.util.DerValue; +import netscape.security.util.WrappingParams; import netscape.security.x509.X509Key; /** diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java index 672cb857a..513c0b252 100644 --- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java +++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java @@ -34,10 +34,11 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.security.ITransportKeyUnit; -import com.netscape.certsrv.security.WrappingParams; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Cert; +import netscape.security.util.WrappingParams; + /** * A class represents the transport key pair. This key pair * is used to protected EE's private key in transit. diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index ed2423ff1..ee1984bc9 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -2446,8 +2446,7 @@ public class ConfigurationUtils { } public static void createRSAKeyPair(String token, int keysize, IConfigStore config, String ct) - throws NoSuchAlgorithmException, NoSuchTokenException, TokenException, - CryptoManager.NotInitializedException, EPropertyNotFound, EBaseException { + throws Exception { /* generate key pair */ KeyPair pair = null; do { diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java index 6e594f849..97f494211 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java +++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java @@ -33,9 +33,10 @@ import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.dbs.IDBObj; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.KeyState; -import com.netscape.certsrv.security.WrappingParams; import com.netscape.cms.servlet.key.KeyRecordParser; +import netscape.security.util.WrappingParams; + /** * A class represents a Key record. It maintains the key * life cycle as well as other information about an diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index 593d93f46..e3a378ebc 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -48,8 +48,8 @@ import java.util.Vector; import org.apache.commons.lang.StringUtils; import org.mozilla.jss.CryptoManager; -import org.mozilla.jss.NoSuchTokenException; import org.mozilla.jss.CryptoManager.NotInitializedException; +import org.mozilla.jss.NoSuchTokenException; import org.mozilla.jss.SecretDecoderRing.KeyManager; import org.mozilla.jss.asn1.ANY; import org.mozilla.jss.asn1.ASN1Util; @@ -105,7 +105,6 @@ import org.mozilla.jss.ssl.SSLSocket.SSLVersionRange; import org.mozilla.jss.util.Base64OutputStream; import org.mozilla.jss.util.Password; -import com.netscape.cmsutil.crypto.CryptoUtil.SSLVersion; import com.netscape.cmsutil.util.Cert; import com.netscape.cmsutil.util.Utils; @@ -119,6 +118,7 @@ import netscape.security.util.DerInputStream; import netscape.security.util.DerOutputStream; import netscape.security.util.DerValue; import netscape.security.util.ObjectIdentifier; +import netscape.security.util.WrappingParams; import netscape.security.x509.AlgorithmId; import netscape.security.x509.CertificateAlgorithmId; import netscape.security.x509.CertificateChain; @@ -530,19 +530,18 @@ public class CryptoUtil { /** * Generates a RSA key pair. + * @throws Exception */ - public static KeyPair generateRSAKeyPair(String token, int keysize) - throws CryptoManager.NotInitializedException, - NoSuchTokenException, - NoSuchAlgorithmException, - TokenException { - CryptoToken t = getKeyStorageToken(token); - KeyPairGenerator g = t.getKeyPairGenerator(KeyPairAlgorithm.RSA); - - g.initialize(keysize); - KeyPair pair = g.genKeyPair(); + public static KeyPair generateRSAKeyPair(String tokenName, int keysize) + throws Exception { + CryptoToken token = getKeyStorageToken(tokenName); + return generateRSAKeyPair(token, keysize); + } - return pair; + public static KeyPair generateRSAKeyPair(CryptoToken token, int keysize) throws Exception { + KeyPairGenerator kg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA); + kg.initialize(keysize); + return kg.genKeyPair(); } public static boolean isECCKey(X509Key key) { @@ -1919,7 +1918,7 @@ public class CryptoUtil { } /** - * Generates a nonve_iv for padding. + * Generates a nonce_iv for padding. * * @return */ @@ -1982,55 +1981,143 @@ public class CryptoUtil { return wrapUsingPublicKey(token, tcert.getPublicKey(), sk, KeyWrapAlgorithm.RSA); } - public static byte[] createPKIArchiveOptions(CryptoManager manager, CryptoToken token, String transportCert, - SymmetricKey vek, String passphrase, KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV) - throws Exception { - byte[] key_data = null; - - //generate session key - SymmetricKey sk = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false); - - if (passphrase != null) { - key_data = wrapPassphrase(token, passphrase, IV, sk, EncryptionAlgorithm.DES3_CBC_PAD); + /* Used to create PKIArchiveOptions for wrapped private key */ + public static PKIArchiveOptions createPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + PrivateKey data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + return createPKIArchiveOptionsInternal( + token, wrappingKey, null, data, null, params, aid); + } + + public static byte[] createEncodedPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + PrivateKey data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + PKIArchiveOptions opts = createPKIArchiveOptionsInternal( + token, wrappingKey, null, data, null, params, aid); + return encodePKIArchiveOptions(opts); + } + + /* Used to create PKIArchiveOptions for wrapped symmetric key */ + public static PKIArchiveOptions createPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + SymmetricKey data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + return createPKIArchiveOptionsInternal( + token, wrappingKey, null, null, data, params, aid); + } + + public static byte[] createEncodedPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + SymmetricKey data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + PKIArchiveOptions opts = createPKIArchiveOptionsInternal( + token, wrappingKey, null, null, data, params, aid); + return encodePKIArchiveOptions(opts); + } + + /* Used to create PKIArchiveOptions for wrapped passphrase */ + public static PKIArchiveOptions createPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + String data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + return createPKIArchiveOptionsInternal( + token, wrappingKey, data, null, null, params, aid); + } + + public static byte[] createEncodedPKIArchiveOptions( + CryptoToken token, + PublicKey wrappingKey, + String data, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + PKIArchiveOptions opts = createPKIArchiveOptionsInternal( + token, wrappingKey, data, null, null, params, aid); + return encodePKIArchiveOptions(opts); + } + + private static PKIArchiveOptions createPKIArchiveOptionsInternal( + CryptoToken token, + PublicKey wrappingKey, + String passphraseData, + PrivateKey privKeyData, + SymmetricKey symKeyData, + WrappingParams params, + AlgorithmIdentifier aid) throws Exception { + SymmetricKey sessionKey = CryptoUtil.generateKey( + token, + params.getSkKeyGenAlgorithm(), + params.getSkLength(), + null, + false); + + byte[] key_data; + if (passphraseData != null) { + key_data = wrapPassphrase( + token, + passphraseData, + params.getPayloadEncryptionIV(), + sessionKey, + params.getPayloadEncryptionAlgorithm()); + } else if (privKeyData != null) { + key_data = wrapUsingSymmetricKey( + token, + sessionKey, + privKeyData, + params.getPayloadWrappingIV(), + params.getPayloadWrapAlgorithm()); + } else if (symKeyData != null) { + key_data = wrapUsingSymmetricKey( + token, + sessionKey, + symKeyData, + params.getPayloadWrappingIV(), + params.getPayloadWrapAlgorithm()); } else { - // wrap payload using session key - key_data = wrapUsingSymmetricKey(token, sk, vek, IV, KeyWrapAlgorithm.DES3_CBC_PAD); + throw new IOException("No data to package in PKIArchiveOptions!"); } - // wrap session key using transport key - byte[] session_data = wrapSymmetricKey(manager, token, transportCert, sk); - - return createPKIArchiveOptions(IV, session_data, key_data); - } - - public static byte[] createPKIArchiveOptions( - CryptoToken token, PublicKey wrappingKey, PrivateKey toBeWrapped, - KeyGenAlgorithm keyGenAlg, int symKeySize, IVParameterSpec IV) - throws Exception { - SymmetricKey sessionKey = CryptoUtil.generateKey(token, keyGenAlg, symKeySize, null, false); - byte[] key_data = wrapUsingSymmetricKey(token, sessionKey, toBeWrapped, IV, KeyWrapAlgorithm.DES3_CBC_PAD); + byte[] session_data = wrapUsingPublicKey( + token, + wrappingKey, + sessionKey, + params.getSkWrapAlgorithm()); - byte[] session_data = wrapUsingPublicKey(token, wrappingKey, sessionKey, KeyWrapAlgorithm.RSA); - return createPKIArchiveOptions(IV, session_data, key_data); + return createPKIArchiveOptions(session_data, key_data, aid); } - private static byte[] createPKIArchiveOptions( - IVParameterSpec IV, byte[] session_data, byte[] key_data) - throws IOException, InvalidBERException { + public static PKIArchiveOptions createPKIArchiveOptions( + byte[] session_data, byte[] key_data, AlgorithmIdentifier aid) { // create PKIArchiveOptions structure - AlgorithmIdentifier algS = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), - new OCTET_STRING(IV.getIV())); - EncryptedValue encValue = new EncryptedValue(null, algS, new BIT_STRING(session_data, 0), null, null, + EncryptedValue encValue = new EncryptedValue( + null, + aid, + new BIT_STRING(session_data, 0), + null, + null, new BIT_STRING(key_data, 0)); EncryptedKey key = new EncryptedKey(encValue); - PKIArchiveOptions opt = new PKIArchiveOptions(key); + return new PKIArchiveOptions(key); + } + public static byte[] encodePKIArchiveOptions(PKIArchiveOptions opts) throws Exception { byte[] encoded = null; //Let's make sure we can decode the encoded PKIArchiveOptions.. ByteArrayOutputStream oStream = new ByteArrayOutputStream(); - opt.encode(oStream); + opts.encode(oStream); encoded = oStream.toByteArray(); ByteArrayInputStream inStream = new ByteArrayInputStream(encoded); diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java new file mode 100644 index 000000000..e73832638 --- /dev/null +++ b/base/util/src/netscape/security/util/WrappingParams.java @@ -0,0 +1,193 @@ +package netscape.security.util; + +import java.security.NoSuchAlgorithmException; + +import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; +import org.mozilla.jss.crypto.EncryptionAlgorithm; +import org.mozilla.jss.crypto.IVParameterSpec; +import org.mozilla.jss.crypto.KeyGenAlgorithm; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; +import org.mozilla.jss.crypto.SymmetricKey; +import org.mozilla.jss.crypto.SymmetricKey.Type; + +public class WrappingParams { + // session key attributes + SymmetricKey.Type skType; + KeyGenAlgorithm skKeyGenAlgorithm; + int skLength; + + // wrapping algorithm for session key + KeyWrapAlgorithm skWrapAlgorithm; + + // Encryption algorithm for payload + EncryptionAlgorithm payloadEncryptionAlgorithm; + + //wrapping algorithm for payload + KeyWrapAlgorithm payloadWrapAlgorithm; + + // payload encryption IV + IVParameterSpec payloadEncryptionIV; + + // payload wrapping IV + IVParameterSpec payloadWrappingIV; + + public WrappingParams(Type skType, KeyGenAlgorithm skKeyGenAlgorithm, int skLength, + KeyWrapAlgorithm skWrapAlgorithm, EncryptionAlgorithm payloadEncryptionAlgorithm, + KeyWrapAlgorithm payloadWrapAlgorithm, IVParameterSpec payloadEncryptIV, IVParameterSpec payloadWrapIV) { + super(); + this.skType = skType; + this.skKeyGenAlgorithm = skKeyGenAlgorithm; + this.skLength = skLength; + this.skWrapAlgorithm = skWrapAlgorithm; + this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm; + this.payloadWrapAlgorithm = payloadWrapAlgorithm; + this.payloadEncryptionIV = payloadEncryptIV; + this.payloadWrappingIV = payloadWrapIV; + } + + public WrappingParams() {} + + public WrappingParams(String encryptOID, String wrapName, String priKeyAlgo, IVParameterSpec encryptIV, IVParameterSpec wrapIV) + throws NumberFormatException, NoSuchAlgorithmException { + EncryptionAlgorithm encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID)); + + KeyWrapAlgorithm wrap = null; + if (wrapName != null) { + wrap = KeyWrapAlgorithm.fromString(wrapName); + this.payloadWrapAlgorithm = wrap; + } + + switch (encrypt.getAlg().toString()) { + case "AES": + // TODO(alee) - Terrible hack till we figure out why GCM is not working + // or a way to detect the padding. + // We are going to assume AES-128-PAD + encrypt = EncryptionAlgorithm.AES_128_CBC_PAD; + + this.skType = SymmetricKey.AES; + this.skKeyGenAlgorithm = KeyGenAlgorithm.AES; + if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; + break; + case "DESede": + this.skType = SymmetricKey.DES3; + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + this.skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; + if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; + break; + case "DES": + this.skType = SymmetricKey.DES; + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES; + this.skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; + if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.DES_CBC_PAD; + break; + default: + throw new NoSuchAlgorithmException("Invalid algorithm"); + } + + this.skLength = encrypt.getKeyStrength(); + if (priKeyAlgo.equals("EC")) { + this.skWrapAlgorithm = KeyWrapAlgorithm.AES_ECB; + } else { + this.skWrapAlgorithm = KeyWrapAlgorithm.RSA; + } + + this.payloadEncryptionAlgorithm = encrypt; + this.payloadEncryptionIV = encryptIV; + this.payloadWrappingIV = wrapIV; + } + + public SymmetricKey.Type getSkType() { + return skType; + } + + public void setSkType(SymmetricKey.Type skType) { + this.skType = skType; + } + + public void setSkType(String skTypeName) throws NoSuchAlgorithmException { + this.skType = SymmetricKey.Type.fromName(skTypeName); + } + + public KeyGenAlgorithm getSkKeyGenAlgorithm() { + return skKeyGenAlgorithm; + } + + public void setSkKeyGenAlgorithm(KeyGenAlgorithm skKeyGenAlgorithm) { + this.skKeyGenAlgorithm = skKeyGenAlgorithm; + } + + public void setSkKeyGenAlgorithm(String algName) throws NoSuchAlgorithmException { + // JSS mapping is not working. Lets just do something brain-dead to + // handle the cases we expect. + if (algName.equalsIgnoreCase("AES")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.AES; + } else if (algName.equalsIgnoreCase("DES")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES; + } else if (algName.equalsIgnoreCase("DESede")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + } else if (algName.equalsIgnoreCase("DES3")) { + this.skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + } + } + + public int getSkLength() { + return skLength; + } + + public void setSkLength(int skLength) { + this.skLength = skLength; + } + + public KeyWrapAlgorithm getSkWrapAlgorithm() { + return skWrapAlgorithm; + } + + public void setSkWrapAlgorithm(KeyWrapAlgorithm skWrapAlgorithm) { + this.skWrapAlgorithm = skWrapAlgorithm; + } + + public void setSkWrapAlgorithm(String name) throws NoSuchAlgorithmException { + this.skWrapAlgorithm = KeyWrapAlgorithm.fromString(name); + } + + public EncryptionAlgorithm getPayloadEncryptionAlgorithm() { + return payloadEncryptionAlgorithm; + } + + public void setPayloadEncryptionAlgorithm(EncryptionAlgorithm payloadEncryptionAlgorithm) { + this.payloadEncryptionAlgorithm = payloadEncryptionAlgorithm; + } + + public void setPayloadEncryptionAlgorithm(String algName, String modeName, String paddingName, int keyStrength) + throws NoSuchAlgorithmException { + this.payloadEncryptionAlgorithm = EncryptionAlgorithm.lookup(algName, modeName, paddingName, keyStrength); + } + + public KeyWrapAlgorithm getPayloadWrapAlgorithm() { + return payloadWrapAlgorithm; + } + + public void setPayloadWrapAlgorithm(KeyWrapAlgorithm payloadWrapAlgorithm) { + this.payloadWrapAlgorithm = payloadWrapAlgorithm; + } + + public void setPayloadWrapAlgorithm(String name) throws NoSuchAlgorithmException { + this.payloadWrapAlgorithm = KeyWrapAlgorithm.fromString(name); + } + + public IVParameterSpec getPayloadEncryptionIV() { + return payloadEncryptionIV; + } + + public void setPayloadEncryptionIV(IVParameterSpec payloadEncryptionIV) { + this.payloadEncryptionIV = payloadEncryptionIV; + } + + public IVParameterSpec getPayloadWrappingIV() { + return payloadWrappingIV; + } + + public void setPayloadWrappingIV(IVParameterSpec payloadWrappingIV) { + this.payloadWrappingIV = payloadWrappingIV; + } +} -- cgit