diff options
Diffstat (limited to 'pki/base/ca/src/com/netscape/ca/SigningUnit.java')
-rw-r--r-- | pki/base/ca/src/com/netscape/ca/SigningUnit.java | 188 |
1 files changed, 107 insertions, 81 deletions
diff --git a/pki/base/ca/src/com/netscape/ca/SigningUnit.java b/pki/base/ca/src/com/netscape/ca/SigningUnit.java index 6b0dfc64..a0918af8 100644 --- a/pki/base/ca/src/com/netscape/ca/SigningUnit.java +++ b/pki/base/ca/src/com/netscape/ca/SigningUnit.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.ca; - import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; @@ -50,10 +49,9 @@ import com.netscape.certsrv.security.ISigningUnit; import com.netscape.cmscore.security.JssSubsystem; import com.netscape.cmsutil.util.Cert; - /** * CA signing unit based on JSS. - * + * * $Revision$ $Date$ */ @@ -81,8 +79,8 @@ public final class SigningUnit implements ISigningUnit { private ISubsystem mOwner = null; - private String mDefSigningAlgname = null; - private SignatureAlgorithm mDefSigningAlgorithm = null; + private String mDefSigningAlgname = null; + private SignatureAlgorithm mDefSigningAlgorithm = null; public SigningUnit() { } @@ -114,7 +112,7 @@ public final class SigningUnit implements ISigningUnit { public PrivateKey getPrivateKey() { return mPrivk; } - + public void updateConfig(String nickname, String tokenname) { mConfig.putString(PROP_CERT_NICKNAME, nickname); mConfig.putString(PROP_TOKEN_NAME, tokenname); @@ -133,8 +131,8 @@ public final class SigningUnit implements ISigningUnit { } public void init(ISubsystem owner, IConfigStore config) - throws EBaseException { - mOwner = owner; + throws EBaseException { + mOwner = owner; mConfig = config; String tokenname = null; @@ -144,24 +142,25 @@ public final class SigningUnit implements ISigningUnit { mNickname = getNickName(); tokenname = config.getString(PROP_TOKEN_NAME); - if (tokenname.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) || - tokenname.equalsIgnoreCase("Internal Key Storage Token")) { + if (tokenname.equalsIgnoreCase(Constants.PR_INTERNAL_TOKEN) + || tokenname.equalsIgnoreCase("Internal Key Storage Token")) { mToken = mManager.getInternalKeyStorageToken(); - setNewNickName(mNickname); + setNewNickName(mNickname); } else { mToken = mManager.getTokenByName(tokenname); - mNickname = tokenname + ":" + mNickname; - setNewNickName(mNickname); - } + mNickname = tokenname + ":" + mNickname; + setNewNickName(mNickname); + } CMS.debug(config.getName() + " Signing Unit nickname " + mNickname); CMS.debug("Got token " + tokenname + " by name"); - PasswordCallback cb = JssSubsystem.getInstance().getPWCB(); + PasswordCallback cb = JssSubsystem.getInstance().getPWCB(); mToken.login(cb); // ONE_TIME by default. mCert = mManager.findCertByNickname(mNickname); - CMS.debug("Found cert by nickname: '"+mNickname+"' with serial number: "+mCert.getSerialNumber()); + CMS.debug("Found cert by nickname: '" + mNickname + + "' with serial number: " + mCert.getSerialNumber()); mCertImpl = new X509CertImpl(mCert.getEncoded()); CMS.debug("converted to x509CertImpl"); @@ -174,38 +173,52 @@ public final class SigningUnit implements ISigningUnit { // get def alg and check if def sign alg is valid for token. mDefSigningAlgname = config.getString(PROP_DEFAULT_SIGNALG); - mDefSigningAlgorithm = - checkSigningAlgorithmFromName(mDefSigningAlgname); - CMS.debug( - "got signing algorithm " + mDefSigningAlgorithm); + mDefSigningAlgorithm = checkSigningAlgorithmFromName(mDefSigningAlgname); + CMS.debug("got signing algorithm " + mDefSigningAlgorithm); mInited = true; } catch (java.security.cert.CertificateException e) { - CMS.debug("SigningUnit init: debug "+ e.toString()); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CA_CERT", e.getMessage())); - throw new ECAException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString())); + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_SIGNING_CA_CERT", + e.getMessage())); + throw new ECAException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", e.toString())); } catch (CryptoManager.NotInitializedException e) { - CMS.debug("SigningUnit init: debug "+ e.toString()); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_INIT", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED")); + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_INIT", + e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_CRYPTO_NOT_INITIALIZED")); } catch (IncorrectPasswordException e) { - CMS.debug("SigningUnit init: debug "+ e.toString()); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_WRONG_PWD", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_INVALID_PASSWORD")); + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_SIGNING_WRONG_PWD", + e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_INVALID_PASSWORD")); } catch (NoSuchTokenException e) { - CMS.debug("SigningUnit init: debug "+ e.toString()); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", tokenname)); + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_SIGNING_TOKEN_NOT_FOUND", tokenname, + e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_NOT_FOUND", + tokenname)); } catch (ObjectNotFoundException e) { - CMS.debug("SigningUnit init: debug "+ e.toString()); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND")); + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_SIGNING_CERT_NOT_FOUND", + e.toString())); + throw new ECAException( + CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND")); } catch (TokenException e) { - CMS.debug("SigningUnit init: debug "+ e.toString()); - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + CMS.debug("SigningUnit init: debug " + e.toString()); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OPERATION_ERROR", e.toString())); throw new ECAException(CMS.getUserMessage("CMS_CA_TOKEN_ERROR")); - } catch (Exception e){ - CMS.debug("SigningUnit init: debug "+ e.toString()); - } + } catch (Exception e) { + CMS.debug("SigningUnit init: debug " + e.toString()); + } } /** @@ -218,41 +231,47 @@ public final class SigningUnit implements ISigningUnit { * @exception EBaseException if signing algorithm is not supported. */ public SignatureAlgorithm checkSigningAlgorithmFromName(String algname) - throws EBaseException { + throws EBaseException { try { SignatureAlgorithm sigalg = null; sigalg = mapAlgorithmToJss(algname); if (sigalg == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, "")); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, "")); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); } Signature signer = mToken.getSignatureContext(sigalg); signer.initSign(mPrivk); return sigalg; } catch (NoSuchAlgorithmException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, + e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); } catch (TokenException e) { // from get signature context or from initSign - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, + e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); } catch (InvalidKeyException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, e.toString())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED_FOR_KEY", algname)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, + e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED_FOR_KEY", algname)); } } /** * @param algname is expected to be one of JCA's algorithm names. */ - public byte[] sign(byte[] data, String algname) - throws EBaseException { + public byte[] sign(byte[] data, String algname) throws EBaseException { if (!mInited) { throw new EBaseException("CASigningUnit not initialized!"); } @@ -264,11 +283,11 @@ public final class SigningUnit implements ISigningUnit { if (algname != null) { signAlg = checkSigningAlgorithmFromName(algname); } - - // XXX use a pool of signers based on alg ? + + // XXX use a pool of signers based on alg ? // XXX Map algor. name to id. hack: use hardcoded define for now. - CMS.debug( - "Getting algorithm context for " + algname + " " + signAlg); + CMS.debug("Getting algorithm context for " + algname + " " + + signAlg); Signature signer = mToken.getSignatureContext(signAlg); signer.initSign(mPrivk); @@ -277,26 +296,29 @@ public final class SigningUnit implements ISigningUnit { CMS.debug("Signing Certificate"); return signer.sign(); } catch (NoSuchAlgorithmException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OPERATION_ERROR", e.toString())); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); } catch (TokenException e) { // from get signature context or from initSign - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OPERATION_ERROR", e.toString())); // XXX fix this exception later. throw new EBaseException(e.toString()); } catch (InvalidKeyException e) { // XXX fix this exception later. throw new EBaseException(e.toString()); } catch (SignatureException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OPERATION_ERROR", e.toString())); // XXX fix this exception later. throw new EBaseException(e.toString()); } } - + public boolean verify(byte[] data, byte[] signature, String algname) - throws EBaseException { + throws EBaseException { if (!mInited) { throw new EBaseException("CASigningUnit not initialized!"); } @@ -304,9 +326,10 @@ public final class SigningUnit implements ISigningUnit { SignatureAlgorithm signAlg = mapAlgorithmToJss(algname); if (signAlg == null) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, "")); - throw new ECAException( - CMS.getUserMessage("CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); + log(ILogger.LL_FAILURE, CMS.getLogMessage( + "CMSCORE_CA_SIGNING_ALG_NOT_SUPPORTED", algname, "")); + throw new ECAException(CMS.getUserMessage( + "CMS_CA_SIGNING_ALGOR_NOT_SUPPORTED", algname)); } // XXX make this configurable. hack: use hardcoded for now. Signature signer = mToken.getSignatureContext(signAlg); @@ -315,20 +338,24 @@ public final class SigningUnit implements ISigningUnit { signer.update(data); return signer.verify(signature); } catch (NoSuchAlgorithmException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OPERATION_ERROR", e.toString())); // XXX fix this exception later. throw new EBaseException(e.toString()); } catch (TokenException e) { // from get signature context or from initSign - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OPERATION_ERROR", e.toString())); // XXX fix this exception later. throw new EBaseException(e.toString()); } catch (InvalidKeyException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OPERATION_ERROR", e.toString())); // XXX fix this exception later. throw new EBaseException(e.toString()); } catch (SignatureException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("OPERATION_ERROR", e.toString())); // XXX fix this exception later. throw new EBaseException(e.toString()); } @@ -337,8 +364,8 @@ public final class SigningUnit implements ISigningUnit { private void log(int level, String msg) { if (mLogger == null) return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, - level, "CASigningUnit: " + msg); + mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_CA, level, + "CASigningUnit: " + msg); } /** @@ -356,15 +383,14 @@ public final class SigningUnit implements ISigningUnit { } public void setDefaultAlgorithm(String algorithm) throws EBaseException { - mConfig.putString(PROP_DEFAULT_SIGNALG, algorithm); + mConfig.putString(PROP_DEFAULT_SIGNALG, algorithm); mDefSigningAlgname = algorithm; - log(ILogger.LL_INFO, - "Default signing algorithm is set to " + algorithm); + log(ILogger.LL_INFO, "Default signing algorithm is set to " + algorithm); } /** * get all possible algorithms for the CA signing key type. - */ + */ public String[] getAllAlgorithms() throws EBaseException { byte[] keybytes = mPubk.getEncoded(); X509Key key = new X509Key(); @@ -375,7 +401,8 @@ public final class SigningUnit implements ISigningUnit { String msg = "Invalid encoding in CA signing key."; log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", msg)); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", msg)); + throw new EBaseException(CMS.getUserMessage( + "CMS_BASE_INTERNAL_ERROR", msg)); } if (key.getAlgorithmId().getOID().equals(AlgorithmId.DSA_oid)) { @@ -389,4 +416,3 @@ public final class SigningUnit implements ISigningUnit { return Cert.mapAlgorithmToJss(algname); } } - |