Diffstat (limited to 'pki/base/kra/src/com/netscape/kra/EnrollmentService.java')
-rw-r--r--pki/base/kra/src/com/netscape/kra/EnrollmentService.java614
1 files changed, 305 insertions, 309 deletions
diff --git a/pki/base/kra/src/com/netscape/kra/EnrollmentService.java b/pki/base/kra/src/com/netscape/kra/EnrollmentService.java
index 397793bf..84307d0b 100644
--- a/pki/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/pki/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
@@ -76,21 +75,17 @@ import com.netscape.cmscore.crmf.CRMFParser;
import com.netscape.cmscore.crmf.PKIArchiveOptionsContainer;
import com.netscape.cmscore.dbs.KeyRecord;
-
/**
- * A class represents archival request processor. It
- * passes the request to the policy processor, and
- * process the request according to the policy decision.
+ * A class represents archival request processor. It passes the request to the
+ * policy processor, and process the request according to the policy decision.
* <P>
- * If policy returns ACCEPTED, the request will be
- * processed immediately.
+ * If policy returns ACCEPTED, the request will be processed immediately.
* <P>
- * Upon processing, the incoming user key is unwrapped
- * with the transport key of KRA, and then wrapped
- * with the storage key. The encrypted key is stored
- * in the internal database for long term storage.
+ * Upon processing, the incoming user key is unwrapped with the transport key of
+ * KRA, and then wrapped with the storage key. The encrypted key is stored in
+ * the internal database for long term storage.
* <P>
- *
+ *
* @author thomask (original)
* @author cfu (non-RSA keys; private keys secure handling);
* @version $Revision$, $Date$
@@ -100,27 +95,20 @@ public class EnrollmentService implements IService {
// constants
public static final String CRMF_REQUEST = "CRMFRequest";
public final static String ATTR_KEY_RECORD = "keyRecord";
- public final static String ATTR_PROOF_OF_ARCHIVAL =
- "proofOfArchival";
+ public final static String ATTR_PROOF_OF_ARCHIVAL = "proofOfArchival";
- // private
+ // private
private IKeyRecoveryAuthority mKRA = null;
private ITransportKeyUnit mTransportUnit = null;
private IStorageKeyUnit mStorageUnit = null;
private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
-
private final static byte EOL[] = { Character.LINE_SEPARATOR };
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
- private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
+
/**
* Constructs request processor.
* <P>
@@ -138,28 +126,27 @@ public class EnrollmentService implements IService {
PKIArchiveOptions archOpts = null;
try {
- archOpts = (PKIArchiveOptions)
- (new PKIArchiveOptions.Template()).decode(bis);
+ archOpts = (PKIArchiveOptions) (new PKIArchiveOptions.Template())
+ .decode(bis);
} catch (Exception e) {
CMS.debug("EnrollProfile: getPKIArchiveOptions " + e.toString());
}
return archOpts;
}
-
+
/**
* Services an enrollment/archival request.
* <P>
- *
+ *
* @param request enrollment request
* @return serving successful or not
* @exception EBaseException failed to serve
*/
- public boolean serviceRequest(IRequest request)
- throws EBaseException {
+ public boolean serviceRequest(IRequest request) throws EBaseException {
- IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
+ IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
if (statsSub != null) {
- statsSub.startTiming("archival", true /* main action */);
+ statsSub.startTiming("archival", true /* main action */);
}
String auditMessage = null;
@@ -177,7 +164,8 @@ public class EnrollmentService implements IService {
SessionContext sContext = SessionContext.getContext();
String agentId = (String) sContext.get(SessionContext.USER_ID);
- AuthToken authToken = (AuthToken) sContext.get(SessionContext.AUTH_TOKEN);
+ AuthToken authToken = (AuthToken) sContext
+ .get(SessionContext.AUTH_TOKEN);
mKRA.log(ILogger.LL_INFO, "KRA services enrollment request");
// unwrap user key with transport
@@ -188,15 +176,14 @@ public class EnrollmentService implements IService {
if (profileId == null || profileId.equals("")) {
try {
- aOpts = CRMFParser.getPKIArchiveOptions(
- request.getExtDataInString(IRequest.HTTP_PARAMS, CRMF_REQUEST));
+ aOpts = CRMFParser
+ .getPKIArchiveOptions(request.getExtDataInString(
+ IRequest.HTTP_PARAMS, CRMF_REQUEST));
} catch (IOException e) {
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
+ auditSubjectID, ILogger.FAILURE, auditRequesterID,
auditArchiveID);
audit(auditMessage);
@@ -205,44 +192,39 @@ public class EnrollmentService implements IService {
}
} else {
// profile-based request
- PKIArchiveOptions options = (PKIArchiveOptions)
- toPKIArchiveOptions(
- request.getExtDataInByteArray(IEnrollProfile.REQUEST_ARCHIVE_OPTIONS));
+ PKIArchiveOptions options = (PKIArchiveOptions) toPKIArchiveOptions(request
+ .getExtDataInByteArray(IEnrollProfile.REQUEST_ARCHIVE_OPTIONS));
aOpts = new PKIArchiveOptionsContainer[1];
- aOpts[0] = new PKIArchiveOptionsContainer(options,
- 0/* not matter */);
+ aOpts[0] = new PKIArchiveOptionsContainer(options, 0/* not matter */);
request.setExtData("dbStatus", "NOT_UPDATED");
- }
+ }
for (int i = 0; i < aOpts.length; i++) {
ArchiveOptions opts = new ArchiveOptions(aOpts[i].mAO);
if (statsSub != null) {
- statsSub.startTiming("decrypt_user_key");
+ statsSub.startTiming("decrypt_user_key");
}
mKRA.log(ILogger.LL_INFO, "KRA decrypts external private");
if (CMS.debugOn())
- CMS.debug("EnrollmentService::about to decryptExternalPrivate");
+ CMS.debug("EnrollmentService::about to decryptExternalPrivate");
unwrapped = mTransportUnit.decryptExternalPrivate(
- opts.getEncSymmKey(),
- opts.getSymmAlgOID(),
- opts.getSymmAlgParams(),
- opts.getEncValue());
+ opts.getEncSymmKey(), opts.getSymmAlgOID(),
+ opts.getSymmAlgParams(), opts.getEncValue());
if (statsSub != null) {
- statsSub.endTiming("decrypt_user_key");
+ statsSub.endTiming("decrypt_user_key");
}
if (CMS.debugOn())
- CMS.debug("EnrollmentService::finished decryptExternalPrivate");
+ CMS.debug("EnrollmentService::finished decryptExternalPrivate");
if (unwrapped == null) {
- mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
+ auditSubjectID, ILogger.FAILURE, auditRequesterID,
auditArchiveID);
audit(auditMessage);
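Review bot: In the profile-based branch, `options` from `toPKIArchiveOptions(...)` is wrapped in a `PKIArchiveOptionsContainer` without a null check, yet the earlier hunk shows that method catching every `Exception` from the decode and returning null. A malformed archive-options blob therefore appears to reach `new ArchiveOptions(aOpts[i].mAO)` as null and fail there without the signed-audit FAILURE record that the CRMF branch writes on `IOException`; how `ArchiveOptions` handles a null argument is outside this hunk. I would add `if (options == null) { ... }` right after the call, emitting the same `LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST` failure message and throwing `EKRAException`, so rejected archival attempts stay visible in the audit trail. serviceRequest starts and ends outside this hunk.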
@@ -255,15 +237,12 @@ public class EnrollmentService implements IService {
byte publicKeyData[] = publicKey.getEncoded();
if (publicKeyData == null) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
-
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
+ auditSubjectID, ILogger.FAILURE, auditRequesterID,
auditArchiveID);
audit(auditMessage);
@@ -271,21 +250,21 @@ public class EnrollmentService implements IService {
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
}
- /* Bugscape #54948 - verify public and private key before archiving key */
+ /*
+ * Bugscape #54948 - verify public and private key before archiving
+ * key
+ */
if (statsSub != null) {
- statsSub.startTiming("verify_key");
+ statsSub.startTiming("verify_key");
}
if (verifyKeyPair(publicKeyData, unwrapped) == false) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
-
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
+ auditSubjectID, ILogger.FAILURE, auditRequesterID,
auditArchiveID);
audit(auditMessage);
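Review bot: The `verifyKeyPair(...) == false` branch logs `CMSCORE_KRA_PUBLIC_NOT_FOUND`, the same message id the preceding hunk uses when `publicKeyData == null`, so a public/private key mismatch cannot be told apart from a missing public key in the KRA log. Both cases also write an identical signed-audit FAILURE record. A distinct id for the mismatch case, e.g. `CMS.getLogMessage("<KEY_PAIR_MISMATCH_MESSAGE_ID>")` (placeholder; the real id has to be defined in the message bundle), would let responders separate the two failure modes. The enclosing method continues outside this hunk.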
@@ -293,53 +272,52 @@ public class EnrollmentService implements IService {
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
}
if (statsSub != null) {
- statsSub.endTiming("verify_key");
+ statsSub.endTiming("verify_key");
}
/**
- mTransportKeyUnit.verify(pKey, unwrapped);
+ * mTransportKeyUnit.verify(pKey, unwrapped);
**/
// retrieve owner name
String owner = getOwnerName(request, aOpts[i].mReqPos);
if (owner == null) {
- mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND"));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND"));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
+ auditSubjectID, ILogger.FAILURE, auditRequesterID,
auditArchiveID);
audit(auditMessage);
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
}
//
// privateKeyData ::= SEQUENCE {
- // sessionKey OCTET_STRING,
- // encKey OCTET_STRING,
- // }
+ // sessionKey OCTET_STRING,
+ // encKey OCTET_STRING,
+ // }
//
mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
if (statsSub != null) {
- statsSub.startTiming("encrypt_user_key");
+ statsSub.startTiming("encrypt_user_key");
}
- byte privateKeyData[] = mStorageUnit.encryptInternalPrivate(
- unwrapped);
+ byte privateKeyData[] = mStorageUnit
+ .encryptInternalPrivate(unwrapped);
if (statsSub != null) {
- statsSub.endTiming("encrypt_user_key");
+ statsSub.endTiming("encrypt_user_key");
}
if (privateKeyData == null) {
- mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
+ auditSubjectID, ILogger.FAILURE, auditRequesterID,
auditArchiveID);
audit(auditMessage);
@@ -348,9 +326,9 @@ public class EnrollmentService implements IService {
}
// create key record
- KeyRecord rec = new KeyRecord(null, publicKeyData,
- privateKeyData, owner,
- publicKey.getAlgorithmId().getOID().toString(), agentId);
+ KeyRecord rec = new KeyRecord(null, publicKeyData, privateKeyData,
+ owner, publicKey.getAlgorithmId().getOID().toString(),
+ agentId);
// we deal with RSA key only
try {
@@ -361,49 +339,44 @@ public class EnrollmentService implements IService {
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
+ auditSubjectID, ILogger.FAILURE, auditRequesterID,
auditArchiveID);
audit(auditMessage);
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
}
-
// if record alreay has a serial number, yell out.
if (rec.getSerialNumber() != null) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER",
- rec.getSerialNumber().toString()));
-
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage(
+ "CMSCORE_KRA_INVALID_SERIAL_NUMBER", rec
+ .getSerialNumber().toString()));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
+ auditSubjectID, ILogger.FAILURE, auditRequesterID,
auditArchiveID);
audit(auditMessage);
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
IKeyRepository storage = mKRA.getKeyRepository();
BigInteger serialNo = storage.getNextSerialNumber();
if (serialNo == null) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.FAILURE,
- auditRequesterID,
+ auditSubjectID, ILogger.FAILURE, auditRequesterID,
auditArchiveID);
audit(auditMessage);
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
if (i == 0) {
rec.set(KeyRecord.ATTR_ID, serialNo);
@@ -415,67 +388,57 @@ public class EnrollmentService implements IService {
mKRA.log(ILogger.LL_INFO, "KRA adding key record " + serialNo);
if (statsSub != null) {
- statsSub.startTiming("store_key");
+ statsSub.startTiming("store_key");
}
storage.addKeyRecord(rec);
if (statsSub != null) {
- statsSub.endTiming("store_key");
+ statsSub.endTiming("store_key");
}
-
+
if (CMS.debugOn())
- CMS.debug("EnrollmentService: key record 0x" + serialNo.toString(16)
- + " (" + owner + ") archived");
+ CMS.debug("EnrollmentService: key record 0x"
+ + serialNo.toString(16) + " (" + owner + ") archived");
- mKRA.log(ILogger.LL_INFO, "key record 0x" +
- serialNo.toString(16)
- + " (" + owner + ") archived");
+ mKRA.log(ILogger.LL_INFO, "key record 0x" + serialNo.toString(16)
+ + " (" + owner + ") archived");
// for audit log
String authMgr = AuditFormat.NOAUTH;
-
+
if (authToken != null) {
- authMgr =
- authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ authMgr = authToken
+ .getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
}
- CMS.getLogger().log(ILogger.EV_AUDIT,
- ILogger.S_KRA,
- AuditFormat.LEVEL,
- AuditFormat.FORMAT,
- new Object[] {
- IRequest.KEYARCHIVAL_REQUEST,
- request.getRequestId(),
- AuditFormat.FROMAGENT + " agentID: " + agentId,
- authMgr,
- "completed",
- owner,
- "serial number: 0x" + serialNo.toString(16)}
- );
-
-
+ CMS.getLogger().log(
+ ILogger.EV_AUDIT,
+ ILogger.S_KRA,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] { IRequest.KEYARCHIVAL_REQUEST,
+ request.getRequestId(),
+ AuditFormat.FROMAGENT + " agentID: " + agentId,
+ authMgr, "completed", owner,
+ "serial number: 0x" + serialNo.toString(16) });
+
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- auditSubjectID,
- ILogger.SUCCESS,
- auditRequesterID,
- auditArchiveID);
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ auditSubjectID, ILogger.SUCCESS, auditRequesterID,
+ auditArchiveID);
audit(auditMessage);
// store a message in the signed audit log file
auditPublicKey = auditPublicKey(rec);
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.SUCCESS,
- auditPublicKey);
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+ auditSubjectID, ILogger.SUCCESS, auditPublicKey);
audit(auditMessage);
// Xxx - should sign this proof of archival
- ProofOfArchival mProof = new ProofOfArchival(serialNo,
- owner, mKRA.getX500Name().toString(),
- rec.getCreateTime());
+ ProofOfArchival mProof = new ProofOfArchival(serialNo, owner, mKRA
+ .getX500Name().toString(), rec.getCreateTime());
DerOutputStream mProofOut = new DerOutputStream();
mProof.encode(mProofOut);
@@ -486,16 +449,16 @@ public class EnrollmentService implements IService {
request.setExtData(ATTR_PROOF_OF_ARCHIVAL + i,
mProofOut.toByteArray());
}
-
+
} // for
/*
- request.delete(IEnrollProfile.REQUEST_SUBJECT_NAME);
- request.delete(IEnrollProfile.REQUEST_EXTENSIONS);
- request.delete(IEnrollProfile.REQUEST_VALIDITY);
- request.delete(IEnrollProfile.REQUEST_KEY);
- request.delete(IEnrollProfile.REQUEST_SIGNING_ALGORITHM);
- request.delete(IEnrollProfile.REQUEST_LOCALE);
+ * request.delete(IEnrollProfile.REQUEST_SUBJECT_NAME);
+ * request.delete(IEnrollProfile.REQUEST_EXTENSIONS);
+ * request.delete(IEnrollProfile.REQUEST_VALIDITY);
+ * request.delete(IEnrollProfile.REQUEST_KEY);
+ * request.delete(IEnrollProfile.REQUEST_SIGNING_ALGORITHM);
+ * request.delete(IEnrollProfile.REQUEST_LOCALE);
*/
request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
@@ -505,92 +468,94 @@ public class EnrollmentService implements IService {
mKRA.getRequestQueue().updateRequest(request);
if (statsSub != null) {
- statsSub.endTiming("archival");
+ statsSub.endTiming("archival");
}
-
+
return true;
}
- public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[])
- {
- try {
- DerValue publicKeyVal = new DerValue(publicKeyData);
- DerInputStream publicKeyIn = publicKeyVal.data;
- publicKeyIn.getSequence(0);
- DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
- DerInputStream publicKeyDerIn = publicKeyDer.data;
- BigInt publicKeyModulus = publicKeyDerIn.getInteger();
- BigInt publicKeyExponent = publicKeyDerIn.getInteger();
-
- DerValue privateKeyVal = new DerValue(privateKeyData);
- if (privateKeyVal.tag != DerValue.tag_Sequence)
- return false;
- DerInputStream privateKeyIn = privateKeyVal.data;
- privateKeyIn.getInteger();
- privateKeyIn.getSequence(0);
- DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
- DerInputStream privateKeyDerIn = privateKeyDer.data;
- BigInt privateKeyVersion = privateKeyDerIn.getInteger();
- BigInt privateKeyModulus = privateKeyDerIn.getInteger();
- BigInt privateKeyExponent = privateKeyDerIn.getInteger();
-
- if (!publicKeyModulus.equals(privateKeyModulus)) {
- CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus);
- return false;
- }
-
- if (!publicKeyExponent.equals(privateKeyExponent)) {
- CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent);
- return false;
- }
-
- return true;
- } catch (Exception e) {
- CMS.debug("verifyKeyPair error " + e);
- return false;
- }
+ public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) {
+ try {
+ DerValue publicKeyVal = new DerValue(publicKeyData);
+ DerInputStream publicKeyIn = publicKeyVal.data;
+ publicKeyIn.getSequence(0);
+ DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
+ DerInputStream publicKeyDerIn = publicKeyDer.data;
+ BigInt publicKeyModulus = publicKeyDerIn.getInteger();
+ BigInt publicKeyExponent = publicKeyDerIn.getInteger();
+
+ DerValue privateKeyVal = new DerValue(privateKeyData);
+ if (privateKeyVal.tag != DerValue.tag_Sequence)
+ return false;
+ DerInputStream privateKeyIn = privateKeyVal.data;
+ privateKeyIn.getInteger();
+ privateKeyIn.getSequence(0);
+ DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
+ DerInputStream privateKeyDerIn = privateKeyDer.data;
+ BigInt privateKeyVersion = privateKeyDerIn.getInteger();
+ BigInt privateKeyModulus = privateKeyDerIn.getInteger();
+ BigInt privateKeyExponent = privateKeyDerIn.getInteger();
+
+ if (!publicKeyModulus.equals(privateKeyModulus)) {
+ CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus="
+ + publicKeyModulus + " privateKeyModulus="
+ + privateKeyModulus);
+ return false;
+ }
+
+ if (!publicKeyExponent.equals(privateKeyExponent)) {
+ CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent="
+ + publicKeyExponent + " privateKeyExponent="
+ + privateKeyExponent);
+ return false;
+ }
+
+ return true;
+ } catch (Exception e) {
+ CMS.debug("verifyKeyPair error " + e);
+ return false;
+ }
}
- private static final OBJECT_IDENTIFIER PKIARCHIVEOPTIONS_OID =
- new OBJECT_IDENTIFIER(new long[] {1, 3, 6, 1, 5, 5, 7, 5, 1, 4}
- );
+ private static final OBJECT_IDENTIFIER PKIARCHIVEOPTIONS_OID = new OBJECT_IDENTIFIER(
+ new long[] { 1, 3, 6, 1, 5, 5, 7, 5, 1, 4 });
/**
* Retrieves PKIArchiveOptions from CRMF request.
- *
+ *
* @param crmfBlob CRMF request
* @return PKIArchiveOptions
* @exception EBaseException failed to extrace option
*/
- public static PKIArchiveOptionsContainer[] getPKIArchiveOptions(String crmfBlob)
- throws EBaseException {
+ public static PKIArchiveOptionsContainer[] getPKIArchiveOptions(
+ String crmfBlob) throws EBaseException {
Vector options = new Vector();
if (CMS.debugOn())
- CMS.debug("EnrollmentService::getPKIArchiveOptions> crmfBlob=" + crmfBlob);
+ CMS.debug("EnrollmentService::getPKIArchiveOptions> crmfBlob="
+ + crmfBlob);
byte[] crmfBerBlob = null;
crmfBerBlob = com.netscape.osutil.OSUtil.AtoB(crmfBlob);
- ByteArrayInputStream crmfBerBlobIn = new
- ByteArrayInputStream(crmfBerBlob);
+ ByteArrayInputStream crmfBerBlobIn = new ByteArrayInputStream(
+ crmfBerBlob);
SEQUENCE crmfmsgs = null;
try {
- crmfmsgs = (SEQUENCE) new
- SEQUENCE.OF_Template(new
- CertReqMsg.Template()).decode(
- crmfBerBlobIn);
+ crmfmsgs = (SEQUENCE) new SEQUENCE.OF_Template(
+ new CertReqMsg.Template()).decode(crmfBerBlobIn);
} catch (IOException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString()));
} catch (InvalidBERException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString()));
}
for (int z = 0; z < crmfmsgs.size(); z++) {
- CertReqMsg certReqMsg = (CertReqMsg)
- crmfmsgs.elementAt(z);
- CertRequest certReq = certReqMsg.getCertReq();
-
+ CertReqMsg certReqMsg = (CertReqMsg) crmfmsgs.elementAt(z);
+ CertRequest certReq = certReqMsg.getCertReq();
+
// try to locate PKIArchiveOption control
AVA archAva = null;
@@ -605,29 +570,38 @@ public class EnrollmentService implements IService {
}
}
} catch (Exception e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "no PKIArchiveOptions found " + e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE",
+ "no PKIArchiveOptions found " + e.toString()));
}
if (archAva != null) {
ASN1Value archVal = archAva.getValue();
- ByteArrayInputStream bis = new ByteArrayInputStream(ASN1Util.encode(archVal));
+ ByteArrayInputStream bis = new ByteArrayInputStream(
+ ASN1Util.encode(archVal));
PKIArchiveOptions archOpts = null;
try {
- archOpts = (PKIArchiveOptions)
- (new PKIArchiveOptions.Template()).decode(bis);
+ archOpts = (PKIArchiveOptions) (new PKIArchiveOptions.Template())
+ .decode(bis);
} catch (IOException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]"
+ + e.toString()));
} catch (InvalidBERException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]"
+ + e.toString()));
}
options.addElement(new PKIArchiveOptionsContainer(archOpts, z));
}
}
if (options.size() == 0) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "PKIArchiveOptions found"));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE", "PKIArchiveOptions found"));
} else {
- PKIArchiveOptionsContainer p[] = new PKIArchiveOptionsContainer[options.size()];
+ PKIArchiveOptionsContainer p[] = new PKIArchiveOptionsContainer[options
+ .size()];
options.copyInto(p);
return p;
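Review bot: `verifyKeyPair` only checks that the modulus and one exponent parsed from the private-key blob equal those in the public key; nothing in the visible body exercises the private exponent, so a blob with the right public values but unusable private components would presumably still be archived as verified. The value named `privateKeyExponent` is the third INTEGER of the inner structure, which in a PKCS#1 RSAPrivateKey layout is the public exponent, and `privateKeyVersion` is never read. At minimum I would document the limit with `// compares n and e only; does not prove the private exponent matches the public key` and rename the local to `privateKeyPublicExponent`. Separately, `CMS.debug("EnrollmentService::getPKIArchiveOptions> crmfBlob=" + crmfBlob)` writes the whole request, including the wrapped private key, to the debug log; logging its length instead would keep key material out of log files.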
@@ -636,7 +610,7 @@ public class EnrollmentService implements IService {
/**
* Retrieves public key from request.
- *
+ *
* @param request CRMF request
* @return JSS public key
* @exception EBaseException failed to retrieve public key
@@ -645,7 +619,8 @@ public class EnrollmentService implements IService {
String profileId = request.getExtDataInString("profileId");
if (profileId != null && !profileId.equals("")) {
- byte[] certKeyData = request.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY);
+ byte[] certKeyData = request
+ .getExtDataInByteArray(IEnrollProfile.REQUEST_KEY);
if (certKeyData != null) {
try {
CertificateX509Key x509key = new CertificateX509Key(
@@ -653,78 +628,95 @@ public class EnrollmentService implements IService {
return (X509Key) x509key.get(CertificateX509Key.KEY);
} catch (Exception e1) {
- CMS.debug("EnrollService: (Archival) getPublicKey " +
- e1.toString());
+ CMS.debug("EnrollService: (Archival) getPublicKey "
+ + e1.toString());
}
}
return null;
}
// retrieve x509 Key from request
- X509CertInfo certInfo[] =
- request.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ X509CertInfo certInfo[] = request
+ .getExtDataInCertInfoArray(IRequest.CERT_INFO);
CertificateX509Key pX509Key = null;
try {
- pX509Key = (CertificateX509Key)
- certInfo[i].get(X509CertInfo.KEY);
+ pX509Key = (CertificateX509Key) certInfo[i].get(X509CertInfo.KEY);
} catch (IOException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + e.toString()));
+ mKRA.log(
+ ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY",
+ e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]"
+ + e.toString()));
} catch (CertificateException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + e.toString()));
+ mKRA.log(
+ ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY",
+ e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]"
+ + e.toString()));
}
X509Key pKey = null;
try {
- pKey = (X509Key) pX509Key.get(
- CertificateX509Key.KEY);
+ pKey = (X509Key) pX509Key.get(CertificateX509Key.KEY);
} catch (IOException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + CertificateX509Key.KEY + "]" + e.toString()));
+ mKRA.log(
+ ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY",
+ e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE", "[" + CertificateX509Key.KEY
+ + "]" + e.toString()));
}
return pKey;
}
/**
* Retrieves key's owner name from request.
- *
+ *
* @param request CRMF request
* @return owner name (subject name)
* @exception EBaseException failed to retrieve public key
*/
- private String getOwnerName(IRequest request, int i)
- throws EBaseException {
+ private String getOwnerName(IRequest request, int i) throws EBaseException {
String profileId = request.getExtDataInString("profileId");
if (profileId != null && !profileId.equals("")) {
- CertificateSubjectName sub = request.getExtDataInCertSubjectName(
- IEnrollProfile.REQUEST_SUBJECT_NAME);
+ CertificateSubjectName sub = request
+ .getExtDataInCertSubjectName(IEnrollProfile.REQUEST_SUBJECT_NAME);
if (sub != null) {
return sub.toString();
}
}
- X509CertInfo certInfo[] =
- request.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ X509CertInfo certInfo[] = request
+ .getExtDataInCertInfoArray(IRequest.CERT_INFO);
CertificateSubjectName pSub = null;
try {
- pSub = (CertificateSubjectName)
- certInfo[0].get(X509CertInfo.SUBJECT);
+ pSub = (CertificateSubjectName) certInfo[0]
+ .get(X509CertInfo.SUBJECT);
} catch (IOException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString()));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + "]" + e.toString()));
+ mKRA.log(
+ ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME",
+ e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT
+ + "]" + e.toString()));
} catch (CertificateException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString()));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + "]" + e.toString()));
+ mKRA.log(
+ ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME",
+ e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT
+ + "]" + e.toString()));
}
String owner = pSub.toString();
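Review bot: `getOwnerName` takes the request position `i` but reads `certInfo[0].get(X509CertInfo.SUBJECT)`, while `getPublicKey` above indexes `certInfo[i]`; for a request carrying several entries the key record's owner would presumably always be the first subject. If that is intended it deserves a comment, otherwise use `pSub = (CertificateSubjectName) certInfo[i].get(X509CertInfo.SUBJECT);`. Neither method checks `certInfo` for null or `i` for range before indexing, and the Javadoc of `getOwnerName` documents only `request` and repeats "failed to retrieve public key" for its exception. getPublicKey starts before this hunk and getOwnerName ends after it.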
@@ -733,11 +725,11 @@ public class EnrollmentService implements IService {
/**
* Signed Audit Log Public Key
- *
+ *
* This method is called to obtain the public key from the passed in
* "KeyRecord" for a signed audit log message.
* <P>
- *
+ *
* @param rec a Key Record
* @return key string containing the certificate's public key
*/
@@ -770,29 +762,30 @@ public class EnrollmentService implements IService {
// extract all line separators from the "base64Data"
StringTokenizer st = new StringTokenizer(base64Data, "\r\n");
while (st.hasMoreTokens()) {
- key += st.nextToken();
+ key += st.nextToken();
}
}
key = key.trim();
- if (key.equals("")) {
- return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
- } else {
- return key;
- }
+ if (key.equals("")) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ } else {
+ return key;
+ }
}
+
/**
* Signed Audit Log Subject ID
- *
- * This method is called to obtain the "SubjectID" for
- * a signed audit log message.
+ *
+ * This method is called to obtain the "SubjectID" for a signed audit log
+ * message.
* <P>
- *
+ *
* @return id string containing the signed audit log message SubjectID
*/
- private String auditSubjectID() {
+ private String auditSubjectID() {
// if no signed audit object exists, bail
if (mSignedAuditLogger == null) {
return null;
@@ -804,8 +797,7 @@ public class EnrollmentService implements IService {
SessionContext auditContext = SessionContext.getExistingContext();
if (auditContext != null) {
- subjectID = (String)
- auditContext.get(SessionContext.USER_ID);
+ subjectID = (String) auditContext.get(SessionContext.USER_ID);
if (subjectID != null) {
subjectID = subjectID.trim();
@@ -818,13 +810,14 @@ public class EnrollmentService implements IService {
return subjectID;
}
+
/**
* Signed Audit Log Requester ID
- *
- * This method is called to obtain the "RequesterID" for
- * a signed audit log message.
+ *
+ * This method is called to obtain the "RequesterID" for a signed audit log
+ * message.
* <P>
- *
+ *
* @return id string containing the signed audit log message RequesterID
*/
private String auditRequesterID() {
@@ -839,8 +832,8 @@ public class EnrollmentService implements IService {
SessionContext auditContext = SessionContext.getExistingContext();
if (auditContext != null) {
- requesterID = (String)
- auditContext.get(SessionContext.REQUESTER_ID);
+ requesterID = (String) auditContext
+ .get(SessionContext.REQUESTER_ID);
if (requesterID != null) {
requesterID = requesterID.trim();
@@ -856,11 +849,11 @@ public class EnrollmentService implements IService {
/**
* Signed Audit Log Recovery ID
- *
- * This method is called to obtain the "RecoveryID" for
- * a signed audit log message.
+ *
+ * This method is called to obtain the "RecoveryID" for a signed audit log
+ * message.
* <P>
- *
+ *
* @return id string containing the signed audit log message RecoveryID
*/
private String auditRecoveryID() {
@@ -875,8 +868,7 @@ public class EnrollmentService implements IService {
SessionContext auditContext = SessionContext.getExistingContext();
if (auditContext != null) {
- recoveryID = (String)
- auditContext.get(SessionContext.RECOVERY_ID);
+ recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID);
if (recoveryID != null) {
recoveryID = recoveryID.trim();
@@ -890,13 +882,12 @@ public class EnrollmentService implements IService {
return recoveryID;
}
-
/**
* Signed Audit Log
- *
+ *
* This method is called to store messages to the signed audit log.
* <P>
- *
+ *
* @param msg signed audit log message
*/
private void audit(String msg) {
@@ -907,15 +898,11 @@ public class EnrollmentService implements IService {
return;
}
- mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
- null,
- ILogger.S_SIGNED_AUDIT,
- ILogger.LL_SECURITY,
- msg);
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, null,
+ ILogger.S_SIGNED_AUDIT, ILogger.LL_SECURITY, msg);
}
}
-
/**
* Parsed and Flattened structure of PKIArchiveOptions.
*/
@@ -924,6 +911,7 @@ class ArchiveOptions {
private byte mSymmAlgParams[] = null;
private byte mEncSymmKey[] = null;
private byte mEncValue[] = null;
+
public ArchiveOptions(PKIArchiveOptions opts) throws EBaseException {
try {
EncryptedKey key = opts.getEncryptedKey();
@@ -938,21 +926,24 @@ class ArchiveOptions {
enveloped_val = key.getEnvelopedData();
byte[] env_b = enveloped_val.getEncoded();
EnvelopedData.Template env_template = new EnvelopedData.Template();
- EnvelopedData env_data =
- (EnvelopedData) env_template.decode(new ByteArrayInputStream(env_b));
+ EnvelopedData env_data = (EnvelopedData) env_template
+ .decode(new ByteArrayInputStream(env_b));
EncryptedContentInfo eCI = env_data.getEncryptedContentInfo();
symmAlg = eCI.getContentEncryptionAlgorithm();
mSymmAlgOID = symmAlg.getOID().toString();
- mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters()).decodeWith(OCTET_STRING.getTemplate())).toByteArray();
+ mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters())
+ .decodeWith(OCTET_STRING.getTemplate())).toByteArray();
SET recipients = env_data.getRecipientInfos();
if (recipients.size() <= 0) {
- CMS.debug("EnrollService: ArchiveOptions() - missing recipient information ");
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions] missing recipient information "));
+ CMS.debug("EnrollService: ArchiveOptions() - missing recipient information ");
+ throw new EBaseException(
+ CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE",
+ "[PKIArchiveOptions] missing recipient information "));
}
- //check recpient - later
- //we only handle one recipient here anyways. so, either the key
- //can be decrypted or it can't. No risk here.
+ // check recpient - later
+ // we only handle one recipient here anyways. so, either the key
+ // can be decrypted or it can't. No risk here.
RecipientInfo ri = (RecipientInfo) recipients.elementAt(0);
OCTET_STRING key_o = ri.getEncryptedKey();
mEncSymmKey = key_o.toByteArray();
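Review bot: The reflowed comment above `recipients.elementAt(0)` still reads `check recpient - later` and asserts "No risk here", so the deferred recipient check stays undocumented. Since these comment lines are rewritten anyway, I would fix the typo and state the actual behaviour, e.g. `// Only the first RecipientInfo is used; any further recipients are ignored.` Whether the recipient is ever matched against the KRA transport certificate is not visible in this hunk, so the "no risk" claim is worth confirming rather than restating. A `CMS.debug` line when `recipients.size() > 1` would also make ignored entries visible in the log. The constructor starts and ends outside this hunk.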
@@ -967,7 +958,8 @@ class ArchiveOptions {
val = key.getEncryptedValue();
symmAlg = val.getSymmAlg();
mSymmAlgOID = symmAlg.getOID().toString();
- mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters()).decodeWith(OCTET_STRING.getTemplate())).toByteArray();
+ mSymmAlgParams = ((OCTET_STRING) ((ANY) symmAlg.getParameters())
+ .decodeWith(OCTET_STRING.getTemplate())).toByteArray();
BIT_STRING encSymmKey = val.getEncSymmKey();
mEncSymmKey = encSymmKey.getBits();
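Review bot: The rewrapped `mSymmAlgParams` assignment casts `symmAlg.getParameters()` to `ANY` and decodes it without checking that parameters are present; the same expression appears in the EnvelopedData branch of the previous hunk. If a request carries an AlgorithmIdentifier without parameters, this presumably fails with a NullPointerException or ClassCastException and surfaces through the generic `catch (Exception e)` rather than as `CMS_BASE_INVALID_ATTRIBUTE`. A guard before the decode, such as `if (symmAlg.getParameters() == null) throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions] missing algorithm parameters"));`, would reject malformed input with a clear message. The surrounding branch begins and ends outside this hunk.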
@@ -977,20 +969,24 @@ class ArchiveOptions {
CMS.debug("EnrollService: ArchiveOptions() EncryptedKey type= ENCRYPTED_VALUE done");
} else {
CMS.debug("EnrollService: ArchiveOptions() invalid EncryptedKey type");
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions] type " + key.getType()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE",
+ "[PKIArchiveOptions] type " + key.getType()));
}
} catch (InvalidBERException e) {
CMS.debug("EnrollService: ArchiveOptions(): " + e.toString());
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString()));
+ throw new EBaseException(CMS.getUserMessage(
+ "CMS_BASE_INVALID_ATTRIBUTE",
+ "[PKIArchiveOptions]" + e.toString()));
} catch (IOException e) {
CMS.debug("EnrollService: ArchiveOptions(): " + e.toString());
- throw new EBaseException("ArchiveOptions() exception caught: "+
- e.toString());
+ throw new EBaseException("ArchiveOptions() exception caught: "
+ + e.toString());
} catch (Exception e) {
CMS.debug("EnrollService: ArchiveOptions(): " + e.toString());
- throw new EBaseException("ArchiveOptions() exception caught: "+
- e.toString());
+ throw new EBaseException("ArchiveOptions() exception caught: "
+ + e.toString());
}
}