summaryrefslogtreecommitdiffstats
path: root/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
diff options
context:
space:
mode:
Diffstat (limited to 'pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java')
-rw-r--r--pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java540
1 files changed, 264 insertions, 276 deletions
diff --git a/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index c69ab8c1..09dc4d95 100644
--- a/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterOutputStream;
@@ -66,18 +65,18 @@ import com.netscape.cmscore.util.Debug;
/**
* A class representing keygen/archival request procesor for requests
- * from netkey RAs.
+ * from netkey RAs.
* the user private key of the encryption cert is wrapped with a
- * session symmetric key. The session symmetric key is wrapped with the
+ * session symmetric key. The session symmetric key is wrapped with the
* storage key and stored in the internal database for long term
* storage.
* The user private key of the encryption cert is to be wrapped with the
* DES key which came in in the request wrapped with the KRA
- * transport cert. The wrapped user private key is then sent back to
+ * transport cert. The wrapped user private key is then sent back to
* the caller (netkey RA) ...netkey RA should already has kek-wrapped
* des key from the TKS. They are to be sent together back to
* the token.
- *
+ *
* @author Christina Fu (cfu)
* @version $Revision$, $Date$
*/
@@ -85,31 +84,24 @@ import com.netscape.cmscore.util.Debug;
public class NetkeyKeygenService implements IService {
public final static String ATTR_KEY_RECORD = "keyRecord";
public final static String ATTR_PROOF_OF_ARCHIVAL =
- "proofOfArchival";
+ "proofOfArchival";
// private
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
// these need to be defined in LogMessages_en.properties later when we do this
- private final static String
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST =
- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3";
- private final static String
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS =
- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4";
- private final static String
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE =
- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3";
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
+ private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST =
+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3";
+ private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4";
+ private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE =
+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
private IKeyRecoveryAuthority mKRA = null;
private ITransportKeyUnit mTransportUnit = null;
private IStorageKeyUnit mStorageUnit = null;
@@ -140,17 +132,17 @@ public class NetkeyKeygenService implements IService {
return archOpts;
}
- public KeyPair generateKeyPair(
- KeyPairAlgorithm kpAlg, int keySize, PQGParams pqg)
- throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException,
+ public KeyPair generateKeyPair(
+ KeyPairAlgorithm kpAlg, int keySize, PQGParams pqg)
+ throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException,
InvalidParameterException, PQGParamGenException {
CryptoToken token = mKRA.getKeygenToken();
-
- CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: "+token.getName());
+
+ CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: " + token.getName());
/*
- make it temporary so can work with HSM
+ make it temporary so can work with HSM
netHSM works with
temporary == true
sensitive == <do not specify>
@@ -167,19 +159,19 @@ public class NetkeyKeygenService implements IService {
boolean sp = false;
boolean ep = false;
if (kgConfig != null) {
- try {
- tp = kgConfig.getBoolean("temporaryPairs", false);
- sp = kgConfig.getBoolean("sensitivePairs", false);
- ep = kgConfig.getBoolean("extractablePairs", false);
- // by default, let nethsm work
- if ((tp == false) && (sp == false) && (ep == false)) {
+ try {
+ tp = kgConfig.getBoolean("temporaryPairs", false);
+ sp = kgConfig.getBoolean("sensitivePairs", false);
+ ep = kgConfig.getBoolean("extractablePairs", false);
+ // by default, let nethsm work
+ if ((tp == false) && (sp == false) && (ep == false)) {
+ tp = true;
+ }
+ } catch (Exception e) {
+ CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed");
+ // by default, let nethsm work
tp = true;
}
- } catch (Exception e) {
- CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed");
- // by default, let nethsm work
- tp = true;
- }
} else {
// by default, let nethsm work
CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true");
@@ -187,18 +179,18 @@ public class NetkeyKeygenService implements IService {
}
/* only specified to "true" will it be set */
if (tp == true) {
- CMS.debug("NetkeyKeygenService: setting temporaryPairs to true");
- kpGen.temporaryPairs(true);
+ CMS.debug("NetkeyKeygenService: setting temporaryPairs to true");
+ kpGen.temporaryPairs(true);
}
if (sp == true) {
- CMS.debug("NetkeyKeygenService: setting sensitivePairs to true");
+ CMS.debug("NetkeyKeygenService: setting sensitivePairs to true");
kpGen.sensitivePairs(true);
}
if (ep == true) {
- CMS.debug("NetkeyKeygenService: setting extractablePairs to true");
+ CMS.debug("NetkeyKeygenService: setting extractablePairs to true");
kpGen.extractablePairs(true);
}
-
+
if (kpAlg == KeyPairAlgorithm.DSA) {
if (pqg == null) {
kpGen.initialize(keySize);
@@ -210,14 +202,14 @@ public class NetkeyKeygenService implements IService {
}
if (pqg == null) {
- KeyPair kp = null;
- synchronized (new Object()) {
+ KeyPair kp = null;
+ synchronized (new Object()) {
CMS.debug("NetkeyKeygenService: key pair generation begins");
- kp = kpGen.genKeyPair();
+ kp = kpGen.genKeyPair();
CMS.debug("NetkeyKeygenService: key pair generation done");
- mKRA.addEntropy(true);
- }
- return kp;
+ mKRA.addEntropy(true);
+ }
+ return kp;
} else {
// DSA
KeyPair kp = null;
@@ -233,10 +225,8 @@ public class NetkeyKeygenService implements IService {
}
}
-
-
- public KeyPair generateKeyPair( String alg,
- int keySize, PQGParams pqg) throws EBaseException {
+ public KeyPair generateKeyPair(String alg,
+ int keySize, PQGParams pqg) throws EBaseException {
KeyPairAlgorithm kpAlg = null;
@@ -246,7 +236,7 @@ public class NetkeyKeygenService implements IService {
kpAlg = KeyPairAlgorithm.DSA;
try {
- KeyPair kp = generateKeyPair( kpAlg, keySize, pqg);
+ KeyPair kp = generateKeyPair(kpAlg, keySize, pqg);
return kp;
} catch (InvalidParameterException e) {
@@ -270,9 +260,9 @@ public class NetkeyKeygenService implements IService {
ByteArrayOutputStream output = new ByteArrayOutputStream();
Base64OutputStream b64 = new Base64OutputStream(new
PrintStream(new
- FilterOutputStream(output)
+ FilterOutputStream(output)
)
- );
+ );
b64.write(bytes);
b64.flush();
@@ -284,33 +274,31 @@ public class NetkeyKeygenService implements IService {
// this encrypts bytes with a symmetric key
public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token,
- IVParameterSpec IV)
- {
- try {
- Cipher cipher = token.getCipherContext(
+ IVParameterSpec IV) {
+ try {
+ Cipher cipher = token.getCipherContext(
EncryptionAlgorithm.DES3_CBC_PAD);
-
- cipher.initEncrypt(symKey, IV);
- byte pri[] = cipher.doFinal(toBeEncrypted);
- return pri;
- } catch (Exception e) {
- CMS.debug("NetkeyKeygenService:initEncrypt() threw exception: "+e.toString());
+
+ cipher.initEncrypt(symKey, IV);
+ byte pri[] = cipher.doFinal(toBeEncrypted);
+ return pri;
+ } catch (Exception e) {
+ CMS.debug("NetkeyKeygenService:initEncrypt() threw exception: " + e.toString());
return null;
}
}
-
/**
* Services an archival request from netkey.
* <P>
- *
+ *
* @param request enrollment request
* @return serving successful or not
* @exception EBaseException failed to serve
*/
- public boolean serviceRequest(IRequest request)
- throws EBaseException {
+ public boolean serviceRequest(IRequest request)
+ throws EBaseException {
String auditMessage = null;
String auditSubjectID = null;
String auditRequesterID = "TPSagent";
@@ -318,78 +306,78 @@ public class NetkeyKeygenService implements IService {
String auditPublicKey = ILogger.UNIDENTIFIED;
byte[] wrapped_des_key;
- byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
- String iv_s ="";
+ byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+ String iv_s = "";
try {
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
random.nextBytes(iv);
} catch (Exception e) {
- CMS.debug("NetkeyKeygenService.serviceRequest: "+ e.toString());
+ CMS.debug("NetkeyKeygenService.serviceRequest: " + e.toString());
}
- IVParameterSpec algParam = new IVParameterSpec(iv);
+ IVParameterSpec algParam = new IVParameterSpec(iv);
wrapped_des_key = null;
- boolean archive = true;
- PK11SymKey sk= null;
- byte[] publicKeyData = null;;
- String PubKey = "";
+ boolean archive = true;
+ PK11SymKey sk = null;
+ byte[] publicKeyData = null;
+ ;
+ String PubKey = "";
String id = request.getRequestId().toString();
if (id != null) {
auditArchiveID = id.trim();
}
- String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG);
- if (rArchive.equals("true")) {
- archive = true;
- CMS.debug("NetkeyKeygenService: serviceRequest " +"archival requested for serverSideKeyGen");
- } else {
- archive = false;
- CMS.debug("NetkeyKeygenService: serviceRequest " +"archival not requested for serverSideKeyGen");
+ String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG);
+ if (rArchive.equals("true")) {
+ archive = true;
+ CMS.debug("NetkeyKeygenService: serviceRequest " + "archival requested for serverSideKeyGen");
+ } else {
+ archive = false;
+ CMS.debug("NetkeyKeygenService: serviceRequest " + "archival not requested for serverSideKeyGen");
}
String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID);
String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID);
- String rKeysize = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_SIZE);
- int keysize = Integer.parseInt(rKeysize);
- auditSubjectID=rCUID+":"+rUserid;
+ String rKeysize = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_SIZE);
+ int keysize = Integer.parseInt(rKeysize);
+ auditSubjectID = rCUID + ":" + rUserid;
SessionContext sContext = SessionContext.getContext();
- String agentId="";
+ String agentId = "";
if (sContext != null) {
agentId =
- (String) sContext.get(SessionContext.USER_ID);
+ (String) sContext.get(SessionContext.USER_ID);
}
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST,
- agentId,
- ILogger.SUCCESS,
- auditSubjectID);
+ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST,
+ agentId,
+ ILogger.SUCCESS,
+ auditSubjectID);
audit(auditMessage);
-
String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY);
- // CMS.debug("NetkeyKeygenService: received DRM-trans-wrapped DES key ="+rWrappedDesKeyString);
+ // CMS.debug("NetkeyKeygenService: received DRM-trans-wrapped DES key ="+rWrappedDesKeyString);
wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString);
CMS.debug("NetkeyKeygenService: wrapped_des_key specialDecoded");
- // get the token for generating user keys
- CryptoToken keygenToken = mKRA.getKeygenToken();
- if (keygenToken == null) {
- CMS.debug("NetkeyKeygenService: failed getting keygenToken");
- request.setExtData(IRequest.RESULT, Integer.valueOf(10));
- return false;
- } else
- CMS.debug("NetkeyKeygenService: got keygenToken");
+ // get the token for generating user keys
+ CryptoToken keygenToken = mKRA.getKeygenToken();
+ if (keygenToken == null) {
+ CMS.debug("NetkeyKeygenService: failed getting keygenToken");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(10));
+ return false;
+ } else
+ CMS.debug("NetkeyKeygenService: got keygenToken");
if ((wrapped_des_key != null) &&
- (wrapped_des_key.length > 0)) {
+ (wrapped_des_key.length > 0)) {
// unwrap the DES key
- sk= (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key);
+ sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key);
/* XXX could be done in HSM*/
KeyPair keypair = null;
@@ -400,37 +388,37 @@ public class NetkeyKeygenService implements IService {
keysize /*Integer.parseInt(len)*/, null /*pqgParams*/);
if (keypair == null) {
- CMS.debug("NetkeyKeygenService: failed generating key pair for "+rCUID+":"+rUserid);
+ CMS.debug("NetkeyKeygenService: failed generating key pair for " + rCUID + ":" + rUserid);
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,
+ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,
agentId,
ILogger.FAILURE,
- auditSubjectID);
+ auditSubjectID);
audit(auditMessage);
return false;
}
- CMS.debug("NetkeyKeygenService: finished generate key pair for " +rCUID+":"+rUserid);
+ CMS.debug("NetkeyKeygenService: finished generate key pair for " + rCUID + ":" + rUserid);
try {
- publicKeyData = keypair.getPublic().getEncoded();
- if (publicKeyData == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("NetkeyKeygenService: failed getting publickey encoded");
- return false;
- } else {
- //CMS.debug("NetkeyKeygenService: public key binary length ="+ publicKeyData.length);
- PubKey = base64Encode(publicKeyData);
-
- //CMS.debug("NetkeyKeygenService: public key length =" + PubKey.length());
- request.setExtData("public_key", PubKey);
- }
+ publicKeyData = keypair.getPublic().getEncoded();
+ if (publicKeyData == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: failed getting publickey encoded");
+ return false;
+ } else {
+ //CMS.debug("NetkeyKeygenService: public key binary length ="+ publicKeyData.length);
+ PubKey = base64Encode(publicKeyData);
+
+ //CMS.debug("NetkeyKeygenService: public key length =" + PubKey.length());
+ request.setExtData("public_key", PubKey);
+ }
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,
+ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,
agentId,
ILogger.SUCCESS,
auditSubjectID,
@@ -440,7 +428,7 @@ public class NetkeyKeygenService implements IService {
//...extract the private key handle (not privatekeydata)
java.security.PrivateKey privKey =
- keypair.getPrivate();
+ keypair.getPrivate();
if (privKey == null) {
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
@@ -450,159 +438,159 @@ public class NetkeyKeygenService implements IService {
CMS.debug("NetkeyKeygenService: got private key");
}
- if (sk == null) {
- CMS.debug("NetkeyKeygenService: no DES key");
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- return false;
- } else {
- CMS.debug("NetkeyKeygenService: received DES key");
- }
-
- // 3 wrapping should be done in HSM
- // wrap private key with DES
- KeyWrapper symWrap =
- keygenToken.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
- CMS.debug("NetkeyKeygenService: wrapper token=" + keygenToken.getName());
- CMS.debug("NetkeyKeygenService: got key wrapper");
-
- CMS.debug("NetkeyKeygenService: key transport key is on slot: "+sk.getOwningToken().getName());
- symWrap.initWrap((SymmetricKey)sk, algParam);
- byte wrapped[] = symWrap.wrap((PrivateKey)privKey);
- /*
- CMS.debug("NetkeyKeygenService: wrap called");
- CMS.debug(wrapped);
- */
- /* This is for using with my decryption tool and ASN1
- decoder to see if the private key is indeed PKCS#8 format
- { // cfu debug
- String oFilePath = "/tmp/wrappedPrivKey.bin";
- File file = new File(oFilePath);
- FileOutputStream ostream = new FileOutputStream(oFilePath);
- ostream.write(wrapped);
- ostream.close();
- }
- */
- String wrappedPrivKeyString = /*base64Encode(wrapped);*/
- com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped);
- if (wrappedPrivKeyString == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("NetkeyKeygenService: failed generating wrapped private key");
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
- agentId,
- ILogger.FAILURE,
- auditSubjectID,
- PubKey);
-
- audit(auditMessage);
- return false;
- } else {
- request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
- agentId,
- ILogger.SUCCESS,
- auditSubjectID,
- PubKey);
-
- audit(auditMessage);
- }
-
- iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
- request.setExtData("iv_s", iv_s);
-
- /*
- * archival - option flag "archive" controllable by the caller - TPS
- */
- if (archive) {
- //
- // privateKeyData ::= SEQUENCE {
- // sessionKey OCTET_STRING,
- // encKey OCTET_STRING,
- // }
- //
- // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
-
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- agentId,
- ILogger.SUCCESS,
- auditSubjectID,
- auditArchiveID);
-
- audit(auditMessage);
- CMS.debug("KRA encrypts private key to put on internal ldap db");
- byte privateKeyData[] =
- mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey);
-
- if (privateKeyData == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed");
- return false;
- } else
- CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful");
-
- // create key record
- KeyRecord rec = new KeyRecord(null, publicKeyData,
- privateKeyData, rCUID+":"+rUserid,
- keypair.getPublic().getAlgorithm(),
- agentId);
-
- CMS.debug("NetkeyKeygenService: got key record");
-
- // we deal with RSA key only
- try {
- RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
-
- rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
- } catch (InvalidKeyException e) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(11));
- CMS.debug("NetkeyKeygenService: failed:InvalidKeyException");
- return false;
- }
- //??
- IKeyRepository storage = mKRA.getKeyRepository();
- BigInteger serialNo = storage.getNextSerialNumber();
-
- if (serialNo == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(11));
- CMS.debug("NetkeyKeygenService: serialNo null");
- return false;
- }
- CMS.debug("NetkeyKeygenService: before addKeyRecord");
- rec.set(KeyRecord.ATTR_ID, serialNo);
- request.setExtData(ATTR_KEY_RECORD, serialNo);
- storage.addKeyRecord(rec);
- CMS.debug("NetkeyKeygenService: key archived for "+rCUID+":"+rUserid);
-
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
- agentId,
- ILogger.SUCCESS,
- PubKey);
-
- audit(auditMessage);
-
- } //if archive
+ if (sk == null) {
+ CMS.debug("NetkeyKeygenService: no DES key");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ return false;
+ } else {
+ CMS.debug("NetkeyKeygenService: received DES key");
+ }
- request.setExtData(IRequest.RESULT, Integer.valueOf(1));
- } catch (Exception e) {
- CMS.debug("NetKeyKeygenService: " + e.toString());
- Debug.printStackTrace(e);
+ // 3 wrapping should be done in HSM
+ // wrap private key with DES
+ KeyWrapper symWrap =
+ keygenToken.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
+ CMS.debug("NetkeyKeygenService: wrapper token=" + keygenToken.getName());
+ CMS.debug("NetkeyKeygenService: got key wrapper");
+
+ CMS.debug("NetkeyKeygenService: key transport key is on slot: " + sk.getOwningToken().getName());
+ symWrap.initWrap((SymmetricKey) sk, algParam);
+ byte wrapped[] = symWrap.wrap((PrivateKey) privKey);
+ /*
+ CMS.debug("NetkeyKeygenService: wrap called");
+ CMS.debug(wrapped);
+ */
+ /* This is for using with my decryption tool and ASN1
+ decoder to see if the private key is indeed PKCS#8 format
+ { // cfu debug
+ String oFilePath = "/tmp/wrappedPrivKey.bin";
+ File file = new File(oFilePath);
+ FileOutputStream ostream = new FileOutputStream(oFilePath);
+ ostream.write(wrapped);
+ ostream.close();
+ }
+ */
+ String wrappedPrivKeyString = /*base64Encode(wrapped);*/
+ com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped);
+ if (wrappedPrivKeyString == null) {
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: failed generating wrapped private key");
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
+ agentId,
+ ILogger.FAILURE,
+ auditSubjectID,
+ PubKey);
+
+ audit(auditMessage);
+ return false;
+ } else {
+ request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
+ agentId,
+ ILogger.SUCCESS,
+ auditSubjectID,
+ PubKey);
+
+ audit(auditMessage);
}
- } else
+
+ iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
+ request.setExtData("iv_s", iv_s);
+
+ /*
+ * archival - option flag "archive" controllable by the caller - TPS
+ */
+ if (archive) {
+ //
+ // privateKeyData ::= SEQUENCE {
+ // sessionKey OCTET_STRING,
+ // encKey OCTET_STRING,
+ // }
+ //
+ // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ agentId,
+ ILogger.SUCCESS,
+ auditSubjectID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ CMS.debug("KRA encrypts private key to put on internal ldap db");
+ byte privateKeyData[] =
+ mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey);
+
+ if (privateKeyData == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed");
+ return false;
+ } else
+ CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful");
+
+ // create key record
+ KeyRecord rec = new KeyRecord(null, publicKeyData,
+ privateKeyData, rCUID + ":" + rUserid,
+ keypair.getPublic().getAlgorithm(),
+ agentId);
+
+ CMS.debug("NetkeyKeygenService: got key record");
+
+ // we deal with RSA key only
+ try {
+ RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
+
+ rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
+ } catch (InvalidKeyException e) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(11));
+ CMS.debug("NetkeyKeygenService: failed:InvalidKeyException");
+ return false;
+ }
+ //??
+ IKeyRepository storage = mKRA.getKeyRepository();
+ BigInteger serialNo = storage.getNextSerialNumber();
+
+ if (serialNo == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(11));
+ CMS.debug("NetkeyKeygenService: serialNo null");
+ return false;
+ }
+ CMS.debug("NetkeyKeygenService: before addKeyRecord");
+ rec.set(KeyRecord.ATTR_ID, serialNo);
+ request.setExtData(ATTR_KEY_RECORD, serialNo);
+ storage.addKeyRecord(rec);
+ CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+ agentId,
+ ILogger.SUCCESS,
+ PubKey);
+
+ audit(auditMessage);
+
+ } //if archive
+
+ request.setExtData(IRequest.RESULT, Integer.valueOf(1));
+ } catch (Exception e) {
+ CMS.debug("NetKeyKeygenService: " + e.toString());
+ Debug.printStackTrace(e);
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ }
+ } else
request.setExtData(IRequest.RESULT, Integer.valueOf(2));
-
+
return true;
} //serviceRequest
/**
* Signed Audit Log
- *y
+ * y
* This method is called to store messages to the signed audit log.
* <P>
- *
+ *
* @param msg signed audit log message
*/
private void audit(String msg) {
@@ -614,9 +602,9 @@ public class NetkeyKeygenService implements IService {
}
mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
- null,
- ILogger.S_SIGNED_AUDIT,
- ILogger.LL_SECURITY,
- msg);
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
}
}
generated by cgit (git 2.34.1) at 2024-05-19 11:37:45 +0000