Diffstat (limited to 'pki/base/kra/src')
-rw-r--r--pki/base/kra/src/com/netscape/kra/EncryptionUnit.java110
-rw-r--r--pki/base/kra/src/com/netscape/kra/EnrollmentService.java340
-rw-r--r--pki/base/kra/src/com/netscape/kra/KRANotify.java4
-rw-r--r--pki/base/kra/src/com/netscape/kra/KRAPolicy.java5
-rw-r--r--pki/base/kra/src/com/netscape/kra/KRAService.java20
-rw-r--r--pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java566
-rw-r--r--pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java540
-rw-r--r--pki/base/kra/src/com/netscape/kra/RecoveryService.java361
-rw-r--r--pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java500
-rw-r--r--pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java548
-rw-r--r--pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java18
11 files changed, 1471 insertions, 1541 deletions
diff --git a/pki/base/kra/src/com/netscape/kra/EncryptionUnit.java b/pki/base/kra/src/com/netscape/kra/EncryptionUnit.java
index cbd3b7a3..e9a3301e 100644
--- a/pki/base/kra/src/com/netscape/kra/EncryptionUnit.java
+++ b/pki/base/kra/src/com/netscape/kra/EncryptionUnit.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.io.CharConversionException;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
@@ -48,11 +47,10 @@ import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.security.IEncryptionUnit;
import com.netscape.cmscore.util.Debug;
-
/**
* A class represents the transport key pair. This key pair
* is used to protected EE's private key in transit.
- *
+ *
* @author thomask
* @version $Revision$, $Date$
*/
@@ -61,7 +59,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
/* Establish one constant IV for base class, to be used for
internal operations. Constant IV acceptable for symmetric keys.
*/
- private byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
+ private byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
protected IVParameterSpec IV = null;
public EncryptionUnit() {
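Review bot: The comment above `iv` says a constant IV is acceptable but does not state the condition that makes it so. In the hunks visible on this page `IV` is passed to `wrapper.initWrap(sk, IV)` with a session key that was just produced by `kg.generate()`, and a fixed CBC IV is only safe while that remains true. I would spell this out, e.g. `/* Fixed IV for internal wrapping. Safe only because each operation uses a freshly generated session key; do not reuse with a long-lived key. */`, and consider declaring the array `private static final`, since it looks like a constant. The class body continues outside this hunk, so any other use of `IV` should be checked against the same condition.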
@@ -82,16 +80,16 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
* Protects the private key so that it can be stored in
* internal database.
*/
- public byte[] encryptInternalPrivate(byte priKey[])
- throws EBaseException {
+ public byte[] encryptInternalPrivate(byte priKey[])
+ throws EBaseException {
try {
CMS.debug("EncryptionUnit.encryptInternalPrivate");
CryptoToken token = getToken();
CryptoToken internalToken = getInternalToken();
// (1) generate session key
- org.mozilla.jss.crypto.KeyGenerator kg =
- internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
+ org.mozilla.jss.crypto.KeyGenerator kg =
+ internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
SymmetricKey sk = kg.generate();
// (2) wrap private key with session key
@@ -113,14 +111,14 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
// encryptedSession OCTET STRING,
// encryptedPrivate OCTET STRING
// }
-
+
DerOutputStream tmp = new DerOutputStream();
DerOutputStream out = new DerOutputStream();
tmp.putOctetString(session);
tmp.putOctetString(pri);
out.write(DerValue.tag_Sequence, tmp);
-
+
return out.toByteArray();
} catch (TokenException e) {
CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_INTERNAL", e.toString()));
@@ -171,16 +169,16 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
CryptoToken token = getToken();
// (1) generate session key
- org.mozilla.jss.crypto.KeyGenerator kg =
- token.getKeyGenerator(KeyGenAlgorithm.DES3);
- // internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
+ org.mozilla.jss.crypto.KeyGenerator kg =
+ token.getKeyGenerator(KeyGenAlgorithm.DES3);
+ // internalToken.getKeyGenerator(KeyGenAlgorithm.DES3);
SymmetricKey.Usage usages[] = new SymmetricKey.Usage[2];
usages[0] = SymmetricKey.Usage.WRAP;
usages[1] = SymmetricKey.Usage.UNWRAP;
kg.setKeyUsages(usages);
kg.temporaryKeys(true);
SymmetricKey sk = kg.generate();
- CMS.debug("EncryptionUnit:wrap() session key generated on slot: "+token.getName());
+ CMS.debug("EncryptionUnit:wrap() session key generated on slot: " + token.getName());
// (2) wrap private key with session key
// KeyWrapper wrapper = internalToken.getKeyWrapper(
@@ -189,7 +187,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
wrapper.initWrap(sk, IV);
byte pri[] = wrapper.wrap(priKey);
- CMS.debug("EncryptionUnit:wrap() privKey wrapped");
+ CMS.debug("EncryptionUnit:wrap() privKey wrapped");
// (3) wrap session with transport public
KeyWrapper rsaWrap = token.getKeyWrapper(
@@ -197,21 +195,21 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
rsaWrap.initWrap(getPublicKey(), null);
byte session[] = rsaWrap.wrap(sk);
- CMS.debug("EncryptionUnit:wrap() sessin key wrapped");
+ CMS.debug("EncryptionUnit:wrap() sessin key wrapped");
// use MY own structure for now:
// SEQUENCE {
// encryptedSession OCTET STRING,
// encryptedPrivate OCTET STRING
// }
-
+
DerOutputStream tmp = new DerOutputStream();
DerOutputStream out = new DerOutputStream();
tmp.putOctetString(session);
tmp.putOctetString(pri);
out.write(DerValue.tag_Sequence, tmp);
-
+
return out.toByteArray();
} catch (TokenException e) {
CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_WRAP", e.toString()));
@@ -245,18 +243,17 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
}
/**
- * External unwrapping. Unwraps the data using
+ * External unwrapping. Unwraps the data using
* the transport private key.
*/
- public SymmetricKey unwrap_sym(byte encSymmKey[], SymmetricKey.Usage usage)
- {
+ public SymmetricKey unwrap_sym(byte encSymmKey[], SymmetricKey.Usage usage) {
try {
CryptoToken token = getToken();
// (1) unwrap the session
PrivateKey priKey = getPrivateKey();
String priKeyAlgo = priKey.getAlgorithm();
- CMS.debug("EncryptionUnit::unwrap_sym() private key algo: " + priKeyAlgo);
+ CMS.debug("EncryptionUnit::unwrap_sym() private key algo: " + priKeyAlgo);
KeyWrapper keyWrapper = null;
if (priKeyAlgo.equals("EC")) {
keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB);
@@ -268,8 +265,8 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
SymmetricKey sk = keyWrapper.unwrapSymmetric(encSymmKey,
SymmetricKey.DES3, usage,
0);
- CMS.debug("EncryptionUnit::unwrap_sym() unwrapped on slot: "
- +token.getName());
+ CMS.debug("EncryptionUnit::unwrap_sym() unwrapped on slot: "
+ + token.getName());
return sk;
} catch (Exception e) {
CMS.debug("EncryptionUnit::unwrap_sym() error:" +
@@ -278,23 +275,21 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
}
}
- public SymmetricKey unwrap_sym(byte encSymmKey[])
- {
+ public SymmetricKey unwrap_sym(byte encSymmKey[]) {
return unwrap_sym(encSymmKey, SymmetricKey.Usage.WRAP);
}
-
- public SymmetricKey unwrap_encrypt_sym(byte encSymmKey[])
- {
+
+ public SymmetricKey unwrap_encrypt_sym(byte encSymmKey[]) {
return unwrap_sym(encSymmKey, SymmetricKey.Usage.ENCRYPT);
}
/**
* Decrypts the user private key.
*/
- public byte[] decryptExternalPrivate(byte encSymmKey[],
- String symmAlgOID, byte symmAlgParams[],
- byte encValue[])
- throws EBaseException {
+ public byte[] decryptExternalPrivate(byte encSymmKey[],
+ String symmAlgOID, byte symmAlgParams[],
+ byte encValue[])
+ throws EBaseException {
try {
CMS.debug("EncryptionUnit.decryptExternalPrivate");
@@ -312,7 +307,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
// (2) unwrap the pri
Cipher cipher = token.getCipherContext(
EncryptionAlgorithm.DES3_CBC_PAD // XXX
- );
+ );
cipher.initDecrypt(sk, new IVParameterSpec(
symmAlgParams));
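Review bot: The `// XXX` next to the hard-coded `EncryptionAlgorithm.DES3_CBC_PAD` leaves unexplained why the cipher is fixed while `decryptExternalPrivate` takes a `symmAlgOID` argument. In the lines visible here the OID is not consulted and `symmAlgParams` goes straight into `new IVParameterSpec(...)`, so a request that declares another algorithm, or carries a missing or wrong-length IV, would apparently still be run through 3DES-CBC or fail inside the token. Either reject anything other than the expected OID and IV length before this call, or replace the marker with a comment stating the assumption, e.g. `// only DES3-CBC is supported; symmAlgOID is not checked here`. The same marker sits on `KeyWrapAlgorithm.DES3_CBC_PAD` in `unwrap` (hunk at -371). The method body starts and ends outside this hunk, so a check may exist in lines not shown.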
@@ -349,13 +344,13 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
}
/**
- * External unwrapping. Unwraps the data using
+ * External unwrapping. Unwraps the data using
* the transport private key.
*/
- public PrivateKey unwrap(byte encSymmKey[],
- String symmAlgOID, byte symmAlgParams[],
- byte encValue[], PublicKey pubKey)
- throws EBaseException {
+ public PrivateKey unwrap(byte encSymmKey[],
+ String symmAlgOID, byte symmAlgParams[],
+ byte encValue[], PublicKey pubKey)
+ throws EBaseException {
try {
CryptoToken token = getToken();
@@ -371,12 +366,12 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
// (2) unwrap the pri
KeyWrapper wrapper = token.getKeyWrapper(
KeyWrapAlgorithm.DES3_CBC_PAD // XXX
- );
+ );
wrapper.initUnwrap(sk, new IVParameterSpec(
symmAlgParams));
- PrivateKey.Type keytype = null;
+ PrivateKey.Type keytype = null;
String alg = pubKey.getAlgorithm();
if (alg.equals("DSA")) {
keytype = PrivateKey.DSA;
@@ -386,7 +381,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
keytype = PrivateKey.RSA;
}
PrivateKey pk = wrapper.unwrapTemporaryPrivate(encValue,
- keytype , pubKey);
+ keytype, pubKey);
return pk;
} catch (TokenException e) {
@@ -406,13 +401,13 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
Debug.trace("EncryptionUnit::unwrap " + e.toString());
return null;
} catch (Exception e) {
- CMS.debug("EncryptionUnit.unwrap : Exception:"+e.toString());
+ CMS.debug("EncryptionUnit.unwrap : Exception:" + e.toString());
return null;
}
}
- public byte[] decryptInternalPrivate(byte wrappedKeyData[])
- throws EBaseException {
+ public byte[] decryptInternalPrivate(byte wrappedKeyData[])
+ throws EBaseException {
try {
CMS.debug("EncryptionUnit.decryptInternalPrivate");
DerValue val = new DerValue(wrappedKeyData);
@@ -426,7 +421,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
CryptoToken token = getToken();
// (1) unwrap the session
- CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:"+ token.getName());
+ CMS.debug("decryptInternalPrivate(): getting key wrapper on slot:" + token.getName());
KeyWrapper rsaWrap = token.getKeyWrapper(
KeyWrapAlgorithm.RSA);
@@ -478,16 +473,16 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
/**
* Internal unwrapping.
*/
- public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey pubKey)
- throws EBaseException {
+ public PrivateKey unwrap_temp(byte wrappedKeyData[], PublicKey pubKey)
+ throws EBaseException {
return _unwrap(wrappedKeyData, pubKey, true);
}
/**
* Internal unwrapping.
*/
- public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey)
- throws EBaseException {
+ public PrivateKey unwrap(byte wrappedKeyData[], PublicKey pubKey)
+ throws EBaseException {
return _unwrap(wrappedKeyData, pubKey, false);
}
@@ -495,8 +490,8 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
* Internal unwrapping.
*/
private PrivateKey _unwrap(byte wrappedKeyData[], PublicKey
- pubKey, boolean temporary)
- throws EBaseException {
+ pubKey, boolean temporary)
+ throws EBaseException {
try {
DerValue val = new DerValue(wrappedKeyData);
// val.tag == DerValue.tag_Sequence
@@ -523,11 +518,11 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
PrivateKey pk = null;
if (temporary) {
- pk = wrapper.unwrapTemporaryPrivate(pri,
- PrivateKey.RSA, pubKey);
+ pk = wrapper.unwrapTemporaryPrivate(pri,
+ PrivateKey.RSA, pubKey);
} else {
- pk = wrapper.unwrapPrivate(pri,
- PrivateKey.RSA, pubKey);
+ pk = wrapper.unwrapPrivate(pri,
+ PrivateKey.RSA, pubKey);
}
return pk;
} catch (TokenException e) {
@@ -553,7 +548,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
return null;
} catch (Exception e) {
Debug.printStackTrace(e);
- return null;
+ return null;
}
}
@@ -564,4 +559,3 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
EBaseException {
}
}
-
diff --git a/pki/base/kra/src/com/netscape/kra/EnrollmentService.java b/pki/base/kra/src/com/netscape/kra/EnrollmentService.java
index 6415e190..85cd516b 100644
--- a/pki/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/pki/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
@@ -76,21 +75,16 @@ import com.netscape.cmscore.crmf.CRMFParser;
import com.netscape.cmscore.crmf.PKIArchiveOptionsContainer;
import com.netscape.cmscore.dbs.KeyRecord;
-
/**
- * A class represents archival request processor. It
- * passes the request to the policy processor, and
+ * A class represents archival request processor. It
+ * passes the request to the policy processor, and
* process the request according to the policy decision.
* <P>
- * If policy returns ACCEPTED, the request will be
- * processed immediately.
+ * If policy returns ACCEPTED, the request will be processed immediately.
* <P>
- * Upon processing, the incoming user key is unwrapped
- * with the transport key of KRA, and then wrapped
- * with the storage key. The encrypted key is stored
- * in the internal database for long term storage.
+ * Upon processing, the incoming user key is unwrapped with the transport key of KRA, and then wrapped with the storage key. The encrypted key is stored in the internal database for long term storage.
* <P>
- *
+ *
* @author thomask (original)
* @author cfu (non-RSA keys; private keys secure handling);
* @version $Revision$, $Date$
@@ -100,8 +94,8 @@ public class EnrollmentService implements IService {
// constants
public static final String CRMF_REQUEST = "CRMFRequest";
public final static String ATTR_KEY_RECORD = "keyRecord";
- public final static String ATTR_PROOF_OF_ARCHIVAL =
- "proofOfArchival";
+ public final static String ATTR_PROOF_OF_ARCHIVAL =
+ "proofOfArchival";
// private
private IKeyRecoveryAuthority mKRA = null;
@@ -109,18 +103,16 @@ public class EnrollmentService implements IService {
private IStorageKeyUnit mStorageUnit = null;
private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
-
private final static byte EOL[] = { Character.LINE_SEPARATOR };
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
+
/**
* Constructs request processor.
* <P>
@@ -145,21 +137,21 @@ public class EnrollmentService implements IService {
}
return archOpts;
}
-
+
/**
* Services an enrollment/archival request.
* <P>
- *
+ *
* @param request enrollment request
* @return serving successful or not
* @exception EBaseException failed to serve
*/
- public boolean serviceRequest(IRequest request)
- throws EBaseException {
+ public boolean serviceRequest(IRequest request)
+ throws EBaseException {
- IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
+ IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
if (statsSub != null) {
- statsSub.startTiming("archival", true /* main action */);
+ statsSub.startTiming("archival", true /* main action */);
}
String auditMessage = null;
@@ -206,35 +198,35 @@ public class EnrollmentService implements IService {
} else {
// profile-based request
PKIArchiveOptions options = (PKIArchiveOptions)
- toPKIArchiveOptions(
+ toPKIArchiveOptions(
request.getExtDataInByteArray(IEnrollProfile.REQUEST_ARCHIVE_OPTIONS));
aOpts = new PKIArchiveOptionsContainer[1];
- aOpts[0] = new PKIArchiveOptionsContainer(options,
+ aOpts[0] = new PKIArchiveOptionsContainer(options,
0/* not matter */);
request.setExtData("dbStatus", "NOT_UPDATED");
- }
+ }
for (int i = 0; i < aOpts.length; i++) {
ArchiveOptions opts = new ArchiveOptions(aOpts[i].mAO);
if (statsSub != null) {
- statsSub.startTiming("decrypt_user_key");
+ statsSub.startTiming("decrypt_user_key");
}
mKRA.log(ILogger.LL_INFO, "KRA decrypts external private");
if (CMS.debugOn())
- CMS.debug("EnrollmentService::about to decryptExternalPrivate");
+ CMS.debug("EnrollmentService::about to decryptExternalPrivate");
unwrapped = mTransportUnit.decryptExternalPrivate(
- opts.getEncSymmKey(),
- opts.getSymmAlgOID(),
- opts.getSymmAlgParams(),
+ opts.getEncSymmKey(),
+ opts.getSymmAlgOID(),
+ opts.getSymmAlgParams(),
opts.getEncValue());
if (statsSub != null) {
- statsSub.endTiming("decrypt_user_key");
+ statsSub.endTiming("decrypt_user_key");
}
if (CMS.debugOn())
- CMS.debug("EnrollmentService::finished decryptExternalPrivate");
+ CMS.debug("EnrollmentService::finished decryptExternalPrivate");
if (unwrapped == null) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
@@ -255,9 +247,8 @@ public class EnrollmentService implements IService {
byte publicKeyData[] = publicKey.getEncoded();
if (publicKeyData == null) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
-
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
@@ -274,12 +265,11 @@ public class EnrollmentService implements IService {
/* Bugscape #54948 - verify public and private key before archiving key */
if (statsSub != null) {
- statsSub.startTiming("verify_key");
+ statsSub.startTiming("verify_key");
}
if (verifyKeyPair(publicKeyData, unwrapped) == false) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
-
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
@@ -293,11 +283,11 @@ public class EnrollmentService implements IService {
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
}
if (statsSub != null) {
- statsSub.endTiming("verify_key");
+ statsSub.endTiming("verify_key");
}
/**
- mTransportKeyUnit.verify(pKey, unwrapped);
+ * mTransportKeyUnit.verify(pKey, unwrapped);
**/
// retrieve owner name
String owner = getOwnerName(request, aOpts[i].mReqPos);
@@ -324,12 +314,12 @@ public class EnrollmentService implements IService {
//
mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
if (statsSub != null) {
- statsSub.startTiming("encrypt_user_key");
+ statsSub.startTiming("encrypt_user_key");
}
byte privateKeyData[] = mStorageUnit.encryptInternalPrivate(
unwrapped);
if (statsSub != null) {
- statsSub.endTiming("encrypt_user_key");
+ statsSub.endTiming("encrypt_user_key");
}
if (privateKeyData == null) {
@@ -348,8 +338,8 @@ public class EnrollmentService implements IService {
}
// create key record
- KeyRecord rec = new KeyRecord(null, publicKeyData,
- privateKeyData, owner,
+ KeyRecord rec = new KeyRecord(null, publicKeyData,
+ privateKeyData, owner,
publicKey.getAlgorithmId().getOID().toString(), agentId);
// we deal with RSA key only
@@ -370,13 +360,11 @@ public class EnrollmentService implements IService {
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
}
-
// if record alreay has a serial number, yell out.
if (rec.getSerialNumber() != null) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER",
- rec.getSerialNumber().toString()));
-
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER",
+ rec.getSerialNumber().toString()));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
@@ -392,8 +380,8 @@ public class EnrollmentService implements IService {
BigInteger serialNo = storage.getNextSerialNumber();
if (serialNo == null) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
@@ -415,43 +403,42 @@ public class EnrollmentService implements IService {
mKRA.log(ILogger.LL_INFO, "KRA adding key record " + serialNo);
if (statsSub != null) {
- statsSub.startTiming("store_key");
+ statsSub.startTiming("store_key");
}
storage.addKeyRecord(rec);
if (statsSub != null) {
- statsSub.endTiming("store_key");
+ statsSub.endTiming("store_key");
}
-
+
if (CMS.debugOn())
CMS.debug("EnrollmentService: key record 0x" + serialNo.toString(16)
- + " (" + owner + ") archived");
+ + " (" + owner + ") archived");
- mKRA.log(ILogger.LL_INFO, "key record 0x" +
- serialNo.toString(16)
- + " (" + owner + ") archived");
+ mKRA.log(ILogger.LL_INFO, "key record 0x" +
+ serialNo.toString(16)
+ + " (" + owner + ") archived");
// for audit log
String authMgr = AuditFormat.NOAUTH;
-
+
if (authToken != null) {
authMgr =
authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
}
CMS.getLogger().log(ILogger.EV_AUDIT,
- ILogger.S_KRA,
- AuditFormat.LEVEL,
- AuditFormat.FORMAT,
- new Object[] {
- IRequest.KEYARCHIVAL_REQUEST,
- request.getRequestId(),
- AuditFormat.FROMAGENT + " agentID: " + agentId,
- authMgr,
- "completed",
- owner,
- "serial number: 0x" + serialNo.toString(16)}
- );
+ ILogger.S_KRA,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ IRequest.KEYARCHIVAL_REQUEST,
+ request.getRequestId(),
+ AuditFormat.FROMAGENT + " agentID: " + agentId,
+ authMgr,
+ "completed",
+ owner,
+ "serial number: 0x" + serialNo.toString(16) }
+ );
-
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
@@ -486,7 +473,7 @@ public class EnrollmentService implements IService {
request.setExtData(ATTR_PROOF_OF_ARCHIVAL + i,
mProofOut.toByteArray());
}
-
+
} // for
/*
@@ -505,65 +492,64 @@ public class EnrollmentService implements IService {
mKRA.getRequestQueue().updateRequest(request);
if (statsSub != null) {
- statsSub.endTiming("archival");
+ statsSub.endTiming("archival");
}
-
+
return true;
}
- public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[])
- {
- try {
- DerValue publicKeyVal = new DerValue(publicKeyData);
- DerInputStream publicKeyIn = publicKeyVal.data;
- publicKeyIn.getSequence(0);
- DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
- DerInputStream publicKeyDerIn = publicKeyDer.data;
- BigInt publicKeyModulus = publicKeyDerIn.getInteger();
- BigInt publicKeyExponent = publicKeyDerIn.getInteger();
-
- DerValue privateKeyVal = new DerValue(privateKeyData);
- if (privateKeyVal.tag != DerValue.tag_Sequence)
- return false;
- DerInputStream privateKeyIn = privateKeyVal.data;
- privateKeyIn.getInteger();
- privateKeyIn.getSequence(0);
- DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
- DerInputStream privateKeyDerIn = privateKeyDer.data;
- BigInt privateKeyVersion = privateKeyDerIn.getInteger();
- BigInt privateKeyModulus = privateKeyDerIn.getInteger();
- BigInt privateKeyExponent = privateKeyDerIn.getInteger();
-
- if (!publicKeyModulus.equals(privateKeyModulus)) {
- CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus);
- return false;
- }
-
- if (!publicKeyExponent.equals(privateKeyExponent)) {
- CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent);
- return false;
- }
-
- return true;
- } catch (Exception e) {
- CMS.debug("verifyKeyPair error " + e);
- return false;
- }
+ public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) {
+ try {
+ DerValue publicKeyVal = new DerValue(publicKeyData);
+ DerInputStream publicKeyIn = publicKeyVal.data;
+ publicKeyIn.getSequence(0);
+ DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
+ DerInputStream publicKeyDerIn = publicKeyDer.data;
+ BigInt publicKeyModulus = publicKeyDerIn.getInteger();
+ BigInt publicKeyExponent = publicKeyDerIn.getInteger();
+
+ DerValue privateKeyVal = new DerValue(privateKeyData);
+ if (privateKeyVal.tag != DerValue.tag_Sequence)
+ return false;
+ DerInputStream privateKeyIn = privateKeyVal.data;
+ privateKeyIn.getInteger();
+ privateKeyIn.getSequence(0);
+ DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
+ DerInputStream privateKeyDerIn = privateKeyDer.data;
+ BigInt privateKeyVersion = privateKeyDerIn.getInteger();
+ BigInt privateKeyModulus = privateKeyDerIn.getInteger();
+ BigInt privateKeyExponent = privateKeyDerIn.getInteger();
+
+ if (!publicKeyModulus.equals(privateKeyModulus)) {
+ CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus);
+ return false;
+ }
+
+ if (!publicKeyExponent.equals(privateKeyExponent)) {
+ CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent);
+ return false;
+ }
+
+ return true;
+ } catch (Exception e) {
+ CMS.debug("verifyKeyPair error " + e);
+ return false;
+ }
}
private static final OBJECT_IDENTIFIER PKIARCHIVEOPTIONS_OID =
- new OBJECT_IDENTIFIER(new long[] {1, 3, 6, 1, 5, 5, 7, 5, 1, 4}
- );
+ new OBJECT_IDENTIFIER(new long[] { 1, 3, 6, 1, 5, 5, 7, 5, 1, 4 }
+ );
/**
* Retrieves PKIArchiveOptions from CRMF request.
- *
+ *
* @param crmfBlob CRMF request
* @return PKIArchiveOptions
* @exception EBaseException failed to extrace option
*/
- public static PKIArchiveOptionsContainer[] getPKIArchiveOptions(String crmfBlob)
- throws EBaseException {
+ public static PKIArchiveOptionsContainer[] getPKIArchiveOptions(String crmfBlob)
+ throws EBaseException {
Vector options = new Vector();
if (CMS.debugOn())
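Review bot: `verifyKeyPair` only shows that the private-key blob names the same public key, not that it holds a usable private key. Going by the read order (version, modulus, then one more INTEGER that is compared with the public exponent), the value stored in `privateKeyExponent` is the public exponent recorded inside the private structure, so the private exponent and primes are never examined and a blob with matching n and e but damaged private components would still pass and be archived. I would rename the local to `privateKeyPublicExponent`, add `// compares n and e only; private exponent and primes are not validated`, and follow up with a real consistency check (for example a sign-and-verify round trip on the token) before the record is stored. `privateKeyVersion` is read but never used, and a non-RSA key would presumably fail the parse and fall into the same `return false` path as a mismatch.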
@@ -571,15 +557,15 @@ public class EnrollmentService implements IService {
byte[] crmfBerBlob = null;
crmfBerBlob = com.netscape.osutil.OSUtil.AtoB(crmfBlob);
- ByteArrayInputStream crmfBerBlobIn = new
- ByteArrayInputStream(crmfBerBlob);
+ ByteArrayInputStream crmfBerBlobIn = new
+ ByteArrayInputStream(crmfBerBlob);
SEQUENCE crmfmsgs = null;
try {
- crmfmsgs = (SEQUENCE) new
- SEQUENCE.OF_Template(new
- CertReqMsg.Template()).decode(
- crmfBerBlobIn);
+ crmfmsgs = (SEQUENCE) new
+ SEQUENCE.OF_Template(new
+ CertReqMsg.Template()).decode(
+ crmfBerBlobIn);
} catch (IOException e) {
throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[crmf msgs]" + e.toString()));
} catch (InvalidBERException e) {
@@ -588,9 +574,9 @@ public class EnrollmentService implements IService {
for (int z = 0; z < crmfmsgs.size(); z++) {
CertReqMsg certReqMsg = (CertReqMsg)
- crmfmsgs.elementAt(z);
- CertRequest certReq = certReqMsg.getCertReq();
-
+ crmfmsgs.elementAt(z);
+ CertRequest certReq = certReqMsg.getCertReq();
+
// try to locate PKIArchiveOption control
AVA archAva = null;
@@ -627,7 +613,7 @@ public class EnrollmentService implements IService {
if (options.size() == 0) {
throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "PKIArchiveOptions found"));
} else {
- PKIArchiveOptionsContainer p[] = new PKIArchiveOptionsContainer[options.size()];
+ PKIArchiveOptionsContainer p[] = new PKIArchiveOptionsContainer[options.size()];
options.copyInto(p);
return p;
@@ -636,7 +622,7 @@ public class EnrollmentService implements IService {
/**
* Retrieves public key from request.
- *
+ *
* @param request CRMF request
* @return JSS public key
* @exception EBaseException failed to retrieve public key
@@ -662,19 +648,19 @@ public class EnrollmentService implements IService {
// retrieve x509 Key from request
X509CertInfo certInfo[] =
- request.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ request.getExtDataInCertInfoArray(IRequest.CERT_INFO);
CertificateX509Key pX509Key = null;
try {
pX509Key = (CertificateX509Key)
certInfo[i].get(X509CertInfo.KEY);
} catch (IOException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + e.toString()));
} catch (CertificateException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.KEY + "]" + e.toString()));
}
X509Key pKey = null;
@@ -683,8 +669,8 @@ public class EnrollmentService implements IService {
pKey = (X509Key) pX509Key.get(
CertificateX509Key.KEY);
} catch (IOException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_PUBLIC_KEY", e.toString()));
throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + CertificateX509Key.KEY + "]" + e.toString()));
}
return pKey;
@@ -692,13 +678,13 @@ public class EnrollmentService implements IService {
/**
* Retrieves key's owner name from request.
- *
+ *
* @param request CRMF request
* @return owner name (subject name)
* @exception EBaseException failed to retrieve public key
*/
- private String getOwnerName(IRequest request, int i)
- throws EBaseException {
+ private String getOwnerName(IRequest request, int i)
+ throws EBaseException {
String profileId = request.getExtDataInString("profileId");
@@ -711,19 +697,19 @@ public class EnrollmentService implements IService {
}
X509CertInfo certInfo[] =
- request.getExtDataInCertInfoArray(IRequest.CERT_INFO);
+ request.getExtDataInCertInfoArray(IRequest.CERT_INFO);
CertificateSubjectName pSub = null;
try {
pSub = (CertificateSubjectName)
certInfo[0].get(X509CertInfo.SUBJECT);
} catch (IOException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString()));
throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + "]" + e.toString()));
} catch (CertificateException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_GET_OWNER_NAME", e.toString()));
throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[" + X509CertInfo.SUBJECT + "]" + e.toString()));
}
String owner = pSub.toString();
@@ -733,11 +719,11 @@ public class EnrollmentService implements IService {
/**
* Signed Audit Log Public Key
- *
+ *
* This method is called to obtain the public key from the passed in
* "KeyRecord" for a signed audit log message.
* <P>
- *
+ *
* @param rec a Key Record
* @return key string containing the certificate's public key
*/
@@ -770,29 +756,30 @@ public class EnrollmentService implements IService {
// extract all line separators from the "base64Data"
StringTokenizer st = new StringTokenizer(base64Data, "\r\n");
while (st.hasMoreTokens()) {
- key += st.nextToken();
+ key += st.nextToken();
}
}
key = key.trim();
- if (key.equals("")) {
- return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
- } else {
- return key;
- }
+ if (key.equals("")) {
+ return ILogger.SIGNED_AUDIT_EMPTY_VALUE;
+ } else {
+ return key;
+ }
}
+
/**
* Signed Audit Log Subject ID
- *
+ *
* This method is called to obtain the "SubjectID" for
* a signed audit log message.
* <P>
- *
+ *
* @return id string containing the signed audit log message SubjectID
*/
- private String auditSubjectID() {
+ private String auditSubjectID() {
// if no signed audit object exists, bail
if (mSignedAuditLogger == null) {
return null;
@@ -818,13 +805,14 @@ public class EnrollmentService implements IService {
return subjectID;
}
+
/**
* Signed Audit Log Requester ID
- *
+ *
* This method is called to obtain the "RequesterID" for
* a signed audit log message.
* <P>
- *
+ *
* @return id string containing the signed audit log message RequesterID
*/
private String auditRequesterID() {
@@ -856,10 +844,10 @@ public class EnrollmentService implements IService {
/**
* Signed Audit Log
- *
+ *
* This method is called to store messages to the signed audit log.
* <P>
- *
+ *
* @param msg signed audit log message
*/
private void audit(String msg) {
@@ -871,14 +859,13 @@ public class EnrollmentService implements IService {
}
mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
- null,
- ILogger.S_SIGNED_AUDIT,
- ILogger.LL_SECURITY,
- msg);
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
}
}
-
/**
* Parsed and Flattened structure of PKIArchiveOptions.
*/
@@ -887,6 +874,7 @@ class ArchiveOptions {
private byte mSymmAlgParams[] = null;
private byte mEncSymmKey[] = null;
private byte mEncValue[] = null;
+
public ArchiveOptions(PKIArchiveOptions opts) throws EBaseException {
try {
EncryptedKey key = opts.getEncryptedKey();
@@ -901,7 +889,7 @@ class ArchiveOptions {
enveloped_val = key.getEnvelopedData();
byte[] env_b = enveloped_val.getEncoded();
EnvelopedData.Template env_template = new EnvelopedData.Template();
- EnvelopedData env_data =
+ EnvelopedData env_data =
(EnvelopedData) env_template.decode(new ByteArrayInputStream(env_b));
EncryptedContentInfo eCI = env_data.getEncryptedContentInfo();
symmAlg = eCI.getContentEncryptionAlgorithm();
@@ -910,8 +898,8 @@ class ArchiveOptions {
SET recipients = env_data.getRecipientInfos();
if (recipients.size() <= 0) {
- CMS.debug("EnrollService: ArchiveOptions() - missing recipient information ");
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions] missing recipient information "));
+ CMS.debug("EnrollService: ArchiveOptions() - missing recipient information ");
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions] missing recipient information "));
}
//check recpient - later
//we only handle one recipient here anyways. so, either the key
@@ -948,11 +936,11 @@ class ArchiveOptions {
throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "[PKIArchiveOptions]" + e.toString()));
} catch (IOException e) {
CMS.debug("EnrollService: ArchiveOptions(): " + e.toString());
- throw new EBaseException("ArchiveOptions() exception caught: "+
+ throw new EBaseException("ArchiveOptions() exception caught: " +
e.toString());
} catch (Exception e) {
CMS.debug("EnrollService: ArchiveOptions(): " + e.toString());
- throw new EBaseException("ArchiveOptions() exception caught: "+
+ throw new EBaseException("ArchiveOptions() exception caught: " +
e.toString());
}
diff --git a/pki/base/kra/src/com/netscape/kra/KRANotify.java b/pki/base/kra/src/com/netscape/kra/KRANotify.java
index 33c16456..29eaf477 100644
--- a/pki/base/kra/src/com/netscape/kra/KRANotify.java
+++ b/pki/base/kra/src/com/netscape/kra/KRANotify.java
@@ -17,16 +17,14 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
import com.netscape.certsrv.request.ARequestNotifier;
-
/**
* A class represents a KRA request queue notify. This
* object will be invoked by the request subsystem
* when a request is requested for processing.
- *
+ *
* @author thomask
* @version $Revision$, $Date$
*/
diff --git a/pki/base/kra/src/com/netscape/kra/KRAPolicy.java b/pki/base/kra/src/com/netscape/kra/KRAPolicy.java
index dee18da4..f7d2ba13 100644
--- a/pki/base/kra/src/com/netscape/kra/KRAPolicy.java
+++ b/pki/base/kra/src/com/netscape/kra/KRAPolicy.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.ISubsystem;
@@ -30,7 +29,6 @@ import com.netscape.certsrv.request.PolicyResult;
import com.netscape.cmscore.policy.GenericPolicyProcessor;
import com.netscape.cmscore.util.Debug;
-
/**
* KRA Policy.
*
@@ -46,7 +44,7 @@ public class KRAPolicy implements IPolicy {
}
public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ throws EBaseException {
mKRA = (IKeyRecoveryAuthority) owner;
mConfig = config;
mPolicies.init(mKRA, mConfig);
@@ -77,4 +75,3 @@ public class KRAPolicy implements IPolicy {
}
}
-
diff --git a/pki/base/kra/src/com/netscape/kra/KRAService.java b/pki/base/kra/src/com/netscape/kra/KRAService.java
index a312a655..916ebe3b 100644
--- a/pki/base/kra/src/com/netscape/kra/KRAService.java
+++ b/pki/base/kra/src/com/netscape/kra/KRAService.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.util.Hashtable;
import com.netscape.certsrv.apps.CMS;
@@ -28,7 +27,6 @@ import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IService;
import com.netscape.cmscore.util.Debug;
-
/**
* A class represents a KRA request queue service. This
* is the service object that is registered with
@@ -37,14 +35,14 @@ import com.netscape.cmscore.util.Debug;
* services. This service registration allows us to support
* new request easier.
* <P>
- *
+ *
* @author thomask
* @version $Revision$, $Date$
*/
public class KRAService implements IService {
- public final static String ENROLLMENT =
- IRequest.ENROLLMENT_REQUEST;
+ public final static String ENROLLMENT =
+ IRequest.ENROLLMENT_REQUEST;
public final static String RECOVERY = IRequest.KEYRECOVERY_REQUEST;
public final static String NETKEY_KEYGEN = IRequest.NETKEY_KEYGEN_REQUEST;
public final static String NETKEY_KEYRECOVERY = IRequest.NETKEY_KEYRECOVERY_REQUEST;
@@ -60,23 +58,23 @@ public class KRAService implements IService {
mKRA = kra;
mServices.put(ENROLLMENT, new EnrollmentService(kra));
mServices.put(RECOVERY, new RecoveryService(kra));
- mServices.put(NETKEY_KEYGEN, new NetkeyKeygenService(kra));
- mServices.put(NETKEY_KEYRECOVERY, new TokenKeyRecoveryService(kra));
+ mServices.put(NETKEY_KEYGEN, new NetkeyKeygenService(kra));
+ mServices.put(NETKEY_KEYRECOVERY, new TokenKeyRecoveryService(kra));
}
/**
* Processes a KRA request. This method is invoked by
* request subsystem.
- *
+ *
* @param r request from request subsystem
* @exception EBaseException failed to serve
*/
public boolean serviceRequest(IRequest r) throws EBaseException {
if (Debug.ON)
- Debug.trace("KRA services request " +
- r.getRequestId().toString());
+ Debug.trace("KRA services request " +
+ r.getRequestId().toString());
mKRA.log(ILogger.LL_INFO, "KRA services request " +
- r.getRequestId().toString());
+ r.getRequestId().toString());
IService s = (IService) mServices.get(
r.getRequestType());
diff --git a/pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
index 22a10998..84d5b5e8 100644
--- a/pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+++ b/pki/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
@@ -74,14 +73,13 @@ import com.netscape.cmscore.dbs.KeyRepository;
import com.netscape.cmscore.dbs.ReplicaIDRepository;
import com.netscape.cmscore.request.RequestSubsystem;
-
/**
* A class represents an key recovery authority (KRA). A KRA
* is responsible to maintain key pairs that have been
* escrowed. It provides archive and recovery key pairs
- * functionalities.
+ * functionalities.
* <P>
- *
+ *
* @author thomask
* @version $Revision$, $Date$
*/
@@ -103,7 +101,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
private final static String KEY_RESP_NAME = "keyRepository";
private static final String PROP_REPLICAID_DN = "dbs.replicadn";
-
protected boolean mInitialized = false;
protected IConfigStore mConfig = null;
protected ILogger mLogger = CMS.getLogger();
@@ -126,15 +123,13 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
protected org.mozilla.jss.crypto.X509Certificate mJssCert = null;
protected CryptoToken mKeygenToken = null;
- // holds the number of bits of entropy to collect for each keygen
- private int mEntropyBitsPerKeyPair=0;
-
- // the number of milliseconds which it is acceptable to block while
- // getting entropy - anything longer will cause a warning.
- // 0 means this warning is disabled
- private int mEntropyBlockWarnMilliseconds = 0;
-
+ // holds the number of bits of entropy to collect for each keygen
+ private int mEntropyBitsPerKeyPair = 0;
+ // the number of milliseconds which it is acceptable to block while
+ // getting entropy - anything longer will cause a warning.
+ // 0 means this warning is disabled
+ private int mEntropyBlockWarnMilliseconds = 0;
// for the notification listener
public IRequestListener mReqInQListener = null;
@@ -142,20 +137,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
private final static byte EOL[] = { Character.LINE_SEPARATOR };
private final static String SIGNED_AUDIT_AGENT_DELIMITER = ", ";
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4";
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4";
private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4";
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4";
/**
* Constructs an escrow authority.
@@ -176,7 +169,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Sets subsystem identifier.
- *
+ *
* @param id subsystem id
* @exception EBaseException failed to set id
*/
@@ -189,76 +182,72 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
// initialize entropy collection parameters
- private void initEntropy(IConfigStore config)
- {
+ private void initEntropy(IConfigStore config) {
mEntropyBitsPerKeyPair = 0;
mEntropyBlockWarnMilliseconds = 50;
// initialize entropy collection
IConfigStore ecs = config.getSubStore("entropy");
if (ecs != null) {
try {
- mEntropyBitsPerKeyPair = ecs.getInteger("bitsperkeypair",0);
- mEntropyBlockWarnMilliseconds = ecs.getInteger("blockwarnms",50);
+ mEntropyBitsPerKeyPair = ecs.getInteger("bitsperkeypair", 0);
+ mEntropyBlockWarnMilliseconds = ecs.getInteger("blockwarnms", 50);
} catch (EBaseException eb) {
// ok - we deal with missing parameters above
}
}
- CMS.debug("KeyRecoveryAuthority Entropy bits = "+mEntropyBitsPerKeyPair);
+ CMS.debug("KeyRecoveryAuthority Entropy bits = " + mEntropyBitsPerKeyPair);
if (mEntropyBitsPerKeyPair == 0) {
//log(ILogger.LL_INFO,
- //CMS.getLogMessage("CMSCORE_KRA_ENTROPY_COLLECTION_DISABLED"));
+ //CMS.getLogMessage("CMSCORE_KRA_ENTROPY_COLLECTION_DISABLED"));
} else {
//log(ILogger.LL_INFO,
- //CMS.getLogMessage("CMSCORE_KRA_ENTROPY_COLLECTION_ENABLED"));
- CMS.debug("KeyRecoveryAuthority about to add Entropy");
+ //CMS.getLogMessage("CMSCORE_KRA_ENTROPY_COLLECTION_ENABLED"));
+ CMS.debug("KeyRecoveryAuthority about to add Entropy");
addEntropy(false);
- CMS.debug("KeyRecoveryAuthority back from add Entropy");
+ CMS.debug("KeyRecoveryAuthority back from add Entropy");
}
}
-
public void addEntropy(boolean logflag) {
- CMS.debug("KeyRecoveryAuthority addEntropy()");
+ CMS.debug("KeyRecoveryAuthority addEntropy()");
if (mEntropyBitsPerKeyPair == 0) {
- CMS.debug("KeyRecoveryAuthority returning - disabled()");
- return;
- }
+ CMS.debug("KeyRecoveryAuthority returning - disabled()");
+ return;
+ }
long start = System.currentTimeMillis();
try {
com.netscape.cmscore.security.JssSubsystem.getInstance().
- addEntropy(mEntropyBitsPerKeyPair);
+ addEntropy(mEntropyBitsPerKeyPair);
} catch (Exception e) {
- CMS.debug("KeyRecoveryAuthority returning - error - see log file");
- CMS.debug("exception: "+e.getMessage());
- CMS.debug(e);
- if (logflag) {
- log(ILogger.LL_INFO,
- CMS.getLogMessage("CMSCORE_KRA_ENTROPY_ERROR",
- e.getMessage()));
- }
+ CMS.debug("KeyRecoveryAuthority returning - error - see log file");
+ CMS.debug("exception: " + e.getMessage());
+ CMS.debug(e);
+ if (logflag) {
+ log(ILogger.LL_INFO,
+ CMS.getLogMessage("CMSCORE_KRA_ENTROPY_ERROR",
+ e.getMessage()));
+ }
}
- long end = System.currentTimeMillis();
- long duration = end-start;
-
- if (mEntropyBlockWarnMilliseconds > 0 &&
- duration > mEntropyBlockWarnMilliseconds) {
-
- CMS.debug("KeyRecoveryAuthority returning - warning - entropy took too long (ms="+
- duration+")");
- if (logflag) {
- log(ILogger.LL_INFO,
- CMS.getLogMessage("CMSCORE_KRA_ENTROPY_BLOCKED_WARNING",
- ""+(int)duration));
- }
+ long end = System.currentTimeMillis();
+ long duration = end - start;
+
+ if (mEntropyBlockWarnMilliseconds > 0 &&
+ duration > mEntropyBlockWarnMilliseconds) {
+
+ CMS.debug("KeyRecoveryAuthority returning - warning - entropy took too long (ms=" +
+ duration + ")");
+ if (logflag) {
+ log(ILogger.LL_INFO,
+ CMS.getLogMessage("CMSCORE_KRA_ENTROPY_BLOCKED_WARNING",
+ "" + (int) duration));
+ }
}
- CMS.debug("KeyRecoveryAuthority returning ");
+ CMS.debug("KeyRecoveryAuthority returning ");
}
-
-
- /**
- * Starts this subsystem. It loads and initializes all
+ /**
+ * Starts this subsystem. It loads and initializes all
* necessary components. This subsystem is started by
* KRASubsystem.
* <P>
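Review bot: The empty `catch (EBaseException eb)` in `initEntropy` lets an unusable `bitsperkeypair` value pass silently, and because `mEntropyBitsPerKeyPair` was reset to 0 just above, entropy collection then stays disabled with only the `Entropy bits = 0` debug line to show for it. The comment says missing parameters are covered by the defaults, which holds for an absent key, but presumably `getInteger` with a default throws only when the stored value cannot be used, and that case deserves a record in the system log: `log(ILogger.LL_FAILURE, "KRA entropy configuration could not be read: " + eb.toString());`. The same reasoning applies to `addEntropy`, where a failure is reported at `LL_INFO` and only when `logflag` is set, so the `addEntropy(false)` call made here during initialisation never reaches the log.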
@@ -267,9 +256,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
* @param config configuration store for this subsystem
* @exception EBaseException failed to start subsystem
*/
- public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
- CMS.debug("KeyRecoveryAuthority init() begins");
+ public void init(ISubsystem owner, IConfigStore config)
+ throws EBaseException {
+ CMS.debug("KeyRecoveryAuthority init() begins");
if (mInitialized)
return;
@@ -285,26 +274,26 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
mKeyDB = new KeyRepository(getDBSubsystem(),
keydb_inc,
- "ou=" + KEY_RESP_NAME + ",ou=" +
- getId() + "," +
- getDBSubsystem().getBaseDN());
+ "ou=" + KEY_RESP_NAME + ",ou=" +
+ getId() + "," +
+ getDBSubsystem().getBaseDN());
// read transport key from internal database
mTransportKeyUnit = new TransportKeyUnit();
try {
- mTransportKeyUnit.init(this, mConfig.getSubStore(
- PROP_TRANSPORT_KEY));
+ mTransportKeyUnit.init(this, mConfig.getSubStore(
+ PROP_TRANSPORT_KEY));
} catch (EBaseException e) {
CMS.debug("KeyRecoveryAuthority: transport unit exception " + e.toString());
-//XXX throw e;
- return;
+ //XXX throw e;
+ return;
}
// retrieve the authority name from transport cert
try {
mJssCert = mTransportKeyUnit.getCertificate();
- X509CertImpl certImpl = new
- X509CertImpl(mJssCert.getEncoded());
+ X509CertImpl certImpl = new
+ X509CertImpl(mJssCert.getEncoded());
mName = (X500Name) certImpl.getSubjectDN();
} catch (CertificateEncodingException e) {
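Review bot: When `mTransportKeyUnit.init(...)` fails, the catch block writes one debug line and returns from `init` with the rethrow commented out (`//XXX throw e;`), so the subsystem is left half-initialised without an entry in the system log. Everything after this point in the method, including the storage key unit and the request queue set up in the next hunk, is skipped, and `startup()` later reports only that `mRequestQueue` is null and "could be in preop mode". If returning early is intended for pre-operation mode, say so in a comment in place of `//XXX throw e;` and record the failure, for example `log(ILogger.LL_FAILURE, "KeyRecoveryAuthority: transport key unit not initialised: " + e.toString());`. `init` begins and ends outside this hunk.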
@@ -320,55 +309,55 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
// read transport key from storage key
mStorageKeyUnit = new StorageKeyUnit();
try {
- mStorageKeyUnit.init(this,
- mConfig.getSubStore(PROP_STORAGE_KEY));
+ mStorageKeyUnit.init(this,
+ mConfig.getSubStore(PROP_STORAGE_KEY));
} catch (EBaseException e) {
CMS.debug("KeyRecoveryAuthority: storage unit exception " + e.toString());
throw e;
}
- // setup token for server-side key generation for user enrollments
- String serverKeygenTokenName = mConfig.getString("serverKeygenTokenName", null);
- if (serverKeygenTokenName == null) {
- CMS.debug("serverKeygenTokenName set to nothing");
- if (mStorageKeyUnit.getToken() != null) {
- try {
- String storageToken = mStorageKeyUnit.getToken().getName();
- if (!storageToken.equals("internal")) {
- CMS.debug("Auto set serverKeygenTokenName to " + storageToken);
- serverKeygenTokenName = storageToken;
- }
- } catch (Exception e) {
- }
- }
- }
- if (serverKeygenTokenName == null) {
- serverKeygenTokenName = "internal";
- }
+ // setup token for server-side key generation for user enrollments
+ String serverKeygenTokenName = mConfig.getString("serverKeygenTokenName", null);
+ if (serverKeygenTokenName == null) {
+ CMS.debug("serverKeygenTokenName set to nothing");
+ if (mStorageKeyUnit.getToken() != null) {
+ try {
+ String storageToken = mStorageKeyUnit.getToken().getName();
+ if (!storageToken.equals("internal")) {
+ CMS.debug("Auto set serverKeygenTokenName to " + storageToken);
+ serverKeygenTokenName = storageToken;
+ }
+ } catch (Exception e) {
+ }
+ }
+ }
+ if (serverKeygenTokenName == null) {
+ serverKeygenTokenName = "internal";
+ }
if (serverKeygenTokenName.equalsIgnoreCase(PR_INTERNAL_TOKEN_NAME))
serverKeygenTokenName = PR_INTERNAL_TOKEN_NAME;
try {
if (serverKeygenTokenName.equalsIgnoreCase(PR_INTERNAL_TOKEN_NAME)) {
- CMS.debug("KeyRecoveryAuthority: getting internal crypto token for serverkeygen");
+ CMS.debug("KeyRecoveryAuthority: getting internal crypto token for serverkeygen");
mKeygenToken = CryptoManager.getInstance().getInternalKeyStorageToken();
} else {
- CMS.debug("KeyRecoveryAuthority: getting HSM token for serverkeygen");
+ CMS.debug("KeyRecoveryAuthority: getting HSM token for serverkeygen");
mKeygenToken = CryptoManager.getInstance().getTokenByName(serverKeygenTokenName);
}
- CMS.debug("KeyRecoveryAuthority: set up keygenToken");
+ CMS.debug("KeyRecoveryAuthority: set up keygenToken");
} catch (NoSuchTokenException e) {
throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND", serverKeygenTokenName));
} catch (Exception e) {
throw new EBaseException(CMS.getUserMessage("CMS_BASE_CRYPTOMANAGER_UNINITIALIZED"));
}
- CMS.debug("KeyRecoveryAuthority: about to init entropy");
- initEntropy(mConfig);
- CMS.debug("KeyRecoveryAuthority: completed init of entropy");
+ CMS.debug("KeyRecoveryAuthority: about to init entropy");
+ initEntropy(mConfig);
+ CMS.debug("KeyRecoveryAuthority: completed init of entropy");
- getLogger().log(ILogger.EV_SYSTEM, ILogger.S_KRA,
- ILogger.LL_INFO, mName.toString() + " is started");
+ getLogger().log(ILogger.EV_SYSTEM, ILogger.S_KRA,
+ ILogger.LL_INFO, mName.toString() + " is started");
// setup the KRA request queue
IService service = new KRAService(this);
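Review bot: The empty `catch (Exception e) { }` around `mStorageKeyUnit.getToken().getName()` hides the reason server-side key generation falls back to the internal token. When `serverKeygenTokenName` is not configured and reading the storage token name throws, the variable stays null and the next `if` sets it to `"internal"`, so keys may be generated on the internal token although the storage key sits on a different one, and nothing is recorded. Log the exception in the catch, e.g. `CMS.debug("KeyRecoveryAuthority: cannot read storage token name, keygen token defaults to internal: " + e.toString());`. `init` starts and ends outside the hunk.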
@@ -383,17 +372,17 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
// set KeyStatusUpdateInterval to be 10 minutes if serial management is enabled.
mKeyDB.setKeyStatusUpdateInterval(
- mRequestQueue.getRequestRepository(),
- mConfig.getInteger("keyStatusUpdateInterval", 10 * 60));
+ mRequestQueue.getRequestRepository(),
+ mConfig.getInteger("keyStatusUpdateInterval", 10 * 60));
// init request scheduler if configured
String schedulerClass =
- mConfig.getString("requestSchedulerClass", null);
+ mConfig.getString("requestSchedulerClass", null);
if (schedulerClass != null) {
try {
IRequestScheduler scheduler = (IRequestScheduler)
- Class.forName(schedulerClass).newInstance();
+ Class.forName(schedulerClass).newInstance();
mRequestQueue.setRequestScheduler(scheduler);
} catch (Exception e) {
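Review bot: `Class.forName(schedulerClass).newInstance()` instantiates whatever class name `requestSchedulerClass` holds, and the cast to `IRequestScheduler` is applied only afterwards, so the constructor of an unrelated class on the classpath has already run by the time the type mismatch is detected. The value comes from the KRA configuration store, so this is a hardening point for anyone who can edit that configuration, and the type check can be moved ahead of instantiation: `Class.forName(schedulerClass).asSubclass(IRequestScheduler.class).newInstance();`. The body of the `catch (Exception e)` that follows is outside the hunk, so whether a bad class name is logged cannot be seen here.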
@@ -404,17 +393,17 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
String replicaReposDN = mConfig.getString(PROP_REPLICAID_DN, null);
if (replicaReposDN == null) {
- replicaReposDN = "ou=Replica," + getDBSubsystem().getBaseDN();
+ replicaReposDN = "ou=Replica," + getDBSubsystem().getBaseDN();
}
mReplicaRepot = new ReplicaIDRepository(
- DBSubsystem.getInstance(), 1, replicaReposDN);
+ DBSubsystem.getInstance(), 1, replicaReposDN);
CMS.debug("Replica Repot inited");
}
public CryptoToken getKeygenToken() {
- return mKeygenToken;
+ return mKeygenToken;
}
public IRequestListener getRequestInQListener() {
@@ -434,27 +423,27 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Starts this service. When this method is called, all
- * service
- *
+ * service
+ *
* @exception EBaseException failed to startup this subsystem
*/
public void startup() throws EBaseException {
- CMS.debug("KeyRecoveryAuthority startup() begins");
+ CMS.debug("KeyRecoveryAuthority startup() begins");
- if (mRequestQueue != null) {
- // setup administration operations if everything else is fine
- mRequestQueue.recover();
- CMS.debug("KeyRecoveryAuthority startup() call request Q recover");
+ if (mRequestQueue != null) {
+ // setup administration operations if everything else is fine
+ mRequestQueue.recover();
+ CMS.debug("KeyRecoveryAuthority startup() call request Q recover");
- // Note that we use our instance id for registration.
- // This helps us to support multiple instances
- // of a subsystem within server.
+ // Note that we use our instance id for registration.
+ // This helps us to support multiple instances
+ // of a subsystem within server.
- // register remote admin interface
- mInitialized = true;
- } else {
- CMS.debug("KeyRecoveryAuthority: mRequestQueue is null, could be in preop mode");
- }
+ // register remote admin interface
+ mInitialized = true;
+ } else {
+ CMS.debug("KeyRecoveryAuthority: mRequestQueue is null, could be in preop mode");
+ }
}
/**
@@ -470,15 +459,15 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
mKeyDB.shutdown();
mKeyDB = null;
}
- getLogger().log(ILogger.EV_SYSTEM, ILogger.S_KRA,
- ILogger.LL_INFO, mName.toString() + " is stopped");
+ getLogger().log(ILogger.EV_SYSTEM, ILogger.S_KRA,
+ ILogger.LL_INFO, mName.toString() + " is stopped");
mInitialized = false;
}
/**
* Retrieves the configuration store of this subsystem.
* <P>
- *
+ *
* @return configuration store
*/
public IConfigStore getConfigStore() {
@@ -487,7 +476,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Changes the auto recovery state.
- *
+ *
* @param cs list of recovery agent credentials
* @param on turn of auto recovery or not
* @return operation success or not
@@ -508,7 +497,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Retrieves the current auto recovery state.
- *
+ *
* @return enable or not
*/
public boolean getAutoRecoveryState() {
@@ -517,11 +506,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
/**
- * Returns a list of users who are in auto
+ * Returns a list of users who are in auto
* recovery mode.
- *
+ *
* @return list of user IDs that are accepted in the
- * auto recovery mode
+ * auto recovery mode
*/
public Enumeration<String> getAutoRecoveryIDs() {
return mAutoRecovery.keys();
@@ -529,7 +518,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Adds auto recovery mode to the given user id.
- *
+ *
* @param id new identifier to the auto recovery mode
* @param creds list of credentials
*/
@@ -539,9 +528,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Removes auto recovery mode from the given user id.
- *
- * @param id id of user to be removed from auto
- * recovery mode
+ *
+ * @param id id of user to be removed from auto
+ * recovery mode
*/
public void removeAutoRecovery(String id) {
mAutoRecovery.remove(id);
@@ -549,7 +538,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Retrieves logger from escrow authority.
- *
+ *
* @return logger
*/
public ILogger getLogger() {
@@ -557,29 +546,29 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
/**
- * Retrieves number of required agents for
+ * Retrieves number of required agents for
* recovery operation.
- *
+ *
* @return number of required agents
* @exception EBaseException failed to retrieve info
*/
public int getNoOfRequiredAgents() throws EBaseException {
if (mConfig.getBoolean("keySplitting", false)) {
- return mStorageKeyUnit.getNoOfRequiredAgents();
+ return mStorageKeyUnit.getNoOfRequiredAgents();
} else {
int ret = -1;
- ret = mConfig.getInteger("noOfRequiredRecoveryAgents", 1);
+ ret = mConfig.getInteger("noOfRequiredRecoveryAgents", 1);
if (ret <= 0) {
- throw new EBaseException("Invalid parameter noOfRequiredecoveryAgents");
+ throw new EBaseException("Invalid parameter noOfRequiredecoveryAgents");
}
return ret;
}
}
/**
- * Sets number of required agents for
+ * Sets number of required agents for
* recovery operation
- *
+ *
* @return none
* @exception EBaseException invalid setting
*/
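Review bot: The exception text `"Invalid parameter noOfRequiredecoveryAgents"` misspells the configuration key read two lines above, `noOfRequiredRecoveryAgents`, so an administrator searching the configuration for the name in the message will not find it; it should read `throw new EBaseException("Invalid parameter noOfRequiredRecoveryAgents");`. The `ret <= 0` check also covers only the non-splitting branch: the value from `mStorageKeyUnit.getNoOfRequiredAgents()` is returned unchecked, which may be fine if the storage unit validates it, but that is not visible here. `int ret = -1;` followed immediately by the assignment can be a single declaration.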
@@ -587,7 +576,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
if (mConfig.getBoolean("keySplitting")) {
mStorageKeyUnit.setNoOfRequiredAgents(number);
} else {
- mConfig.putInteger("noOfRequiredRecoveryAgents", number);
+ mConfig.putInteger("noOfRequiredRecoveryAgents", number);
}
}
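Review bot: The setter stores `number` without a range check, while `getNoOfRequiredAgents()` in the previous hunk rejects a configured value `<= 0`. In the non-splitting branch a zero or negative agent count is therefore accepted when written and fails only later, when a recovery asks for the threshold. Reject it at the point of change, before the `keySplitting` test: `if (number <= 0) throw new EBaseException("Invalid parameter noOfRequiredRecoveryAgents");`. This hunk also calls `mConfig.getBoolean("keySplitting")` without the `false` default that the getter passes; whether that difference is intended is worth a comment. The method's signature is outside the hunk.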
@@ -599,7 +588,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
public Hashtable<String, Object> createRecoveryParams(String recoveryID)
- throws EBaseException {
+ throws EBaseException {
Hashtable<String, Object> h = new Hashtable<String, Object>();
h.put(PARAM_CREDS, new Vector<Credential>());
@@ -608,37 +597,37 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
return h;
}
- public void destroyRecoveryParams(String recoveryID)
- throws EBaseException {
+ public void destroyRecoveryParams(String recoveryID)
+ throws EBaseException {
mRecoveryParams.remove(recoveryID);
}
public Hashtable<String, Object> getRecoveryParams(String recoveryID)
- throws EBaseException {
+ throws EBaseException {
return (Hashtable<String, Object>) mRecoveryParams.get(recoveryID);
}
public void createPk12(String recoveryID, byte[] pk12)
- throws EBaseException {
+ throws EBaseException {
Hashtable<String, Object> h = getRecoveryParams(recoveryID);
h.put(PARAM_PK12, pk12);
}
public byte[] getPk12(String recoveryID)
- throws EBaseException {
+ throws EBaseException {
return (byte[]) getRecoveryParams(recoveryID).get(PARAM_PK12);
}
public void createError(String recoveryID, String error)
- throws EBaseException {
+ throws EBaseException {
Hashtable<String, Object> h = getRecoveryParams(recoveryID);
h.put(PARAM_ERROR, error);
}
public String getError(String recoveryID)
- throws EBaseException {
+ throws EBaseException {
return (String) getRecoveryParams(recoveryID).get(PARAM_ERROR);
}
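Review bot: `getRecoveryParams` returns whatever `mRecoveryParams.get(recoveryID)` yields, which is null for an identifier that was never created or was already removed by `destroyRecoveryParams`, and `createPk12`, `getPk12`, `createError` and `getError` dereference the result directly. An unknown or stale `recoveryID` therefore surfaces as a `NullPointerException` instead of the `EBaseException` these methods declare. The same pattern appears in `getAppAgents`, `getDistributedCredentials` and `addDistributedCredential` in the following hunks. Each of them should test the returned table and throw, e.g. `if (h == null) throw new EBaseException("unknown recovery id " + recoveryID);`, which for `getPk12` and `getError` means taking the table into a local first.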
@@ -646,10 +635,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
* Retrieve the current approval agents
*/
public Vector<Credential> getAppAgents(
- String recoveryID) throws EBaseException {
+ String recoveryID) throws EBaseException {
Hashtable<String, Object> h = getRecoveryParams(recoveryID);
@SuppressWarnings("unchecked")
- Vector<Credential> dc = (Vector<Credential>) h.get(PARAM_CREDS);
+ Vector<Credential> dc = (Vector<Credential>) h.get(PARAM_CREDS);
return dc;
}
@@ -660,16 +649,16 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
* are collected.
*/
public Credential[] getDistributedCredentials(
- String recoveryID)
- throws EBaseException {
+ String recoveryID)
+ throws EBaseException {
Hashtable<String, Object> h = getRecoveryParams(recoveryID);
@SuppressWarnings("unchecked")
- Vector<Credential> dc = (Vector<Credential>) h.get(PARAM_CREDS);
+ Vector<Credential> dc = (Vector<Credential>) h.get(PARAM_CREDS);
Object lock = (Object) h.get(PARAM_LOCK);
synchronized (lock) {
- while (dc.size() < getNoOfRequiredAgents()) {
- CMS.debug("KeyRecoveryAuthority: cfu in synchronized lock for getDistributedCredentials");
+ while (dc.size() < getNoOfRequiredAgents()) {
+ CMS.debug("KeyRecoveryAuthority: cfu in synchronized lock for getDistributedCredentials");
try {
lock.wait();
} catch (InterruptedException e) {
@@ -685,21 +674,21 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Verifies credential.
*/
- private void verifyCredential(Vector<Credential> creds, String uid,
- String pwd) throws EBaseException {
- // see if we have the uid already
+ private void verifyCredential(Vector<Credential> creds, String uid,
+ String pwd) throws EBaseException {
+ // see if we have the uid already
if (!mConfig.getBoolean("keySplitting")) {
- // check if the uid is in the specified group
+ // check if the uid is in the specified group
IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
if (!ug.isMemberOf(uid, mConfig.getString("recoveryAgentGroup"))) {
- // invalid group
- throw new EBaseException(CMS.getUserMessage("CMS_KRA_CREDENTIALS_NOT_EXIST"));
+ // invalid group
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_CREDENTIALS_NOT_EXIST"));
}
}
for (int i = 0; i < creds.size(); i++) {
- Credential c = creds.elementAt(i);
+ Credential c = creds.elementAt(i);
if (c.getIdentifier().equals(uid)) {
// duplicated uid
@@ -707,18 +696,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
}
if (mConfig.getBoolean("keySplitting")) {
- mStorageKeyUnit.checkPassword(uid, pwd);
+ mStorageKeyUnit.checkPassword(uid, pwd);
}
}
/**
* Adds password.
*/
- public void addDistributedCredential(String recoveryID,
- String uid, String pwd) throws EBaseException {
+ public void addDistributedCredential(String recoveryID,
+ String uid, String pwd) throws EBaseException {
Hashtable<String, Object> h = getRecoveryParams(recoveryID);
@SuppressWarnings("unchecked")
- Vector<Credential> dc = (Vector<Credential> ) h.get(PARAM_CREDS);
+ Vector<Credential> dc = (Vector<Credential>) h.get(PARAM_CREDS);
Object lock = (Object) h.get(PARAM_LOCK);
synchronized (lock) {
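Review bot: `verifyCredential` takes `pwd`, but across this hunk and the previous one the password is checked only by `mStorageKeyUnit.checkPassword(uid, pwd)` when `keySplitting` is enabled; otherwise the method verifies group membership and the absence of a duplicate uid and nothing else. Presumably agents are authenticated before this call in that mode, but the method reads as if it verified the credential, and `addDistributedCredential` below is documented only as "Adds password". A comment above the first `keySplitting` test would settle it: `// pwd is verified only in key-splitting mode; otherwise the caller is assumed to have authenticated uid (confirm)`. `verifyCredential` begins in the previous hunk and `addDistributedCredential` continues past this one.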
@@ -734,23 +723,20 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
* Archives key. This creates a key record in the key
* repository.
* <P>
- *
+ *
* <ul>
- * <li>signed.audit LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST used
- * whenever a user private key archive request is made (this is when the
- * DRM receives the request)
- * <li>signed.audit LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED used
- * whenever a user private key archive request is processed (this is when
- * the DRM processes the request)
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST used whenever a user private key archive request is made (this is when the DRM receives the request)
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED used whenever a user private key archive request is processed (this is when the DRM processes the request)
* </ul>
+ *
* @param rec key record to be archived
* @return executed request
* @exception EBaseException failed to archive key
* @return the request
- * <P>
+ * <P>
*/
- public IRequest archiveKey(KeyRecord rec)
- throws EBaseException {
+ public IRequest archiveKey(KeyRecord rec)
+ throws EBaseException {
String auditMessage = null;
String auditSubjectID = auditSubjectID();
String auditRequesterID = auditRequesterID();
@@ -835,7 +821,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
* async key recovery initiation
*/
public String initAsyncKeyRecovery(BigInteger kid, X509CertImpl cert, String agent)
- throws EBaseException {
+ throws EBaseException {
String auditPublicKey = auditPublicKey(cert);
String auditRecoveryID = "undefined";
@@ -884,12 +870,12 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
return r.getRequestId().toString();
}
- /**
- * is async recovery request status APPROVED -
- * i.e. all required # of recovery agents approved
- */
+ /**
+ * is async recovery request status APPROVED -
+ * i.e. all required # of recovery agents approved
+ */
public boolean isApprovedAsyncKeyRecovery(String reqID)
- throws EBaseException {
+ throws EBaseException {
IRequestQueue queue = null;
IRequest r = null;
@@ -902,11 +888,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
}
- /**
- * get async recovery request initiating agent
- */
+ /**
+ * get async recovery request initiating agent
+ */
public String getInitAgentAsyncKeyRecovery(String reqID)
- throws EBaseException {
+ throws EBaseException {
IRequestQueue queue = null;
IRequest r = null;
@@ -927,14 +913,14 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
return null;
}
- /**
- * add async recovery agent to approving agent list of the recovery request
- * record
- * This method will check to see if the agent belongs to the recovery group
- * first before adding.
- */
+ /**
+ * add async recovery agent to approving agent list of the recovery request
+ * record
+ * This method will check to see if the agent belongs to the recovery group
+ * first before adding.
+ */
public void addAgentAsyncKeyRecovery(String reqID, String agentID)
- throws EBaseException {
+ throws EBaseException {
IRequestQueue queue = null;
IRequest r = null;
@@ -956,8 +942,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
String a = st.nextToken();
// first one is the initiating agent
if ((count != 0) && a.equals(agentID)) {
- // duplicated uid
- throw new EBaseException(CMS.getUserMessage("CMS_KRA_CREDENTIALS_EXIST"));
+ // duplicated uid
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_CREDENTIALS_EXIST"));
}
count++;
}
@@ -966,7 +952,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
// and it'd look like "agent1,agent1" - that's the only dup allowed
if (count <= getNoOfRequiredAgents()) { //all good, add it
r.setExtData(RecoveryService.ATTR_APPROVE_AGENTS,
- agents+","+agentID);
+ agents + "," + agentID);
if (count == getNoOfRequiredAgents()) {
r.setRequestStatus(RequestStatus.APPROVED);
} else {
@@ -983,31 +969,28 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
* Recovers key for administrators. This method is
* invoked by the agent operation of the key recovery servlet.
* <P>
- *
+ *
* <ul>
- * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST used whenever
- * a user private key recovery request is made (this is when the DRM
- * receives the request)
- * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED used whenever
- * a user private key recovery request is processed (this is when the DRM
- * processes the request)
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST used whenever a user private key recovery request is made (this is when the DRM receives the request)
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED used whenever a user private key recovery request is processed (this is when the DRM processes the request)
* </ul>
+ *
* @param kid key identifier
* @param creds list of recovery agent credentials
* @param password password of the PKCS12 package
* @param cert certficate that will be put in PKCS12
* @param delivery file, mail or something else
* @param nickname string containing the nickname of the id cert for this
- * subsystem
+ * subsystem
* @exception EBaseException failed to recover key
* @return a byte array containing the key
*/
public byte[] doKeyRecovery(BigInteger kid,
- Credential creds[], String password,
- X509CertImpl cert,
- String delivery, String nickname,
- String agent)
- throws EBaseException {
+ Credential creds[], String password,
+ X509CertImpl cert,
+ String delivery, String nickname,
+ String agent)
+ throws EBaseException {
String auditMessage = null;
String auditSubjectID = auditSubjectID();
String auditRecoveryID = auditRecoveryID();
@@ -1028,8 +1011,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
// set transient parameters
params = createVolatileRequest(r.getRequestId());
- if (mConfig.getBoolean("keySplitting")) {
- params.put(RecoveryService.ATTR_AGENT_CREDENTIALS, creds);
+ if (mConfig.getBoolean("keySplitting")) {
+ params.put(RecoveryService.ATTR_AGENT_CREDENTIALS, creds);
}
params.put(RecoveryService.ATTR_TRANSPORT_PWD, password);
@@ -1119,29 +1102,26 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
}
- /**
+ /**
* Async Recovers key for administrators. This method is
* invoked by the agent operation of the key recovery servlet.
* <P>
- *
+ *
* <ul>
- * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST used whenever
- * a user private key recovery request is made (this is when the DRM
- * receives the request)
- * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED used whenever
- * a user private key recovery request is processed (this is when the DRM
- * processes the request)
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST used whenever a user private key recovery request is made (this is when the DRM receives the request)
+ * <li>signed.audit LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED used whenever a user private key recovery request is processed (this is when the DRM processes the request)
* </ul>
- * @param requestID request id
+ *
+ * @param requestID request id
* @param password password of the PKCS12 package
- * subsystem
+ * subsystem
* @exception EBaseException failed to recover key
* @return a byte array containing the key
*/
public byte[] doKeyRecovery(
- String reqID,
- String password)
- throws EBaseException {
+ String reqID,
+ String password)
+ throws EBaseException {
String auditMessage = null;
String auditSubjectID = auditSubjectID();
String auditRecoveryID = reqID;
@@ -1156,8 +1136,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
queue = getRequestQueue();
r = queue.findRequest(new RequestId(reqID));
- auditAgents =
- r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS);
+ auditAgents =
+ r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS);
// set transient parameters
params = createVolatileRequest(r.getRequestId());
@@ -1166,7 +1146,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
// ensure that any low-level exceptions are reported
// to the signed audit log and stored as failures
try {
- CMS.debug("KeyRecoveryAuthority: in asynchronous doKeyRecovery(), request state ="+ r.getRequestStatus().toString());
+ CMS.debug("KeyRecoveryAuthority: in asynchronous doKeyRecovery(), request state =" + r.getRequestStatus().toString());
// can only process requests in begin state
r.setRequestStatus(RequestStatus.BEGIN);
queue.processRequest(r);
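Review bot: The debug line prints the request status and the next statement overwrites it with `RequestStatus.BEGIN` without comparing it to anything, so within this hunk nothing stops a request that never reached APPROVED from being processed. If the approval check is left to the caller (`isApprovedAsyncKeyRecovery` is a separate public method of this class), repeating it here would enforce the agent quorum at the point where the key is released, for example `if (!RequestStatus.APPROVED.equals(r.getRequestStatus())) { throw new EBaseException(<project message key>); }` placed before the status is reset. The try block and the rest of doKeyRecovery lie outside the hunk, so a check elsewhere in the method cannot be ruled out.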
@@ -1218,7 +1198,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Constructs a recovery request and submits it
* to the request subsystem for processing.
- *
+ *
* @param kid key identifier
* @param creds list of recovery agent credentials
* @param password password of the PKCS12 package
@@ -1228,9 +1208,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
* @exception EBaseException failed to recover key
*/
public IRequest recoverKey(BigInteger kid,
- Credential creds[], String password,
- X509CertImpl cert,
- String delivery) throws EBaseException {
+ Credential creds[], String password,
+ X509CertImpl cert,
+ String delivery) throws EBaseException {
IRequestQueue queue = getRequestQueue();
IRequest r = queue.newRequest("recovery");
@@ -1244,7 +1224,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Recovers key for end-entities.
- *
+ *
* @param creds list of credentials
* @param encryptionChain certificate chain
* @param signingCert signing cert
@@ -1254,9 +1234,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
* @exception EBaseException failed to recover key
*/
public IRequest recoverKey(Credential creds[], CertificateChain
- encryptionChain, X509CertImpl signingCert,
- X509CertImpl transportCert,
- X500Name ownerName) throws EBaseException {
+ encryptionChain, X509CertImpl signingCert,
+ X509CertImpl transportCert,
+ X500Name ownerName) throws EBaseException {
IRequestQueue queue = getRequestQueue();
IRequest r = queue.newRequest("recovery");
@@ -1267,7 +1247,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
certChainOut.toByteArray());
} catch (IOException e) {
log(ILogger.LL_FAILURE,
- "Error encoding certificate chain");
+ "Error encoding certificate chain");
}
r.setExtData(RecoveryService.ATTR_SIGNING_CERT, signingCert);
@@ -1280,7 +1260,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
ownerNameOut.toByteArray());
} catch (IOException e) {
log(ILogger.LL_FAILURE,
- "Error encoding X500Name for owner name");
+ "Error encoding X500Name for owner name");
}
queue.processRequest(r);
@@ -1291,7 +1271,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
* Retrieves the storage key unit. The storage key
* is used to wrap the user key for long term
* storage.
- *
+ *
* @return storage key unit.
*/
public IStorageKeyUnit getStorageKeyUnit() {
@@ -1300,7 +1280,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Retrieves the transport key unit.
- *
+ *
* @return transport key unit
*/
public ITransportKeyUnit getTransportKeyUnit() {
@@ -1310,7 +1290,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Returns the name of this subsystem. This name is
* extracted from the transport certificate.
- *
+ *
* @return KRA name
*/
public X500Name getX500Name() {
@@ -1322,9 +1302,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
/**
- * Returns the nickname for the id cert of this
+ * Returns the nickname for the id cert of this
* subsystem.
- *
+ *
* @return nickname of the transport certificate
*/
public String getNickname() {
@@ -1341,11 +1321,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
} catch (EBaseException e) {
}
}
-
+
public String getNewNickName() throws EBaseException {
return mConfig.getString(PROP_NEW_NICKNAME, "");
}
-
+
public void setNewNickName(String name) {
mConfig.putString(PROP_NEW_NICKNAME, name);
}
@@ -1357,7 +1337,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Retrieves KRA request repository.
* <P>
- *
+ *
* @return request repository
*/
public IRequestQueue getRequestQueue() {
@@ -1365,7 +1345,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
/**
- * Retrieves the key repository. The key repository
+ * Retrieves the key repository. The key repository
* stores archived keys.
* <P>
*/
@@ -1376,18 +1356,17 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Retrieves replica repository.
* <P>
- *
+ *
* @return replica repository
*/
public IReplicaIDRepository getReplicaRepository() {
return mReplicaRepot;
}
-
/**
* Retrieves the DN of this escrow authority.
* <P>
- *
+ *
* @return distinguished name
*/
protected String getDN() {
@@ -1403,23 +1382,23 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Logs an event.
- *
+ *
* @param level log level
* @param msg message to log
*/
public void log(int level, String msg) {
- mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_KRA,
- level, msg);
+ mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_KRA,
+ level, msg);
}
/**
* Registers a request listener.
- *
+ *
* @param l request listener
*/
public void registerRequestListener(IRequestListener l) {
// it's initialized.
- if (mNotify != null)
+ if (mNotify != null)
mNotify.registerListener(l);
}
@@ -1447,29 +1426,29 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
mReqInQListener = (IRequestListener) Class.forName(requestInQListenerClassName).newInstance();
mReqInQListener.init(this, nc);
} catch (Exception e1) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_REGISTER_LISTENER", requestInQListenerClassName));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_REGISTER_LISTENER", requestInQListenerClassName));
}
} else {
- log(ILogger.LL_INFO,
- "No KRA notification Module configuration found");
+ log(ILogger.LL_INFO,
+ "No KRA notification Module configuration found");
}
} catch (EPropertyNotFound e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString()));
} catch (EListenersException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString()));
} catch (EBaseException e) {
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString()));
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_NOTIFY_ERROR", e.toString()));
}
}
/**
* temporary accepted ras.
*/
- /* code no longer used
+ /* code no longer used
public X500Name[] getAcceptedRAs() {
// temporary. use usr/grp for real thing.
X500Name radn = null;
@@ -1492,7 +1471,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
return new X500Name[] { radn };
}
- */
+ */
public Hashtable<String, Hashtable<String, Object>> mVolatileRequests = new Hashtable<String, Hashtable<String, Object>>();
@@ -1524,10 +1503,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Signed Audit Log
- *
+ *
* This method is called to store messages to the signed audit log.
* <P>
- *
+ *
* @param msg signed audit log message
*/
private void audit(String msg) {
@@ -1539,19 +1518,19 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
- null,
- ILogger.S_SIGNED_AUDIT,
- ILogger.LL_SECURITY,
- msg);
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
}
/**
* Signed Audit Log Subject ID
- *
+ *
* This method is called to obtain the "SubjectID" for
* a signed audit log message.
* <P>
- *
+ *
* @return id string containing the signed audit log message SubjectID
*/
private String auditSubjectID() {
@@ -1583,11 +1562,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Signed Audit Log Requester ID
- *
+ *
* This method is called to obtain the "RequesterID" for
* a signed audit log message.
* <P>
- *
+ *
* @return id string containing the signed audit log message RequesterID
*/
private String auditRequesterID() {
@@ -1619,11 +1598,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Signed Audit Log Recovery ID
- *
+ *
* This method is called to obtain the "RecoveryID" for
* a signed audit log message.
* <P>
- *
+ *
* @return id string containing the signed audit log message RecoveryID
*/
private String auditRecoveryID() {
@@ -1655,11 +1634,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Signed Audit Log Public Key
- *
+ *
* This method is called to obtain the public key from the passed in
* "X509Certificate" for a signed audit log message.
* <P>
- *
+ *
* @param cert an X509Certificate
* @return key string containing the certificate's public key
*/
@@ -1695,11 +1674,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Signed Audit Log Public Key
- *
+ *
* This method is called to obtain the public key from the passed in
* "KeyRecord" for a signed audit log message.
* <P>
- *
+ *
* @param rec a Key Record
* @return key string containing the certificate's public key
*/
@@ -1752,11 +1731,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
/**
* Signed Audit Agents
- *
+ *
* This method is called to extract agent uids from the passed in
* "Credentials[]" and return a string of comma-separated agent uids.
* <P>
- *
+ *
* @param creds array of credentials
* @return a comma-separated string of agent uids
*/
@@ -1781,7 +1760,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
if (uid != null &&
- !uid.equals("")) {
+ !uid.equals("")) {
if (i == 0) {
agents = uid;
@@ -1794,4 +1773,3 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
return agents;
}
}
-
diff --git a/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index c69ab8c1..09dc4d95 100644
--- a/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/pki/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterOutputStream;
@@ -66,18 +65,18 @@ import com.netscape.cmscore.util.Debug;
/**
* A class representing keygen/archival request procesor for requests
- * from netkey RAs.
+ * from netkey RAs.
* the user private key of the encryption cert is wrapped with a
- * session symmetric key. The session symmetric key is wrapped with the
+ * session symmetric key. The session symmetric key is wrapped with the
* storage key and stored in the internal database for long term
* storage.
* The user private key of the encryption cert is to be wrapped with the
* DES key which came in in the request wrapped with the KRA
- * transport cert. The wrapped user private key is then sent back to
+ * transport cert. The wrapped user private key is then sent back to
* the caller (netkey RA) ...netkey RA should already has kek-wrapped
* des key from the TKS. They are to be sent together back to
* the token.
- *
+ *
* @author Christina Fu (cfu)
* @version $Revision$, $Date$
*/
@@ -85,31 +84,24 @@ import com.netscape.cmscore.util.Debug;
public class NetkeyKeygenService implements IService {
public final static String ATTR_KEY_RECORD = "keyRecord";
public final static String ATTR_PROOF_OF_ARCHIVAL =
- "proofOfArchival";
+ "proofOfArchival";
// private
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
// these need to be defined in LogMessages_en.properties later when we do this
- private final static String
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST =
- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3";
- private final static String
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS =
- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4";
- private final static String
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE =
- "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3";
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
- private final static String
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
- "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
+ private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST =
+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3";
+ private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4";
+ private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE =
+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
+ private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
+ "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
private IKeyRecoveryAuthority mKRA = null;
private ITransportKeyUnit mTransportUnit = null;
private IStorageKeyUnit mStorageUnit = null;
@@ -140,17 +132,17 @@ public class NetkeyKeygenService implements IService {
return archOpts;
}
- public KeyPair generateKeyPair(
- KeyPairAlgorithm kpAlg, int keySize, PQGParams pqg)
- throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException,
+ public KeyPair generateKeyPair(
+ KeyPairAlgorithm kpAlg, int keySize, PQGParams pqg)
+ throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException,
InvalidParameterException, PQGParamGenException {
CryptoToken token = mKRA.getKeygenToken();
-
- CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: "+token.getName());
+
+ CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: " + token.getName());
/*
- make it temporary so can work with HSM
+ make it temporary so can work with HSM
netHSM works with
temporary == true
sensitive == <do not specify>
@@ -167,19 +159,19 @@ public class NetkeyKeygenService implements IService {
boolean sp = false;
boolean ep = false;
if (kgConfig != null) {
- try {
- tp = kgConfig.getBoolean("temporaryPairs", false);
- sp = kgConfig.getBoolean("sensitivePairs", false);
- ep = kgConfig.getBoolean("extractablePairs", false);
- // by default, let nethsm work
- if ((tp == false) && (sp == false) && (ep == false)) {
+ try {
+ tp = kgConfig.getBoolean("temporaryPairs", false);
+ sp = kgConfig.getBoolean("sensitivePairs", false);
+ ep = kgConfig.getBoolean("extractablePairs", false);
+ // by default, let nethsm work
+ if ((tp == false) && (sp == false) && (ep == false)) {
+ tp = true;
+ }
+ } catch (Exception e) {
+ CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed");
+ // by default, let nethsm work
tp = true;
}
- } catch (Exception e) {
- CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed");
- // by default, let nethsm work
- tp = true;
- }
} else {
// by default, let nethsm work
CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true");
@@ -187,18 +179,18 @@ public class NetkeyKeygenService implements IService {
}
/* only specified to "true" will it be set */
if (tp == true) {
- CMS.debug("NetkeyKeygenService: setting temporaryPairs to true");
- kpGen.temporaryPairs(true);
+ CMS.debug("NetkeyKeygenService: setting temporaryPairs to true");
+ kpGen.temporaryPairs(true);
}
if (sp == true) {
- CMS.debug("NetkeyKeygenService: setting sensitivePairs to true");
+ CMS.debug("NetkeyKeygenService: setting sensitivePairs to true");
kpGen.sensitivePairs(true);
}
if (ep == true) {
- CMS.debug("NetkeyKeygenService: setting extractablePairs to true");
+ CMS.debug("NetkeyKeygenService: setting extractablePairs to true");
kpGen.extractablePairs(true);
}
-
+
if (kpAlg == KeyPairAlgorithm.DSA) {
if (pqg == null) {
kpGen.initialize(keySize);
@@ -210,14 +202,14 @@ public class NetkeyKeygenService implements IService {
}
if (pqg == null) {
- KeyPair kp = null;
- synchronized (new Object()) {
+ KeyPair kp = null;
+ synchronized (new Object()) {
CMS.debug("NetkeyKeygenService: key pair generation begins");
- kp = kpGen.genKeyPair();
+ kp = kpGen.genKeyPair();
CMS.debug("NetkeyKeygenService: key pair generation done");
- mKRA.addEntropy(true);
- }
- return kp;
+ mKRA.addEntropy(true);
+ }
+ return kp;
} else {
// DSA
KeyPair kp = null;
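Review bot: `synchronized (new Object())` around `kpGen.genKeyPair()` takes the monitor of an object created for that one call, so no two threads can ever contend on it and the block gives no mutual exclusion. If key generation on the token or the following `mKRA.addEntropy(true)` has to be serialized, the monitor must be shared, e.g. a field `private static final Object KEYGEN_LOCK = new Object();` used as `synchronized (KEYGEN_LOCK) {`. If it does not, the block should be dropped so the code does not suggest a guarantee it lacks. The re-indentation keeps this behaviour as it was, and generateKeyPair starts and ends outside the hunk.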
@@ -233,10 +225,8 @@ public class NetkeyKeygenService implements IService {
}
}
-
-
- public KeyPair generateKeyPair( String alg,
- int keySize, PQGParams pqg) throws EBaseException {
+ public KeyPair generateKeyPair(String alg,
+ int keySize, PQGParams pqg) throws EBaseException {
KeyPairAlgorithm kpAlg = null;
@@ -246,7 +236,7 @@ public class NetkeyKeygenService implements IService {
kpAlg = KeyPairAlgorithm.DSA;
try {
- KeyPair kp = generateKeyPair( kpAlg, keySize, pqg);
+ KeyPair kp = generateKeyPair(kpAlg, keySize, pqg);
return kp;
} catch (InvalidParameterException e) {
@@ -270,9 +260,9 @@ public class NetkeyKeygenService implements IService {
ByteArrayOutputStream output = new ByteArrayOutputStream();
Base64OutputStream b64 = new Base64OutputStream(new
PrintStream(new
- FilterOutputStream(output)
+ FilterOutputStream(output)
)
- );
+ );
b64.write(bytes);
b64.flush();
@@ -284,33 +274,31 @@ public class NetkeyKeygenService implements IService {
// this encrypts bytes with a symmetric key
public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token,
- IVParameterSpec IV)
- {
- try {
- Cipher cipher = token.getCipherContext(
+ IVParameterSpec IV) {
+ try {
+ Cipher cipher = token.getCipherContext(
EncryptionAlgorithm.DES3_CBC_PAD);
-
- cipher.initEncrypt(symKey, IV);
- byte pri[] = cipher.doFinal(toBeEncrypted);
- return pri;
- } catch (Exception e) {
- CMS.debug("NetkeyKeygenService:initEncrypt() threw exception: "+e.toString());
+
+ cipher.initEncrypt(symKey, IV);
+ byte pri[] = cipher.doFinal(toBeEncrypted);
+ return pri;
+ } catch (Exception e) {
+ CMS.debug("NetkeyKeygenService:initEncrypt() threw exception: " + e.toString());
return null;
}
}
-
/**
* Services an archival request from netkey.
* <P>
- *
+ *
* @param request enrollment request
* @return serving successful or not
* @exception EBaseException failed to serve
*/
- public boolean serviceRequest(IRequest request)
- throws EBaseException {
+ public boolean serviceRequest(IRequest request)
+ throws EBaseException {
String auditMessage = null;
String auditSubjectID = null;
String auditRequesterID = "TPSagent";
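Review bot: encryptIt catches `Exception`, writes a debug line and returns null, so a caller that does not test the result would carry on after a failed encryption; the callers are not shown in this hunk. The method should at least document that contract, with a Javadoc line such as `@return the ciphertext, or null if the cipher could not be created, initialised or run`. The debug text names only `initEncrypt()` although `getCipherContext` and `doFinal` sit in the same try, so `"NetkeyKeygenService: encryptIt() threw exception: "` would describe the failure more accurately.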
@@ -318,78 +306,78 @@ public class NetkeyKeygenService implements IService {
String auditPublicKey = ILogger.UNIDENTIFIED;
byte[] wrapped_des_key;
- byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
- String iv_s ="";
+ byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+ String iv_s = "";
try {
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
random.nextBytes(iv);
} catch (Exception e) {
- CMS.debug("NetkeyKeygenService.serviceRequest: "+ e.toString());
+ CMS.debug("NetkeyKeygenService.serviceRequest: " + e.toString());
}
- IVParameterSpec algParam = new IVParameterSpec(iv);
+ IVParameterSpec algParam = new IVParameterSpec(iv);
wrapped_des_key = null;
- boolean archive = true;
- PK11SymKey sk= null;
- byte[] publicKeyData = null;;
- String PubKey = "";
+ boolean archive = true;
+ PK11SymKey sk = null;
+ byte[] publicKeyData = null;
+ ;
+ String PubKey = "";
String id = request.getRequestId().toString();
if (id != null) {
auditArchiveID = id.trim();
}
- String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG);
- if (rArchive.equals("true")) {
- archive = true;
- CMS.debug("NetkeyKeygenService: serviceRequest " +"archival requested for serverSideKeyGen");
- } else {
- archive = false;
- CMS.debug("NetkeyKeygenService: serviceRequest " +"archival not requested for serverSideKeyGen");
+ String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG);
+ if (rArchive.equals("true")) {
+ archive = true;
+ CMS.debug("NetkeyKeygenService: serviceRequest " + "archival requested for serverSideKeyGen");
+ } else {
+ archive = false;
+ CMS.debug("NetkeyKeygenService: serviceRequest " + "archival not requested for serverSideKeyGen");
}
String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID);
String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID);
- String rKeysize = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_SIZE);
- int keysize = Integer.parseInt(rKeysize);
- auditSubjectID=rCUID+":"+rUserid;
+ String rKeysize = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_SIZE);
+ int keysize = Integer.parseInt(rKeysize);
+ auditSubjectID = rCUID + ":" + rUserid;
SessionContext sContext = SessionContext.getContext();
- String agentId="";
+ String agentId = "";
if (sContext != null) {
agentId =
- (String) sContext.get(SessionContext.USER_ID);
+ (String) sContext.get(SessionContext.USER_ID);
}
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST,
- agentId,
- ILogger.SUCCESS,
- auditSubjectID);
+ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST,
+ agentId,
+ ILogger.SUCCESS,
+ auditSubjectID);
audit(auditMessage);
-
String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY);
- // CMS.debug("NetkeyKeygenService: received DRM-trans-wrapped DES key ="+rWrappedDesKeyString);
+ // CMS.debug("NetkeyKeygenService: received DRM-trans-wrapped DES key ="+rWrappedDesKeyString);
wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString);
CMS.debug("NetkeyKeygenService: wrapped_des_key specialDecoded");
- // get the token for generating user keys
- CryptoToken keygenToken = mKRA.getKeygenToken();
- if (keygenToken == null) {
- CMS.debug("NetkeyKeygenService: failed getting keygenToken");
- request.setExtData(IRequest.RESULT, Integer.valueOf(10));
- return false;
- } else
- CMS.debug("NetkeyKeygenService: got keygenToken");
+ // get the token for generating user keys
+ CryptoToken keygenToken = mKRA.getKeygenToken();
+ if (keygenToken == null) {
+ CMS.debug("NetkeyKeygenService: failed getting keygenToken");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(10));
+ return false;
+ } else
+ CMS.debug("NetkeyKeygenService: got keygenToken");
if ((wrapped_des_key != null) &&
- (wrapped_des_key.length > 0)) {
+ (wrapped_des_key.length > 0)) {
// unwrap the DES key
- sk= (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key);
+ sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key);
/* XXX could be done in HSM*/
KeyPair keypair = null;
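Review bot: The catch after `SecureRandom.getInstance("SHA1PRNG")` only writes a debug line, so when the lookup fails `iv` keeps its initial eight 0x1 bytes and `algParam` is built from a fixed, predictable IV. encryptIt in this file uses `EncryptionAlgorithm.DES3_CBC_PAD`, where a constant IV makes equal leading plaintext blocks under one key encrypt to equal ciphertext; whether `algParam` is what reaches encryptIt is not visible in this hunk. Failing the request is safer than continuing, either by setting the failure result and returning false in the catch, or by declaring `byte iv[] = new byte[8];` and filling it with `new SecureRandom().nextBytes(iv);`, which has no checked exception to swallow. The formatter also turned `byte[] publicKeyData = null;;` into a statement followed by a line holding only `;`, which can be deleted. serviceRequest continues past the end of the hunk.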
@@ -400,37 +388,37 @@ public class NetkeyKeygenService implements IService {
keysize /*Integer.parseInt(len)*/, null /*pqgParams*/);
if (keypair == null) {
- CMS.debug("NetkeyKeygenService: failed generating key pair for "+rCUID+":"+rUserid);
+ CMS.debug("NetkeyKeygenService: failed generating key pair for " + rCUID + ":" + rUserid);
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,
+ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,
agentId,
ILogger.FAILURE,
- auditSubjectID);
+ auditSubjectID);
audit(auditMessage);
return false;
}
- CMS.debug("NetkeyKeygenService: finished generate key pair for " +rCUID+":"+rUserid);
+ CMS.debug("NetkeyKeygenService: finished generate key pair for " + rCUID + ":" + rUserid);
try {
- publicKeyData = keypair.getPublic().getEncoded();
- if (publicKeyData == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("NetkeyKeygenService: failed getting publickey encoded");
- return false;
- } else {
- //CMS.debug("NetkeyKeygenService: public key binary length ="+ publicKeyData.length);
- PubKey = base64Encode(publicKeyData);
-
- //CMS.debug("NetkeyKeygenService: public key length =" + PubKey.length());
- request.setExtData("public_key", PubKey);
- }
+ publicKeyData = keypair.getPublic().getEncoded();
+ if (publicKeyData == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: failed getting publickey encoded");
+ return false;
+ } else {
+ //CMS.debug("NetkeyKeygenService: public key binary length ="+ publicKeyData.length);
+ PubKey = base64Encode(publicKeyData);
+
+ //CMS.debug("NetkeyKeygenService: public key length =" + PubKey.length());
+ request.setExtData("public_key", PubKey);
+ }
auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,
+ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,
agentId,
ILogger.SUCCESS,
auditSubjectID,
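Review bot: The `publicKeyData == null` branch returns false after only a `CMS.debug` call, so a failed server-side key generation leaves no signed audit record. The `keypair == null` branch just above it does audit `LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE`. The same gap shows in the later hunk (-450,159 +438,159): the `sk == null`, `privateKeyData == null`, `InvalidKeyException` and `serialNo == null` returns and the final `catch (Exception e)` all set a failure RESULT without calling `audit(...)`. I would add `audit(CMS.getLogMessage(LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE, agentId, ILogger.FAILURE, auditSubjectID));` before each of those exits. serviceRequest starts and ends outside this hunk.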
@@ -440,7 +428,7 @@ public class NetkeyKeygenService implements IService {
//...extract the private key handle (not privatekeydata)
java.security.PrivateKey privKey =
- keypair.getPrivate();
+ keypair.getPrivate();
if (privKey == null) {
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
@@ -450,159 +438,159 @@ public class NetkeyKeygenService implements IService {
CMS.debug("NetkeyKeygenService: got private key");
}
- if (sk == null) {
- CMS.debug("NetkeyKeygenService: no DES key");
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- return false;
- } else {
- CMS.debug("NetkeyKeygenService: received DES key");
- }
-
- // 3 wrapping should be done in HSM
- // wrap private key with DES
- KeyWrapper symWrap =
- keygenToken.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
- CMS.debug("NetkeyKeygenService: wrapper token=" + keygenToken.getName());
- CMS.debug("NetkeyKeygenService: got key wrapper");
-
- CMS.debug("NetkeyKeygenService: key transport key is on slot: "+sk.getOwningToken().getName());
- symWrap.initWrap((SymmetricKey)sk, algParam);
- byte wrapped[] = symWrap.wrap((PrivateKey)privKey);
- /*
- CMS.debug("NetkeyKeygenService: wrap called");
- CMS.debug(wrapped);
- */
- /* This is for using with my decryption tool and ASN1
- decoder to see if the private key is indeed PKCS#8 format
- { // cfu debug
- String oFilePath = "/tmp/wrappedPrivKey.bin";
- File file = new File(oFilePath);
- FileOutputStream ostream = new FileOutputStream(oFilePath);
- ostream.write(wrapped);
- ostream.close();
- }
- */
- String wrappedPrivKeyString = /*base64Encode(wrapped);*/
- com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped);
- if (wrappedPrivKeyString == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("NetkeyKeygenService: failed generating wrapped private key");
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
- agentId,
- ILogger.FAILURE,
- auditSubjectID,
- PubKey);
-
- audit(auditMessage);
- return false;
- } else {
- request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
- agentId,
- ILogger.SUCCESS,
- auditSubjectID,
- PubKey);
-
- audit(auditMessage);
- }
-
- iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
- request.setExtData("iv_s", iv_s);
-
- /*
- * archival - option flag "archive" controllable by the caller - TPS
- */
- if (archive) {
- //
- // privateKeyData ::= SEQUENCE {
- // sessionKey OCTET_STRING,
- // encKey OCTET_STRING,
- // }
- //
- // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
-
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
- agentId,
- ILogger.SUCCESS,
- auditSubjectID,
- auditArchiveID);
-
- audit(auditMessage);
- CMS.debug("KRA encrypts private key to put on internal ldap db");
- byte privateKeyData[] =
- mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey);
-
- if (privateKeyData == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed");
- return false;
- } else
- CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful");
-
- // create key record
- KeyRecord rec = new KeyRecord(null, publicKeyData,
- privateKeyData, rCUID+":"+rUserid,
- keypair.getPublic().getAlgorithm(),
- agentId);
-
- CMS.debug("NetkeyKeygenService: got key record");
-
- // we deal with RSA key only
- try {
- RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
-
- rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
- } catch (InvalidKeyException e) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(11));
- CMS.debug("NetkeyKeygenService: failed:InvalidKeyException");
- return false;
- }
- //??
- IKeyRepository storage = mKRA.getKeyRepository();
- BigInteger serialNo = storage.getNextSerialNumber();
-
- if (serialNo == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(11));
- CMS.debug("NetkeyKeygenService: serialNo null");
- return false;
- }
- CMS.debug("NetkeyKeygenService: before addKeyRecord");
- rec.set(KeyRecord.ATTR_ID, serialNo);
- request.setExtData(ATTR_KEY_RECORD, serialNo);
- storage.addKeyRecord(rec);
- CMS.debug("NetkeyKeygenService: key archived for "+rCUID+":"+rUserid);
-
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
- agentId,
- ILogger.SUCCESS,
- PubKey);
-
- audit(auditMessage);
-
- } //if archive
+ if (sk == null) {
+ CMS.debug("NetkeyKeygenService: no DES key");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ return false;
+ } else {
+ CMS.debug("NetkeyKeygenService: received DES key");
+ }
- request.setExtData(IRequest.RESULT, Integer.valueOf(1));
- } catch (Exception e) {
- CMS.debug("NetKeyKeygenService: " + e.toString());
- Debug.printStackTrace(e);
+ // 3 wrapping should be done in HSM
+ // wrap private key with DES
+ KeyWrapper symWrap =
+ keygenToken.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
+ CMS.debug("NetkeyKeygenService: wrapper token=" + keygenToken.getName());
+ CMS.debug("NetkeyKeygenService: got key wrapper");
+
+ CMS.debug("NetkeyKeygenService: key transport key is on slot: " + sk.getOwningToken().getName());
+ symWrap.initWrap((SymmetricKey) sk, algParam);
+ byte wrapped[] = symWrap.wrap((PrivateKey) privKey);
+ /*
+ CMS.debug("NetkeyKeygenService: wrap called");
+ CMS.debug(wrapped);
+ */
+ /* This is for using with my decryption tool and ASN1
+ decoder to see if the private key is indeed PKCS#8 format
+ { // cfu debug
+ String oFilePath = "/tmp/wrappedPrivKey.bin";
+ File file = new File(oFilePath);
+ FileOutputStream ostream = new FileOutputStream(oFilePath);
+ ostream.write(wrapped);
+ ostream.close();
+ }
+ */
+ String wrappedPrivKeyString = /*base64Encode(wrapped);*/
+ com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped);
+ if (wrappedPrivKeyString == null) {
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: failed generating wrapped private key");
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
+ agentId,
+ ILogger.FAILURE,
+ auditSubjectID,
+ PubKey);
+
+ audit(auditMessage);
+ return false;
+ } else {
+ request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
+ agentId,
+ ILogger.SUCCESS,
+ auditSubjectID,
+ PubKey);
+
+ audit(auditMessage);
}
- } else
+
+ iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
+ request.setExtData("iv_s", iv_s);
+
+ /*
+ * archival - option flag "archive" controllable by the caller - TPS
+ */
+ if (archive) {
+ //
+ // privateKeyData ::= SEQUENCE {
+ // sessionKey OCTET_STRING,
+ // encKey OCTET_STRING,
+ // }
+ //
+ // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+ agentId,
+ ILogger.SUCCESS,
+ auditSubjectID,
+ auditArchiveID);
+
+ audit(auditMessage);
+ CMS.debug("KRA encrypts private key to put on internal ldap db");
+ byte privateKeyData[] =
+ mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey);
+
+ if (privateKeyData == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed");
+ return false;
+ } else
+ CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful");
+
+ // create key record
+ KeyRecord rec = new KeyRecord(null, publicKeyData,
+ privateKeyData, rCUID + ":" + rUserid,
+ keypair.getPublic().getAlgorithm(),
+ agentId);
+
+ CMS.debug("NetkeyKeygenService: got key record");
+
+ // we deal with RSA key only
+ try {
+ RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
+
+ rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
+ } catch (InvalidKeyException e) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(11));
+ CMS.debug("NetkeyKeygenService: failed:InvalidKeyException");
+ return false;
+ }
+ //??
+ IKeyRepository storage = mKRA.getKeyRepository();
+ BigInteger serialNo = storage.getNextSerialNumber();
+
+ if (serialNo == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(11));
+ CMS.debug("NetkeyKeygenService: serialNo null");
+ return false;
+ }
+ CMS.debug("NetkeyKeygenService: before addKeyRecord");
+ rec.set(KeyRecord.ATTR_ID, serialNo);
+ request.setExtData(ATTR_KEY_RECORD, serialNo);
+ storage.addKeyRecord(rec);
+ CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid);
+
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+ agentId,
+ ILogger.SUCCESS,
+ PubKey);
+
+ audit(auditMessage);
+
+ } //if archive
+
+ request.setExtData(IRequest.RESULT, Integer.valueOf(1));
+ } catch (Exception e) {
+ CMS.debug("NetKeyKeygenService: " + e.toString());
+ Debug.printStackTrace(e);
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ }
+ } else
request.setExtData(IRequest.RESULT, Integer.valueOf(2));
-
+
return true;
} //serviceRequest
/**
* Signed Audit Log
- *y
+ * y
* This method is called to store messages to the signed audit log.
* <P>
- *
+ *
* @param msg signed audit log message
*/
private void audit(String msg) {
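Review bot: The commented-out `cfu debug` block that writes `wrapped` to `/tmp/wrappedPrivKey.bin` should be deleted rather than re-indented. It leaves a dump of wrapped private-key material into a shared temp directory one uncomment away, and the disabled `CMS.debug(wrapped);` just above it has the same problem for the debug log. If the PKCS#8 format check is still wanted, it belongs in a test rather than in serviceRequest. The method starts outside this hunk.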
@@ -614,9 +602,9 @@ public class NetkeyKeygenService implements IService {
}
mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
- null,
- ILogger.S_SIGNED_AUDIT,
- ILogger.LL_SECURITY,
- msg);
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
}
}
diff --git a/pki/base/kra/src/com/netscape/kra/RecoveryService.java b/pki/base/kra/src/com/netscape/kra/RecoveryService.java
index f364bf4f..51723e53 100644
--- a/pki/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/pki/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.io.ByteArrayOutputStream;
import java.io.CharConversionException;
import java.math.BigInteger;
@@ -75,12 +74,10 @@ import com.netscape.cmscore.util.Debug;
* are 2 types of recovery modes: (1) administrator or
* (2) end-entity.
* <P>
- * Administrator recovery will create a PKCS12 file where
- * stores the certificate and the recovered key.
+ * Administrator recovery will create a PKCS12 file where stores the certificate and the recovered key.
* <P>
- * End Entity recovery will send RA or CA a response where
- * stores the recovered key.
- *
+ * End Entity recovery will send RA or CA a response where stores the recovered key.
+ *
* @author thomask (original)
* @author cfu (non-RSA keys; private keys secure handling);
* @version $Revision$, $Date$
@@ -96,12 +93,12 @@ public class RecoveryService implements IService {
public static final String ATTR_TRANSPORT_PWD = "transportPwd";
public static final String ATTR_SIGNING_CERT = "signingCert";
public static final String ATTR_PKCS12 = "pkcs12";
- public static final String ATTR_ENCRYPTION_CERTS =
- "encryptionCerts";
- public static final String ATTR_AGENT_CREDENTIALS =
- "agentCredentials";
+ public static final String ATTR_ENCRYPTION_CERTS =
+ "encryptionCerts";
+ public static final String ATTR_AGENT_CREDENTIALS =
+ "agentCredentials";
// same as encryption certs
- public static final String ATTR_USER_CERT = "cert";
+ public static final String ATTR_USER_CERT = "cert";
public static final String ATTR_DELIVERY = "delivery";
// for Async Key Recovery
@@ -125,7 +122,7 @@ public class RecoveryService implements IService {
* (either Administrator or End-Entity), the method reads
* the key record from the database, and tried to recover the
* key with the storage key unit.
- *
+ *
* @param request recovery request
* @return operation success or not
* @exception EBaseException failed to serve
@@ -146,22 +143,22 @@ public class RecoveryService implements IService {
CMS.debug("RecoveryService: serviceRequest: use internal token ");
ct = cm.getInternalCryptoToken();
} else {
- CMS.debug("RecoveryService: serviceRequest: tokenName="+tokName);
+ CMS.debug("RecoveryService: serviceRequest: tokenName=" + tokName);
ct = cm.getTokenByName(tokName);
}
allowEncDecrypt_recovery = config.getBoolean("kra.allowEncDecrypt.recovery", false);
} catch (Exception e) {
CMS.debug("RecoveryService exception: use internal token :"
- + e.toString());
+ + e.toString());
ct = cm.getInternalCryptoToken();
}
if (ct == null) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR"+ "cannot get crypto token"));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR" + "cannot get crypto token"));
}
- IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats");
+ IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
if (statsSub != null) {
- statsSub.startTiming("recovery", true /* main action */);
+ statsSub.startTiming("recovery", true /* main action */);
}
if (Debug.ON)
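Review bot: `CMS.getUserMessage("CMS_BASE_CERT_ERROR" + "cannot get crypto token")` concatenates the detail onto the message id, so the lookup uses the key `CMS_BASE_CERT_ERRORcannot get crypto token` instead of `CMS_BASE_CERT_ERROR`. Other calls on this page pass the detail as a second argument, so this probably should read `throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", "cannot get crypto token"));`. Whether that message takes a parameter is not visible here. serviceRequest continues outside this hunk.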
@@ -184,17 +181,17 @@ public class RecoveryService implements IService {
mKRA.log(ILogger.LL_INFO, "KRA reading key record");
if (statsSub != null) {
- statsSub.startTiming("get_key");
+ statsSub.startTiming("get_key");
}
KeyRecord keyRecord = (KeyRecord) mStorage.readKeyRecord(serialno);
if (statsSub != null) {
- statsSub.endTiming("get_key");
+ statsSub.endTiming("get_key");
}
// see if the certificate matches the key
byte pubData[] = keyRecord.getPublicKeyData();
- X509Certificate x509cert =
- request.getExtDataInCert(ATTR_USER_CERT);
+ X509Certificate x509cert =
+ request.getExtDataInCert(ATTR_USER_CERT);
byte inputPubData[] = x509cert.getPublicKey().getEncoded();
if (inputPubData.length != pubData.length) {
@@ -212,49 +209,50 @@ public class RecoveryService implements IService {
boolean isRSA = true;
String keyAlg = x509cert.getPublicKey().getAlgorithm();
- if (keyAlg != null) {
- CMS.debug("RecoveryService: publicKey alg ="+keyAlg);
- if (!keyAlg.equals("RSA")) isRSA = false;
+ if (keyAlg != null) {
+ CMS.debug("RecoveryService: publicKey alg =" + keyAlg);
+ if (!keyAlg.equals("RSA"))
+ isRSA = false;
}
// Unwrap the archived private key
byte privateKeyData[] = null;
X509Certificate transportCert =
- request.getExtDataInCert(ATTR_TRANSPORT_CERT);
+ request.getExtDataInCert(ATTR_TRANSPORT_CERT);
if (transportCert == null) {
if (statsSub != null) {
- statsSub.startTiming("recover_key");
+ statsSub.startTiming("recover_key");
}
PrivateKey privKey = null;
if (allowEncDecrypt_recovery == true) {
privateKeyData = recoverKey(params, keyRecord);
} else {
- privKey= recoverKey(params, keyRecord, isRSA);
+ privKey = recoverKey(params, keyRecord, isRSA);
}
if (statsSub != null) {
- statsSub.endTiming("recover_key");
+ statsSub.endTiming("recover_key");
}
if ((isRSA == true) && (allowEncDecrypt_recovery == true)) {
if (statsSub != null) {
- statsSub.startTiming("verify_key");
+ statsSub.startTiming("verify_key");
}
// verifyKeyPair() is RSA-centric
if (verifyKeyPair(pubData, privateKeyData) == false) {
mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
throw new EKRAException(
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
}
if (statsSub != null) {
- statsSub.endTiming("verify_key");
+ statsSub.endTiming("verify_key");
}
}
if (statsSub != null) {
- statsSub.startTiming("create_p12");
+ statsSub.startTiming("create_p12");
}
if (allowEncDecrypt_recovery == true) {
createPFX(request, params, privateKeyData);
@@ -262,31 +260,31 @@ public class RecoveryService implements IService {
createPFX(request, params, privKey, ct);
}
if (statsSub != null) {
- statsSub.endTiming("create_p12");
+ statsSub.endTiming("create_p12");
}
} else {
if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
- Credential creds[] = (Credential[])
- params.get(ATTR_AGENT_CREDENTIALS);
- mKRA.getStorageKeyUnit().login(creds);
+ Credential creds[] = (Credential[])
+ params.get(ATTR_AGENT_CREDENTIALS);
+ mKRA.getStorageKeyUnit().login(creds);
}
if (statsSub != null) {
- statsSub.startTiming("unwrap_key");
+ statsSub.startTiming("unwrap_key");
}
PrivateKey privateKey = mKRA.getStorageKeyUnit().unwrap(
keyRecord.getPrivateKeyData(), null);
if (statsSub != null) {
- statsSub.endTiming("unwrap_key");
+ statsSub.endTiming("unwrap_key");
}
if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
- mKRA.getStorageKeyUnit().logout();
+ mKRA.getStorageKeyUnit().logout();
}
}
- mKRA.log(ILogger.LL_INFO, "key " +
- serialno.toString() +
- " recovered");
+ mKRA.log(ILogger.LL_INFO, "key " +
+ serialno.toString() +
+ " recovered");
// for audit log
String authMgr = AuditFormat.NOAUTH;
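Review bot: In the `transportCert != null` branch the storage key unit is logged in with the agents' credentials and logged out only if `unwrap(...)` returns normally, so an exception from `unwrap` skips `logout()` and leaves the unit logged in. The logout should sit in a `finally`, with the `kra.keySplitting` flag read once so the cleanup does not depend on a second config lookup. Both `recoverKey` overloads in the later hunks pair login and logout the same way without a `finally`. The unwrapped `privateKey` is also not used in the lines visible here, which may deserve a comment. serviceRequest starts outside this hunk.

```java
boolean keySplitting = CMS.getConfigStore().getBoolean("kra.keySplitting");
if (keySplitting) {
    // … unchanged: read ATTR_AGENT_CREDENTIALS and login(creds) …
}
try {
    // … unchanged: unwrap_key timing around getStorageKeyUnit().unwrap(...) …
} finally {
    if (keySplitting) {
        mKRA.getStorageKeyUnit().logout();
    }
}
```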
@@ -295,32 +293,32 @@ public class RecoveryService implements IService {
if (sContext != null) {
String agentId =
- (String) sContext.get(SessionContext.USER_ID);
+ (String) sContext.get(SessionContext.USER_ID);
initiative = AuditFormat.FROMAGENT + " agentID: " + agentId;
AuthToken authToken = (AuthToken) sContext.get(SessionContext.AUTH_TOKEN);
-
+
if (authToken != null) {
authMgr =
authToken.getInString(AuthToken.TOKEN_AUTHMGR_INST_NAME);
}
}
CMS.getLogger().log(ILogger.EV_AUDIT,
- ILogger.S_KRA,
- AuditFormat.LEVEL,
- AuditFormat.FORMAT,
- new Object[] {
- IRequest.KEYRECOVERY_REQUEST,
- request.getRequestId(),
- initiative,
- authMgr,
- "completed",
- ((X509CertImpl) x509cert).getSubjectDN(),
- "serial number: 0x" + serialno.toString(16)}
- );
+ ILogger.S_KRA,
+ AuditFormat.LEVEL,
+ AuditFormat.FORMAT,
+ new Object[] {
+ IRequest.KEYRECOVERY_REQUEST,
+ request.getRequestId(),
+ initiative,
+ authMgr,
+ "completed",
+ ((X509CertImpl) x509cert).getSubjectDN(),
+ "serial number: 0x" + serialno.toString(16) }
+ );
if (statsSub != null) {
- statsSub.endTiming("recovery");
+ statsSub.endTiming("recovery");
}
return true;
@@ -329,63 +327,62 @@ public class RecoveryService implements IService {
/*
* verifyKeyPair()- RSA-centric key verification
*/
- public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[])
- {
- try {
- DerValue publicKeyVal = new DerValue(publicKeyData);
- DerInputStream publicKeyIn = publicKeyVal.data;
- publicKeyIn.getSequence(0);
- DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
- DerInputStream publicKeyDerIn = publicKeyDer.data;
- BigInt publicKeyModulus = publicKeyDerIn.getInteger();
- BigInt publicKeyExponent = publicKeyDerIn.getInteger();
-
- DerValue privateKeyVal = new DerValue(privateKeyData);
- if (privateKeyVal.tag != DerValue.tag_Sequence)
- return false;
- DerInputStream privateKeyIn = privateKeyVal.data;
- privateKeyIn.getInteger();
- privateKeyIn.getSequence(0);
- DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
- DerInputStream privateKeyDerIn = privateKeyDer.data;
- BigInt privateKeyVersion = privateKeyDerIn.getInteger();
- BigInt privateKeyModulus = privateKeyDerIn.getInteger();
- BigInt privateKeyExponent = privateKeyDerIn.getInteger();
-
- if (!publicKeyModulus.equals(privateKeyModulus)) {
- CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus);
- return false;
- }
-
- if (!publicKeyExponent.equals(privateKeyExponent)) {
- CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent);
- return false;
- }
-
- return true;
- } catch (Exception e) {
- CMS.debug("verifyKeyPair error " + e);
- return false;
- }
+ public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) {
+ try {
+ DerValue publicKeyVal = new DerValue(publicKeyData);
+ DerInputStream publicKeyIn = publicKeyVal.data;
+ publicKeyIn.getSequence(0);
+ DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
+ DerInputStream publicKeyDerIn = publicKeyDer.data;
+ BigInt publicKeyModulus = publicKeyDerIn.getInteger();
+ BigInt publicKeyExponent = publicKeyDerIn.getInteger();
+
+ DerValue privateKeyVal = new DerValue(privateKeyData);
+ if (privateKeyVal.tag != DerValue.tag_Sequence)
+ return false;
+ DerInputStream privateKeyIn = privateKeyVal.data;
+ privateKeyIn.getInteger();
+ privateKeyIn.getSequence(0);
+ DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
+ DerInputStream privateKeyDerIn = privateKeyDer.data;
+ BigInt privateKeyVersion = privateKeyDerIn.getInteger();
+ BigInt privateKeyModulus = privateKeyDerIn.getInteger();
+ BigInt privateKeyExponent = privateKeyDerIn.getInteger();
+
+ if (!publicKeyModulus.equals(privateKeyModulus)) {
+ CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus);
+ return false;
+ }
+
+ if (!publicKeyExponent.equals(privateKeyExponent)) {
+ CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent);
+ return false;
+ }
+
+ return true;
+ } catch (Exception e) {
+ CMS.debug("verifyKeyPair error " + e);
+ return false;
+ }
}
/**
* Recovers key. (using unwrapping/wrapping on token)
- * - used when allowEncDecrypt_recovery is false
+ * - used when allowEncDecrypt_recovery is false
*/
- public synchronized PrivateKey recoverKey(Hashtable request, KeyRecord keyRecord, boolean isRSA)
- throws EBaseException {
+ public synchronized PrivateKey recoverKey(Hashtable request, KeyRecord keyRecord, boolean isRSA)
+ throws EBaseException {
- if (!isRSA) {
+ if (!isRSA) {
CMS.debug("RecoverService: recoverKey: currently, non-RSA keys are not supported when allowEncDecrypt_ is false");
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "key type not supported"));
- }
- try {
+ }
+ try {
if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
- Credential creds[] = (Credential[])
- request.get(ATTR_AGENT_CREDENTIALS);
+ Credential creds[] = (Credential[])
+ request.get(ATTR_AGENT_CREDENTIALS);
- mStorageUnit.login(creds);
+ mStorageUnit.login(creds);
}
/* wrapped retrieve session key and private key */
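Review bot: `verifyKeyPair` names the third INTEGER of the inner private-key structure `privateKeyExponent`, but assuming `privateKeyData` is a PKCS#8 PrivateKeyInfo wrapping an RSA key, that field is the public exponent (the order is version, modulus, publicExponent, privateExponent). The method therefore checks that the public components stored with the private key match the certificate and says nothing about the private exponent itself. I would rename the local to `privateKeyPublicExponent` and add a comment such as `// RSAPrivateKey: version, modulus, publicExponent - only the public components are compared`. `privateKeyVersion` is read but never used, so a short comment that it is consumed only to advance the stream would help. The tail of this hunk belongs to `recoverKey`, whose body continues outside it.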
@@ -400,50 +397,49 @@ public class RecoveryService implements IService {
byte publicKeyData[] = keyRecord.getPublicKeyData();
PublicKey pubkey = null;
try {
- pubkey = X509Key.parsePublicKey (new DerValue(publicKeyData));
+ pubkey = X509Key.parsePublicKey(new DerValue(publicKeyData));
} catch (Exception e) {
- CMS.debug("RecoverService: after parsePublicKey:"+e.toString());
+ CMS.debug("RecoverService: after parsePublicKey:" + e.toString());
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "pubic key parsing failure"));
}
- byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
+ byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
PrivateKey privKey =
- mStorageUnit.unwrap(
- session,
- keyRecord.getAlgorithm(),
- iv,
- pri,
- (PublicKey) pubkey);
+ mStorageUnit.unwrap(
+ session,
+ keyRecord.getAlgorithm(),
+ iv,
+ pri,
+ (PublicKey) pubkey);
if (privKey == null) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "private key unwrapping failure"));
}
if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
- mStorageUnit.logout();
+ mStorageUnit.logout();
}
return privKey;
} catch (Exception e) {
- CMS.debug("RecoverService: recoverKey() failed with allowEncDecrypt_recovery=false:"+e.toString());
- throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "recoverKey() failed with allowEncDecrypt_recovery=false:"+e.toString()));
+ CMS.debug("RecoverService: recoverKey() failed with allowEncDecrypt_recovery=false:" + e.toString());
+ throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "recoverKey() failed with allowEncDecrypt_recovery=false:" + e.toString()));
}
}
-
/**
* Creates a PFX (PKCS12) file. (the unwrapping/wrapping way)
- * - used when allowEncDecrypt_recovery is false
- *
+ * - used when allowEncDecrypt_recovery is false
+ *
* @param request CRMF recovery request
* @param priKey private key handle
* @exception EBaseException failed to create P12 file
*/
- public void createPFX(IRequest request, Hashtable params,
- PrivateKey priKey, CryptoToken ct) throws EBaseException {
+ public void createPFX(IRequest request, Hashtable params,
+ PrivateKey priKey, CryptoToken ct) throws EBaseException {
CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=false");
try {
// create p12
X509Certificate x509cert =
- request.getExtDataInCert(ATTR_USER_CERT);
+ request.getExtDataInCert(ATTR_USER_CERT);
String pwd = (String) params.get(ATTR_TRANSPORT_PWD);
// add certificate
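Review bot: The outer `catch (Exception e)` in `recoverKey` also catches the `EKRAException`s thrown a few lines earlier for the parse and unwrap failures and wraps them a second time. It also copies `e.toString()` into the text built by `CMS.getUserMessage`, which can expose internal exception details to the requester. I would rethrow the specific type first, `} catch (EKRAException e) { throw e; } catch (Exception e) {`, keep the exception text in the `CMS.debug` line only, and pass a fixed string such as `"recoverKey() failed"` to the user message. The `try` opens outside this hunk.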
@@ -461,7 +457,7 @@ public class RecoveryService implements IService {
nickname, localKeyId);
// attributes: user friendly name, Local Key ID
SafeBag certBag = new SafeBag(SafeBag.CERT_BAG,
- new CertBag(CertBag.X509_CERT_TYPE, cert),
+ new CertBag(CertBag.X509_CERT_TYPE, cert),
certAttrs);
encSafeContents.addElement(certBag);
@@ -469,21 +465,21 @@ public class RecoveryService implements IService {
// add key
mKRA.log(ILogger.LL_INFO, "KRA adds key to P12");
CMS.debug("RecoverService: createPFX() adds key to P12");
- org.mozilla.jss.util.Password pass = new
- org.mozilla.jss.util.Password(
- pwd.toCharArray());
+ org.mozilla.jss.util.Password pass = new
+ org.mozilla.jss.util.Password(
+ pwd.toCharArray());
SEQUENCE safeContents = new SEQUENCE();
- PasswordConverter passConverter = new
- PasswordConverter();
- byte salt[] = {0x01, 0x01, 0x01, 0x01};
+ PasswordConverter passConverter = new
+ PasswordConverter();
+ byte salt[] = { 0x01, 0x01, 0x01, 0x01 };
ASN1Value key = EncryptedPrivateKeyInfo.createPBE(
- PBEAlgorithm.PBE_SHA1_DES3_CBC,
+ PBEAlgorithm.PBE_SHA1_DES3_CBC,
pass, salt, 1, passConverter, priKey, ct);
SET keyAttrs = createBagAttrs(
- x509cert.getSubjectDN().toString(),
+ x509cert.getSubjectDN().toString(),
localKeyId);
SafeBag keyBag = new SafeBag(
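Review bot: `createPBE` is called with the fixed salt `{ 0x01, 0x01, 0x01, 0x01 }` and an iteration count of `1`, so the key protecting the private-key bag is derived from the transport password with essentially no work factor and no per-file variation. A random salt and a substantially larger count would address that, e.g. `byte salt[] = new byte[16]; new java.security.SecureRandom().nextBytes(salt);` with the count raised from `1`, subject to what the importing clients accept. The byte[] overload of `createPFX` (hunk -586,29) has the same pair, and `pfx.computeMacData(pass, null, 5)` in both overloads uses a count of 5. `PBE_SHA1_DES3_CBC` itself is a legacy choice that may be pinned by client compatibility. createPFX starts outside this hunk.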
@@ -493,15 +489,15 @@ public class RecoveryService implements IService {
safeContents.addElement(keyBag);
// build contents
- AuthenticatedSafes authSafes = new
- AuthenticatedSafes();
+ AuthenticatedSafes authSafes = new
+ AuthenticatedSafes();
authSafes.addSafeContents(
- safeContents
- );
+ safeContents
+ );
authSafes.addSafeContents(
- encSafeContents
- );
+ encSafeContents
+ );
// authSafes.addEncryptedSafeContents(
// authSafes.DEFAULT_KEY_GEN_ALG,
@@ -510,8 +506,8 @@ public class RecoveryService implements IService {
PFX pfx = new PFX(authSafes);
pfx.computeMacData(pass, null, 5); // ??
- ByteArrayOutputStream fos = new
- ByteArrayOutputStream();
+ ByteArrayOutputStream fos = new
+ ByteArrayOutputStream();
pfx.encode(fos);
pass.clear();
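Review bot: `pass.clear()` runs only when `pfx.encode(fos)` returns, so any exception earlier in the `try` leaves the transport password in the `Password` object uncleared. Declaring `pass` before the `try` and clearing it in a `finally` (`finally { if (pass != null) pass.clear(); }`) covers the failure paths, and the byte[] overload of `createPFX` (hunk -634,8) needs the same. The `String pwd` copy read from `params` cannot be wiped at all, which is worth a comment. The `try` opens outside this hunk.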
@@ -527,26 +523,25 @@ public class RecoveryService implements IService {
mKRA.getRequestQueue().updateRequest(request);
}
-
/**
* Recovers key.
- * - used when allowEncDecrypt_recovery is true
+ * - used when allowEncDecrypt_recovery is true
*/
- public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord)
- throws EBaseException {
+ public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord)
+ throws EBaseException {
if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
- Credential creds[] = (Credential[])
- request.get(ATTR_AGENT_CREDENTIALS);
+ Credential creds[] = (Credential[])
+ request.get(ATTR_AGENT_CREDENTIALS);
- mStorageUnit.login(creds);
+ mStorageUnit.login(creds);
}
mKRA.log(ILogger.LL_INFO, "KRA decrypts internal private");
- byte privateKeyData[] =
- mStorageUnit.decryptInternalPrivate(
- keyRecord.getPrivateKeyData());
+ byte privateKeyData[] =
+ mStorageUnit.decryptInternalPrivate(
+ keyRecord.getPrivateKeyData());
if (CMS.getConfigStore().getBoolean("kra.keySplitting")) {
- mStorageUnit.logout();
+ mStorageUnit.logout();
}
if (privateKeyData == null) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
@@ -557,19 +552,19 @@ public class RecoveryService implements IService {
/**
* Creates a PFX (PKCS12) file.
- * - used when allowEncDecrypt_recovery is true
- *
+ * - used when allowEncDecrypt_recovery is true
+ *
* @param request CRMF recovery request
* @param priData decrypted private key (PrivateKeyInfo)
* @exception EBaseException failed to create P12 file
*/
- public void createPFX(IRequest request, Hashtable params,
- byte priData[]) throws EBaseException {
+ public void createPFX(IRequest request, Hashtable params,
+ byte priData[]) throws EBaseException {
CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=true");
try {
// create p12
X509Certificate x509cert =
- request.getExtDataInCert(ATTR_USER_CERT);
+ request.getExtDataInCert(ATTR_USER_CERT);
String pwd = (String) params.get(ATTR_TRANSPORT_PWD);
// add certificate
@@ -586,29 +581,29 @@ public class RecoveryService implements IService {
nickname, localKeyId);
// attributes: user friendly name, Local Key ID
SafeBag certBag = new SafeBag(SafeBag.CERT_BAG,
- new CertBag(CertBag.X509_CERT_TYPE, cert),
+ new CertBag(CertBag.X509_CERT_TYPE, cert),
certAttrs);
encSafeContents.addElement(certBag);
// add key
mKRA.log(ILogger.LL_INFO, "KRA adds key to P12");
- org.mozilla.jss.util.Password pass = new
- org.mozilla.jss.util.Password(
- pwd.toCharArray());
+ org.mozilla.jss.util.Password pass = new
+ org.mozilla.jss.util.Password(
+ pwd.toCharArray());
SEQUENCE safeContents = new SEQUENCE();
- PasswordConverter passConverter = new
- PasswordConverter();
- byte salt[] = {0x01, 0x01, 0x01, 0x01};
+ PasswordConverter passConverter = new
+ PasswordConverter();
+ byte salt[] = { 0x01, 0x01, 0x01, 0x01 };
PrivateKeyInfo pki = (PrivateKeyInfo)
- ASN1Util.decode(PrivateKeyInfo.getTemplate(),
- priData);
+ ASN1Util.decode(PrivateKeyInfo.getTemplate(),
+ priData);
ASN1Value key = EncryptedPrivateKeyInfo.createPBE(
- PBEAlgorithm.PBE_SHA1_DES3_CBC,
+ PBEAlgorithm.PBE_SHA1_DES3_CBC,
pass, salt, 1, passConverter, pki);
SET keyAttrs = createBagAttrs(
- x509cert.getSubjectDN().toString(),
+ x509cert.getSubjectDN().toString(),
localKeyId);
SafeBag keyBag = new SafeBag(
SafeBag.PKCS8_SHROUDED_KEY_BAG, key,
@@ -617,15 +612,15 @@ public class RecoveryService implements IService {
safeContents.addElement(keyBag);
// build contents
- AuthenticatedSafes authSafes = new
- AuthenticatedSafes();
+ AuthenticatedSafes authSafes = new
+ AuthenticatedSafes();
authSafes.addSafeContents(
- safeContents
- );
+ safeContents
+ );
authSafes.addSafeContents(
- encSafeContents
- );
+ encSafeContents
+ );
// authSafes.addEncryptedSafeContents(
// authSafes.DEFAULT_KEY_GEN_ALG,
@@ -634,8 +629,8 @@ public class RecoveryService implements IService {
PFX pfx = new PFX(authSafes);
pfx.computeMacData(pass, null, 5); // ??
- ByteArrayOutputStream fos = new
- ByteArrayOutputStream();
+ ByteArrayOutputStream fos = new
+ ByteArrayOutputStream();
pfx.encode(fos);
pass.clear();
@@ -655,7 +650,7 @@ public class RecoveryService implements IService {
* Creates local key identifier.
*/
public byte[] createLocalKeyId(X509Certificate cert)
- throws EBaseException {
+ throws EBaseException {
try {
// SHA1 hash of the X509Cert der encoding
byte certDer[] = cert.getEncoded();
@@ -666,12 +661,12 @@ public class RecoveryService implements IService {
md.update(certDer);
return md.digest();
} catch (CertificateEncodingException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString()));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYID_FAILED_1", e.toString()));
} catch (NoSuchAlgorithmException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_ID", e.toString()));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYID_FAILED_1", e.toString()));
}
}
@@ -679,8 +674,8 @@ public class RecoveryService implements IService {
/**
* Creates bag attributes.
*/
- public SET createBagAttrs(String nickName, byte localKeyId[])
- throws EBaseException {
+ public SET createBagAttrs(String nickName, byte localKeyId[])
+ throws EBaseException {
try {
SET attrs = new SET();
SEQUENCE nickNameAttr = new SEQUENCE();
@@ -701,8 +696,8 @@ public class RecoveryService implements IService {
attrs.addElement(localKeyAttr);
return attrs;
} catch (CharConversionException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_BAG", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_CREAT_KEY_BAG", e.toString()));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_KEYBAG_FAILED_1", e.toString()));
}
}
diff --git a/pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java
index 2c3ba716..f2539509 100644
--- a/pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java
+++ b/pki/base/kra/src/com/netscape/kra/StorageKeyUnit.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.io.CharConversionException;
import java.io.File;
import java.io.FileInputStream;
@@ -62,16 +61,15 @@ import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.security.Credential;
import com.netscape.certsrv.security.IStorageKeyUnit;
-
/**
* A class represents a storage key unit. Currently, this
* is implemented with cryptix, the final implementation
* should be built on JSS/HCL.
- *
+ *
* @author thomask
* @version $Revision$, $Date$
*/
-public class StorageKeyUnit extends EncryptionUnit implements
+public class StorageKeyUnit extends EncryptionUnit implements
ISubsystem, IStorageKeyUnit {
private IConfigStore mConfig = null;
@@ -89,7 +87,6 @@ public class StorageKeyUnit extends EncryptionUnit implements
private byte mPrivateKeyData[] = null;
private boolean mKeySplitting = false;
-
private static final String PROP_N = "n";
private static final String PROP_M = "m";
private static final String PROP_UID = "uid";
@@ -105,7 +102,7 @@ public class StorageKeyUnit extends EncryptionUnit implements
* Constructs this token.
*/
public StorageKeyUnit() {
- super();
+ super();
}
/**
@@ -116,8 +113,8 @@ public class StorageKeyUnit extends EncryptionUnit implements
}
/**
- * Sets subsystem identifier. Once the system is
- * loaded, system identifier cannot be changed
+ * Sets subsystem identifier. Once the system is
+ * loaded, system identifier cannot be changed
* dynamically.
*/
public void setId(String id) throws EBaseException {
@@ -125,26 +122,31 @@ public class StorageKeyUnit extends EncryptionUnit implements
}
/**
- * return true if byte arrays are equal, false otherwise
+ * return true if byte arrays are equal, false otherwise
*/
private boolean byteArraysMatch(byte a[], byte b[]) {
- if (a==null || b==null) { return false; }
- if (a.length != b.length) { return false; }
- for (int i=0; i<a.length; i++) {
- if (a[i] != b[i]) { return false; }
- }
- return true;
+ if (a == null || b == null) {
+ return false;
+ }
+ if (a.length != b.length) {
+ return false;
+ }
+ for (int i = 0; i < a.length; i++) {
+ if (a[i] != b[i]) {
+ return false;
+ }
+ }
+ return true;
}
-
/**
* Initializes this subsystem.
*/
- public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ public void init(ISubsystem owner, IConfigStore config)
+ throws EBaseException {
mKRA = (IKeyRecoveryAuthority) owner;
mConfig = config;
-
+
mKeySplitting = owner.getConfigStore().getBoolean("keySplitting", false);
try {
@@ -154,154 +156,154 @@ public class StorageKeyUnit extends EncryptionUnit implements
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_STORAGE_INIT", e.toString()));
throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
}
-
+
if (mConfig.getString(PROP_HARDWARE, null) != null) {
System.setProperty("cms.skip_token", mConfig.getString(PROP_HARDWARE));
-// The strategy here is to read all the certs in the token
-// and cycle through them until we find one that matches the
-// kra-cert.db file
+ // The strategy here is to read all the certs in the token
+ // and cycle through them until we find one that matches the
+ // kra-cert.db file
- if (mKeySplitting) {
+ if (mKeySplitting) {
- byte certFileData[] = null;
- try {
- File certFile = new File(
- mConfig.getString(PROP_CERTDB));
+ byte certFileData[] = null;
+ try {
+ File certFile = new File(
+ mConfig.getString(PROP_CERTDB));
- certFileData = new byte[
- (Long.valueOf(certFile.length())).intValue()];
- FileInputStream fi = new FileInputStream(certFile);
+ certFileData = new byte[
+ (Long.valueOf(certFile.length())).intValue()];
+ FileInputStream fi = new FileInputStream(certFile);
- fi.read(certFileData);
- fi.close();
+ fi.read(certFileData);
+ fi.close();
- // pick up cert by nickName
+ // pick up cert by nickName
- } catch (IOException e) {
- mKRA.log(ILogger.LL_INFO,
- CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
- }
+ } catch (IOException e) {
+ mKRA.log(ILogger.LL_INFO,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ }
+
+ try {
+ X509Certificate certs[] =
+ getToken().getCryptoStore().getCertificates();
+ for (int i = 0; i < certs.length; i++) {
+ if (byteArraysMatch(certs[i].getEncoded(), certFileData)) {
+ mCert = certs[i];
+ }
+ }
+ if (mCert == null) {
+ mKRA.log(ILogger.LL_FAILURE, "Storage Cert could not be initialized. No cert in token matched kra-cert file");
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", "mCert == null"));
+ } else {
+ mKRA.log(ILogger.LL_INFO, "Using Storage Cert " + mCert.getSubjectDN());
+ }
+ } catch (CertificateEncodingException e) {
+ mKRA.log(ILogger.LL_FAILURE, "Error encoding cert ");
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ } catch (TokenException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ }
+ }
- try {
- X509Certificate certs[] =
- getToken().getCryptoStore().getCertificates();
- for (int i=0;i <certs.length;i++) {
- if (byteArraysMatch(certs[i].getEncoded(),certFileData)) {
- mCert = certs[i];
- }
- }
- if (mCert == null) {
- mKRA.log(ILogger.LL_FAILURE, "Storage Cert could not be initialized. No cert in token matched kra-cert file");
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", "mCert == null"));
- } else {
- mKRA.log(ILogger.LL_INFO, "Using Storage Cert "+mCert.getSubjectDN());
- }
- } catch (CertificateEncodingException e) {
- mKRA.log(ILogger.LL_FAILURE, "Error encoding cert ");
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
- } catch (TokenException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
- }
- }
-
} else {
// read certificate from file
byte certData[] = null;
try {
- if (mKeySplitting) {
- File certFile = new File(
- mConfig.getString(PROP_CERTDB));
+ if (mKeySplitting) {
+ File certFile = new File(
+ mConfig.getString(PROP_CERTDB));
- certData = new byte[
- (Long.valueOf(certFile.length())).intValue()];
- FileInputStream fi = new FileInputStream(certFile);
+ certData = new byte[
+ (Long.valueOf(certFile.length())).intValue()];
+ FileInputStream fi = new FileInputStream(certFile);
- fi.read(certData);
- fi.close();
+ fi.read(certData);
+ fi.close();
- // pick up cert by nickName
- mCert = mManager.findCertByNickname(
+ // pick up cert by nickName
+ mCert = mManager.findCertByNickname(
config.getString(PROP_NICKNAME));
- } else {
- mCert = mManager.findCertByNickname(
+ } else {
+ mCert = mManager.findCertByNickname(
config.getString(PROP_NICKNAME));
- }
+ }
} catch (IOException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
} catch (TokenException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
} catch (ObjectNotFoundException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
// XXX - this import wont work
try {
- mCert = mManager.importCertPackage(certData,
+ mCert = mManager.importCertPackage(certData,
"kraStorageCert");
} catch (Exception ex) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_STORAGE_IMPORT_CERT", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_IMPORT_CERT", e.toString()));
throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", ex.toString()));
}
}
-
- if (mKeySplitting) {
- // read private key from the file
- try {
- File priFile = new File(mConfig.getString(PROP_KEYDB));
-
- mPrivateKeyData = new byte[
- (Long.valueOf(priFile.length())).intValue()];
- FileInputStream fi = new FileInputStream(priFile);
- fi.read(mPrivateKeyData);
- fi.close();
- } catch (IOException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_PRIVATE", e.toString()));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", e.toString()));
+ if (mKeySplitting) {
+ // read private key from the file
+ try {
+ File priFile = new File(mConfig.getString(PROP_KEYDB));
+
+ mPrivateKeyData = new byte[
+ (Long.valueOf(priFile.length())).intValue()];
+ FileInputStream fi = new FileInputStream(priFile);
+
+ fi.read(mPrivateKeyData);
+ fi.close();
+ } catch (IOException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_PRIVATE", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1", e.toString()));
+ }
}
- }
-
+
}
- if (mKeySplitting) {
- // open internal data storage configuration
- mTokenFile = mConfig.getString(PROP_MN);
- try {
- // read m, n and no of identifier
- mStorageConfig = CMS.createFileConfigStore(mTokenFile);
- } catch (EBaseException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_MN",
- e.toString()));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_OPERATION"));
+ if (mKeySplitting) {
+ // open internal data storage configuration
+ mTokenFile = mConfig.getString(PROP_MN);
+ try {
+ // read m, n and no of identifier
+ mStorageConfig = CMS.createFileConfigStore(mTokenFile);
+ } catch (EBaseException e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_MN",
+ e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_OPERATION"));
+ }
}
- }
- try {
- if (mCert == null) {
- CMS.debug("mCert is null...retrieving "+ config.getString(PROP_NICKNAME));
- mCert = mManager.findCertByNickname(
- config.getString(PROP_NICKNAME));
- CMS.debug("mCert = "+mCert);
- }
- } catch (Exception e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
- }
+ try {
+ if (mCert == null) {
+ CMS.debug("mCert is null...retrieving " + config.getString(PROP_NICKNAME));
+ mCert = mManager.findCertByNickname(
+ config.getString(PROP_NICKNAME));
+ CMS.debug("mCert = " + mCert);
+ }
+ } catch (Exception e) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_READ_CERT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
+ }
}
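Review bot: Each key-file load in this hunk relies on a single `fi.read(...)` whose return value is discarded, so a short read leaves `mPrivateKeyData` (and `certFileData` / `certData`) partly zero-filled with no error, and the stream is not closed if `read` throws. For the certificate path that surfaces as the misleading "No cert in token matched kra-cert file" failure; for the wrapped private key it probably shows up only later, when the key is unwrapped. Read until the buffer is full inside try/finally, as sketched below for the PROP_KEYDB read; the two PROP_CERTDB reads can use the same loop. init() begins before this hunk.

```java
File priFile = new File(mConfig.getString(PROP_KEYDB));
// … unchanged: mPrivateKeyData allocation from priFile.length() …
FileInputStream fi = new FileInputStream(priFile);
try {
    int off = 0;
    while (off < mPrivateKeyData.length) {
        int n = fi.read(mPrivateKeyData, off, mPrivateKeyData.length - off);
        if (n < 0) {
            throw new IOException("storage key file is shorter than expected");
        }
        off += n;
    }
} finally {
    fi.close();
}
// … unchanged: catch (IOException e) logging and EBaseException …
```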
@@ -316,7 +318,7 @@ public class StorageKeyUnit extends EncryptionUnit implements
*/
public void shutdown() {
}
-
+
/**
* Returns the configuration store of this token.
*/
@@ -325,7 +327,7 @@ public class StorageKeyUnit extends EncryptionUnit implements
}
public static SymmetricKey buildSymmetricKeyWithInternalStorage(
- String pin) throws EBaseException {
+ String pin) throws EBaseException {
try {
return buildSymmetricKey(CryptoManager.getInstance().getInternalKeyStorageToken(), pin);
} catch (Exception e) {
@@ -336,8 +338,8 @@ public class StorageKeyUnit extends EncryptionUnit implements
/**
* Builds symmetric key from the given password.
*/
- public static SymmetricKey buildSymmetricKey(CryptoToken token,
- String pin) throws EBaseException {
+ public static SymmetricKey buildSymmetricKey(CryptoToken token,
+ String pin) throws EBaseException {
try {
Password pass = new Password(pin.toCharArray());
@@ -345,8 +347,8 @@ public class StorageKeyUnit extends EncryptionUnit implements
kg = token.getKeyGenerator(
PBEAlgorithm.PBE_SHA1_DES3_CBC);
- byte salt[] = {0x01, 0x01, 0x01, 0x01,
- 0x01, 0x01, 0x01, 0x01};
+ byte salt[] = { 0x01, 0x01, 0x01, 0x01,
+ 0x01, 0x01, 0x01, 0x01 };
PBEKeyGenParams kgp = new PBEKeyGenParams(pass,
salt, 5);
@@ -354,21 +356,21 @@ public class StorageKeyUnit extends EncryptionUnit implements
kg.initialize(kgp);
return kg.generate();
} catch (TokenException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"buildSymmetricKey:" +
- e.toString()));
+ e.toString()));
} catch (NoSuchAlgorithmException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"buildSymmetricKey:" +
- e.toString()));
+ e.toString()));
} catch (InvalidAlgorithmParameterException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"buildSymmetricKey:" +
- e.toString()));
+ e.toString()));
} catch (CharConversionException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"buildSymmetricKey:" +
- e.toString()));
+ e.toString()));
}
}
@@ -376,49 +378,49 @@ public class StorageKeyUnit extends EncryptionUnit implements
* Unwraps the storage key with the given symmetric key.
*/
public PrivateKey unwrapStorageKey(CryptoToken token,
- SymmetricKey sk, byte wrapped[],
- PublicKey pubKey)
- throws EBaseException {
+ SymmetricKey sk, byte wrapped[],
+ PublicKey pubKey)
+ throws EBaseException {
try {
CMS.debug("StorageKeyUnit.unwrapStorageKey.");
KeyWrapper wrapper = token.getKeyWrapper(
KeyWrapAlgorithm.DES3_CBC_PAD);
-
- wrapper.initUnwrap(sk, IV);
+
+ wrapper.initUnwrap(sk, IV);
// XXX - it does not like the public key that is
// not a crypto X509Certificate
- PrivateKey pk = wrapper.unwrapTemporaryPrivate(wrapped,
+ PrivateKey pk = wrapper.unwrapTemporaryPrivate(wrapped,
PrivateKey.RSA, pubKey);
return pk;
} catch (TokenException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"unwrapStorageKey:" +
- e.toString()));
+ e.toString()));
} catch (NoSuchAlgorithmException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"unwrapStorageKey:" +
- e.toString()));
+ e.toString()));
} catch (InvalidKeyException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"unwrapStorageKey:" +
- e.toString()));
+ e.toString()));
} catch (InvalidAlgorithmParameterException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"unwrapStorageKey:" +
- e.toString()));
+ e.toString()));
}
}
-
+
/**
* Used by config-cert.
*/
public byte[] wrapStorageKey(CryptoToken token,
- SymmetricKey sk, PrivateKey pri)
- throws EBaseException {
+ SymmetricKey sk, PrivateKey pri)
+ throws EBaseException {
CMS.debug("StorageKeyUnit.wrapStorageKey.");
try {
// move public & private to config/storage.dat
@@ -432,21 +434,21 @@ public class StorageKeyUnit extends EncryptionUnit implements
wrapper.initWrap(sk, IV);
return wrapper.wrap(pri);
} catch (TokenException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"wrapStorageKey:" +
- e.toString()));
+ e.toString()));
} catch (NoSuchAlgorithmException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"wrapStorageKey:" +
- e.toString()));
+ e.toString()));
} catch (InvalidKeyException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"wrapStorageKey:" +
- e.toString()));
+ e.toString()));
} catch (InvalidAlgorithmParameterException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
"wrapStorageKey:" +
- e.toString()));
+ e.toString()));
}
}
@@ -460,7 +462,7 @@ public class StorageKeyUnit extends EncryptionUnit implements
PrivateKey pk[] = getToken().getCryptoStore().getPrivateKeys();
for (int i = 0; i < pk.length; i++) {
- if (arraysEqual(pk[i].getUniqueID(),
+ if (arraysEqual(pk[i].getUniqueID(),
((TokenCertificate) mCert).getUniqueID())) {
mPrivateKey = pk[i];
}
@@ -473,7 +475,7 @@ public class StorageKeyUnit extends EncryptionUnit implements
try {
SymmetricKey sk = buildSymmetricKey(mToken, pin);
- mPrivateKey = unwrapStorageKey(mToken, sk,
+ mPrivateKey = unwrapStorageKey(mToken, sk,
mPrivateKeyData, getPublicKey());
} catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_STORAGE_LOGIN", e.toString()));
@@ -487,8 +489,8 @@ public class StorageKeyUnit extends EncryptionUnit implements
/**
* Logins to this token.
*/
- public void login(Credential creds[])
- throws EBaseException {
+ public void login(Credential creds[])
+ throws EBaseException {
String pwd = constructPassword(creds);
login(pwd);
@@ -500,9 +502,9 @@ public class StorageKeyUnit extends EncryptionUnit implements
public void logout() {
try {
if (mConfig.getString(PROP_HARDWARE, null) != null) {
- if (mConfig.getBoolean(PROP_LOGOUT, false)) {
- getToken().logout();
- }
+ if (mConfig.getBoolean(PROP_LOGOUT, false)) {
+ getToken().logout();
+ }
}
} catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_STORAGE_LOGOUT", e.toString()));
@@ -519,8 +521,8 @@ public class StorageKeyUnit extends EncryptionUnit implements
for (int i = 0;; i++) {
try {
- String uid =
- mStorageConfig.getString(PROP_UID + i);
+ String uid =
+ mStorageConfig.getString(PROP_UID + i);
if (uid == null)
break;
@@ -535,13 +537,13 @@ public class StorageKeyUnit extends EncryptionUnit implements
/**
* Changes agent password.
*/
- public boolean changeAgentPassword(String id, String oldpwd,
- String newpwd) throws EBaseException {
+ public boolean changeAgentPassword(String id, String oldpwd,
+ String newpwd) throws EBaseException {
// locate the id(s)
for (int i = 0;; i++) {
try {
- String uid =
- mStorageConfig.getString(PROP_UID + i);
+ String uid =
+ mStorageConfig.getString(PROP_UID + i);
if (uid == null)
break;
@@ -549,8 +551,8 @@ public class StorageKeyUnit extends EncryptionUnit implements
byte share[] = decryptShareWithInternalStorage(mStorageConfig.getString(PROP_SHARE + i), oldpwd);
mStorageConfig.putString(PROP_SHARE + i,
- encryptShareWithInternalStorage(
- share, newpwd));
+ encryptShareWithInternalStorage(
+ share, newpwd));
mStorageConfig.commit(false);
return true;
}
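Review bot: The result of `decryptShareWithInternalStorage(..., oldpwd)` is passed straight to `encryptShareWithInternalStorage(share, newpwd)` and committed, without the `== null` check that the other callers apply (both `if (data == null)` and `if (pwd == null)` appear in later hunks). If a wrong old password yields null rather than an exception (the method's catch body is not visible here, so this is inferred), the agent's stored share could be overwritten or the call could fail with an unrelated error. Add `if (share == null) { throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); }` before the `putString`. changeAgentPassword starts in the previous hunk and ends outside this one.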
@@ -564,10 +566,10 @@ public class StorageKeyUnit extends EncryptionUnit implements
/**
* Changes the m out of n recovery schema.
*/
- public boolean changeAgentMN(int new_n, int new_m,
- Credential oldcreds[],
- Credential newcreds[])
- throws EBaseException {
+ public boolean changeAgentMN(int new_n, int new_m,
+ Credential oldcreds[],
+ Credential newcreds[])
+ throws EBaseException {
if (new_n != newcreds.length) {
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_N"));
@@ -587,22 +589,22 @@ public class StorageKeyUnit extends EncryptionUnit implements
IShare s = null;
try {
- String className = mConfig.getString("share_class",
+ String className = mConfig.getString("share_class",
"com.netscape.cms.shares.OldShare");
- s = (IShare)Class.forName(className).newInstance();
+ s = (IShare) Class.forName(className).newInstance();
} catch (Exception e) {
- CMS.debug("Loading Shares error " + e);
+ CMS.debug("Loading Shares error " + e);
}
if (s == null) {
- CMS.debug("Share plugin is not found");
- return false;
+ CMS.debug("Share plugin is not found");
+ return false;
}
try {
- s.initialize(secret.getBytes(), new_m);
+ s.initialize(secret.getBytes(), new_m);
} catch (Exception e) {
- CMS.debug("Failed to initialize Share plugin");
- return false;
+ CMS.debug("Failed to initialize Share plugin");
+ return false;
}
for (int i = 0; i < newcreds.length; i++) {
@@ -615,20 +617,20 @@ public class StorageKeyUnit extends EncryptionUnit implements
mStorageConfig.putInteger(PROP_N, new_n);
mStorageConfig.putInteger(PROP_M, new_m);
for (int i = 0; i < newcreds.length; i++) {
- mStorageConfig.putString(PROP_UID + i,
- newcreds[i].getIdentifier());
+ mStorageConfig.putString(PROP_UID + i,
+ newcreds[i].getIdentifier());
// use password to encrypt shares...
- mStorageConfig.putString(PROP_SHARE + i,
- encryptShareWithInternalStorage(shares[i],
- newcreds[i].getPassword()));
+ mStorageConfig.putString(PROP_SHARE + i,
+ encryptShareWithInternalStorage(shares[i],
+ newcreds[i].getPassword()));
}
try {
mStorageConfig.commit(false);
return true;
} catch (EBaseException e) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_STORAGE_CHANGE_MN", e.toString()));
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_CHANGE_MN", e.toString()));
}
return false;
}
@@ -683,33 +685,33 @@ public class StorageKeyUnit extends EncryptionUnit implements
public PrivateKey getPrivateKey() {
if (!mKeySplitting) {
- try {
- PrivateKey pk[] = getToken().getCryptoStore().getPrivateKeys();
- for (int i = 0; i < pk.length; i++) {
- if (arraysEqual(pk[i].getUniqueID(),
+ try {
+ PrivateKey pk[] = getToken().getCryptoStore().getPrivateKeys();
+ for (int i = 0; i < pk.length; i++) {
+ if (arraysEqual(pk[i].getUniqueID(),
((TokenCertificate) mCert).getUniqueID())) {
return pk[i];
}
- }
- } catch (TokenException e) {
- }
- return null;
- } else {
- return mPrivateKey;
- }
+ }
+ } catch (TokenException e) {
+ }
+ return null;
+ } else {
+ return mPrivateKey;
+ }
}
/**
* Verifies the integrity of the given key pairs.
*/
public void verify(byte publicKey[], PrivateKey privateKey)
- throws EBaseException {
+ throws EBaseException {
// XXX
}
public String encryptShareWithInternalStorage(
- byte share[], String pwd)
- throws EBaseException {
+ byte share[], String pwd)
+ throws EBaseException {
try {
return encryptShare(CryptoManager.getInstance().getInternalKeyStorageToken(), share, pwd);
} catch (Exception e) {
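Review bot: `catch (TokenException e) { }` in getPrivateKey swallows the token error and falls through to `return null`, so a token fault is indistinguishable from "no matching key" and callers receive a null storage key with nothing in the log. Log it at minimum, e.g. `mKRA.log(ILogger.LL_FAILURE, "getPrivateKey: " + e.toString());`. Separately, verify() is documented as "Verifies the integrity of the given key pairs" but its body is only `// XXX`; the Javadoc should state that it is an unimplemented no-op, e.g. `Not implemented: performs no check.` The encryptShareWithInternalStorage body at the end of this hunk continues outside it.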
@@ -721,8 +723,8 @@ public class StorageKeyUnit extends EncryptionUnit implements
* Protectes the share with the given password.
*/
public String encryptShare(CryptoToken token,
- byte share[], String pwd)
- throws EBaseException {
+ byte share[], String pwd)
+ throws EBaseException {
try {
CMS.debug("StorageKeyUnit.encryptShare");
Cipher cipher = token.getCipherContext(
@@ -737,22 +739,22 @@ public class StorageKeyUnit extends EncryptionUnit implements
// configuration
return com.netscape.osutil.OSUtil.BtoA(enc).trim();
} catch (NoSuchAlgorithmException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
e.toString()));
} catch (TokenException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
e.toString()));
} catch (InvalidKeyException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
e.toString()));
} catch (InvalidAlgorithmParameterException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
e.toString()));
} catch (BadPaddingException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
e.toString()));
} catch (IllegalBlockSizeException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEY_1",
e.toString()));
}
}
@@ -798,21 +800,21 @@ public class StorageKeyUnit extends EncryptionUnit implements
}
if (uid.equals(userid)) {
byte data[] = decryptShareWithInternalStorage(
- mStorageConfig.getString(PROP_SHARE + i),
- pwd);
- if (data == null) {
- throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
+ mStorageConfig.getString(PROP_SHARE + i),
+ pwd);
+ if (data == null) {
+ throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
}
return;
}
}
throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
-
+
}
public byte[] decryptShareWithInternalStorage(
- String encoding, String pwd)
- throws EBaseException {
+ String encoding, String pwd)
+ throws EBaseException {
try {
return decryptShare(CryptoManager.getInstance().getInternalKeyStorageToken(), encoding, pwd);
} catch (Exception e) {
@@ -824,8 +826,8 @@ public class StorageKeyUnit extends EncryptionUnit implements
* Decrypts shares with the given password.
*/
public byte[] decryptShare(CryptoToken token,
- String encoding, String pwd)
- throws EBaseException {
+ String encoding, String pwd)
+ throws EBaseException {
try {
CMS.debug("StorageKeyUnit.decryptShare");
byte share[] = CMS.AtoB(encoding);
@@ -851,25 +853,25 @@ public class StorageKeyUnit extends EncryptionUnit implements
//
// e.printStackTrace();
//
- throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
e.toString()));
} catch (TokenException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
e.toString()));
} catch (NoSuchAlgorithmException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
e.toString()));
} catch (InvalidKeyException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
e.toString()));
} catch (InvalidAlgorithmParameterException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
e.toString()));
} catch (IllegalBlockSizeException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
e.toString()));
} catch (BadPaddingException e) {
- throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
e.toString()));
}
}
@@ -877,8 +879,8 @@ public class StorageKeyUnit extends EncryptionUnit implements
/**
* Reconstructs password from recovery agents.
*/
- private String constructPassword(Credential creds[])
- throws EBaseException {
+ private String constructPassword(Credential creds[])
+ throws EBaseException {
// sort the credential according to the order in
// configuration file
Hashtable v = new Hashtable();
@@ -897,7 +899,7 @@ public class StorageKeyUnit extends EncryptionUnit implements
if (uid.equals(creds[j].getIdentifier())) {
byte pwd[] = decryptShareWithInternalStorage(
mStorageConfig.getString(
- PROP_SHARE + i),
+ PROP_SHARE + i),
creds[j].getPassword());
if (pwd == null) {
throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
@@ -918,11 +920,11 @@ public class StorageKeyUnit extends EncryptionUnit implements
IJoinShares j = null;
try {
- String className = mConfig.getString("joinshares_class",
+ String className = mConfig.getString("joinshares_class",
"com.netscape.cms.shares.OldJoinShares");
- j = (IJoinShares)Class.forName(className).newInstance();
+ j = (IJoinShares) Class.forName(className).newInstance();
} catch (Exception e) {
- CMS.debug("JoinShares error " + e);
+ CMS.debug("JoinShares error " + e);
}
if (j == null) {
CMS.debug("JoinShares plugin is not found");
@@ -930,7 +932,7 @@ public class StorageKeyUnit extends EncryptionUnit implements
}
try {
- j.initialize(v.size());
+ j.initialize(v.size());
} catch (Exception e) {
CMS.debug("Failed to initialize JoinShares");
throw new EBaseException(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
@@ -940,8 +942,8 @@ public class StorageKeyUnit extends EncryptionUnit implements
while (e.hasMoreElements()) {
String next = (String) e.nextElement();
- j.addShare(Integer.parseInt(next) + 1,
- (byte[]) v.get(next));
+ j.addShare(Integer.parseInt(next) + 1,
+ (byte[]) v.get(next));
}
try {
byte secret[] = j.recoverSecret();
@@ -949,9 +951,9 @@ public class StorageKeyUnit extends EncryptionUnit implements
return pwd;
} catch (Exception ee) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_STORAGE_RECONSTRUCT", e.toString()));
- throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_STORAGE_RECONSTRUCT", e.toString()));
+ throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PASSWORD",
ee.toString()));
}
}
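Review bot: The failure log in this catch block formats `e.toString()`, but the exception caught here is `ee`. `e` appears to be the Enumeration used by the share loop in the preceding hunk (`e.hasMoreElements()`), so the log would record the enumeration object instead of the cause of the reconstruction failure. The line should read `CMS.getLogMessage("CMSCORE_KRA_STORAGE_RECONSTRUCT", ee.toString()));`, matching the `ee.toString()` already passed to the user message just below. constructPassword starts outside this hunk, so the declaration of `e` is inferred from that loop.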
diff --git a/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index f9ff8385..a9287b59 100644
--- a/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/pki/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -17,7 +17,6 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.kra;
-
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FilterOutputStream;
@@ -52,9 +51,9 @@ import com.netscape.certsrv.security.ITransportKeyUnit;
import com.netscape.cmscore.dbs.KeyRecord;
import com.netscape.cmsutil.util.Cert;
-
/**
* A class represents recovery request processor.
+ *
* @author Christina Fu (cfu)
* @version $Revision$, $Date$
*/
@@ -68,12 +67,12 @@ public class TokenKeyRecoveryService implements IService {
public static final String ATTR_TRANSPORT_PWD = "transportPwd";
public static final String ATTR_SIGNING_CERT = "signingCert";
public static final String ATTR_PKCS12 = "pkcs12";
- public static final String ATTR_ENCRYPTION_CERTS =
- "encryptionCerts";
- public static final String ATTR_AGENT_CREDENTIALS =
- "agentCredentials";
+ public static final String ATTR_ENCRYPTION_CERTS =
+ "encryptionCerts";
+ public static final String ATTR_AGENT_CREDENTIALS =
+ "agentCredentials";
// same as encryption certs
- public static final String ATTR_USER_CERT = "cert";
+ public static final String ATTR_USER_CERT = "cert";
public static final String ATTR_DELIVERY = "delivery";
private IKeyRecoveryAuthority mKRA = null;
@@ -81,13 +80,11 @@ public class TokenKeyRecoveryService implements IService {
private IStorageKeyUnit mStorageUnit = null;
private ITransportKeyUnit mTransportUnit = null;
- private final static String
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
- private final static String
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED =
- "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
+ private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
/**
@@ -97,15 +94,15 @@ public class TokenKeyRecoveryService implements IService {
mKRA = kra;
mStorage = mKRA.getKeyRepository();
mStorageUnit = mKRA.getStorageKeyUnit();
- mTransportUnit = kra.getTransportKeyUnit();
+ mTransportUnit = kra.getTransportKeyUnit();
}
- /**
+ /**
* Process the HTTP request.
- *
+ *
* @param s The URL to decode
*/
- protected String URLdecode(String s) {
+ protected String URLdecode(String s) {
if (s == null)
return null;
ByteArrayOutputStream out = new ByteArrayOutputStream(s.length());
@@ -125,11 +122,11 @@ public class TokenKeyRecoveryService implements IService {
}
} // end for
return out.toString();
- }
+ }
public static String normalizeCertStr(String s) {
String val = "";
-
+
for (int i = 0; i < s.length(); i++) {
if (s.charAt(i) == '\\') {
i++;
@@ -153,9 +150,9 @@ public class TokenKeyRecoveryService implements IService {
ByteArrayOutputStream output = new ByteArrayOutputStream();
Base64OutputStream b64 = new Base64OutputStream(new
PrintStream(new
- FilterOutputStream(output)
+ FilterOutputStream(output)
)
- );
+ );
b64.write(bytes);
b64.flush();
@@ -167,34 +164,32 @@ public class TokenKeyRecoveryService implements IService {
// this encrypts bytes with a symmetric key
public byte[] encryptIt(byte[] toBeEncrypted, SymmetricKey symKey, CryptoToken token,
- IVParameterSpec IV)
- {
- try {
- Cipher cipher = token.getCipherContext(
+ IVParameterSpec IV) {
+ try {
+ Cipher cipher = token.getCipherContext(
EncryptionAlgorithm.DES3_CBC_PAD);
-
- cipher.initEncrypt(symKey, IV);
- byte pri[] = cipher.doFinal(toBeEncrypted);
- return pri;
- } catch (Exception e) {
- CMS.debug("initEncrypt() threw exception: "+e.toString());
+
+ cipher.initEncrypt(symKey, IV);
+ byte pri[] = cipher.doFinal(toBeEncrypted);
+ return pri;
+ } catch (Exception e) {
+ CMS.debug("initEncrypt() threw exception: " + e.toString());
return null;
}
}
-
/**
* Processes a recovery request. The method reads
* the key record from the database, and tries to recover the
- * key with the storage key unit. Once recovered, it wraps it
+ * key with the storage key unit. Once recovered, it wraps it
* with desKey
* In the params
- * - cert is used for recovery record search
- * - cuid may be used for additional validation check
- * - userid may be used for additional validation check
- * - wrappedDesKey is used for wrapping recovered private key
- *
+ * - cert is used for recovery record search
+ * - cuid may be used for additional validation check
+ * - userid may be used for additional validation check
+ * - wrappedDesKey is used for wrapping recovered private key
+ *
* @param request recovery request
* @return operation success or not
* @exception EBaseException failed to serve
@@ -205,56 +200,55 @@ public class TokenKeyRecoveryService implements IService {
String auditRequesterID = "TPSagent";
String auditRecoveryID = ILogger.UNIDENTIFIED;
String auditPublicKey = ILogger.UNIDENTIFIED;
- String iv_s ="";
+ String iv_s = "";
CMS.debug("KRA services token key recovery request");
byte[] wrapped_des_key;
- byte iv[] = {0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1};
+ byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
try {
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
random.nextBytes(iv);
} catch (Exception e) {
- CMS.debug("TokenKeyRecoveryService.serviceRequest: "+ e.toString());
+ CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString());
}
String id = request.getRequestId().toString();
if (id != null) {
auditRecoveryID = id.trim();
}
- SessionContext sContext = SessionContext.getContext();
- String agentId="";
- if (sContext != null) {
+ SessionContext sContext = SessionContext.getContext();
+ String agentId = "";
+ if (sContext != null) {
agentId =
- (String) sContext.get(SessionContext.USER_ID);
- }
+ (String) sContext.get(SessionContext.USER_ID);
+ }
Hashtable params = mKRA.getVolatileRequest(
request.getRequestId());
-
if (params == null) {
// possibly we are in recovery mode
- CMS.debug("getVolatileRequest params null");
- // return true;
+ CMS.debug("getVolatileRequest params null");
+ // return true;
}
wrapped_des_key = null;
- PK11SymKey sk= null;
+ PK11SymKey sk = null;
String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID);
String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID);
String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY);
- auditSubjectID=rCUID+":"+rUserid;
+ auditSubjectID = rCUID + ":" + rUserid;
- CMS.debug("TokenKeyRecoveryService: received DRM-trans-wrapped des key ="+rWrappedDesKeyString);
+ CMS.debug("TokenKeyRecoveryService: received DRM-trans-wrapped des key =" + rWrappedDesKeyString);
wrapped_des_key = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDesKeyString);
CMS.debug("TokenKeyRecoveryService: wrapped_des_key specialDecoded");
if ((wrapped_des_key != null) &&
- (wrapped_des_key.length > 0)) {
+ (wrapped_des_key.length > 0)) {
// unwrap the des key
sk = (PK11SymKey) mTransportUnit.unwrap_encrypt_sym(wrapped_des_key);
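Review bot: If `SecureRandom.getInstance("SHA1PRNG")` or `random.nextBytes(iv)` throws, the catch block only writes a debug line and the request carries on with the hard-coded `iv` of eight 0x01 bytes. That `iv` is what the later hunk hands to the DES3-CBC cipher that wraps the recovered private key, so a fixed IV should fail the request instead of being used silently. For example, the catch could rethrow with `throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()));`; the method's Javadoc lists EBaseException, but its signature is not in this hunk. The debug line `"received DRM-trans-wrapped des key =" + rWrappedDesKeyString` also copies the wrapped session key into the debug log, where logging only its presence or length would do. serviceRequest starts and ends outside this hunk.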
@@ -298,7 +292,7 @@ public class TokenKeyRecoveryService implements IService {
String cert = normalizeCertStr(cert_s);
java.security.cert.X509Certificate x509cert = null;
try {
- x509cert= (java.security.cert.X509Certificate) Cert.mapCert(cert);
+ x509cert = (java.security.cert.X509Certificate) Cert.mapCert(cert);
if (x509cert == null) {
CMS.debug("cert mapping failed");
request.setExtData(IRequest.RESULT, Integer.valueOf(5));
@@ -326,291 +320,291 @@ public class TokenKeyRecoveryService implements IService {
return false;
}
- try {
- /*
- CryptoToken internalToken =
- CryptoManager.getInstance().getInternalKeyStorageToken();
- */
- CryptoToken token = mStorageUnit.getToken();
- CMS.debug("TokenKeyRecoveryService: got token slot:"+token.getName());
- IVParameterSpec algParam = new IVParameterSpec(iv);
-
- Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
-
- KeyRecord keyRecord = null;
- CMS.debug( "KRA reading key record");
- try {
- keyRecord = (KeyRecord) mStorage.readKeyRecord(cert);
- if (keyRecord != null)
- CMS.debug("read key record");
- else {
- CMS.debug("key record not found");
- request.setExtData(IRequest.RESULT, Integer.valueOf(8));
- auditMessage = CMS.getLogMessage(
+ try {
+ /*
+ CryptoToken internalToken =
+ CryptoManager.getInstance().getInternalKeyStorageToken();
+ */
+ CryptoToken token = mStorageUnit.getToken();
+ CMS.debug("TokenKeyRecoveryService: got token slot:" + token.getName());
+ IVParameterSpec algParam = new IVParameterSpec(iv);
+
+ Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
+
+ KeyRecord keyRecord = null;
+ CMS.debug("KRA reading key record");
+ try {
+ keyRecord = (KeyRecord) mStorage.readKeyRecord(cert);
+ if (keyRecord != null)
+ CMS.debug("read key record");
+ else {
+ CMS.debug("key record not found");
+ request.setExtData(IRequest.RESULT, Integer.valueOf(8));
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRecoveryID,
+ agentId);
+
+ audit(auditMessage);
+ return false;
+ }
+ } catch (Exception e) {
+ com.netscape.cmscore.util.Debug.printStackTrace(e);
+ request.setExtData(IRequest.RESULT, Integer.valueOf(9));
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
auditSubjectID,
ILogger.FAILURE,
auditRecoveryID,
agentId);
- audit(auditMessage);
- return false;
- }
- }catch (Exception e) {
- com.netscape.cmscore.util.Debug.printStackTrace(e);
- request.setExtData(IRequest.RESULT, Integer.valueOf(9));
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
- agentId);
+ audit(auditMessage);
+ return false;
+ }
- audit(auditMessage);
- return false;
- }
-
- // see if the owner name matches (cuid:userid) -XXX need make this optional
- String owner = keyRecord.getOwnerName();
- CMS.debug("TokenKeyRecoveryService: owner name on record =" +owner);
- CMS.debug("TokenKeyRecoveryService: owner name from TPS =" +rCUID+":"+rUserid);
- if (owner != null) {
- if (owner.equals(rCUID+":"+rUserid)) {
- CMS.debug("TokenKeyRecoveryService: owner name matches");
- } else {
- CMS.debug("TokenKeyRecoveryService: owner name mismatches");
- }
- }
-
- // see if the certificate matches the key
- byte pubData[] = keyRecord.getPublicKeyData();
- byte inputPubData[] = x509cert.getPublicKey().getEncoded();
-
- if (inputPubData.length != pubData.length) {
- mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.FAILURE,
- auditRecoveryID,
- agentId);
+ // see if the owner name matches (cuid:userid) -XXX need make this optional
+ String owner = keyRecord.getOwnerName();
+ CMS.debug("TokenKeyRecoveryService: owner name on record =" + owner);
+ CMS.debug("TokenKeyRecoveryService: owner name from TPS =" + rCUID + ":" + rUserid);
+ if (owner != null) {
+ if (owner.equals(rCUID + ":" + rUserid)) {
+ CMS.debug("TokenKeyRecoveryService: owner name matches");
+ } else {
+ CMS.debug("TokenKeyRecoveryService: owner name mismatches");
+ }
+ }
- audit(auditMessage);
- throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
- }
+ // see if the certificate matches the key
+ byte pubData[] = keyRecord.getPublicKeyData();
+ byte inputPubData[] = x509cert.getPublicKey().getEncoded();
- for (int i = 0; i < pubData.length; i++) {
- if (pubData[i] != inputPubData[i]) {
- mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
- auditMessage = CMS.getLogMessage(
+ if (inputPubData.length != pubData.length) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
auditSubjectID,
ILogger.FAILURE,
auditRecoveryID,
agentId);
- audit(auditMessage);
- throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
- }
- }
-
- // Unwrap the archived private key
- byte privateKeyData[] = null;
- privateKeyData = recoverKey(params, keyRecord);
- if (privateKeyData == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("TokenKeyRecoveryService: failed getting private key");
- auditMessage = CMS.getLogMessage(
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
+ }
+
+ for (int i = 0; i < pubData.length; i++) {
+ if (pubData[i] != inputPubData[i]) {
+ mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRecoveryID,
+ agentId);
+
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED"));
+ }
+ }
+
+ // Unwrap the archived private key
+ byte privateKeyData[] = null;
+ privateKeyData = recoverKey(params, keyRecord);
+ if (privateKeyData == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("TokenKeyRecoveryService: failed getting private key");
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
auditSubjectID,
ILogger.FAILURE,
auditRecoveryID,
agentId);
- audit(auditMessage);
- return false;
- }
- CMS.debug("TokenKeyRecoveryService: got private key...about to verify");
-
- iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
- request.setExtData("iv_s", iv_s);
-
- CMS.debug("request.setExtData: iv_s: " + iv_s);
-
- /* LunaSA returns data with padding which we need to remove */
- ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData);
- DerValue dv = new DerValue(dis);
- byte p[] = dv.toByteArray();
- int l = p.length;
- CMS.debug("length different data length=" + l +
- " real length=" + privateKeyData.length );
- if (l != privateKeyData.length) {
- privateKeyData = p;
- }
+ audit(auditMessage);
+ return false;
+ }
+ CMS.debug("TokenKeyRecoveryService: got private key...about to verify");
+
+ iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
+ request.setExtData("iv_s", iv_s);
+
+ CMS.debug("request.setExtData: iv_s: " + iv_s);
+
+ /* LunaSA returns data with padding which we need to remove */
+ ByteArrayInputStream dis = new ByteArrayInputStream(privateKeyData);
+ DerValue dv = new DerValue(dis);
+ byte p[] = dv.toByteArray();
+ int l = p.length;
+ CMS.debug("length different data length=" + l +
+ " real length=" + privateKeyData.length);
+ if (l != privateKeyData.length) {
+ privateKeyData = p;
+ }
- if (verifyKeyPair(pubData, privateKeyData) == false) {
- mKRA.log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
- auditMessage = CMS.getLogMessage(
+ if (verifyKeyPair(pubData, privateKeyData) == false) {
+ mKRA.log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
auditSubjectID,
ILogger.FAILURE,
auditRecoveryID,
agentId);
- audit(auditMessage);
- throw new EKRAException(
- CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
- } else {
- CMS.debug("TokenKeyRecoveryService: private key verified with public key");
- }
+ audit(auditMessage);
+ throw new EKRAException(
+ CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
+ } else {
+ CMS.debug("TokenKeyRecoveryService: private key verified with public key");
+ }
- //encrypt and put in private key
- cipher.initEncrypt(sk, algParam);
- byte wrapped[] = cipher.doFinal(privateKeyData);
+ //encrypt and put in private key
+ cipher.initEncrypt(sk, algParam);
+ byte wrapped[] = cipher.doFinal(privateKeyData);
- String wrappedPrivKeyString =
+ String wrappedPrivKeyString =
com.netscape.cmsutil.util.Utils.SpecialEncode(wrapped);
- if (wrappedPrivKeyString == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key");
- auditMessage = CMS.getLogMessage(
+ if (wrappedPrivKeyString == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key");
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
auditSubjectID,
ILogger.FAILURE,
auditRecoveryID,
agentId);
- audit(auditMessage);
- return false;
- } else {
- CMS.debug("TokenKeyRecoveryService: got private key data wrapped");
- request.setExtData("wrappedUserPrivate",
- wrappedPrivKeyString);
- request.setExtData(IRequest.RESULT, Integer.valueOf(1));
- CMS.debug( "TokenKeyRecoveryService: key for " +rCUID+":"+rUserid +" recovered");
- }
-
- //convert and put in the public key
- String b64PKey = base64Encode(pubData);
-
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
- auditSubjectID,
- ILogger.SUCCESS,
- auditRecoveryID,
- b64PKey);
-
audit(auditMessage);
-
- if (b64PKey == null) {
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded");
+ return false;
+ } else {
+ CMS.debug("TokenKeyRecoveryService: got private key data wrapped");
+ request.setExtData("wrappedUserPrivate",
+ wrappedPrivKeyString);
+ request.setExtData(IRequest.RESULT, Integer.valueOf(1));
+ CMS.debug("TokenKeyRecoveryService: key for " + rCUID + ":" + rUserid + " recovered");
+ }
+
+ //convert and put in the public key
+ String b64PKey = base64Encode(pubData);
+
auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRecoveryID,
+ b64PKey);
+
+ audit(auditMessage);
+
+ if (b64PKey == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded");
+ auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
auditSubjectID,
ILogger.FAILURE,
auditRecoveryID,
agentId);
+ audit(auditMessage);
+ return false;
+ } else {
+ CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = " +
+ b64PKey);
+ }
+ request.setExtData("public_key", b64PKey);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ auditRecoveryID,
+ agentId);
+
audit(auditMessage);
- return false;
- } else {
- CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = "+
- b64PKey);
- }
- request.setExtData("public_key", b64PKey);
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
- auditSubjectID,
- ILogger.SUCCESS,
- auditRecoveryID,
- agentId);
-
- audit(auditMessage);
- return true;
+ return true;
- } catch (Exception e) {
- CMS.debug("TokenKeyRecoveryService: " + e.toString());
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
- }
+ } catch (Exception e) {
+ CMS.debug("TokenKeyRecoveryService: " + e.toString());
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ }
return true;
}
- public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[])
- {
- try {
- DerValue publicKeyVal = new DerValue(publicKeyData);
- DerInputStream publicKeyIn = publicKeyVal.data;
- publicKeyIn.getSequence(0);
- DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
- DerInputStream publicKeyDerIn = publicKeyDer.data;
- BigInt publicKeyModulus = publicKeyDerIn.getInteger();
- BigInt publicKeyExponent = publicKeyDerIn.getInteger();
-
- DerValue privateKeyVal = new DerValue(privateKeyData);
- if (privateKeyVal.tag != DerValue.tag_Sequence)
- return false;
- DerInputStream privateKeyIn = privateKeyVal.data;
- privateKeyIn.getInteger();
- privateKeyIn.getSequence(0);
- DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
- DerInputStream privateKeyDerIn = privateKeyDer.data;
- BigInt privateKeyVersion = privateKeyDerIn.getInteger();
- BigInt privateKeyModulus = privateKeyDerIn.getInteger();
- BigInt privateKeyExponent = privateKeyDerIn.getInteger();
-
- if (!publicKeyModulus.equals(privateKeyModulus)) {
- CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus);
- return false;
- }
-
- if (!publicKeyExponent.equals(privateKeyExponent)) {
- CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent);
- return false;
- }
-
- return true;
- } catch (Exception e) {
- CMS.debug("verifyKeyPair error " + e);
- return false;
- }
+ public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) {
+ try {
+ DerValue publicKeyVal = new DerValue(publicKeyData);
+ DerInputStream publicKeyIn = publicKeyVal.data;
+ publicKeyIn.getSequence(0);
+ DerValue publicKeyDer = new DerValue(publicKeyIn.getBitString());
+ DerInputStream publicKeyDerIn = publicKeyDer.data;
+ BigInt publicKeyModulus = publicKeyDerIn.getInteger();
+ BigInt publicKeyExponent = publicKeyDerIn.getInteger();
+
+ DerValue privateKeyVal = new DerValue(privateKeyData);
+ if (privateKeyVal.tag != DerValue.tag_Sequence)
+ return false;
+ DerInputStream privateKeyIn = privateKeyVal.data;
+ privateKeyIn.getInteger();
+ privateKeyIn.getSequence(0);
+ DerValue privateKeyDer = new DerValue(privateKeyIn.getOctetString());
+ DerInputStream privateKeyDerIn = privateKeyDer.data;
+ BigInt privateKeyVersion = privateKeyDerIn.getInteger();
+ BigInt privateKeyModulus = privateKeyDerIn.getInteger();
+ BigInt privateKeyExponent = privateKeyDerIn.getInteger();
+
+ if (!publicKeyModulus.equals(privateKeyModulus)) {
+ CMS.debug("verifyKeyPair modulus mismatch publicKeyModulus=" + publicKeyModulus + " privateKeyModulus=" + privateKeyModulus);
+ return false;
+ }
+
+ if (!publicKeyExponent.equals(privateKeyExponent)) {
+ CMS.debug("verifyKeyPair exponent mismatch publicKeyExponent=" + publicKeyExponent + " privateKeyExponent=" + privateKeyExponent);
+ return false;
+ }
+
+ return true;
+ } catch (Exception e) {
+ CMS.debug("verifyKeyPair error " + e);
+ return false;
+ }
}
-
+
/**
* Recovers key.
*/
- public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord)
- throws EBaseException {
- /*
- Credential creds[] = (Credential[])
- request.get(ATTR_AGENT_CREDENTIALS);
-
- mStorageUnit.login(creds);
- */
- CMS.debug( "KRA decrypts internal private");
- byte privateKeyData[] =
- mStorageUnit.decryptInternalPrivate(
- keyRecord.getPrivateKeyData());
- /*
- mStorageUnit.logout();
- */
+ public synchronized byte[] recoverKey(Hashtable request, KeyRecord keyRecord)
+ throws EBaseException {
+ /*
+ Credential creds[] = (Credential[])
+ request.get(ATTR_AGENT_CREDENTIALS);
+
+ mStorageUnit.login(creds);
+ */
+ CMS.debug("KRA decrypts internal private");
+ byte privateKeyData[] =
+ mStorageUnit.decryptInternalPrivate(
+ keyRecord.getPrivateKeyData());
+ /*
+ mStorageUnit.logout();
+ */
if (privateKeyData == null) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "no private key"));
}
return privateKeyData;
}
+
/**
* Signed Audit Log
- *y
+ * y
* This method is called to store messages to the signed audit log.
* <P>
- *
+ *
* @param msg signed audit log message
*/
private void audit(String msg) {
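Review bot: The owner check after `keyRecord.getOwnerName()` only writes "owner name mismatches" to the debug log and continues. A request whose `rCUID + ":" + rUserid` differs from the owner on the key record therefore still reaches `recoverKey` and gets the wrapped private key back. The XXX comment suggests enforcement is meant to become optional; until that switch exists, a mismatch should take the same failure path as the "key record not found" branch, as sketched below with a placeholder result code. Separately, the outer `catch (Exception e)` sets result 4 but writes no signed-audit failure event and falls through to `return true`. serviceRequest starts before this hunk.

```java
// … unchanged: readKeyRecord handling and the two owner-name debug lines …
if (owner != null && !owner.equals(rCUID + ":" + rUserid)) {
    CMS.debug("TokenKeyRecoveryService: owner name mismatches");
    // RESULT_OWNER_MISMATCH is a placeholder: use the result code the TPS side expects
    request.setExtData(IRequest.RESULT, Integer.valueOf(RESULT_OWNER_MISMATCH));
    auditMessage = CMS.getLogMessage(
            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
            auditSubjectID,
            ILogger.FAILURE,
            auditRecoveryID,
            agentId);
    audit(auditMessage);
    return false;
}
// … unchanged: public key comparison, recoverKey, verifyKeyPair, wrapping …
```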
@@ -622,10 +616,10 @@ public class TokenKeyRecoveryService implements IService {
}
mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
- null,
- ILogger.S_SIGNED_AUDIT,
- ILogger.LL_SECURITY,
- msg);
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
}
}
diff --git a/pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java
index 86b2dbfc..90ac2120 100644
--- a/pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+++ b/pki/base/kra/src/com/netscape/kra/TransportKeyUnit.java
@@ -34,15 +34,14 @@ import com.netscape.certsrv.base.ISubsystem;
import com.netscape.certsrv.security.ITransportKeyUnit;
import com.netscape.cmsutil.util.Cert;
-
/**
* A class represents the transport key pair. This key pair
* is used to protected EE's private key in transit.
- *
+ *
* @author thomask
* @version $Revision$, $Date$
*/
-public class TransportKeyUnit extends EncryptionUnit implements
+public class TransportKeyUnit extends EncryptionUnit implements
ISubsystem, ITransportKeyUnit {
public static final String PROP_NICKNAME = "nickName";
@@ -78,8 +77,8 @@ public class TransportKeyUnit extends EncryptionUnit implements
/**
* Initializes this subsystem.
*/
- public void init(ISubsystem owner, IConfigStore config)
- throws EBaseException {
+ public void init(ISubsystem owner, IConfigStore config)
+ throws EBaseException {
mConfig = config;
try {
mManager = CryptoManager.getInstance();
@@ -87,11 +86,10 @@ public class TransportKeyUnit extends EncryptionUnit implements
String algo = config.getString("signingAlgorithm", "SHA256withRSA");
// #613795 - initialize this; otherwise JSS is not happy
- CryptoToken token = getToken();
+ CryptoToken token = getToken();
SignatureAlgorithm sigalg = Cert.mapAlgorithmToJss(algo);
- Signature signer = token.getSignatureContext(sigalg);
+ Signature signer = token.getSignatureContext(sigalg);
signer.initSign(getPrivateKey());
-
} catch (org.mozilla.jss.CryptoManager.NotInitializedException e) {
throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", e.toString()));
@@ -130,7 +128,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
*/
public void shutdown() {
}
-
+
/**
* Returns the configuration store of this token.
*/
@@ -191,7 +189,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
* Verifies the integrity of the given key pair.
*/
public void verify(byte publicKey[], PrivateKey privateKey)
- throws EBaseException {
+ throws EBaseException {
// XXX
}
}
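Review bot: `verify(byte publicKey[], PrivateKey privateKey)` is documented as "Verifies the integrity of the given key pair", but its body is only `// XXX`, so every call returns normally whatever the inputs. A caller that treats a normal return as a passed check gets no verification at all. Until the method is implemented, the Javadoc should say so, e.g. `* NOTE: not implemented; performs no check and always returns normally.` If no caller depends on it succeeding, it could instead throw `EBaseException` so the stub cannot be mistaken for a successful verification. Callers are not visible in this diff, so the practical impact is inferred.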