From c95cff5899e2975b16db61b811b626742e5e7114 Mon Sep 17 00:00:00 2001

From: Christina Fu <cfu@redhat.com>

Date: Mon, 1 May 2017 17:48:33 -0700

Subject: [PATCH 01/10] Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false

 would cause error This patch would fix the issue.  It also adds the

 CMCUserSignedAuth authentication instance that was missed in the CS.cfg

---

 base/ca/shared/conf/CS.cfg                                        | 1 +

 .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java    | 8 +++-----

 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg

index 078abee..3eb5b1b 100644

--- a/base/ca/shared/conf/CS.cfg

+++ b/base/ca/shared/conf/CS.cfg

@@ -180,6 +180,7 @@ auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAu

 auths.instance.TokenAuth.pluginName=TokenAuth

 auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents

 auths.instance.AgentCertAuth.pluginName=AgentCertAuth

+auths.instance.CMCUserSignedAuth.pluginName=CMCUserSignedAuth

 auths.instance.raCertAuth.agentGroup=Registration Manager Agents

 auths.instance.raCertAuth.pluginName=AgentCertAuth

 auths.instance.flatFileAuth.pluginName=FlatFileAuth

diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java

index 57f07d1..7d52fc8 100644

--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java

+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java

@@ -885,10 +885,7 @@ public abstract class EnrollProfile extends BasicProfile

             }

             int nummsgs = reqSeq.size();

-            if (!popLinkWitnessRequired) {

-                CMS.debug(method + "popLinkWitnessRequired false, skip check");

-            } else if (nummsgs > 0) {

-                CMS.debug(method + "cmc.popLinkWitnessRequired is true");

+            if (nummsgs > 0) {

                 CMS.debug(method + "nummsgs =" + nummsgs);

                 msgs = new TaggedRequest[reqSeq.size()];

                 SEQUENCE bpids = new SEQUENCE();

@@ -896,7 +893,8 @@ public abstract class EnrollProfile extends BasicProfile

                 boolean valid = true;

                 for (int i = 0; i < nummsgs; i++) {

                     msgs[i] = (TaggedRequest) reqSeq.elementAt(i);

-                    if (!context.containsKey("POPLinkWitnessV2") &&

+                    if (popLinkWitnessRequired &&

+                            !context.containsKey("POPLinkWitnessV2") &&

                             !context.containsKey("POPLinkWitness")) {

                         CMS.debug(method + "popLinkWitness(V2) required");

                         if (randomSeed == null) {

-- 

1.8.3.1

From 220e35d2b5610cb051831b990451b3b3ff53604e Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Tue, 2 May 2017 21:44:36 +1000

Subject: [PATCH 02/10] CAInfoService: retrieve info from KRA

The CAInfoService returns CA configuration info, including

KRA-related values the CA clients may need to know (e.g. for

generating a CRMF cert request that will cause keys to be archived

in KRA).  Currently that information is statically configured and

does not respect the actual configuration of the KRA.

Update the service to retrieve info from the KRA, which is queried

according to the KRA Connector configuration.  After the KRA has

been successfully contacted, the recorded KRA-related settings are

regarded as authoritative.

The KRA is contacted ONLY if the current info is NOT authoritative,

otherwise the currently recorded values are used.  This means that

any change to relevant KRA configuration (which should occur seldom

if ever) necessitates restart of the CA subsystem.

If this is unsuccessful (e.g. if the KRA is down or the connector is

misconfigured) we use the default values, which may be incorrect.

Fixes: https://pagure.io/dogtagpki/issue/2665

Change-Id: I30a37c42ef9327471e8cce8a171f79f388fec746

---

 .../org/dogtagpki/server/rest/CAInfoService.java   | 143 ++++++++++++++++++---

 1 file changed, 126 insertions(+), 17 deletions(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java

index f4724a6..398f499 100644

--- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java

+++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java

@@ -18,26 +18,63 @@

 package org.dogtagpki.server.rest;

+import java.net.MalformedURLException;

+import java.net.URISyntaxException;

+

 import javax.servlet.http.HttpSession;

 import javax.ws.rs.core.Response;

 import org.dogtagpki.common.CAInfo;

 import org.dogtagpki.common.CAInfoResource;

+import org.dogtagpki.common.KRAInfo;

+import org.dogtagpki.common.KRAInfoClient;

 import org.slf4j.Logger;

 import org.slf4j.LoggerFactory;

 import com.netscape.certsrv.apps.CMS;

 import com.netscape.certsrv.base.EBaseException;

 import com.netscape.certsrv.base.IConfigStore;

+import com.netscape.certsrv.base.PKIException;

+import com.netscape.certsrv.client.ClientConfig;

+import com.netscape.certsrv.client.PKIClient;

+import com.netscape.certsrv.system.KRAConnectorInfo;

+import com.netscape.cms.servlet.admin.KRAConnectorProcessor;

 import com.netscape.cms.servlet.base.PKIService;

 /**

  * @author Ade Lee

+ *

+ * This class returns CA info, including KRA-related values the CA

+ * clients may need to know (e.g. for generating a CRMF cert request

+ * that will cause keys to be archived in KRA).

+ *

+ * The KRA-related info is read from the KRAInfoService, which is

+ * queried according to the KRA Connector configuration.  After

+ * the KRAInfoService has been successfully contacted, the recorded

+ * KRA-related settings are regarded as authoritative.

+ *

+ * The KRA is contacted ONLY if the current info is NOT

+ * authoritative, otherwise the currently recorded values are used.

+ * This means that any change to relevant KRA configuration (which

+ * should occur seldom if ever) necessitates restart of the CA

+ * subsystem.

+ *

+ * If this is unsuccessful (e.g. if the KRA is down or the

+ * connector is misconfigured) we use the default values, which

+ * may be incorrect.

  */

 public class CAInfoService extends PKIService implements CAInfoResource {

     private static Logger logger = LoggerFactory.getLogger(InfoService.class);

+    // is the current KRA-related info authoritative?

+    private static boolean kraInfoAuthoritative = false;

+

+    // KRA-related fields (the initial values are only used if we

+    // did not yet receive authoritative info from KRA)

+    private static String archivalMechanism = KRAInfoService.KEYWRAP_MECHANISM;

+    private static String wrappingKeySet = "0";

+

     @Override

     public Response getInfo() throws Exception {

@@ -45,30 +82,102 @@ public class CAInfoService extends PKIService implements CAInfoResource {

         logger.debug("CAInfoService.getInfo(): session: " + session.getId());

         CAInfo info = new CAInfo();

-        String archivalMechanism = getArchivalMechanism();

-

-        if (archivalMechanism != null)

-            info.setArchivalMechanism(getArchivalMechanism());

-        info.setWrappingKeySet(getWrappingKeySet());

+        addKRAInfo(info);

         return createOKResponse(info);

     }

-    String getArchivalMechanism() throws EBaseException {

-        IConfigStore cs = CMS.getConfigStore();

-        boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);

-        if (!kra_present) return null;

-

-        boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);

-        return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM;

+    /**

+     * Add KRA fields if KRA is configured, querying the KRA

+     * if necessary.

+     *

+     * Apart from reading 'headers', this method doesn't access

+     * any instance data.

+     */

+    private void addKRAInfo(CAInfo info) {

+        KRAConnectorInfo connInfo = null;

+        try {

+            KRAConnectorProcessor processor =

+                new KRAConnectorProcessor(getLocale(headers));

+            connInfo = processor.getConnectorInfo();

+        } catch (Throwable e) {

+            // connInfo remains as null

+        }

+        boolean kraEnabled =

+            connInfo != null

+            && "true".equalsIgnoreCase(connInfo.getEnable());

+

+        if (kraEnabled) {

+            if (!kraInfoAuthoritative) {

+                // KRA is enabled but we are yet to successfully

+                // query the KRA-related info.  Do it now.

+                queryKRAInfo(connInfo);

+            }

+

+            info.setArchivalMechanism(archivalMechanism);

+            info.setWrappingKeySet(wrappingKeySet);

+        }

     }

-    String getWrappingKeySet() throws EBaseException {

-        IConfigStore cs = CMS.getConfigStore();

-        boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);

-        if (!kra_present) return null;

+    private static void queryKRAInfo(KRAConnectorInfo connInfo) {

+        try {

+            KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo();

+

+            archivalMechanism = kraInfo.getArchivalMechanism();

+

+            // request succeeded; the KRA is 10.4 or higher,

+            // therefore supports key set v1

+            wrappingKeySet = "1";

+

+            // mark info as authoritative

+            kraInfoAuthoritative = true;

+        } catch (PKIException e) {

+            if (e.getCode() == 404) {

+                // The KRAInfoResource was added in 10.4,

+                // so we are talking to a pre-10.4 KRA

+

+                // pre-10.4 only supports key set v0

+                wrappingKeySet = "0";

+

+                // pre-10.4 KRA does not advertise the archival

+                // mechanism; look for the old knob in CA's config

+                // or fall back to the default

+                IConfigStore cs = CMS.getConfigStore();

+                boolean encrypt_archival;

+                try {

+                    encrypt_archival = cs.getBoolean(

+                        "kra.allowEncDecrypt.archival", false);

+                } catch (EBaseException e1) {

+                    encrypt_archival = false;

+                }

+                archivalMechanism = encrypt_archival

+                    ? KRAInfoService.ENCRYPT_MECHANISM

+                    : KRAInfoService.KEYWRAP_MECHANISM;

+

+                // mark info as authoritative

+                kraInfoAuthoritative = true;

+            } else {

+                CMS.debug("Failed to retrieve archive wrapping information from the CA: " + e);

+                CMS.debug(e);

+            }

+        } catch (Throwable e) {

+            CMS.debug("Failed to retrieve archive wrapping information from the CA: " + e);

+            CMS.debug(e);

+        }

+    }

-        return cs.getString("kra.wrappingKeySet", "1");

+    /**

+     * Construct KRAInfoClient given KRAConnectorInfo

+     */

+    private static KRAInfoClient getKRAInfoClient(KRAConnectorInfo connInfo)

+            throws MalformedURLException, URISyntaxException, EBaseException {

+        ClientConfig config = new ClientConfig();

+        int port = Integer.parseInt(connInfo.getPort());

+        config.setServerURL("https", connInfo.getHost(), port);

+        config.setCertDatabase(

+            CMS.getConfigStore().getString("instanceRoot") + "/alias");

+        return new KRAInfoClient(new PKIClient(config), "kra");

     }

+

 }

-- 

1.8.3.1

From c64d6331d52dcf07108226c5dff26bd8b6c41e70 Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Thu, 4 May 2017 10:36:49 +0200

Subject: [PATCH 03/10] pki.authority: Don't send header as POST body

pki.authority was mistakenly sending headers as POST body instead of

sending an empty POST body with right headers.

Change-Id: I6a5089e55233cf72f4d8e79832150e7c45f0fdae

Signed-off-by: Christian Heimes <cheimes@redhat.com>

---

 base/common/python/pki/authority.py | 14 +++++++-------

 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py

index 9fa459c..0d83a4b 100644

--- a/base/common/python/pki/authority.py

+++ b/base/common/python/pki/authority.py

@@ -140,7 +140,7 @@ class AuthorityClient(object):

         url = self.ca_url + '/' + str(aid)

         headers = {'Content-type': 'application/json',

                    'Accept': 'application/json'}

-        r = self.connection.get(url, headers)

+        r = self.connection.get(url, headers=headers)

         return AuthorityData.from_json(r.json())

     @pki.handle_exceptions()

@@ -167,7 +167,7 @@ class AuthorityClient(object):

             raise ValueError(

                 "Invalid format passed in - PEM or DER expected.")

-        r = self.connection.get(url, headers)

+        r = self.connection.get(url, headers=headers)

         return r.text

     @pki.handle_exceptions()

@@ -189,7 +189,7 @@ class AuthorityClient(object):

         elif output_format == "PKCS7":

             headers['Accept'] = "application/pkcs7-mime"

-        r = self.connection.get(url, headers)

+        r = self.connection.get(url, headers=headers)

         return r.text

     @pki.handle_exceptions()

@@ -238,7 +238,7 @@ class AuthorityClient(object):

         response = self.connection.post(

             self.ca_url,

             create_request,

-            headers)

+            headers=headers)

         new_ca = AuthorityData.from_json(response.json())

         return new_ca

@@ -257,7 +257,7 @@ class AuthorityClient(object):

         headers = {'Content-type': 'application/json',

                    'Accept': 'application/json'}

-        self.connection.post(url, headers)

+        self.connection.post(url, None, headers=headers)

     @pki.handle_exceptions()

     def disable_ca(self, aid):

@@ -272,7 +272,7 @@ class AuthorityClient(object):

         headers = {'Content-type': 'application/json',

                    'Accept': 'application/json'}

-        self.connection.post(url, headers)

+        self.connection.post(url, None, headers=headers)

     @pki.handle_exceptions()

     def delete_ca(self, aid):

@@ -287,7 +287,7 @@ class AuthorityClient(object):

         headers = {'Content-type': 'application/json',

                    'Accept': 'application/json'}

-        self.connection.delete(url, headers)

+        self.connection.delete(url, headers=headers)

 encoder.NOTYPES['AuthorityData'] = AuthorityData

-- 

1.8.3.1

From 62a78bfa227b5e75a7cb931d7e65e824f5fe01ec Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Fri, 5 May 2017 19:54:15 +1000

Subject: [PATCH 04/10] Fix PKCS #12 import during clone installation

PKCS #12 export was updated to use AES / PBES2 encryption for the

key bags, but an import code path used when spawning a clone was

missed, and now fails (because it doesn't grok PBES2).

Update it to use CryptoStore.importEncryptedPrivateKeyInfo()

instead, fixing the problem.

Fixes: https://pagure.io/dogtagpki/issue/2677

Change-Id: I11f26ae8a4811f27690541f2c70b3a2adb6264e9

---

 .../cms/servlet/csadmin/ConfigurationUtils.java    | 32 +++++++---------------

 1 file changed, 10 insertions(+), 22 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java

index ee1984b..07c64af 100644

--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java

+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java

@@ -886,9 +886,7 @@ public class ConfigurationUtils {

                 if (oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) {

                     CMS.debug("  - Bag #" + j + ": key");

-                    EncryptedPrivateKeyInfo privkeyinfo =

-                            (EncryptedPrivateKeyInfo) bag.getInterpretedBagContent();

-                    PrivateKeyInfo pkeyinfo = privkeyinfo.decrypt(password, new PasswordConverter());

+                    byte[] epki = bag.getBagContent().getEncoded();

                     SET bagAttrs = bag.getBagAttributes();

                     String subjectDN = null;

@@ -910,9 +908,10 @@ public class ConfigurationUtils {

                         }

                     }

-                    // pkeyinfo_v stores private key (PrivateKeyInfo) and subject DN (String)

+                    // pkeyinfo_v stores EncryptedPrivateKeyInfo

+                    // (byte[]) and subject DN (String)

                     Vector<Object> pkeyinfo_v = new Vector<Object>();

-                    pkeyinfo_v.addElement(pkeyinfo);

+                    pkeyinfo_v.addElement(epki);

                     if (subjectDN != null)

                         pkeyinfo_v.addElement(subjectDN);

@@ -971,7 +970,7 @@ public class ConfigurationUtils {

             }

         }

-        importKeyCert(pkeyinfo_collection, cert_collection);

+        importKeyCert(password, pkeyinfo_collection, cert_collection);

     }

     public static void verifySystemCertificates() throws Exception {

@@ -1012,6 +1011,7 @@ public class ConfigurationUtils {

     }

     public static void importKeyCert(

+            Password password,

             Vector<Vector<Object>> pkeyinfo_collection,

             Vector<Vector<Object>> cert_collection

             ) throws Exception {

@@ -1028,7 +1028,7 @@ public class ConfigurationUtils {

         CMS.debug("Importing new keys:");

         for (int i = 0; i < pkeyinfo_collection.size(); i++) {

             Vector<Object> pkeyinfo_v = pkeyinfo_collection.elementAt(i);

-            PrivateKeyInfo pkeyinfo = (PrivateKeyInfo) pkeyinfo_v.elementAt(0);

+            byte[] epki = (byte[]) pkeyinfo_v.elementAt(0);

             String nickname = (String) pkeyinfo_v.elementAt(1);

             CMS.debug("- Key: " + nickname);

@@ -1037,11 +1037,6 @@ public class ConfigurationUtils {

                 continue;

             }

-            // encode private key

-            ByteArrayOutputStream bos = new ByteArrayOutputStream();

-            pkeyinfo.encode(bos);

-            byte[] pkey = bos.toByteArray();

-

             CMS.debug("  Find cert with subject DN " + nickname);

             // TODO: use better mechanism to find the cert

             byte[] x509cert = getX509Cert(nickname, cert_collection);

@@ -1063,16 +1058,9 @@ public class ConfigurationUtils {

                 // this is OK

             }

-            // encrypt private key

-            SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true);

-            byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };

-            IVParameterSpec param = new IVParameterSpec(iv);

-            byte[] encpkey = CryptoUtil.encryptUsingSymmetricKey(token, sk, pkey, EncryptionAlgorithm.DES3_CBC_PAD, param);

-

-            // unwrap private key to load into database

-            KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);

-            wrapper.initUnwrap(sk, param);

-            wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publicKey), publicKey);

+            // import private key into database

+            store.importEncryptedPrivateKeyInfo(

+                new PasswordConverter(), password, nickname, publicKey, epki);

         }

         CMS.debug("Importing new certificates:");

-- 

1.8.3.1

From 3fb95590cdf0e45418fa0be7a020691567ef152a Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Fri, 5 May 2017 20:13:07 +1000

Subject: [PATCH 05/10] Delete unused methods

Change-Id: I81d3aa98a05208b2f5b1be3700c2e0759b387203

---

 .../cms/servlet/csadmin/ConfigurationUtils.java    | 103 ---------------------

 1 file changed, 103 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java

index 07c64af..c9a375f 100644

--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java

+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java

@@ -1203,13 +1203,6 @@ public class ConfigurationUtils {

         return null;

     }

-    public static org.mozilla.jss.crypto.PrivateKey.Type getPrivateKeyType(PublicKey pubkey) {

-        if (pubkey.getAlgorithm().equals("EC")) {

-            return org.mozilla.jss.crypto.PrivateKey.Type.EC;

-        }

-        return org.mozilla.jss.crypto.PrivateKey.Type.RSA;

-    }

-

     public static boolean isCASigningCert(String name) throws EBaseException {

         IConfigStore cs = CMS.getConfigStore();

         try {

@@ -3495,102 +3488,6 @@ public class ConfigurationUtils {

         }

     }

-    public static void addKeyBag(PrivateKey pkey, X509Certificate x509cert,

-            Password pass, byte[] localKeyId, SEQUENCE safeContents)

-            throws NoSuchAlgorithmException, InvalidBERException, InvalidKeyException,

-            InvalidAlgorithmParameterException, NotInitializedException, TokenException, IllegalStateException,

-            IllegalBlockSizeException, BadPaddingException, CharConversionException {

-

-        PasswordConverter passConverter = new PasswordConverter();

-

-        SecureRandom random = SecureRandom.getInstance("SHA1PRNG");

-        byte salt[] = random.generateSeed(4); // 4 bytes salt

-        byte[] priData = getEncodedKey(pkey);

-

-        PrivateKeyInfo pki = (PrivateKeyInfo)

-                ASN1Util.decode(PrivateKeyInfo.getTemplate(), priData);

-        ASN1Value key = EncryptedPrivateKeyInfo.createPBE(

-                PBEAlgorithm.PBE_SHA1_DES3_CBC,

-                pass, salt, 1, passConverter, pki);

-        SET keyAttrs = createBagAttrs(

-                x509cert.getSubjectDN().toString(), localKeyId);

-        SafeBag keyBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG,

-                key, keyAttrs);

-        safeContents.addElement(keyBag);

-

-    }

-

-    public static byte[] addCertBag(X509Certificate x509cert, String nickname,

-            SEQUENCE safeContents) throws CertificateEncodingException, NoSuchAlgorithmException,

-            CharConversionException {

-        byte[] localKeyId = null;

-

-        ASN1Value cert = new OCTET_STRING(x509cert.getEncoded());

-        localKeyId = createLocalKeyId(x509cert);

-        SET certAttrs = null;

-        if (nickname != null)

-            certAttrs = createBagAttrs(nickname, localKeyId);

-        SafeBag certBag = new SafeBag(SafeBag.CERT_BAG,

-                new CertBag(CertBag.X509_CERT_TYPE, cert), certAttrs);

-        safeContents.addElement(certBag);

-

-        return localKeyId;

-    }

-

-    public static byte[] getEncodedKey(PrivateKey pkey) throws NotInitializedException, NoSuchAlgorithmException,

-            TokenException, IllegalStateException, CharConversionException, InvalidKeyException,

-            InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {

-        CryptoManager cm = CryptoManager.getInstance();

-        CryptoToken token = cm.getInternalKeyStorageToken();

-        KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3);

-        SymmetricKey sk = kg.generate();

-        KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);

-        byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };

-        IVParameterSpec param = new IVParameterSpec(iv);

-        wrapper.initWrap(sk, param);

-        byte[] enckey = wrapper.wrap(pkey);

-        Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);

-        c.initDecrypt(sk, param);

-        byte[] recovered = c.doFinal(enckey);

-        return recovered;

-    }

-

-    public static byte[] createLocalKeyId(X509Certificate cert)

-            throws NoSuchAlgorithmException, CertificateEncodingException {

-

-        // SHA1 hash of the X509Cert der encoding

-        byte certDer[] = cert.getEncoded();

-

-        MessageDigest md = MessageDigest.getInstance("SHA");

-

-        md.update(certDer);

-        return md.digest();

-

-    }

-

-    public static SET createBagAttrs(String nickName, byte localKeyId[]) throws CharConversionException {

-

-        SET attrs = new SET();

-        SEQUENCE nickNameAttr = new SEQUENCE();

-

-        nickNameAttr.addElement(SafeBag.FRIENDLY_NAME);

-        SET nickNameSet = new SET();

-

-        nickNameSet.addElement(new BMPString(nickName));

-        nickNameAttr.addElement(nickNameSet);

-        attrs.addElement(nickNameAttr);

-        SEQUENCE localKeyAttr = new SEQUENCE();

-

-        localKeyAttr.addElement(SafeBag.LOCAL_KEY_ID);

-        SET localKeySet = new SET();

-

-        localKeySet.addElement(new OCTET_STRING(localKeyId));

-        localKeyAttr.addElement(localKeySet);

-        attrs.addElement(localKeyAttr);

-        return attrs;

-

-    }

-

     public static void createAdminCertificate(String certRequest, String certRequestType, String subject)

             throws Exception {

         IConfigStore cs = CMS.getConfigStore();

-- 

1.8.3.1

From f26b3aaee1cf36941f387b464b937ffee1403048 Mon Sep 17 00:00:00 2001

From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>

Date: Fri, 5 May 2017 11:44:17 -0700

Subject: [PATCH 06/10] Non server keygen issue in SCP03.

Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663

We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance , we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue.

---

 .../server/tps/channel/SecureChannel.java          |  4 +-

 .../server/tps/processor/TPSProcessor.java         | 51 +++++++++++++++-------

 2 files changed, 37 insertions(+), 18 deletions(-)

diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java

index fc5472c..5e5646b 100644

--- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java

+++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java

@@ -148,8 +148,8 @@ public class SecureChannel {

         CMS.debug("SecureChannel.SecureChannel: For SCP03. :  ");

-        CMS.debug("kekDesKey: " + kekDesKey.toHexString());

-        CMS.debug("keyCheck: " + keyCheck.toHexString());

+        if (keyCheck != null)

+            CMS.debug("keyCheck: " + keyCheck.toHexString());

         this.platProtInfo = platformInfo;

         this.processor = processor;

diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java

index 0cfac59..0f96915 100644

--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java

+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java

@@ -33,6 +33,8 @@ import java.util.List;

 import java.util.Map;

 import java.util.Set;

+import netscape.security.x509.RevocationReason;

+

 import org.dogtagpki.server.tps.TPSSession;

 import org.dogtagpki.server.tps.TPSSubsystem;

 import org.dogtagpki.server.tps.authentication.AuthUIParameter;

@@ -100,8 +102,6 @@ import com.netscape.cms.servlet.tks.SecureChannelProtocol;

 import com.netscape.cmsutil.crypto.CryptoUtil;

 import com.netscape.symkey.SessionKey;

-import netscape.security.x509.RevocationReason;

-

 public class TPSProcessor {

     public static final int RESULT_NO_ERROR = 0;

@@ -923,20 +923,39 @@ public class TPSProcessor {

             TPSBuffer drmDesKeyBuff = resp.getDRM_Trans_DesKey();

             TPSBuffer kekDesKeyBuff = resp.getKekWrappedDesKey();

-            CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString());

-            CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString());

-            CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString());

-            CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString());

-            CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString());

-            CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString());

-            CMS.debug(method + " kekDesKeyBuff: " + kekDesKeyBuff.toHexString());

-

-            encSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,

-                    encSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);

-            macSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,

-                    macSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);

-            kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,

-                    kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);

+            if (encSessionKeyBuff != null)

+                CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString());

+

+            if (kekSessionKeyBuff != null)

+                CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString());

+

+            if (macSessionKeyBuff != null)

+                CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString());

+

+            if (hostCryptogramBuff != null)

+                CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString());

+

+            if (keyCheckBuff != null)

+                CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString());

+

+            if (drmDesKeyBuff != null)

+                CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString());

+

+            if (kekDesKeyBuff != null)

+                CMS.debug(method + " kekDesKeyBuff: " + kekDesKeyBuff.toHexString());

+

+

+            if (encSessionKeyBuff != null)

+                encSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,

+                        encSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);

+

+            if (macSessionKeyBuff != null)

+                macSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,

+                        macSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);

+

+            if (kekSessionKeyBuff != null)

+                kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,

+                        kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);

             channel = new SecureChannel(this, encSessionKeySCP03, macSessionKeySCP03, kekSessionKeySCP03,

                     drmDesKeyBuff, kekDesKeyBuff,

-- 

1.8.3.1

From f84bfab30647ae1492fcdca0a026bfa4d91350c9 Mon Sep 17 00:00:00 2001

From: Ade Lee <alee@redhat.com>

Date: Mon, 1 May 2017 15:56:58 -0400

Subject: [PATCH 07/10] Make sure generated asym keys are extractable

In HSMs, we were not able to retrieve asym keys that were

generated from the AsymKeyGenService, because the right