|
 |
f8ded1 |
From c95cff5899e2975b16db61b811b626742e5e7114 Mon Sep 17 00:00:00 2001
|
|
|
f8ded1 |
From: Christina Fu <cfu@redhat.com>
|
|
|
f8ded1 |
Date: Mon, 1 May 2017 17:48:33 -0700
|
|
|
f8ded1 |
Subject: [PATCH 01/10] Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false
|
|
|
f8ded1 |
would cause error This patch would fix the issue. It also adds the
|
|
|
f8ded1 |
CMCUserSignedAuth authentication instance that was missed in the CS.cfg
|
|
|
f8ded1 |
|
|
|
f8ded1 |
---
|
|
|
f8ded1 |
base/ca/shared/conf/CS.cfg | 1 +
|
|
|
f8ded1 |
.../cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 8 +++-----
|
|
|
f8ded1 |
2 files changed, 4 insertions(+), 5 deletions(-)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
|
|
|
f8ded1 |
index 078abee..3eb5b1b 100644
|
|
|
f8ded1 |
--- a/base/ca/shared/conf/CS.cfg
|
|
|
f8ded1 |
+++ b/base/ca/shared/conf/CS.cfg
|
|
|
f8ded1 |
@@ -180,6 +180,7 @@ auths.impl.SessionAuthentication.class=com.netscape.cms.authentication.SessionAu
|
|
|
f8ded1 |
auths.instance.TokenAuth.pluginName=TokenAuth
|
|
|
f8ded1 |
auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
|
|
|
f8ded1 |
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
|
|
|
f8ded1 |
+auths.instance.CMCUserSignedAuth.pluginName=CMCUserSignedAuth
|
|
|
f8ded1 |
auths.instance.raCertAuth.agentGroup=Registration Manager Agents
|
|
|
f8ded1 |
auths.instance.raCertAuth.pluginName=AgentCertAuth
|
|
|
f8ded1 |
auths.instance.flatFileAuth.pluginName=FlatFileAuth
|
|
|
f8ded1 |
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
f8ded1 |
index 57f07d1..7d52fc8 100644
|
|
|
f8ded1 |
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
f8ded1 |
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
f8ded1 |
@@ -885,10 +885,7 @@ public abstract class EnrollProfile extends BasicProfile
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
int nummsgs = reqSeq.size();
|
|
|
f8ded1 |
- if (!popLinkWitnessRequired) {
|
|
|
f8ded1 |
- CMS.debug(method + "popLinkWitnessRequired false, skip check");
|
|
|
f8ded1 |
- } else if (nummsgs > 0) {
|
|
|
f8ded1 |
- CMS.debug(method + "cmc.popLinkWitnessRequired is true");
|
|
|
f8ded1 |
+ if (nummsgs > 0) {
|
|
|
f8ded1 |
CMS.debug(method + "nummsgs =" + nummsgs);
|
|
|
f8ded1 |
msgs = new TaggedRequest[reqSeq.size()];
|
|
|
f8ded1 |
SEQUENCE bpids = new SEQUENCE();
|
|
|
f8ded1 |
@@ -896,7 +893,8 @@ public abstract class EnrollProfile extends BasicProfile
|
|
|
f8ded1 |
boolean valid = true;
|
|
|
f8ded1 |
for (int i = 0; i < nummsgs; i++) {
|
|
|
f8ded1 |
msgs[i] = (TaggedRequest) reqSeq.elementAt(i);
|
|
|
f8ded1 |
- if (!context.containsKey("POPLinkWitnessV2") &&
|
|
|
f8ded1 |
+ if (popLinkWitnessRequired &&
|
|
|
f8ded1 |
+ !context.containsKey("POPLinkWitnessV2") &&
|
|
|
f8ded1 |
!context.containsKey("POPLinkWitness")) {
|
|
|
f8ded1 |
CMS.debug(method + "popLinkWitness(V2) required");
|
|
|
f8ded1 |
if (randomSeed == null) {
|
|
|
f8ded1 |
--
|
|
|
f8ded1 |
1.8.3.1
|
|
|
f8ded1 |
|
|
|
f8ded1 |
|
|
|
f8ded1 |
From 220e35d2b5610cb051831b990451b3b3ff53604e Mon Sep 17 00:00:00 2001
|
|
|
f8ded1 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
f8ded1 |
Date: Tue, 2 May 2017 21:44:36 +1000
|
|
|
f8ded1 |
Subject: [PATCH 02/10] CAInfoService: retrieve info from KRA
|
|
|
f8ded1 |
|
|
|
f8ded1 |
The CAInfoService returns CA configuration info, including
|
|
|
f8ded1 |
KRA-related values the CA clients may need to know (e.g. for
|
|
|
f8ded1 |
generating a CRMF cert request that will cause keys to be archived
|
|
|
f8ded1 |
in KRA). Currently that information is statically configured and
|
|
|
f8ded1 |
does not respect the actual configuration of the KRA.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Update the service to retrieve info from the KRA, which is queried
|
|
|
f8ded1 |
according to the KRA Connector configuration. After the KRA has
|
|
|
f8ded1 |
been successfully contacted, the recorded KRA-related settings are
|
|
|
f8ded1 |
regarded as authoritative.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
The KRA is contacted ONLY if the current info is NOT authoritative,
|
|
|
f8ded1 |
otherwise the currently recorded values are used. This means that
|
|
|
f8ded1 |
any change to relevant KRA configuration (which should occur seldom
|
|
|
f8ded1 |
if ever) necessitates restart of the CA subsystem.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
If this is unsuccessful (e.g. if the KRA is down or the connector is
|
|
|
f8ded1 |
misconfigured) we use the default values, which may be incorrect.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Fixes: https://pagure.io/dogtagpki/issue/2665
|
|
|
f8ded1 |
Change-Id: I30a37c42ef9327471e8cce8a171f79f388fec746
|
|
|
f8ded1 |
---
|
|
|
f8ded1 |
.../org/dogtagpki/server/rest/CAInfoService.java | 143 ++++++++++++++++++---
|
|
|
f8ded1 |
1 file changed, 126 insertions(+), 17 deletions(-)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
|
|
|
f8ded1 |
index f4724a6..398f499 100644
|
|
|
f8ded1 |
--- a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
|
|
|
f8ded1 |
+++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
|
|
|
f8ded1 |
@@ -18,26 +18,63 @@
|
|
|
f8ded1 |
|
|
|
f8ded1 |
package org.dogtagpki.server.rest;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
+import java.net.MalformedURLException;
|
|
|
f8ded1 |
+import java.net.URISyntaxException;
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
import javax.servlet.http.HttpSession;
|
|
|
f8ded1 |
import javax.ws.rs.core.Response;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import org.dogtagpki.common.CAInfo;
|
|
|
f8ded1 |
import org.dogtagpki.common.CAInfoResource;
|
|
|
f8ded1 |
+import org.dogtagpki.common.KRAInfo;
|
|
|
f8ded1 |
+import org.dogtagpki.common.KRAInfoClient;
|
|
|
f8ded1 |
import org.slf4j.Logger;
|
|
|
f8ded1 |
import org.slf4j.LoggerFactory;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import com.netscape.certsrv.apps.CMS;
|
|
|
f8ded1 |
import com.netscape.certsrv.base.EBaseException;
|
|
|
f8ded1 |
import com.netscape.certsrv.base.IConfigStore;
|
|
|
f8ded1 |
+import com.netscape.certsrv.base.PKIException;
|
|
|
f8ded1 |
+import com.netscape.certsrv.client.ClientConfig;
|
|
|
f8ded1 |
+import com.netscape.certsrv.client.PKIClient;
|
|
|
f8ded1 |
+import com.netscape.certsrv.system.KRAConnectorInfo;
|
|
|
f8ded1 |
+import com.netscape.cms.servlet.admin.KRAConnectorProcessor;
|
|
|
f8ded1 |
import com.netscape.cms.servlet.base.PKIService;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
/**
|
|
|
f8ded1 |
* @author Ade Lee
|
|
|
f8ded1 |
+ *
|
|
|
f8ded1 |
+ * This class returns CA info, including KRA-related values the CA
|
|
|
f8ded1 |
+ * clients may need to know (e.g. for generating a CRMF cert request
|
|
|
f8ded1 |
+ * that will cause keys to be archived in KRA).
|
|
|
f8ded1 |
+ *
|
|
|
f8ded1 |
+ * The KRA-related info is read from the KRAInfoService, which is
|
|
|
f8ded1 |
+ * queried according to the KRA Connector configuration. After
|
|
|
f8ded1 |
+ * the KRAInfoService has been successfully contacted, the recorded
|
|
|
f8ded1 |
+ * KRA-related settings are regarded as authoritative.
|
|
|
f8ded1 |
+ *
|
|
|
f8ded1 |
+ * The KRA is contacted ONLY if the current info is NOT
|
|
|
f8ded1 |
+ * authoritative, otherwise the currently recorded values are used.
|
|
|
f8ded1 |
+ * This means that any change to relevant KRA configuration (which
|
|
|
f8ded1 |
+ * should occur seldom if ever) necessitates restart of the CA
|
|
|
f8ded1 |
+ * subsystem.
|
|
|
f8ded1 |
+ *
|
|
|
f8ded1 |
+ * If this is unsuccessful (e.g. if the KRA is down or the
|
|
|
f8ded1 |
+ * connector is misconfigured) we use the default values, which
|
|
|
f8ded1 |
+ * may be incorrect.
|
|
|
f8ded1 |
*/
|
|
|
f8ded1 |
public class CAInfoService extends PKIService implements CAInfoResource {
|
|
|
f8ded1 |
|
|
|
f8ded1 |
private static Logger logger = LoggerFactory.getLogger(InfoService.class);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
+ // is the current KRA-related info authoritative?
|
|
|
f8ded1 |
+ private static boolean kraInfoAuthoritative = false;
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ // KRA-related fields (the initial values are only used if we
|
|
|
f8ded1 |
+ // did not yet receive authoritative info from KRA)
|
|
|
f8ded1 |
+ private static String archivalMechanism = KRAInfoService.KEYWRAP_MECHANISM;
|
|
|
f8ded1 |
+ private static String wrappingKeySet = "0";
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
@Override
|
|
|
f8ded1 |
public Response getInfo() throws Exception {
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@@ -45,30 +82,102 @@ public class CAInfoService extends PKIService implements CAInfoResource {
|
|
|
f8ded1 |
logger.debug("CAInfoService.getInfo(): session: " + session.getId());
|
|
|
f8ded1 |
|
|
|
f8ded1 |
CAInfo info = new CAInfo();
|
|
|
f8ded1 |
- String archivalMechanism = getArchivalMechanism();
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- if (archivalMechanism != null)
|
|
|
f8ded1 |
- info.setArchivalMechanism(getArchivalMechanism());
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- info.setWrappingKeySet(getWrappingKeySet());
|
|
|
f8ded1 |
+ addKRAInfo(info);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
return createOKResponse(info);
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- String getArchivalMechanism() throws EBaseException {
|
|
|
f8ded1 |
- IConfigStore cs = CMS.getConfigStore();
|
|
|
f8ded1 |
- boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);
|
|
|
f8ded1 |
- if (!kra_present) return null;
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
|
|
|
f8ded1 |
- return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM;
|
|
|
f8ded1 |
+ /**
|
|
|
f8ded1 |
+ * Add KRA fields if KRA is configured, querying the KRA
|
|
|
f8ded1 |
+ * if necessary.
|
|
|
f8ded1 |
+ *
|
|
|
f8ded1 |
+ * Apart from reading 'headers', this method doesn't access
|
|
|
f8ded1 |
+ * any instance data.
|
|
|
f8ded1 |
+ */
|
|
|
f8ded1 |
+ private void addKRAInfo(CAInfo info) {
|
|
|
f8ded1 |
+ KRAConnectorInfo connInfo = null;
|
|
|
f8ded1 |
+ try {
|
|
|
f8ded1 |
+ KRAConnectorProcessor processor =
|
|
|
f8ded1 |
+ new KRAConnectorProcessor(getLocale(headers));
|
|
|
f8ded1 |
+ connInfo = processor.getConnectorInfo();
|
|
|
f8ded1 |
+ } catch (Throwable e) {
|
|
|
f8ded1 |
+ // connInfo remains as null
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ boolean kraEnabled =
|
|
|
f8ded1 |
+ connInfo != null
|
|
|
f8ded1 |
+ && "true".equalsIgnoreCase(connInfo.getEnable());
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (kraEnabled) {
|
|
|
f8ded1 |
+ if (!kraInfoAuthoritative) {
|
|
|
f8ded1 |
+ // KRA is enabled but we are yet to successfully
|
|
|
f8ded1 |
+ // query the KRA-related info. Do it now.
|
|
|
f8ded1 |
+ queryKRAInfo(connInfo);
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ info.setArchivalMechanism(archivalMechanism);
|
|
|
f8ded1 |
+ info.setWrappingKeySet(wrappingKeySet);
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- String getWrappingKeySet() throws EBaseException {
|
|
|
f8ded1 |
- IConfigStore cs = CMS.getConfigStore();
|
|
|
f8ded1 |
- boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);
|
|
|
f8ded1 |
- if (!kra_present) return null;
|
|
|
f8ded1 |
+ private static void queryKRAInfo(KRAConnectorInfo connInfo) {
|
|
|
f8ded1 |
+ try {
|
|
|
f8ded1 |
+ KRAInfo kraInfo = getKRAInfoClient(connInfo).getInfo();
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ archivalMechanism = kraInfo.getArchivalMechanism();
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ // request succeeded; the KRA is 10.4 or higher,
|
|
|
f8ded1 |
+ // therefore supports key set v1
|
|
|
f8ded1 |
+ wrappingKeySet = "1";
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ // mark info as authoritative
|
|
|
f8ded1 |
+ kraInfoAuthoritative = true;
|
|
|
f8ded1 |
+ } catch (PKIException e) {
|
|
|
f8ded1 |
+ if (e.getCode() == 404) {
|
|
|
f8ded1 |
+ // The KRAInfoResource was added in 10.4,
|
|
|
f8ded1 |
+ // so we are talking to a pre-10.4 KRA
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ // pre-10.4 only supports key set v0
|
|
|
f8ded1 |
+ wrappingKeySet = "0";
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ // pre-10.4 KRA does not advertise the archival
|
|
|
f8ded1 |
+ // mechanism; look for the old knob in CA's config
|
|
|
f8ded1 |
+ // or fall back to the default
|
|
|
f8ded1 |
+ IConfigStore cs = CMS.getConfigStore();
|
|
|
f8ded1 |
+ boolean encrypt_archival;
|
|
|
f8ded1 |
+ try {
|
|
|
f8ded1 |
+ encrypt_archival = cs.getBoolean(
|
|
|
f8ded1 |
+ "kra.allowEncDecrypt.archival", false);
|
|
|
f8ded1 |
+ } catch (EBaseException e1) {
|
|
|
f8ded1 |
+ encrypt_archival = false;
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ archivalMechanism = encrypt_archival
|
|
|
f8ded1 |
+ ? KRAInfoService.ENCRYPT_MECHANISM
|
|
|
f8ded1 |
+ : KRAInfoService.KEYWRAP_MECHANISM;
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ // mark info as authoritative
|
|
|
f8ded1 |
+ kraInfoAuthoritative = true;
|
|
|
f8ded1 |
+ } else {
|
|
|
f8ded1 |
+ CMS.debug("Failed to retrieve archive wrapping information from the CA: " + e);
|
|
|
f8ded1 |
+ CMS.debug(e);
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ } catch (Throwable e) {
|
|
|
f8ded1 |
+ CMS.debug("Failed to retrieve archive wrapping information from the CA: " + e);
|
|
|
f8ded1 |
+ CMS.debug(e);
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- return cs.getString("kra.wrappingKeySet", "1");
|
|
|
f8ded1 |
+ /**
|
|
|
f8ded1 |
+ * Construct KRAInfoClient given KRAConnectorInfo
|
|
|
f8ded1 |
+ */
|
|
|
f8ded1 |
+ private static KRAInfoClient getKRAInfoClient(KRAConnectorInfo connInfo)
|
|
|
f8ded1 |
+ throws MalformedURLException, URISyntaxException, EBaseException {
|
|
|
f8ded1 |
+ ClientConfig config = new ClientConfig();
|
|
|
f8ded1 |
+ int port = Integer.parseInt(connInfo.getPort());
|
|
|
f8ded1 |
+ config.setServerURL("https", connInfo.getHost(), port);
|
|
|
f8ded1 |
+ config.setCertDatabase(
|
|
|
f8ded1 |
+ CMS.getConfigStore().getString("instanceRoot") + "/alias");
|
|
|
f8ded1 |
+ return new KRAInfoClient(new PKIClient(config), "kra");
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
--
|
|
|
f8ded1 |
1.8.3.1
|
|
|
f8ded1 |
|
|
|
f8ded1 |
|
|
|
f8ded1 |
From c64d6331d52dcf07108226c5dff26bd8b6c41e70 Mon Sep 17 00:00:00 2001
|
|
|
f8ded1 |
From: Christian Heimes <cheimes@redhat.com>
|
|
|
f8ded1 |
Date: Thu, 4 May 2017 10:36:49 +0200
|
|
|
f8ded1 |
Subject: [PATCH 03/10] pki.authority: Don't send header as POST body
|
|
|
f8ded1 |
|
|
|
f8ded1 |
pki.authority was mistakenly sending headers as POST body instead of
|
|
|
f8ded1 |
sending an empty POST body with right headers.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Change-Id: I6a5089e55233cf72f4d8e79832150e7c45f0fdae
|
|
|
f8ded1 |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
f8ded1 |
---
|
|
|
f8ded1 |
base/common/python/pki/authority.py | 14 +++++++-------
|
|
|
f8ded1 |
1 file changed, 7 insertions(+), 7 deletions(-)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py
|
|
|
f8ded1 |
index 9fa459c..0d83a4b 100644
|
|
|
f8ded1 |
--- a/base/common/python/pki/authority.py
|
|
|
f8ded1 |
+++ b/base/common/python/pki/authority.py
|
|
|
f8ded1 |
@@ -140,7 +140,7 @@ class AuthorityClient(object):
|
|
|
f8ded1 |
url = self.ca_url + '/' + str(aid)
|
|
|
f8ded1 |
headers = {'Content-type': 'application/json',
|
|
|
f8ded1 |
'Accept': 'application/json'}
|
|
|
f8ded1 |
- r = self.connection.get(url, headers)
|
|
|
f8ded1 |
+ r = self.connection.get(url, headers=headers)
|
|
|
f8ded1 |
return AuthorityData.from_json(r.json())
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@pki.handle_exceptions()
|
|
|
f8ded1 |
@@ -167,7 +167,7 @@ class AuthorityClient(object):
|
|
|
f8ded1 |
raise ValueError(
|
|
|
f8ded1 |
"Invalid format passed in - PEM or DER expected.")
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- r = self.connection.get(url, headers)
|
|
|
f8ded1 |
+ r = self.connection.get(url, headers=headers)
|
|
|
f8ded1 |
return r.text
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@pki.handle_exceptions()
|
|
|
f8ded1 |
@@ -189,7 +189,7 @@ class AuthorityClient(object):
|
|
|
f8ded1 |
elif output_format == "PKCS7":
|
|
|
f8ded1 |
headers['Accept'] = "application/pkcs7-mime"
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- r = self.connection.get(url, headers)
|
|
|
f8ded1 |
+ r = self.connection.get(url, headers=headers)
|
|
|
f8ded1 |
return r.text
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@pki.handle_exceptions()
|
|
|
f8ded1 |
@@ -238,7 +238,7 @@ class AuthorityClient(object):
|
|
|
f8ded1 |
response = self.connection.post(
|
|
|
f8ded1 |
self.ca_url,
|
|
|
f8ded1 |
create_request,
|
|
|
f8ded1 |
- headers)
|
|
|
f8ded1 |
+ headers=headers)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
new_ca = AuthorityData.from_json(response.json())
|
|
|
f8ded1 |
return new_ca
|
|
|
f8ded1 |
@@ -257,7 +257,7 @@ class AuthorityClient(object):
|
|
|
f8ded1 |
headers = {'Content-type': 'application/json',
|
|
|
f8ded1 |
'Accept': 'application/json'}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- self.connection.post(url, headers)
|
|
|
f8ded1 |
+ self.connection.post(url, None, headers=headers)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@pki.handle_exceptions()
|
|
|
f8ded1 |
def disable_ca(self, aid):
|
|
|
f8ded1 |
@@ -272,7 +272,7 @@ class AuthorityClient(object):
|
|
|
f8ded1 |
headers = {'Content-type': 'application/json',
|
|
|
f8ded1 |
'Accept': 'application/json'}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- self.connection.post(url, headers)
|
|
|
f8ded1 |
+ self.connection.post(url, None, headers=headers)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@pki.handle_exceptions()
|
|
|
f8ded1 |
def delete_ca(self, aid):
|
|
|
f8ded1 |
@@ -287,7 +287,7 @@ class AuthorityClient(object):
|
|
|
f8ded1 |
headers = {'Content-type': 'application/json',
|
|
|
f8ded1 |
'Accept': 'application/json'}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- self.connection.delete(url, headers)
|
|
|
f8ded1 |
+ self.connection.delete(url, headers=headers)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
|
|
|
f8ded1 |
encoder.NOTYPES['AuthorityData'] = AuthorityData
|
|
|
f8ded1 |
--
|
|
|
f8ded1 |
1.8.3.1
|
|
|
f8ded1 |
|
|
|
f8ded1 |
|
|
|
f8ded1 |
From 62a78bfa227b5e75a7cb931d7e65e824f5fe01ec Mon Sep 17 00:00:00 2001
|
|
|
f8ded1 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
f8ded1 |
Date: Fri, 5 May 2017 19:54:15 +1000
|
|
|
f8ded1 |
Subject: [PATCH 04/10] Fix PKCS #12 import during clone installation
|
|
|
f8ded1 |
|
|
|
f8ded1 |
PKCS #12 export was updated to use AES / PBES2 encryption for the
|
|
|
f8ded1 |
key bags, but an import code path used when spawning a clone was
|
|
|
f8ded1 |
missed, and now fails (because it doesn't grok PBES2).
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Update it to use CryptoStore.importEncryptedPrivateKeyInfo()
|
|
|
f8ded1 |
instead, fixing the problem.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Fixes: https://pagure.io/dogtagpki/issue/2677
|
|
|
f8ded1 |
Change-Id: I11f26ae8a4811f27690541f2c70b3a2adb6264e9
|
|
|
f8ded1 |
---
|
|
|
f8ded1 |
.../cms/servlet/csadmin/ConfigurationUtils.java | 32 +++++++---------------
|
|
|
f8ded1 |
1 file changed, 10 insertions(+), 22 deletions(-)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
f8ded1 |
index ee1984b..07c64af 100644
|
|
|
f8ded1 |
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
f8ded1 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
f8ded1 |
@@ -886,9 +886,7 @@ public class ConfigurationUtils {
|
|
|
f8ded1 |
if (oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) {
|
|
|
f8ded1 |
|
|
|
f8ded1 |
CMS.debug(" - Bag #" + j + ": key");
|
|
|
f8ded1 |
- EncryptedPrivateKeyInfo privkeyinfo =
|
|
|
f8ded1 |
- (EncryptedPrivateKeyInfo) bag.getInterpretedBagContent();
|
|
|
f8ded1 |
- PrivateKeyInfo pkeyinfo = privkeyinfo.decrypt(password, new PasswordConverter());
|
|
|
f8ded1 |
+ byte[] epki = bag.getBagContent().getEncoded();
|
|
|
f8ded1 |
|
|
|
f8ded1 |
SET bagAttrs = bag.getBagAttributes();
|
|
|
f8ded1 |
String subjectDN = null;
|
|
|
f8ded1 |
@@ -910,9 +908,10 @@ public class ConfigurationUtils {
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- // pkeyinfo_v stores private key (PrivateKeyInfo) and subject DN (String)
|
|
|
f8ded1 |
+ // pkeyinfo_v stores EncryptedPrivateKeyInfo
|
|
|
f8ded1 |
+ // (byte[]) and subject DN (String)
|
|
|
f8ded1 |
Vector<Object> pkeyinfo_v = new Vector<Object>();
|
|
|
f8ded1 |
- pkeyinfo_v.addElement(pkeyinfo);
|
|
|
f8ded1 |
+ pkeyinfo_v.addElement(epki);
|
|
|
f8ded1 |
if (subjectDN != null)
|
|
|
f8ded1 |
pkeyinfo_v.addElement(subjectDN);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@@ -971,7 +970,7 @@ public class ConfigurationUtils {
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- importKeyCert(pkeyinfo_collection, cert_collection);
|
|
|
f8ded1 |
+ importKeyCert(password, pkeyinfo_collection, cert_collection);
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
public static void verifySystemCertificates() throws Exception {
|
|
|
f8ded1 |
@@ -1012,6 +1011,7 @@ public class ConfigurationUtils {
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
public static void importKeyCert(
|
|
|
f8ded1 |
+ Password password,
|
|
|
f8ded1 |
Vector<Vector<Object>> pkeyinfo_collection,
|
|
|
f8ded1 |
Vector<Vector<Object>> cert_collection
|
|
|
f8ded1 |
) throws Exception {
|
|
|
f8ded1 |
@@ -1028,7 +1028,7 @@ public class ConfigurationUtils {
|
|
|
f8ded1 |
CMS.debug("Importing new keys:");
|
|
|
f8ded1 |
for (int i = 0; i < pkeyinfo_collection.size(); i++) {
|
|
|
f8ded1 |
Vector<Object> pkeyinfo_v = pkeyinfo_collection.elementAt(i);
|
|
|
f8ded1 |
- PrivateKeyInfo pkeyinfo = (PrivateKeyInfo) pkeyinfo_v.elementAt(0);
|
|
|
f8ded1 |
+ byte[] epki = (byte[]) pkeyinfo_v.elementAt(0);
|
|
|
f8ded1 |
String nickname = (String) pkeyinfo_v.elementAt(1);
|
|
|
f8ded1 |
CMS.debug("- Key: " + nickname);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@@ -1037,11 +1037,6 @@ public class ConfigurationUtils {
|
|
|
f8ded1 |
continue;
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- // encode private key
|
|
|
f8ded1 |
- ByteArrayOutputStream bos = new ByteArrayOutputStream();
|
|
|
f8ded1 |
- pkeyinfo.encode(bos);
|
|
|
f8ded1 |
- byte[] pkey = bos.toByteArray();
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
CMS.debug(" Find cert with subject DN " + nickname);
|
|
|
f8ded1 |
// TODO: use better mechanism to find the cert
|
|
|
f8ded1 |
byte[] x509cert = getX509Cert(nickname, cert_collection);
|
|
|
f8ded1 |
@@ -1063,16 +1058,9 @@ public class ConfigurationUtils {
|
|
|
f8ded1 |
// this is OK
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- // encrypt private key
|
|
|
f8ded1 |
- SymmetricKey sk = CryptoUtil.generateKey(token, KeyGenAlgorithm.DES3, 0, null, true);
|
|
|
f8ded1 |
- byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
|
|
|
f8ded1 |
- IVParameterSpec param = new IVParameterSpec(iv);
|
|
|
f8ded1 |
- byte[] encpkey = CryptoUtil.encryptUsingSymmetricKey(token, sk, pkey, EncryptionAlgorithm.DES3_CBC_PAD, param);
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- // unwrap private key to load into database
|
|
|
f8ded1 |
- KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
|
|
|
f8ded1 |
- wrapper.initUnwrap(sk, param);
|
|
|
f8ded1 |
- wrapper.unwrapPrivate(encpkey, getPrivateKeyType(publicKey), publicKey);
|
|
|
f8ded1 |
+ // import private key into database
|
|
|
f8ded1 |
+ store.importEncryptedPrivateKeyInfo(
|
|
|
f8ded1 |
+ new PasswordConverter(), password, nickname, publicKey, epki);
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
CMS.debug("Importing new certificates:");
|
|
|
f8ded1 |
--
|
|
|
f8ded1 |
1.8.3.1
|
|
|
f8ded1 |
|
|
|
f8ded1 |
|
|
|
f8ded1 |
From 3fb95590cdf0e45418fa0be7a020691567ef152a Mon Sep 17 00:00:00 2001
|
|
|
f8ded1 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
f8ded1 |
Date: Fri, 5 May 2017 20:13:07 +1000
|
|
|
f8ded1 |
Subject: [PATCH 05/10] Delete unused methods
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Change-Id: I81d3aa98a05208b2f5b1be3700c2e0759b387203
|
|
|
f8ded1 |
---
|
|
|
f8ded1 |
.../cms/servlet/csadmin/ConfigurationUtils.java | 103 ---------------------
|
|
|
f8ded1 |
1 file changed, 103 deletions(-)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
f8ded1 |
index 07c64af..c9a375f 100644
|
|
|
f8ded1 |
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
f8ded1 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
f8ded1 |
@@ -1203,13 +1203,6 @@ public class ConfigurationUtils {
|
|
|
f8ded1 |
return null;
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- public static org.mozilla.jss.crypto.PrivateKey.Type getPrivateKeyType(PublicKey pubkey) {
|
|
|
f8ded1 |
- if (pubkey.getAlgorithm().equals("EC")) {
|
|
|
f8ded1 |
- return org.mozilla.jss.crypto.PrivateKey.Type.EC;
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
- return org.mozilla.jss.crypto.PrivateKey.Type.RSA;
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
public static boolean isCASigningCert(String name) throws EBaseException {
|
|
|
f8ded1 |
IConfigStore cs = CMS.getConfigStore();
|
|
|
f8ded1 |
try {
|
|
|
f8ded1 |
@@ -3495,102 +3488,6 @@ public class ConfigurationUtils {
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- public static void addKeyBag(PrivateKey pkey, X509Certificate x509cert,
|
|
|
f8ded1 |
- Password pass, byte[] localKeyId, SEQUENCE safeContents)
|
|
|
f8ded1 |
- throws NoSuchAlgorithmException, InvalidBERException, InvalidKeyException,
|
|
|
f8ded1 |
- InvalidAlgorithmParameterException, NotInitializedException, TokenException, IllegalStateException,
|
|
|
f8ded1 |
- IllegalBlockSizeException, BadPaddingException, CharConversionException {
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- PasswordConverter passConverter = new PasswordConverter();
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
|
|
|
f8ded1 |
- byte salt[] = random.generateSeed(4); // 4 bytes salt
|
|
|
f8ded1 |
- byte[] priData = getEncodedKey(pkey);
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- PrivateKeyInfo pki = (PrivateKeyInfo)
|
|
|
f8ded1 |
- ASN1Util.decode(PrivateKeyInfo.getTemplate(), priData);
|
|
|
f8ded1 |
- ASN1Value key = EncryptedPrivateKeyInfo.createPBE(
|
|
|
f8ded1 |
- PBEAlgorithm.PBE_SHA1_DES3_CBC,
|
|
|
f8ded1 |
- pass, salt, 1, passConverter, pki);
|
|
|
f8ded1 |
- SET keyAttrs = createBagAttrs(
|
|
|
f8ded1 |
- x509cert.getSubjectDN().toString(), localKeyId);
|
|
|
f8ded1 |
- SafeBag keyBag = new SafeBag(SafeBag.PKCS8_SHROUDED_KEY_BAG,
|
|
|
f8ded1 |
- key, keyAttrs);
|
|
|
f8ded1 |
- safeContents.addElement(keyBag);
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- public static byte[] addCertBag(X509Certificate x509cert, String nickname,
|
|
|
f8ded1 |
- SEQUENCE safeContents) throws CertificateEncodingException, NoSuchAlgorithmException,
|
|
|
f8ded1 |
- CharConversionException {
|
|
|
f8ded1 |
- byte[] localKeyId = null;
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- ASN1Value cert = new OCTET_STRING(x509cert.getEncoded());
|
|
|
f8ded1 |
- localKeyId = createLocalKeyId(x509cert);
|
|
|
f8ded1 |
- SET certAttrs = null;
|
|
|
f8ded1 |
- if (nickname != null)
|
|
|
f8ded1 |
- certAttrs = createBagAttrs(nickname, localKeyId);
|
|
|
f8ded1 |
- SafeBag certBag = new SafeBag(SafeBag.CERT_BAG,
|
|
|
f8ded1 |
- new CertBag(CertBag.X509_CERT_TYPE, cert), certAttrs);
|
|
|
f8ded1 |
- safeContents.addElement(certBag);
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- return localKeyId;
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- public static byte[] getEncodedKey(PrivateKey pkey) throws NotInitializedException, NoSuchAlgorithmException,
|
|
|
f8ded1 |
- TokenException, IllegalStateException, CharConversionException, InvalidKeyException,
|
|
|
f8ded1 |
- InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
|
|
|
f8ded1 |
- CryptoManager cm = CryptoManager.getInstance();
|
|
|
f8ded1 |
- CryptoToken token = cm.getInternalKeyStorageToken();
|
|
|
f8ded1 |
- KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.DES3);
|
|
|
f8ded1 |
- SymmetricKey sk = kg.generate();
|
|
|
f8ded1 |
- KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
|
|
|
f8ded1 |
- byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
|
|
|
f8ded1 |
- IVParameterSpec param = new IVParameterSpec(iv);
|
|
|
f8ded1 |
- wrapper.initWrap(sk, param);
|
|
|
f8ded1 |
- byte[] enckey = wrapper.wrap(pkey);
|
|
|
f8ded1 |
- Cipher c = token.getCipherContext(EncryptionAlgorithm.DES3_CBC_PAD);
|
|
|
f8ded1 |
- c.initDecrypt(sk, param);
|
|
|
f8ded1 |
- byte[] recovered = c.doFinal(enckey);
|
|
|
f8ded1 |
- return recovered;
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- public static byte[] createLocalKeyId(X509Certificate cert)
|
|
|
f8ded1 |
- throws NoSuchAlgorithmException, CertificateEncodingException {
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- // SHA1 hash of the X509Cert der encoding
|
|
|
f8ded1 |
- byte certDer[] = cert.getEncoded();
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- MessageDigest md = MessageDigest.getInstance("SHA");
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- md.update(certDer);
|
|
|
f8ded1 |
- return md.digest();
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- public static SET createBagAttrs(String nickName, byte localKeyId[]) throws CharConversionException {
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- SET attrs = new SET();
|
|
|
f8ded1 |
- SEQUENCE nickNameAttr = new SEQUENCE();
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- nickNameAttr.addElement(SafeBag.FRIENDLY_NAME);
|
|
|
f8ded1 |
- SET nickNameSet = new SET();
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- nickNameSet.addElement(new BMPString(nickName));
|
|
|
f8ded1 |
- nickNameAttr.addElement(nickNameSet);
|
|
|
f8ded1 |
- attrs.addElement(nickNameAttr);
|
|
|
f8ded1 |
- SEQUENCE localKeyAttr = new SEQUENCE();
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- localKeyAttr.addElement(SafeBag.LOCAL_KEY_ID);
|
|
|
f8ded1 |
- SET localKeySet = new SET();
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- localKeySet.addElement(new OCTET_STRING(localKeyId));
|
|
|
f8ded1 |
- localKeyAttr.addElement(localKeySet);
|
|
|
f8ded1 |
- attrs.addElement(localKeyAttr);
|
|
|
f8ded1 |
- return attrs;
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
public static void createAdminCertificate(String certRequest, String certRequestType, String subject)
|
|
|
f8ded1 |
throws Exception {
|
|
|
f8ded1 |
IConfigStore cs = CMS.getConfigStore();
|
|
|
f8ded1 |
--
|
|
|
f8ded1 |
1.8.3.1
|
|
|
f8ded1 |
|
|
|
f8ded1 |
|
|
|
f8ded1 |
From f26b3aaee1cf36941f387b464b937ffee1403048 Mon Sep 17 00:00:00 2001
|
|
|
f8ded1 |
From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
|
|
|
f8ded1 |
Date: Fri, 5 May 2017 11:44:17 -0700
|
|
|
f8ded1 |
Subject: [PATCH 06/10] Non server keygen issue in SCP03.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663
|
|
|
f8ded1 |
|
|
|
f8ded1 |
We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance , we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue.
|
|
|
f8ded1 |
---
|
|
|
f8ded1 |
.../server/tps/channel/SecureChannel.java | 4 +-
|
|
|
f8ded1 |
.../server/tps/processor/TPSProcessor.java | 51 +++++++++++++++-------
|
|
|
f8ded1 |
2 files changed, 37 insertions(+), 18 deletions(-)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
|
|
|
f8ded1 |
index fc5472c..5e5646b 100644
|
|
|
f8ded1 |
--- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
|
|
|
f8ded1 |
+++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
|
|
|
f8ded1 |
@@ -148,8 +148,8 @@ public class SecureChannel {
|
|
|
f8ded1 |
|
|
|
f8ded1 |
CMS.debug("SecureChannel.SecureChannel: For SCP03. : ");
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- CMS.debug("kekDesKey: " + kekDesKey.toHexString());
|
|
|
f8ded1 |
- CMS.debug("keyCheck: " + keyCheck.toHexString());
|
|
|
f8ded1 |
+ if (keyCheck != null)
|
|
|
f8ded1 |
+ CMS.debug("keyCheck: " + keyCheck.toHexString());
|
|
|
f8ded1 |
|
|
|
f8ded1 |
this.platProtInfo = platformInfo;
|
|
|
f8ded1 |
this.processor = processor;
|
|
|
f8ded1 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
f8ded1 |
index 0cfac59..0f96915 100644
|
|
|
f8ded1 |
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
f8ded1 |
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
f8ded1 |
@@ -33,6 +33,8 @@ import java.util.List;
|
|
|
f8ded1 |
import java.util.Map;
|
|
|
f8ded1 |
import java.util.Set;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
+import netscape.security.x509.RevocationReason;
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
import org.dogtagpki.server.tps.TPSSession;
|
|
|
f8ded1 |
import org.dogtagpki.server.tps.TPSSubsystem;
|
|
|
f8ded1 |
import org.dogtagpki.server.tps.authentication.AuthUIParameter;
|
|
|
f8ded1 |
@@ -100,8 +102,6 @@ import com.netscape.cms.servlet.tks.SecureChannelProtocol;
|
|
|
f8ded1 |
import com.netscape.cmsutil.crypto.CryptoUtil;
|
|
|
f8ded1 |
import com.netscape.symkey.SessionKey;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
-import netscape.security.x509.RevocationReason;
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
public class TPSProcessor {
|
|
|
f8ded1 |
|
|
|
f8ded1 |
public static final int RESULT_NO_ERROR = 0;
|
|
|
f8ded1 |
@@ -923,20 +923,39 @@ public class TPSProcessor {
|
|
|
f8ded1 |
TPSBuffer drmDesKeyBuff = resp.getDRM_Trans_DesKey();
|
|
|
f8ded1 |
TPSBuffer kekDesKeyBuff = resp.getKekWrappedDesKey();
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString());
|
|
|
f8ded1 |
- CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString());
|
|
|
f8ded1 |
- CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString());
|
|
|
f8ded1 |
- CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString());
|
|
|
f8ded1 |
- CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString());
|
|
|
f8ded1 |
- CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString());
|
|
|
f8ded1 |
- CMS.debug(method + " kekDesKeyBuff: " + kekDesKeyBuff.toHexString());
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- encSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
|
|
|
f8ded1 |
- encSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
|
|
|
f8ded1 |
- macSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
|
|
|
f8ded1 |
- macSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
|
|
|
f8ded1 |
- kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
|
|
|
f8ded1 |
- kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
|
|
|
f8ded1 |
+ if (encSessionKeyBuff != null)
|
|
|
f8ded1 |
+ CMS.debug(method + " encSessionKeyBuff: " + encSessionKeyBuff.toHexString());
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (kekSessionKeyBuff != null)
|
|
|
f8ded1 |
+ CMS.debug(method + " kekSessionKeyBuff: " + kekSessionKeyBuff.toHexString());
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (macSessionKeyBuff != null)
|
|
|
f8ded1 |
+ CMS.debug(method + " macSessionKeyBuff: " + macSessionKeyBuff.toHexString());
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (hostCryptogramBuff != null)
|
|
|
f8ded1 |
+ CMS.debug(method + " hostCryptogramBuff: " + hostCryptogramBuff.toHexString());
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (keyCheckBuff != null)
|
|
|
f8ded1 |
+ CMS.debug(method + " keyCheckBuff: " + keyCheckBuff.toHexString());
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (drmDesKeyBuff != null)
|
|
|
f8ded1 |
+ CMS.debug(method + " drmDessKeyBuff: " + drmDesKeyBuff.toHexString());
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (kekDesKeyBuff != null)
|
|
|
f8ded1 |
+ CMS.debug(method + " kekDesKeyBuff: " + kekDesKeyBuff.toHexString());
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (encSessionKeyBuff != null)
|
|
|
f8ded1 |
+ encSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
|
|
|
f8ded1 |
+ encSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (macSessionKeyBuff != null)
|
|
|
f8ded1 |
+ macSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
|
|
|
f8ded1 |
+ macSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (kekSessionKeyBuff != null)
|
|
|
f8ded1 |
+ kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
|
|
|
f8ded1 |
+ kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
channel = new SecureChannel(this, encSessionKeySCP03, macSessionKeySCP03, kekSessionKeySCP03,
|
|
|
f8ded1 |
drmDesKeyBuff, kekDesKeyBuff,
|
|
|
f8ded1 |
--
|
|
|
f8ded1 |
1.8.3.1
|
|
|
f8ded1 |
|
|
|
f8ded1 |
|
|
|
f8ded1 |
From f84bfab30647ae1492fcdca0a026bfa4d91350c9 Mon Sep 17 00:00:00 2001
|
|
|
f8ded1 |
From: Ade Lee <alee@redhat.com>
|
|
|
f8ded1 |
Date: Mon, 1 May 2017 15:56:58 -0400
|
|
|
f8ded1 |
Subject: [PATCH 07/10] Make sure generated asym keys are extractable
|
|
|
f8ded1 |
|
|
|
f8ded1 |
In HSMs, we were not able to retrieve asym keys that were
|
|
|
f8ded1 |
generated from the AsymKeyGenService, because the right
|
|
|
f8ded1 |
flags were not set (ie. set like in the server side
|
|
|
f8ded1 |
keygen case).
|
|
|
f8ded1 |
|
|
|
f8ded1 |
To do this, I extracted the key generation function from
|
|
|
f8ded1 |
NetKeygenService to KeyRecoveryAuthority, so that it could
|
|
|
f8ded1 |
be used by both services.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Bugzilla BZ# 1386303
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Change-Id: I13b5f4b602217a685acada94091e91df75e25eff
|
|
|
f8ded1 |
---
|
|
|
f8ded1 |
.../certsrv/kra/IKeyRecoveryAuthority.java | 17 ++
|
|
|
f8ded1 |
.../src/com/netscape/kra/AsymKeyGenService.java | 23 +--
|
|
|
f8ded1 |
.../src/com/netscape/kra/KeyRecoveryAuthority.java | 184 ++++++++++++++++++++
|
|
|
f8ded1 |
.../src/com/netscape/kra/NetkeyKeygenService.java | 185 +--------------------
|
|
|
f8ded1 |
4 files changed, 213 insertions(+), 196 deletions(-)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
diff --git a/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
|
|
|
f8ded1 |
index a12d773..4f709e9 100644
|
|
|
f8ded1 |
--- a/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
|
|
|
f8ded1 |
+++ b/base/common/src/com/netscape/certsrv/kra/IKeyRecoveryAuthority.java
|
|
|
f8ded1 |
@@ -17,12 +17,15 @@
|
|
|
f8ded1 |
// --- END COPYRIGHT BLOCK ---
|
|
|
f8ded1 |
package com.netscape.certsrv.kra;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
+import java.security.KeyPair;
|
|
|
f8ded1 |
import java.util.Enumeration;
|
|
|
f8ded1 |
import java.util.Hashtable;
|
|
|
f8ded1 |
import java.util.Vector;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import org.dogtagpki.legacy.policy.IPolicyProcessor;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.CryptoToken;
|
|
|
f8ded1 |
+import org.mozilla.jss.crypto.KeyPairGeneratorSpi;
|
|
|
f8ded1 |
+import org.mozilla.jss.crypto.PQGParams;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import com.netscape.certsrv.base.EBaseException;
|
|
|
f8ded1 |
import com.netscape.certsrv.base.ISubsystem;
|
|
|
f8ded1 |
@@ -337,4 +340,18 @@ public interface IKeyRecoveryAuthority extends ISubsystem {
|
|
|
f8ded1 |
* @return
|
|
|
f8ded1 |
*/
|
|
|
f8ded1 |
public boolean isRetrievalSynchronous(String realm);
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ /**
|
|
|
f8ded1 |
+ * Generate an asymmetric key pair.
|
|
|
f8ded1 |
+ *
|
|
|
f8ded1 |
+ * @param alg
|
|
|
f8ded1 |
+ * @param keySize
|
|
|
f8ded1 |
+ * @param keyCurve
|
|
|
f8ded1 |
+ * @param pqg
|
|
|
f8ded1 |
+ * @param usageList - RSA only for now
|
|
|
f8ded1 |
+ * @return key pair
|
|
|
f8ded1 |
+ * @throws EBaseException
|
|
|
f8ded1 |
+ */
|
|
|
f8ded1 |
+ public KeyPair generateKeyPair(String alg, int keySize, String keyCurve,
|
|
|
f8ded1 |
+ PQGParams pqg, KeyPairGeneratorSpi.Usage[] usageList) throws EBaseException;
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
|
|
|
f8ded1 |
index 9528972..7351d50 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
|
|
|
f8ded1 |
@@ -19,14 +19,10 @@ package com.netscape.kra;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import java.math.BigInteger;
|
|
|
f8ded1 |
import java.security.KeyPair;
|
|
|
f8ded1 |
-import java.security.NoSuchAlgorithmException;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.CryptoToken;
|
|
|
f8ded1 |
-import org.mozilla.jss.crypto.KeyPairAlgorithm;
|
|
|
f8ded1 |
-import org.mozilla.jss.crypto.KeyPairGenerator;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.KeyPairGeneratorSpi;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.PrivateKey;
|
|
|
f8ded1 |
-import org.mozilla.jss.crypto.TokenException;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import com.netscape.certsrv.apps.CMS;
|
|
|
f8ded1 |
import com.netscape.certsrv.base.EBaseException;
|
|
|
f8ded1 |
@@ -42,7 +38,6 @@ import com.netscape.certsrv.request.IRequest;
|
|
|
f8ded1 |
import com.netscape.certsrv.request.IService;
|
|
|
f8ded1 |
import com.netscape.certsrv.request.RequestId;
|
|
|
f8ded1 |
import com.netscape.certsrv.security.IStorageKeyUnit;
|
|
|
f8ded1 |
-import com.netscape.cms.servlet.key.KeyRequestDAO;
|
|
|
f8ded1 |
import com.netscape.cmscore.dbs.KeyRecord;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import netscape.security.util.WrappingParams;
|
|
|
f8ded1 |
@@ -132,8 +127,6 @@ public class AsymKeyGenService implements IService {
|
|
|
f8ded1 |
CMS.debug("AsymKeyGenService.serviceRequest. Request id: " + request.getRequestId());
|
|
|
f8ded1 |
CMS.debug("AsymKeyGenService.serviceRequest algorithm: " + algorithm);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- KeyPairAlgorithm keyPairAlgorithm = KeyRequestDAO.ASYMKEY_GEN_ALGORITHMS.get(algorithm.toUpperCase());
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
|
|
|
f8ded1 |
String auditSubjectID = owner;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@@ -141,16 +134,18 @@ public class AsymKeyGenService implements IService {
|
|
|
f8ded1 |
CryptoToken token = kra.getKeygenToken();
|
|
|
f8ded1 |
|
|
|
f8ded1 |
// Generating the asymmetric keys
|
|
|
f8ded1 |
- KeyPairGenerator keyPairGen = null;
|
|
|
f8ded1 |
KeyPair kp = null;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
try {
|
|
|
f8ded1 |
- keyPairGen = token.getKeyPairGenerator(keyPairAlgorithm);
|
|
|
f8ded1 |
- keyPairGen.initialize(keySize);
|
|
|
f8ded1 |
- if (usageList != null)
|
|
|
f8ded1 |
- keyPairGen.setKeyPairUsages(usageList, usageList);
|
|
|
f8ded1 |
- kp = keyPairGen.genKeyPair();
|
|
|
f8ded1 |
- } catch (NoSuchAlgorithmException | TokenException e) {
|
|
|
f8ded1 |
+ kp = kra.generateKeyPair(
|
|
|
f8ded1 |
+ algorithm.toUpperCase(),
|
|
|
f8ded1 |
+ keySize,
|
|
|
f8ded1 |
+ null, // keyCurve for ECC, not yet supported
|
|
|
f8ded1 |
+ null, // PQG not yet supported
|
|
|
f8ded1 |
+ usageList
|
|
|
f8ded1 |
+ );
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ } catch (EBaseException e) {
|
|
|
f8ded1 |
CMS.debugStackTrace();
|
|
|
f8ded1 |
auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
|
|
|
f8ded1 |
clientKeyId, null, "Failed to generate Asymmetric key");
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
|
|
|
f8ded1 |
index ec920e6..54953d1 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
|
|
|
f8ded1 |
@@ -20,6 +20,10 @@ package com.netscape.kra;
|
|
|
f8ded1 |
import java.io.ByteArrayOutputStream;
|
|
|
f8ded1 |
import java.io.IOException;
|
|
|
f8ded1 |
import java.math.BigInteger;
|
|
|
f8ded1 |
+import java.security.InvalidAlgorithmParameterException;
|
|
|
f8ded1 |
+import java.security.InvalidParameterException;
|
|
|
f8ded1 |
+import java.security.KeyPair;
|
|
|
f8ded1 |
+import java.security.NoSuchAlgorithmException;
|
|
|
f8ded1 |
import java.security.cert.CertificateEncodingException;
|
|
|
f8ded1 |
import java.security.cert.CertificateException;
|
|
|
f8ded1 |
import java.security.cert.X509Certificate;
|
|
|
f8ded1 |
@@ -32,6 +36,12 @@ import org.dogtagpki.legacy.kra.KRAPolicy;
|
|
|
f8ded1 |
import org.dogtagpki.legacy.policy.IPolicyProcessor;
|
|
|
f8ded1 |
import org.mozilla.jss.NoSuchTokenException;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.CryptoToken;
|
|
|
f8ded1 |
+import org.mozilla.jss.crypto.KeyPairAlgorithm;
|
|
|
f8ded1 |
+import org.mozilla.jss.crypto.KeyPairGenerator;
|
|
|
f8ded1 |
+import org.mozilla.jss.crypto.KeyPairGeneratorSpi;
|
|
|
f8ded1 |
+import org.mozilla.jss.crypto.PQGParamGenException;
|
|
|
f8ded1 |
+import org.mozilla.jss.crypto.PQGParams;
|
|
|
f8ded1 |
+import org.mozilla.jss.crypto.TokenException;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import com.netscape.certsrv.apps.CMS;
|
|
|
f8ded1 |
import com.netscape.certsrv.authority.IAuthority;
|
|
|
f8ded1 |
@@ -1816,4 +1826,178 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
|
|
|
f8ded1 |
|
|
|
f8ded1 |
return agents;
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ public KeyPair generateKeyPair(String alg, int keySize, String keyCurve,
|
|
|
f8ded1 |
+ PQGParams pqg, KeyPairGeneratorSpi.Usage[] usageList) throws EBaseException {
|
|
|
f8ded1 |
+ KeyPairAlgorithm kpAlg = null;
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (alg.equals("RSA"))
|
|
|
f8ded1 |
+ kpAlg = KeyPairAlgorithm.RSA;
|
|
|
f8ded1 |
+ else if (alg.equals("EC"))
|
|
|
f8ded1 |
+ kpAlg = KeyPairAlgorithm.EC;
|
|
|
f8ded1 |
+ else
|
|
|
f8ded1 |
+ kpAlg = KeyPairAlgorithm.DSA;
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ try {
|
|
|
f8ded1 |
+ KeyPair kp = generateKeyPair(kpAlg, keySize, keyCurve, pqg, usageList);
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ return kp;
|
|
|
f8ded1 |
+ } catch (InvalidParameterException e) {
|
|
|
f8ded1 |
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS",
|
|
|
f8ded1 |
+ "" + keySize));
|
|
|
f8ded1 |
+ } catch (PQGParamGenException e) {
|
|
|
f8ded1 |
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED"));
|
|
|
f8ded1 |
+ } catch (NoSuchAlgorithmException e) {
|
|
|
f8ded1 |
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED",
|
|
|
f8ded1 |
+ kpAlg.toString()));
|
|
|
f8ded1 |
+ } catch (TokenException e) {
|
|
|
f8ded1 |
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR_1", e.toString()));
|
|
|
f8ded1 |
+ } catch (InvalidAlgorithmParameterException e) {
|
|
|
f8ded1 |
+ throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", "DSA"));
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ public KeyPair generateKeyPair(
|
|
|
f8ded1 |
+ KeyPairAlgorithm kpAlg, int keySize, String keyCurve, PQGParams pqg,
|
|
|
f8ded1 |
+ KeyPairGeneratorSpi.Usage[] usageList )
|
|
|
f8ded1 |
+ throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException,
|
|
|
f8ded1 |
+ InvalidParameterException, PQGParamGenException {
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ CryptoToken token = getKeygenToken();
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: " + token.getName());
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ /*
|
|
|
f8ded1 |
+ make it temporary so can work with HSM
|
|
|
f8ded1 |
+ netHSM works with
|
|
|
f8ded1 |
+ temporary == true
|
|
|
f8ded1 |
+ sensitive == <do not specify>
|
|
|
f8ded1 |
+ extractable == <do not specify>
|
|
|
f8ded1 |
+ LunaSA2 works with
|
|
|
f8ded1 |
+ temporary == true
|
|
|
f8ded1 |
+ sensitive == true
|
|
|
f8ded1 |
+ extractable == true
|
|
|
f8ded1 |
+ */
|
|
|
f8ded1 |
+ KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg);
|
|
|
f8ded1 |
+ IConfigStore config = CMS.getConfigStore();
|
|
|
f8ded1 |
+ IConfigStore kgConfig = config.getSubStore("kra.keygen");
|
|
|
f8ded1 |
+ boolean tp = false;
|
|
|
f8ded1 |
+ boolean sp = false;
|
|
|
f8ded1 |
+ boolean ep = false;
|
|
|
f8ded1 |
+ if ((kgConfig != null) && (!kgConfig.equals(""))) {
|
|
|
f8ded1 |
+ try {
|
|
|
f8ded1 |
+ tp = kgConfig.getBoolean("temporaryPairs", false);
|
|
|
f8ded1 |
+ sp = kgConfig.getBoolean("sensitivePairs", false);
|
|
|
f8ded1 |
+ ep = kgConfig.getBoolean("extractablePairs", false);
|
|
|
f8ded1 |
+ CMS.debug("NetkeyKeygenService: found config store: kra.keygen");
|
|
|
f8ded1 |
+ // by default, let nethsm work
|
|
|
f8ded1 |
+ if ((tp == false) && (sp == false) && (ep == false)) {
|
|
|
f8ded1 |
+ if (kpAlg == KeyPairAlgorithm.EC) {
|
|
|
f8ded1 |
+ // set to what works for nethsm
|
|
|
f8ded1 |
+ tp = true;
|
|
|
f8ded1 |
+ sp = false;
|
|
|
f8ded1 |
+ ep = true;
|
|
|
f8ded1 |
+ } else
|
|
|
f8ded1 |
+ tp = true;
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ } catch (Exception e) {
|
|
|
f8ded1 |
+ CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed");
|
|
|
f8ded1 |
+ // by default, let nethsm work
|
|
|
f8ded1 |
+ tp = true;
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ } else {
|
|
|
f8ded1 |
+ // by default, let nethsm work
|
|
|
f8ded1 |
+ CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true");
|
|
|
f8ded1 |
+ if (kpAlg == KeyPairAlgorithm.EC) {
|
|
|
f8ded1 |
+ // set to what works for nethsm
|
|
|
f8ded1 |
+ tp = true;
|
|
|
f8ded1 |
+ sp = false;
|
|
|
f8ded1 |
+ ep = true;
|
|
|
f8ded1 |
+ } else {
|
|
|
f8ded1 |
+ tp = true;
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (kpAlg == KeyPairAlgorithm.EC) {
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ boolean isECDHE = false;
|
|
|
f8ded1 |
+ KeyPair pair = null;
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ // used with isECDHE == true
|
|
|
f8ded1 |
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDSA[] = {
|
|
|
f8ded1 |
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE
|
|
|
f8ded1 |
+ };
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ // used with isECDHE == false
|
|
|
f8ded1 |
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = {
|
|
|
f8ded1 |
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN,
|
|
|
f8ded1 |
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER
|
|
|
f8ded1 |
+ };
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ try {
|
|
|
f8ded1 |
+ pair = CryptoUtil.generateECCKeyPair(token.getName(),
|
|
|
f8ded1 |
+ keyCurve /*ECC_curve default*/,
|
|
|
f8ded1 |
+ null,
|
|
|
f8ded1 |
+ (isECDHE==true) ? usages_mask_ECDSA: usages_mask_ECDH,
|
|
|
f8ded1 |
+ tp /*temporary*/, sp? 1:0 /*sensitive*/, ep? 1:0 /*extractable*/);
|
|
|
f8ded1 |
+ CMS.debug("NetkeyKeygenService: after key pair generation" );
|
|
|
f8ded1 |
+ } catch (Exception e) {
|
|
|
f8ded1 |
+ CMS.debug("NetkeyKeygenService: key pair generation with exception:"+e.toString());
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ return pair;
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ } else { // !EC
|
|
|
f8ded1 |
+ //only specified to "true" will it be set
|
|
|
f8ded1 |
+ if (tp == true) {
|
|
|
f8ded1 |
+ CMS.debug("NetkeyKeygenService: setting temporaryPairs to true");
|
|
|
f8ded1 |
+ kpGen.temporaryPairs(true);
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (sp == true) {
|
|
|
f8ded1 |
+ CMS.debug("NetkeyKeygenService: setting sensitivePairs to true");
|
|
|
f8ded1 |
+ kpGen.sensitivePairs(true);
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (ep == true) {
|
|
|
f8ded1 |
+ CMS.debug("NetkeyKeygenService: setting extractablePairs to true");
|
|
|
f8ded1 |
+ kpGen.extractablePairs(true);
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (kpAlg == KeyPairAlgorithm.DSA) {
|
|
|
f8ded1 |
+ if (pqg == null) {
|
|
|
f8ded1 |
+ kpGen.initialize(keySize);
|
|
|
f8ded1 |
+ } else {
|
|
|
f8ded1 |
+ kpGen.initialize(pqg);
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ } else {
|
|
|
f8ded1 |
+ kpGen.initialize(keySize);
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (usageList != null)
|
|
|
f8ded1 |
+ kpGen.setKeyPairUsages(usageList, usageList);
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ if (pqg == null) {
|
|
|
f8ded1 |
+ KeyPair kp = null;
|
|
|
f8ded1 |
+ synchronized (new Object()) {
|
|
|
f8ded1 |
+ CMS.debug("NetkeyKeygenService: key pair generation begins");
|
|
|
f8ded1 |
+ kp = kpGen.genKeyPair();
|
|
|
f8ded1 |
+ CMS.debug("NetkeyKeygenService: key pair generation done");
|
|
|
f8ded1 |
+ addEntropy(true);
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ return kp;
|
|
|
f8ded1 |
+ } else {
|
|
|
f8ded1 |
+ // DSA
|
|
|
f8ded1 |
+ KeyPair kp = null;
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
+ /* no DSA for now... netkey prototype
|
|
|
f8ded1 |
+ do {
|
|
|
f8ded1 |
+ // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair
|
|
|
f8ded1 |
+ kp = kpGen.genKeyPair();
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ while (isBadDSAKeyPair(kp));
|
|
|
f8ded1 |
+ */
|
|
|
f8ded1 |
+ return kp;
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
f8ded1 |
index e09eb42..f068a4a 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
f8ded1 |
@@ -23,11 +23,8 @@ import java.io.FilterOutputStream;
|
|
|
f8ded1 |
import java.io.IOException;
|
|
|
f8ded1 |
import java.io.PrintStream;
|
|
|
f8ded1 |
import java.math.BigInteger;
|
|
|
f8ded1 |
-import java.security.InvalidAlgorithmParameterException;
|
|
|
f8ded1 |
import java.security.InvalidKeyException;
|
|
|
f8ded1 |
-import java.security.InvalidParameterException;
|
|
|
f8ded1 |
import java.security.KeyPair;
|
|
|
f8ded1 |
-import java.security.NoSuchAlgorithmException;
|
|
|
f8ded1 |
import java.security.SecureRandom;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import org.mozilla.jss.asn1.ASN1Util;
|
|
|
f8ded1 |
@@ -35,21 +32,15 @@ import org.mozilla.jss.crypto.CryptoToken;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.EncryptionAlgorithm;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.IVParameterSpec;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.KeyGenAlgorithm;
|
|
|
f8ded1 |
-import org.mozilla.jss.crypto.KeyPairAlgorithm;
|
|
|
f8ded1 |
-import org.mozilla.jss.crypto.KeyPairGenerator;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.KeyWrapAlgorithm;
|
|
|
f8ded1 |
-import org.mozilla.jss.crypto.PQGParamGenException;
|
|
|
f8ded1 |
-import org.mozilla.jss.crypto.PQGParams;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.PrivateKey;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.SymmetricKey;
|
|
|
f8ded1 |
-import org.mozilla.jss.crypto.TokenException;
|
|
|
f8ded1 |
import org.mozilla.jss.pkcs11.PK11SymKey;
|
|
|
f8ded1 |
import org.mozilla.jss.pkix.crmf.PKIArchiveOptions;
|
|
|
f8ded1 |
import org.mozilla.jss.util.Base64OutputStream;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import com.netscape.certsrv.apps.CMS;
|
|
|
f8ded1 |
import com.netscape.certsrv.base.EBaseException;
|
|
|
f8ded1 |
-import com.netscape.certsrv.base.IConfigStore;
|
|
|
f8ded1 |
import com.netscape.certsrv.base.MetaInfo;
|
|
|
f8ded1 |
import com.netscape.certsrv.base.SessionContext;
|
|
|
f8ded1 |
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
|
|
|
f8ded1 |
@@ -122,177 +113,6 @@ public class NetkeyKeygenService implements IService {
|
|
|
f8ded1 |
return archOpts;
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- public KeyPair generateKeyPair(
|
|
|
f8ded1 |
- KeyPairAlgorithm kpAlg, int keySize, String keyCurve, PQGParams pqg)
|
|
|
f8ded1 |
- throws NoSuchAlgorithmException, TokenException, InvalidAlgorithmParameterException,
|
|
|
f8ded1 |
- InvalidParameterException, PQGParamGenException {
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- CryptoToken token = mKRA.getKeygenToken();
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- CMS.debug("NetkeyKeygenService: key pair is to be generated on slot: " + token.getName());
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- /*
|
|
|
f8ded1 |
- make it temporary so can work with HSM
|
|
|
f8ded1 |
- netHSM works with
|
|
|
f8ded1 |
- temporary == true
|
|
|
f8ded1 |
- sensitive == <do not specify>
|
|
|
f8ded1 |
- extractable == <do not specify>
|
|
|
f8ded1 |
- LunaSA2 works with
|
|
|
f8ded1 |
- temporary == true
|
|
|
f8ded1 |
- sensitive == true
|
|
|
f8ded1 |
- extractable == true
|
|
|
f8ded1 |
- */
|
|
|
f8ded1 |
- KeyPairGenerator kpGen = token.getKeyPairGenerator(kpAlg);
|
|
|
f8ded1 |
- IConfigStore config = CMS.getConfigStore();
|
|
|
f8ded1 |
- IConfigStore kgConfig = config.getSubStore("kra.keygen");
|
|
|
f8ded1 |
- boolean tp = false;
|
|
|
f8ded1 |
- boolean sp = false;
|
|
|
f8ded1 |
- boolean ep = false;
|
|
|
f8ded1 |
- if ((kgConfig != null) && (!kgConfig.equals(""))) {
|
|
|
f8ded1 |
- try {
|
|
|
f8ded1 |
- tp = kgConfig.getBoolean("temporaryPairs", false);
|
|
|
f8ded1 |
- sp = kgConfig.getBoolean("sensitivePairs", false);
|
|
|
f8ded1 |
- ep = kgConfig.getBoolean("extractablePairs", false);
|
|
|
f8ded1 |
- CMS.debug("NetkeyKeygenService: found config store: kra.keygen");
|
|
|
f8ded1 |
- // by default, let nethsm work
|
|
|
f8ded1 |
- if ((tp == false) && (sp == false) && (ep == false)) {
|
|
|
f8ded1 |
- if (kpAlg == KeyPairAlgorithm.EC) {
|
|
|
f8ded1 |
- // set to what works for nethsm
|
|
|
f8ded1 |
- tp = true;
|
|
|
f8ded1 |
- sp = false;
|
|
|
f8ded1 |
- ep = true;
|
|
|
f8ded1 |
- } else
|
|
|
f8ded1 |
- tp = true;
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
- } catch (Exception e) {
|
|
|
f8ded1 |
- CMS.debug("NetkeyKeygenService: kgConfig.getBoolean failed");
|
|
|
f8ded1 |
- // by default, let nethsm work
|
|
|
f8ded1 |
- tp = true;
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
- } else {
|
|
|
f8ded1 |
- // by default, let nethsm work
|
|
|
f8ded1 |
- CMS.debug("NetkeyKeygenService: cannot find config store: kra.keygen, assume temporaryPairs==true");
|
|
|
f8ded1 |
- if (kpAlg == KeyPairAlgorithm.EC) {
|
|
|
f8ded1 |
- // set to what works for nethsm
|
|
|
f8ded1 |
- tp = true;
|
|
|
f8ded1 |
- sp = false;
|
|
|
f8ded1 |
- ep = true;
|
|
|
f8ded1 |
- } else {
|
|
|
f8ded1 |
- tp = true;
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- if (kpAlg == KeyPairAlgorithm.EC) {
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- boolean isECDHE = false;
|
|
|
f8ded1 |
- KeyPair pair = null;
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- // used with isECDHE == true
|
|
|
f8ded1 |
- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDSA[] = {
|
|
|
f8ded1 |
- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.DERIVE
|
|
|
f8ded1 |
- };
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- // used with isECDHE == false
|
|
|
f8ded1 |
- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage usages_mask_ECDH[] = {
|
|
|
f8ded1 |
- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN,
|
|
|
f8ded1 |
- org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage.SIGN_RECOVER
|
|
|
f8ded1 |
- };
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- try {
|
|
|
f8ded1 |
- pair = CryptoUtil.generateECCKeyPair(token.getName(),
|
|
|
f8ded1 |
- keyCurve /*ECC_curve default*/,
|
|
|
f8ded1 |
- null,
|
|
|
f8ded1 |
- (isECDHE==true) ? usages_mask_ECDSA: usages_mask_ECDH,
|
|
|
f8ded1 |
- tp /*temporary*/, sp? 1:0 /*sensitive*/, ep? 1:0 /*extractable*/);
|
|
|
f8ded1 |
- CMS.debug("NetkeyKeygenService: after key pair generation" );
|
|
|
f8ded1 |
- } catch (Exception e) {
|
|
|
f8ded1 |
- CMS.debug("NetkeyKeygenService: key pair generation with exception:"+e.toString());
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
- return pair;
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- } else { // !EC
|
|
|
f8ded1 |
- //only specified to "true" will it be set
|
|
|
f8ded1 |
- if (tp == true) {
|
|
|
f8ded1 |
- CMS.debug("NetkeyKeygenService: setting temporaryPairs to true");
|
|
|
f8ded1 |
- kpGen.temporaryPairs(true);
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- if (sp == true) {
|
|
|
f8ded1 |
- CMS.debug("NetkeyKeygenService: setting sensitivePairs to true");
|
|
|
f8ded1 |
- kpGen.sensitivePairs(true);
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- if (ep == true) {
|
|
|
f8ded1 |
- CMS.debug("NetkeyKeygenService: setting extractablePairs to true");
|
|
|
f8ded1 |
- kpGen.extractablePairs(true);
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- if (kpAlg == KeyPairAlgorithm.DSA) {
|
|
|
f8ded1 |
- if (pqg == null) {
|
|
|
f8ded1 |
- kpGen.initialize(keySize);
|
|
|
f8ded1 |
- } else {
|
|
|
f8ded1 |
- kpGen.initialize(pqg);
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
- } else {
|
|
|
f8ded1 |
- kpGen.initialize(keySize);
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- if (pqg == null) {
|
|
|
f8ded1 |
- KeyPair kp = null;
|
|
|
f8ded1 |
- synchronized (new Object()) {
|
|
|
f8ded1 |
- CMS.debug("NetkeyKeygenService: key pair generation begins");
|
|
|
f8ded1 |
- kp = kpGen.genKeyPair();
|
|
|
f8ded1 |
- CMS.debug("NetkeyKeygenService: key pair generation done");
|
|
|
f8ded1 |
- mKRA.addEntropy(true);
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
- return kp;
|
|
|
f8ded1 |
- } else {
|
|
|
f8ded1 |
- // DSA
|
|
|
f8ded1 |
- KeyPair kp = null;
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- /* no DSA for now... netkey prototype
|
|
|
f8ded1 |
- do {
|
|
|
f8ded1 |
- // 602548 NSS bug - to overcome it, we use isBadDSAKeyPair
|
|
|
f8ded1 |
- kp = kpGen.genKeyPair();
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
- while (isBadDSAKeyPair(kp));
|
|
|
f8ded1 |
- */
|
|
|
f8ded1 |
- return kp;
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- public KeyPair generateKeyPair(String alg,
|
|
|
f8ded1 |
- int keySize, String keyCurve, PQGParams pqg) throws EBaseException {
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- KeyPairAlgorithm kpAlg = null;
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- if (alg.equals("RSA"))
|
|
|
f8ded1 |
- kpAlg = KeyPairAlgorithm.RSA;
|
|
|
f8ded1 |
- else if (alg.equals("EC"))
|
|
|
f8ded1 |
- kpAlg = KeyPairAlgorithm.EC;
|
|
|
f8ded1 |
- else
|
|
|
f8ded1 |
- kpAlg = KeyPairAlgorithm.DSA;
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- try {
|
|
|
f8ded1 |
- KeyPair kp = generateKeyPair(kpAlg, keySize, keyCurve, pqg);
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
- return kp;
|
|
|
f8ded1 |
- } catch (InvalidParameterException e) {
|
|
|
f8ded1 |
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_KEYSIZE_PARAMS",
|
|
|
f8ded1 |
- "" + keySize));
|
|
|
f8ded1 |
- } catch (PQGParamGenException e) {
|
|
|
f8ded1 |
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_PQG_GEN_FAILED"));
|
|
|
f8ded1 |
- } catch (NoSuchAlgorithmException e) {
|
|
|
f8ded1 |
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED",
|
|
|
f8ded1 |
- kpAlg.toString()));
|
|
|
f8ded1 |
- } catch (TokenException e) {
|
|
|
f8ded1 |
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_ERROR_1", e.toString()));
|
|
|
f8ded1 |
- } catch (InvalidAlgorithmParameterException e) {
|
|
|
f8ded1 |
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_ALG_NOT_SUPPORTED", "DSA"));
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
private static String base64Encode(byte[] bytes) throws IOException {
|
|
|
f8ded1 |
// All this streaming is lame, but Base64OutputStream needs a
|
|
|
f8ded1 |
// PrintStream
|
|
|
f8ded1 |
@@ -430,10 +250,11 @@ public class NetkeyKeygenService implements IService {
|
|
|
f8ded1 |
|
|
|
f8ded1 |
CMS.debug("NetkeyKeygenService: about to generate key pair");
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- keypair = generateKeyPair(rKeytype /* rKeytype: "RSA" or "EC" */,
|
|
|
f8ded1 |
+ keypair = mKRA.generateKeyPair(rKeytype /* rKeytype: "RSA" or "EC" */,
|
|
|
f8ded1 |
keysize /*Integer.parseInt(len)*/,
|
|
|
f8ded1 |
rKeycurve /* for "EC" only */,
|
|
|
f8ded1 |
- null /*pqgParams*/);
|
|
|
f8ded1 |
+ null /*pqgParams*/,
|
|
|
f8ded1 |
+ null /* usageList*/);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
if (keypair == null) {
|
|
|
f8ded1 |
CMS.debug("NetkeyKeygenService: failed generating key pair for " + rCUID + ":" + rUserid);
|
|
|
f8ded1 |
--
|
|
|
f8ded1 |
1.8.3.1
|
|
|
f8ded1 |
|
|
|
f8ded1 |
|
|
|
f8ded1 |
From bea446868e282955d9c70028be657530eaccbe29 Mon Sep 17 00:00:00 2001
|
|
|
f8ded1 |
From: Ade Lee <alee@redhat.com>
|
|
|
f8ded1 |
Date: Mon, 1 May 2017 18:25:59 -0400
|
|
|
f8ded1 |
Subject: [PATCH 08/10] Use AES-CBC in storage unit for archival in key
|
|
|
f8ded1 |
wrapping
|
|
|
f8ded1 |
|
|
|
f8ded1 |
When AES-KW or AES-KWP is not available, we need to be sure to use
|
|
|
f8ded1 |
a key wrap algorithm that is available for keywrap. This would
|
|
|
f8ded1 |
be AES-CBC. Removes some TODOs.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Refactor so that getWrappingParams is only defined on the StorageUnit,
|
|
|
f8ded1 |
which is where it makes sense in any case.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Part of Bugzilla BZ# 1386303
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51
|
|
|
f8ded1 |
---
|
|
|
f8ded1 |
.../src/com/netscape/certsrv/security/IEncryptionUnit.java | 2 --
|
|
|
f8ded1 |
.../src/com/netscape/certsrv/security/IStorageKeyUnit.java | 6 ++++++
|
|
|
f8ded1 |
base/kra/src/com/netscape/kra/AsymKeyGenService.java | 11 +++--------
|
|
|
f8ded1 |
base/kra/src/com/netscape/kra/EncryptionUnit.java | 2 --
|
|
|
f8ded1 |
base/kra/src/com/netscape/kra/EnrollmentService.java | 2 +-
|
|
|
f8ded1 |
base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 7 +++++--
|
|
|
f8ded1 |
base/kra/src/com/netscape/kra/SecurityDataProcessor.java | 2 +-
|
|
|
f8ded1 |
base/kra/src/com/netscape/kra/StorageKeyUnit.java | 12 +++++++++++-
|
|
|
f8ded1 |
base/kra/src/com/netscape/kra/SymKeyGenService.java | 7 +++++--
|
|
|
f8ded1 |
base/kra/src/com/netscape/kra/TransportKeyUnit.java | 4 ----
|
|
|
f8ded1 |
10 files changed, 32 insertions(+), 23 deletions(-)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
|
|
|
f8ded1 |
index add15cb..e55713d 100644
|
|
|
f8ded1 |
--- a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
|
|
|
f8ded1 |
+++ b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
|
|
|
f8ded1 |
@@ -63,7 +63,5 @@ public interface IEncryptionUnit extends IToken {
|
|
|
f8ded1 |
SymmetricKey.Usage usage, WrappingParams params) throws Exception;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- public WrappingParams getWrappingParams() throws Exception;
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
public WrappingParams getOldWrappingParams();
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
diff --git a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java
|
|
|
f8ded1 |
index cd94143..bfc6012 100644
|
|
|
f8ded1 |
--- a/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java
|
|
|
f8ded1 |
+++ b/base/common/src/com/netscape/certsrv/security/IStorageKeyUnit.java
|
|
|
f8ded1 |
@@ -174,4 +174,10 @@ public interface IStorageKeyUnit extends IEncryptionUnit {
|
|
|
f8ded1 |
public PrivateKey unwrap(byte privateKey[], PublicKey pubKey, boolean temporary,
|
|
|
f8ded1 |
WrappingParams params) throws Exception;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
+ /**
|
|
|
f8ded1 |
+ * Get the wrapping parameters for this storage unit
|
|
|
f8ded1 |
+ *
|
|
|
f8ded1 |
+ */
|
|
|
f8ded1 |
+ public WrappingParams getWrappingParams(boolean encrypt) throws Exception;
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
|
|
|
f8ded1 |
index 7351d50..cfee504 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
|
|
|
f8ded1 |
@@ -20,7 +20,6 @@ package com.netscape.kra;
|
|
|
f8ded1 |
import java.math.BigInteger;
|
|
|
f8ded1 |
import java.security.KeyPair;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
-import org.mozilla.jss.crypto.CryptoToken;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.KeyPairGeneratorSpi;
|
|
|
f8ded1 |
import org.mozilla.jss.crypto.PrivateKey;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@@ -68,7 +67,7 @@ public class AsymKeyGenService implements IService {
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@Override
|
|
|
f8ded1 |
public boolean serviceRequest(IRequest request) throws EBaseException {
|
|
|
f8ded1 |
- IConfigStore cs = CMS.getConfigStore();
|
|
|
f8ded1 |
+ IConfigStore configStore = CMS.getConfigStore();
|
|
|
f8ded1 |
String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID);
|
|
|
f8ded1 |
String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@@ -77,7 +76,7 @@ public class AsymKeyGenService implements IService {
|
|
|
f8ded1 |
|
|
|
f8ded1 |
String realm = request.getRealm();
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- boolean allowEncDecrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
|
|
|
f8ded1 |
+ boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
KeyPairGeneratorSpi.Usage[] usageList = null;
|
|
|
f8ded1 |
String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES);
|
|
|
f8ded1 |
@@ -130,9 +129,6 @@ public class AsymKeyGenService implements IService {
|
|
|
f8ded1 |
String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
|
|
|
f8ded1 |
String auditSubjectID = owner;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- // Get the token
|
|
|
f8ded1 |
- CryptoToken token = kra.getKeygenToken();
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
// Generating the asymmetric keys
|
|
|
f8ded1 |
KeyPair kp = null;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
@@ -162,8 +158,7 @@ public class AsymKeyGenService implements IService {
|
|
|
f8ded1 |
WrappingParams params = null;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
try {
|
|
|
f8ded1 |
- // TODO(alee) What happens if key wrap algorithm is not supported?
|
|
|
f8ded1 |
- params = storageUnit.getWrappingParams();
|
|
|
f8ded1 |
+ params = storageUnit.getWrappingParams(allowEncDecrypt_archival);
|
|
|
f8ded1 |
privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate(), params);
|
|
|
f8ded1 |
} catch (Exception e) {
|
|
|
f8ded1 |
CMS.debug("Failed to generate security data to archive: " + e);
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
|
|
|
f8ded1 |
index 02a4ca1..b460c9e 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
|
|
|
f8ded1 |
@@ -67,8 +67,6 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
|
|
|
f8ded1 |
|
|
|
f8ded1 |
public abstract PrivateKey getPrivateKey(org.mozilla.jss.crypto.X509Certificate cert);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- public abstract WrappingParams getWrappingParams() throws Exception;
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
public WrappingParams getOldWrappingParams() {
|
|
|
f8ded1 |
return new WrappingParams(
|
|
|
f8ded1 |
SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
|
|
|
f8ded1 |
index a200c34..e413a06 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
|
|
|
f8ded1 |
@@ -396,7 +396,7 @@ public class EnrollmentService implements IService {
|
|
|
f8ded1 |
WrappingParams params = null;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
try {
|
|
|
f8ded1 |
- params = mStorageUnit.getWrappingParams();
|
|
|
f8ded1 |
+ params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
|
|
|
f8ded1 |
if (allowEncDecrypt_archival == true) {
|
|
|
f8ded1 |
privateKeyData = mStorageUnit.encryptInternalPrivate(unwrapped, params);
|
|
|
f8ded1 |
} else {
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
f8ded1 |
index f068a4a..636e93e 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
f8ded1 |
@@ -41,6 +41,7 @@ import org.mozilla.jss.util.Base64OutputStream;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import com.netscape.certsrv.apps.CMS;
|
|
|
f8ded1 |
import com.netscape.certsrv.base.EBaseException;
|
|
|
f8ded1 |
+import com.netscape.certsrv.base.IConfigStore;
|
|
|
f8ded1 |
import com.netscape.certsrv.base.MetaInfo;
|
|
|
f8ded1 |
import com.netscape.certsrv.base.SessionContext;
|
|
|
f8ded1 |
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
|
|
|
f8ded1 |
@@ -155,6 +156,9 @@ public class NetkeyKeygenService implements IService {
|
|
|
f8ded1 |
|
|
|
f8ded1 |
IVParameterSpec algParam = new IVParameterSpec(iv);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
+ IConfigStore configStore = CMS.getConfigStore();
|
|
|
f8ded1 |
+ boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false);
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
wrapped_des_key = null;
|
|
|
f8ded1 |
boolean archive = true;
|
|
|
f8ded1 |
byte[] publicKeyData = null;
|
|
|
f8ded1 |
@@ -405,8 +409,7 @@ public class NetkeyKeygenService implements IService {
|
|
|
f8ded1 |
WrappingParams params = null;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
try {
|
|
|
f8ded1 |
- // TODO(alee) What happens if key wrap algorithm is not supported?
|
|
|
f8ded1 |
- params = mStorageUnit.getWrappingParams();
|
|
|
f8ded1 |
+ params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
|
|
|
f8ded1 |
privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
|
|
|
f8ded1 |
} catch (Exception e) {
|
|
|
f8ded1 |
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
|
|
|
f8ded1 |
index 701b611..95d07c4 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
|
|
|
f8ded1 |
@@ -217,7 +217,7 @@ public class SecurityDataProcessor {
|
|
|
f8ded1 |
boolean doEncrypt = false;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
try {
|
|
|
f8ded1 |
- params = storageUnit.getWrappingParams();
|
|
|
f8ded1 |
+ params = storageUnit.getWrappingParams(allowEncDecrypt_archival);
|
|
|
f8ded1 |
if (securitySymKey != null && unwrapped == null) {
|
|
|
f8ded1 |
privateSecurityData = storageUnit.wrap(securitySymKey, params);
|
|
|
f8ded1 |
} else if (unwrapped != null && allowEncDecrypt_archival == true) {
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/StorageKeyUnit.java b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
|
|
|
f8ded1 |
index 3e7f1de..1df30f6 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/StorageKeyUnit.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/StorageKeyUnit.java
|
|
|
f8ded1 |
@@ -133,7 +133,7 @@ public class StorageKeyUnit extends EncryptionUnit implements
|
|
|
f8ded1 |
throw new EBaseException(CMS.getUserMessage("CMS_INVALID_OPERATION"));
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- public WrappingParams getWrappingParams() throws Exception {
|
|
|
f8ded1 |
+ public WrappingParams getWrappingParams(boolean encrypt) throws Exception {
|
|
|
f8ded1 |
String choice = null;
|
|
|
f8ded1 |
try {
|
|
|
f8ded1 |
choice = mConfig.getString(PROP_WRAPPING_CHOICE);
|
|
|
f8ded1 |
@@ -177,6 +177,16 @@ public class StorageKeyUnit extends EncryptionUnit implements
|
|
|
f8ded1 |
KeyRecordParser.OUT_PL_WRAP_IV_LEN);
|
|
|
f8ded1 |
if (iv != null) params.setPayloadWrappingIV(new IVParameterSpec(iv));
|
|
|
f8ded1 |
|
|
|
f8ded1 |
+ if (encrypt) {
|
|
|
f8ded1 |
+ // Some HSMs have not yet implemented AES-KW. Use AES-CBC-PAD instead
|
|
|
f8ded1 |
+ if (params.getPayloadWrapAlgorithm().equals(KeyWrapAlgorithm.AES_KEY_WRAP) ||
|
|
|
f8ded1 |
+ params.getPayloadWrapAlgorithm().equals(KeyWrapAlgorithm.AES_KEY_WRAP_PAD)) {
|
|
|
f8ded1 |
+ params.setPayloadWrapAlgorithm(KeyWrapAlgorithm.AES_CBC_PAD);
|
|
|
f8ded1 |
+ iv = CryptoUtil.getNonceData(16);
|
|
|
f8ded1 |
+ params.setPayloadWrappingIV(new IVParameterSpec(iv));
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
return params;
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
|
|
|
f8ded1 |
index c1830ec..bf350d5 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
|
|
|
f8ded1 |
@@ -29,6 +29,7 @@ import org.mozilla.jss.crypto.SymmetricKey;
|
|
|
f8ded1 |
|
|
|
f8ded1 |
import com.netscape.certsrv.apps.CMS;
|
|
|
f8ded1 |
import com.netscape.certsrv.base.EBaseException;
|
|
|
f8ded1 |
+import com.netscape.certsrv.base.IConfigStore;
|
|
|
f8ded1 |
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
|
|
|
f8ded1 |
import com.netscape.certsrv.dbs.keydb.IKeyRepository;
|
|
|
f8ded1 |
import com.netscape.certsrv.key.KeyRequestResource;
|
|
|
f8ded1 |
@@ -107,6 +108,9 @@ public class SymKeyGenService implements IService {
|
|
|
f8ded1 |
throw new EBaseException("Bad data in SymKeyGenService.serviceRequest");
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
+ IConfigStore configStore = CMS.getConfigStore();
|
|
|
f8ded1 |
+ boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false);
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
CryptoToken token = mStorageUnit.getToken();
|
|
|
f8ded1 |
KeyGenAlgorithm kgAlg = KeyRequestDAO.SYMKEY_GEN_ALGORITHMS.get(algorithm);
|
|
|
f8ded1 |
if (kgAlg == null) {
|
|
|
f8ded1 |
@@ -170,8 +174,7 @@ public class SymKeyGenService implements IService {
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
try {
|
|
|
f8ded1 |
- // TODO(alee) what happens if key wrap algorithm is not supported?
|
|
|
f8ded1 |
- params = mStorageUnit.getWrappingParams();
|
|
|
f8ded1 |
+ params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
|
|
|
f8ded1 |
privateSecurityData = mStorageUnit.wrap(sk, params);
|
|
|
f8ded1 |
} catch (Exception e) {
|
|
|
f8ded1 |
CMS.debug("Failed to generate security data to archive: " + e);
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
|
|
|
f8ded1 |
index 513c0b2..fc66e66 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
|
|
|
f8ded1 |
@@ -115,10 +115,6 @@ public class TransportKeyUnit extends EncryptionUnit implements
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- public WrappingParams getWrappingParams() {
|
|
|
f8ded1 |
- return getOldWrappingParams();
|
|
|
f8ded1 |
- }
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
public CryptoToken getInternalToken() {
|
|
|
f8ded1 |
try {
|
|
|
f8ded1 |
return CryptoManager.getInstance().getInternalKeyStorageToken();
|
|
|
f8ded1 |
--
|
|
|
f8ded1 |
1.8.3.1
|
|
|
f8ded1 |
|
|
|
f8ded1 |
|
|
|
f8ded1 |
From 00c17b3e2f81c9df12e1a89fc85dc2e3d4c3a2b1 Mon Sep 17 00:00:00 2001
|
|
|
f8ded1 |
From: Ade Lee <alee@redhat.com>
|
|
|
f8ded1 |
Date: Fri, 5 May 2017 21:30:15 -0400
|
|
|
f8ded1 |
Subject: [PATCH 09/10] Fix symmetic key retrieval in HSM
|
|
|
f8ded1 |
|
|
|
f8ded1 |
When using an HSM, AES KeyWrapping is not available and so
|
|
|
f8ded1 |
some different code paths were exercised. Fixing bugs in those
|
|
|
f8ded1 |
paths uncovered a case where we were calling unwrapSymmetric()
|
|
|
f8ded1 |
with bits and not bytes for the key length.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
This does not matter for 3DES, where JSS expects a length of 0,
|
|
|
f8ded1 |
but very much matters for AES. Fixing this - and the KeyClient
|
|
|
f8ded1 |
to actually use the returned wrapping algorithm to unwrap, allows
|
|
|
f8ded1 |
us now to return generated symmetric keys correctly.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Bugzilla BZ#1448521
|
|
|
f8ded1 |
Pagure: 2690
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Change-Id: I2c5c87e28f6f36798b16de238bbaa21da90e7890
|
|
|
f8ded1 |
---
|
|
|
f8ded1 |
base/common/src/com/netscape/certsrv/key/KeyClient.java | 4 ++--
|
|
|
f8ded1 |
base/kra/src/com/netscape/kra/EncryptionUnit.java | 2 +-
|
|
|
f8ded1 |
base/kra/src/com/netscape/kra/SecurityDataProcessor.java | 12 ++++++++++++
|
|
|
f8ded1 |
base/kra/src/com/netscape/kra/TransportKeyUnit.java | 4 ++--
|
|
|
f8ded1 |
base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 4 ++--
|
|
|
f8ded1 |
5 files changed, 19 insertions(+), 7 deletions(-)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java
|
|
|
f8ded1 |
index 2c99e1c..9a69372 100644
|
|
|
f8ded1 |
--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java
|
|
|
f8ded1 |
+++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java
|
|
|
f8ded1 |
@@ -429,7 +429,7 @@ public class KeyClient extends Client {
|
|
|
f8ded1 |
bytes = crypto.unwrapSymmetricKeyWithSessionKey(
|
|
|
f8ded1 |
data.getEncryptedData(),
|
|
|
f8ded1 |
sessionKey,
|
|
|
f8ded1 |
- wrapAlgorithm,
|
|
|
f8ded1 |
+ KeyWrapAlgorithm.fromString(data.getWrapAlgorithm()),
|
|
|
f8ded1 |
data.getNonceData(),
|
|
|
f8ded1 |
data.getAlgorithm(),
|
|
|
f8ded1 |
data.getSize());
|
|
|
f8ded1 |
@@ -446,7 +446,7 @@ public class KeyClient extends Client {
|
|
|
f8ded1 |
bytes = crypto.unwrapAsymmetricKeyWithSessionKey(
|
|
|
f8ded1 |
data.getEncryptedData(),
|
|
|
f8ded1 |
sessionKey,
|
|
|
f8ded1 |
- wrapAlgorithm,
|
|
|
f8ded1 |
+ KeyWrapAlgorithm.fromString(data.getWrapAlgorithm()),
|
|
|
f8ded1 |
data.getNonceData(),
|
|
|
f8ded1 |
pubKey);
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
|
|
|
f8ded1 |
index b460c9e..eb8a2f8 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
|
|
|
f8ded1 |
@@ -84,7 +84,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
|
|
|
f8ded1 |
return CryptoUtil.unwrap(
|
|
|
f8ded1 |
token,
|
|
|
f8ded1 |
params.getSkType(),
|
|
|
f8ded1 |
- 0,
|
|
|
f8ded1 |
+ params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength(),
|
|
|
f8ded1 |
usage, wrappingKey,
|
|
|
f8ded1 |
encSymmKey,
|
|
|
f8ded1 |
params.getSkWrapAlgorithm());
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
|
|
|
f8ded1 |
index 95d07c4..344f376 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
|
|
|
f8ded1 |
@@ -411,6 +411,18 @@ public class SecurityDataProcessor {
|
|
|
f8ded1 |
String payloadWrapName = (String) params.get(IRequest.SECURITY_DATA_PL_WRAPPING_NAME);
|
|
|
f8ded1 |
String transportKeyAlgo = transportUnit.getCertificate().getPublicKey().getAlgorithm();
|
|
|
f8ded1 |
|
|
|
f8ded1 |
+ if (allowEncDecrypt_recovery) {
|
|
|
f8ded1 |
+ if (payloadWrapName == null) {
|
|
|
f8ded1 |
+ // assume old client
|
|
|
f8ded1 |
+ payloadWrapName = "DES3/CBC/Pad";
|
|
|
f8ded1 |
+ } else if (payloadWrapName.equals("AES KeyWrap/Padding") ||
|
|
|
f8ded1 |
+ payloadWrapName.equals("AES KeyWrap")) {
|
|
|
f8ded1 |
+ // Some HSMs have not implemented AES-KW yet
|
|
|
f8ded1 |
+ // Make sure we select an algorithm that is supported.
|
|
|
f8ded1 |
+ payloadWrapName = "AES/CBC/PKCS5Padding";
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+ }
|
|
|
f8ded1 |
+
|
|
|
f8ded1 |
byte[] iv = null;
|
|
|
f8ded1 |
byte[] iv_wrap = null;
|
|
|
f8ded1 |
try {
|
|
|
f8ded1 |
diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
|
|
|
f8ded1 |
index fc66e66..d0ad8b3 100644
|
|
|
f8ded1 |
--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java
|
|
|
f8ded1 |
+++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
|
|
|
f8ded1 |
@@ -289,7 +289,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
|
|
|
f8ded1 |
SymmetricKey sk = CryptoUtil.unwrap(
|
|
|
f8ded1 |
token,
|
|
|
f8ded1 |
params.getSkType(),
|
|
|
f8ded1 |
- 0,
|
|
|
f8ded1 |
+ params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength(),
|
|
|
f8ded1 |
SymmetricKey.Usage.DECRYPT,
|
|
|
f8ded1 |
wrappingKey,
|
|
|
f8ded1 |
encSymmKey,
|
|
|
f8ded1 |
@@ -360,7 +360,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
|
|
|
f8ded1 |
SymmetricKey sk = CryptoUtil.unwrap(
|
|
|
f8ded1 |
token,
|
|
|
f8ded1 |
params.getSkType(),
|
|
|
f8ded1 |
- 0,
|
|
|
f8ded1 |
+ params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength(),
|
|
|
f8ded1 |
SymmetricKey.Usage.UNWRAP,
|
|
|
f8ded1 |
wrappingKey,
|
|
|
f8ded1 |
encSymmKey,
|
|
|
f8ded1 |
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
f8ded1 |
index d22856d..e529a0f 100644
|
|
|
f8ded1 |
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
f8ded1 |
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
f8ded1 |
@@ -2346,7 +2346,7 @@ public class CryptoUtil {
|
|
|
f8ded1 |
KeyWrapAlgorithm wrapAlgorithm, IVParameterSpec wrappingIV) throws Exception {
|
|
|
f8ded1 |
KeyWrapper wrapper = token.getKeyWrapper(wrapAlgorithm);
|
|
|
f8ded1 |
wrapper.initUnwrap(wrappingKey, wrappingIV);
|
|
|
f8ded1 |
- return wrapper.unwrapSymmetric(wrappedData, keyType, usage, strength);
|
|
|
f8ded1 |
+ return wrapper.unwrapSymmetric(wrappedData, keyType, usage, strength/8);
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
public static SymmetricKey unwrap(CryptoToken token, SymmetricKey.Type keyType,
|
|
|
f8ded1 |
@@ -2355,7 +2355,7 @@ public class CryptoUtil {
|
|
|
f8ded1 |
KeyWrapper keyWrapper = token.getKeyWrapper(wrapAlgorithm);
|
|
|
f8ded1 |
keyWrapper.initUnwrap(wrappingKey, null);
|
|
|
f8ded1 |
|
|
|
f8ded1 |
- return keyWrapper.unwrapSymmetric(wrappedData, keyType, usage, strength);
|
|
|
f8ded1 |
+ return keyWrapper.unwrapSymmetric(wrappedData, keyType, usage, strength/8);
|
|
|
f8ded1 |
}
|
|
|
f8ded1 |
|
|
|
f8ded1 |
public static PrivateKey unwrap(CryptoToken token, PublicKey pubKey, boolean temporary,
|
|
|
f8ded1 |
--
|
|
|
f8ded1 |
1.8.3.1
|
|
|
f8ded1 |
|
|
|
f8ded1 |
|
|
|
f8ded1 |
From c0bb0ee8e36a85673e30352a7205414b215196a5 Mon Sep 17 00:00:00 2001
|
|
|
f8ded1 |
From: Christian Heimes <cheimes@redhat.com>
|
|
|
f8ded1 |
Date: Mon, 8 May 2017 18:53:26 +0200
|
|
|
f8ded1 |
Subject: [PATCH 10/10] pkispawn: wait after final restart
|
|
|
f8ded1 |
|
|
|
f8ded1 |
The finalization scriptlet now waits after service has been restarted.
|
|
|
f8ded1 |
|
|
|
f8ded1 |
Change-Id: Id462728386b9d7e6b3364e1651ef6676115dd1de
|
|
|
f8ded1 |
Bugzilla: BZ#1446364
|
|
|
f8ded1 |
Pagure: 2644
|
|
|
f8ded1 |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
f8ded1 |
---
|
|
|
f8ded1 |
.travis/40-spawn-ca | 5 -----
|
|
|
f8ded1 |
.travis/50-spawn-kra | 5 -----
|
|
|
f8ded1 |
.../server/python/pki/server/deployment/scriptlets/finalization.py | 7 +++++++
|
|
|
f8ded1 |
3 files changed, 7 insertions(+), 10 deletions(-)
|
|
|
f8ded1 |
|
|
|
f8ded1 |
diff --git a/.travis/40-spawn-ca b/.travis/40-spawn-ca
|
|
|
f8ded1 |
index d6771db..d57e6b7 100755
|
|
|
f8ded1 |
--- a/.travis/40-spawn-ca
|
|
|
f8ded1 |
+++ b/.travis/40-spawn-ca
|
|
|
f8ded1 |
@@ -2,8 +2,3 @@
|
|
|
f8ded1 |
set -e
|
|
|
f8ded1 |
|
|
|
f8ded1 |
pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s CA
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
-echo "Waiting for port 8080"
|
|
|
f8ded1 |
-for i in {1..20}; do
|
|
|
f8ded1 |
- curl http://localhost:8080 && break || sleep 1
|
|
|
f8ded1 |
-done
|
|
|
f8ded1 |
diff --git a/.travis/50-spawn-kra b/.travis/50-spawn-kra
|
|
|
f8ded1 |
index 93f2f4c..f7e8fc1 100755
|
|
|
f8ded1 |
--- a/.travis/50-spawn-kra
|
|
|
f8ded1 |
+++ b/.travis/50-spawn-kra
|
|
|
f8ded1 |
@@ -2,8 +2,3 @@
|
|
|
f8ded1 |
set -e
|
|
|
f8ded1 |
|
|
|
f8ded1 |
pkispawn -vv -f ${BUILDDIR}/pki/.travis/pki.cfg -s KRA
|
|
|
f8ded1 |
-
|
|
|
f8ded1 |
-echo "Waiting for port 8080"
|
|
|
f8ded1 |
-for i in {1..20}; do
|
|
|
f8ded1 |
- curl http://localhost:8080 && break || sleep 1
|
|
|
f8ded1 |
-done
|
|
|
f8ded1 |
diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py
|
|
|
f8ded1 |
index 3dc7f66..941691c 100644
|
|
|
f8ded1 |
--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py
|
|
|
f8ded1 |
+++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py
|
|
|
f8ded1 |
@@ -57,6 +57,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
f8ded1 |
# Optionally, programmatically 'restart' the configured PKI instance
|
|
|
f8ded1 |
if config.str2bool(deployer.mdict['pki_restart_configured_instance']):
|
|
|
f8ded1 |
deployer.systemd.restart()
|
|
|
f8ded1 |
+ # wait for startup
|
|
|
f8ded1 |
+ status = deployer.instance.wait_for_startup(60)
|
|
|
f8ded1 |
+ if status is None:
|
|
|
f8ded1 |
+ config.pki_log.error(
|
|
|
f8ded1 |
+ "server failed to restart",
|
|
|
f8ded1 |
+ extra=config.PKI_INDENTATION_LEVEL_1)
|
|
|
f8ded1 |
+ raise RuntimeError("server failed to restart")
|
|
|
f8ded1 |
|
|
|
f8ded1 |
# Optionally, 'purge' the entire temporary client infrastructure
|
|
|
f8ded1 |
# including the client NSS security databases and password files
|
|
|
f8ded1 |
--
|
|
|
f8ded1 |
1.8.3.1
|
|
|
f8ded1 |
|