ladycfu committed Jan 10, 2013
1 parent 3765615 commit 93e6bfc
Showing 14 changed files with 927 additions and 500 deletions.
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caCMCUserCert.cfg
Expand Up @@ -31,7 +31,7 @@ policyset.cmcUserCertSet.2.default.params.startTime=0
policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
policyset.cmcUserCertSet.3.constraint.name=Key Constraint
policyset.cmcUserCertSet.3.constraint.params.keyType=-
policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
policyset.cmcUserCertSet.3.default.name=Key Default
policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
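Review bot: The widened `keyParameters` constraint in caCMCUserCert.cfg now admits the nistp256 and nistp521 curves but not nistp384, and the same list is repeated in the caFullCMCUserCert.cfg and caSimpleCMCUserCert.cfg sections of this commit. If the middle curve is left out on purpose (for example because the signing token in use does not support it), that deserves a one-line profile comment next to the constraint, e.g. `# EC curves accepted for the subject key; nistp384 intentionally not listed`, otherwise a later reader will assume it was forgotten and add it without checking. Note that the constraint still accepts 1024-bit RSA keys; the commit does not change that, but a reviewer tightening this list later should look at both ends of it.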
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
Expand Up @@ -29,7 +29,7 @@ policyset.cmcUserCertSet.2.default.params.range=180
policyset.cmcUserCertSet.2.default.params.startTime=0
policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
policyset.cmcUserCertSet.3.constraint.name=Key Constraint
policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
policyset.cmcUserCertSet.3.constraint.params.keyType=-
policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
policyset.cmcUserCertSet.3.default.name=Key Default
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caOtherCert.cfg
Expand Up @@ -76,7 +76,7 @@ policyset.otherCertSet.7.constraint.name=No Constraint
policyset.otherCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.otherCertSet.7.default.name=Extended Key Usage Extension Default
policyset.otherCertSet.7.default.params.exKeyUsageCritical=false
policyset.otherCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
policyset.otherCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.otherCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.otherCertSet.8.constraint.name=No Constraint
policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
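Review bot: The `exKeyUsageOIDs` change in caOtherCert.cfg adds id-kp-clientAuth (1.3.6.1.5.5.7.3.2) next to id-kp-serverAuth, so every certificate issued from this profile becomes usable for TLS client authentication as well as server authentication. That is a deliberate policy widening rather than a bug, but nothing on the page records why, and `exKeyUsageCritical` stays false, so relying parties that honour EKU gain a new accepted use while those that ignore it are unaffected. A comment above the line such as `# serverAuth + clientAuth: certs from this profile may also authenticate as TLS clients` would make the intent explicit for whoever audits the profile set later.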
2 changes: 1 addition & 1 deletion base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
Expand Up @@ -28,7 +28,7 @@ policyset.cmcUserCertSet.2.default.params.range=180
policyset.cmcUserCertSet.2.default.params.startTime=0
policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
policyset.cmcUserCertSet.3.constraint.name=Key Constraint
policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
policyset.cmcUserCertSet.3.constraint.params.keyType=-
policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
policyset.cmcUserCertSet.3.default.name=Key Default
66 changes: 59 additions & 7 deletions base/common/src/com/netscape/cms/authentication/CMCAuth.java
Expand Up @@ -35,6 +35,7 @@
import com.netscape.certsrv.logging.ILogger;

import com.netscape.cmsutil.util.*;
import netscape.security.util.DerValue;
import netscape.security.x509.*;

/* java sdk imports */
Expand Down Expand Up @@ -346,6 +347,10 @@ public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredent
String uid = "defUser";
if (checkSignerInfo) {
IAuthToken agentToken = verifySignerInfo(authToken,cmcFullReq);
if (agentToken == null) {
CMS.debug("CMCAuth: authenticate() agentToken null");
throw new EBaseException("CMCAuth: agent verifySignerInfo failure");
}
userid = agentToken.getInString("userid");
uid = agentToken.getInString("cn");
} else {
Expand Down Expand Up @@ -479,7 +484,7 @@ public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredent
TaggedRequest.Type type = taggedRequest.getType();

if (type.equals(TaggedRequest.PKCS10)) {
CMS.debug("CMCAuth: in PKCS10");
CMS.debug("CMCAuth: type is PKCS10");
TaggedCertificationRequest tcr =
taggedRequest.getTcr();
int p10Id = tcr.getBodyPartID().intValue();
Expand All @@ -494,9 +499,31 @@ public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredent
new ByteArrayOutputStream();

p10.encode(ostream);
boolean sigver = true;
boolean tokenSwitched = false;
CryptoManager cm = null;
CryptoToken signToken = null;
CryptoToken savedToken = null;
sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true);
try {
cm = CryptoManager.getInstance();
if (sigver == true) {
String tokenName =
CMS.getConfigStore().getString("ca.requestVerify.token", "internal");
savedToken = cm.getThreadToken();
if (tokenName.equals("internal")) {
signToken = cm.getInternalCryptoToken();
} else {
signToken = cm.getTokenByName(tokenName);
}
if (!savedToken.getName().equals(signToken.getName())) {
cm.setThreadToken(signToken);
tokenSwitched = true;
}
}

PKCS10 pkcs10 =
new PKCS10(ostream.toByteArray());
new PKCS10(ostream.toByteArray(), sigver);

// xxx do we need to do anything else?
X509CertInfo certInfo =
Expand Down Expand Up @@ -542,10 +569,14 @@ public IAuthToken authenticate(IAuthCredentials authCred) throws EMissingCredent

e.printStackTrace();
throw new EBaseException(e.toString());
} finally {
if ((sigver == true) && (tokenSwitched == true)){
cm.setThreadToken(savedToken);
}
}
} else if (type.equals(TaggedRequest.CRMF)) {

CMS.debug("CMCAuth: in CRMF");
CMS.debug("CMCAuth: type is CRMF");
try {
CertReqMsg crm =
taggedRequest.getCrm();
Expand Down Expand Up @@ -852,16 +883,26 @@ protected IAuthToken verifySignerInfo(AuthToken authToken,SignedData cmcFullReq)
CMS.debug("CMCAuth: verifying signature");
si.verify(digest, id);
} else {
CMS.debug("CMCAuth: found signing cert... verifying");
PublicKey signKey = cert.getPublicKey();
PrivateKey.Type keyType = null;
String alg = signKey.getAlgorithm();

PK11PubKey pubK = null;
if (alg.equals("RSA")) {
CMS.debug("CMCAuth: signing key alg=RSA");
keyType = PrivateKey.RSA;
pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey());
} else if (alg.equals("EC")) {
CMS.debug("CMCAuth: signing key alg=EC");
keyType = PrivateKey.EC;
byte publicKeyData[] = ((X509Key) signKey).getEncoded();
pubK = (PK11PubKey) PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData);
} else if (alg.equals("DSA")) {
CMS.debug("CMCAuth: signing key alg=DSA");
keyType = PrivateKey.DSA;
pubK = PK11PubKey.fromSPKI(/*keyType,*/ ((X509Key) signKey).getKey());
}
PK11PubKey pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey());

CMS.debug("CMCAuth: verifying signature with public key");
si.verify(digest, id, pubK);
Expand Down Expand Up @@ -890,9 +931,11 @@ protected IAuthToken verifySignerInfo(AuthToken authToken,SignedData cmcFullReq)
return tempToken;

}

// find from internaldb if it's ca. (ra does not have that.)
// find from internaldb usrgrp info

CMS.debug("CMCAuth: how to get here?");
if (cert == null) {
// find from certDB
si.verify(digest, id);
Expand All @@ -901,13 +944,21 @@ protected IAuthToken verifySignerInfo(AuthToken authToken,SignedData cmcFullReq)
PrivateKey.Type keyType = null;
String alg = signKey.getAlgorithm();

PK11PubKey pubK = null;
if (alg.equals("RSA")) {
CMS.debug("CMCAuth: signing key alg=RSA");
keyType = PrivateKey.RSA;
pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey());
} else if (alg.equals("EC")) {
CMS.debug("CMCAuth: signing key alg=EC");
keyType = PrivateKey.EC;
byte publicKeyData[] = ((X509Key) signKey).getEncoded();
pubK = (PK11PubKey) PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData);
} else if (alg.equals("DSA")) {
CMS.debug("CMCAuth: signing key alg=DSA");
keyType = PrivateKey.DSA;
} else {
pubK = PK11PubKey.fromSPKI(/*keyType,*/ ((X509Key) signKey).getKey());
}
PK11PubKey pubK = PK11PubKey.fromRaw(keyType, ((X509Key) signKey).getKey());

si.verify(digest, id, pubK);
}
Expand All @@ -919,7 +970,8 @@ protected IAuthToken verifySignerInfo(AuthToken authToken,SignedData cmcFullReq)
} catch (IOException e) {
CMS.debug("CMCAuth: " + e.toString());
} catch (Exception e) {
throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
CMS.debug("CMCAuth: " + e.toString());
throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")+":"+e.toString());
}
return (IAuthToken) null;

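Review bot: In verifySignerInfo the new `PK11PubKey pubK = null;` is only assigned inside the RSA, EC and DSA branches, so for any other key algorithm `si.verify(digest, id, pubK)` is reached with a null key instead of a deliberate rejection; the same chain is repeated in the later hunk of the method (the one ending at the second `si.verify(digest, id, pubK)`), which needs the same fix. A final branch `else { CMS.debug("CMCAuth: unsupported signing key alg=" + alg); throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL")); }` makes the rejection explicit and lands in the existing outer catch. The DSA branch also hands `((X509Key) signKey).getKey()` to `PK11PubKey.fromSPKI`, whereas the EC branch passes `getEncoded()`; if fromSPKI expects a full SubjectPublicKeyInfo, as the EC call suggests, the DSA argument looks mismatched and should be confirmed against the JSS API before this ships. Separately, the catch at the end of the method now appends `e.toString()` to the user-facing EInvalidCredentials message; since that text is returned to the requesting client, the exception detail is better left only in the `CMS.debug` line the commit already adds. The enclosing method starts outside the hunk.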
Expand Up @@ -613,23 +613,58 @@ public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo
IRequest req)
throws EProfileException {
TaggedRequest.Type type = tagreq.getType();
if (type == null) {
CMS.debug("EnrollProfile: fillTaggedRequest: TaggedRequest type == null");
throw new EProfileException(
CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST")+
"TaggedRequest type null");
}

if (type.equals(TaggedRequest.PKCS10)) {
CMS.debug("EnrollProfile: fillTaggedRequest: TaggedRequest type == pkcs10");
boolean sigver = true;
boolean tokenSwitched = false;
CryptoManager cm = null;
CryptoToken signToken = null;
CryptoToken savedToken = null;
try {
sigver = CMS.getConfigStore().getBoolean("ca.requestVerify.enabled", true);
cm = CryptoManager.getInstance();
if (sigver == true) {
String tokenName =
CMS.getConfigStore().getString("ca.requestVerify.token", "internal");
savedToken = cm.getThreadToken();
if (tokenName.equals("internal")) {
signToken = cm.getInternalCryptoToken();
} else {
signToken = cm.getTokenByName(tokenName);
}
if (!savedToken.getName().equals(signToken.getName())) {
cm.setThreadToken(signToken);
tokenSwitched = true;
}
}

TaggedCertificationRequest tcr = tagreq.getTcr();
CertificationRequest p10 = tcr.getCertificationRequest();
ByteArrayOutputStream ostream = new ByteArrayOutputStream();

p10.encode(ostream);
PKCS10 pkcs10 = new PKCS10(ostream.toByteArray());
PKCS10 pkcs10 = new PKCS10(ostream.toByteArray(), sigver);

req.setExtData("bodyPartId", tcr.getBodyPartID());
fillPKCS10(locale, pkcs10, info, req);
} catch (Exception e) {
CMS.debug("EnrollProfile: fillTaggedRequest " +
e.toString());
} finally {
if ((sigver == true) && (tokenSwitched == true)){
cm.setThreadToken(savedToken);
}
}

} else if (type.equals(TaggedRequest.CRMF)) {
CMS.debug("EnrollProfile: fillTaggedRequest: TaggedRequest type == crmf");
CertReqMsg crm = tagreq.getCrm();
SessionContext context = SessionContext.getContext();
Integer nums = (Integer)(context.get("numOfControls"));
Expand All @@ -651,6 +686,7 @@ public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo

fillCertReqMsg(locale, crm, info, req);
} else {
CMS.debug("EnrollProfile: fillTaggedRequest: unsupported type (not CRMF or PKCS10)");
throw new EProfileException(
CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));
}
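Review bot: With `sigver` now passed to `new PKCS10(ostream.toByteArray(), sigver)` in fillTaggedRequest, a CSR whose proof-of-possession signature does not verify will raise from that constructor, but the surrounding `catch (Exception e)` only emits a `CMS.debug` line and falls through, so the PKCS10 branch completes without throwing and without `fillPKCS10` having run, while the unsupported-type branch further down does throw EProfileException. Whether that catch predates the commit is not visible on this page, but the check it now swallows is new, so the rejection should propagate: replace the bare debug with `CMS.debug("EnrollProfile: fillTaggedRequest " + e.toString()); throw new EProfileException(CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"));`, keeping the exception text out of the user-facing message. The `ca.requestVerify.*` token-switching block is duplicated almost verbatim in CMCAuth.authenticate in this same commit, where the `getBoolean` read sits outside the try rather than inside it; a shared helper would keep the two copies in step. The enclosing method starts before this hunk and its remainder runs past it.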
Expand Up @@ -104,6 +104,7 @@ public void populate(IProfileContext ctx, IRequest request)
TaggedRequest msgs[] = mEnrollProfile.parseCMC(getLocale(request), cert_request);

if (msgs == null) {
CMS.debug("CMCCertReqInput: populate - parseCMC returns null TaggedRequest msgs");
return;
}
// This profile only handle the first request in CRMF
