On Fri, Apr 22, 2016 at 07:50:06PM -0400, John Magne wrote:
I took a look at the stuff alee asked for.
CFU even took a quick look when I asked her a couple of questions.
She was unsure of something (as was I) and she would like to be able
to take a closer look next week. I will give my quick thoughts.
1. I agree that HSM support is not in the patch, seems fine to move that
to a future ticket.
Here is one thing I was kind of worried about:
This is the code that imports the archive of the desired private key.
ublic static PrivateKey importPKIArchiveOptions(
+ CryptoToken token, PrivateKey unwrappingKey,
+ PublicKey pubkey, byte[] data)
+ throws InvalidBERException, Exception {
+ ByteArrayInputStream in = new ByteArrayInputStream(data);
+ PKIArchiveOptions options = (PKIArchiveOptions)
+ (new PKIArchiveOptions.Template()).decode(in);
+ EncryptedKey encKey = options.getEncryptedKey();
+ EncryptedValue encVal = encKey.getEncryptedValue();
+ AlgorithmIdentifier algId = encVal.getSymmAlg();
+ BIT_STRING encSymKey = encVal.getEncSymmKey();
+ BIT_STRING encPrivKey = encVal.getEncValue();
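Review bot: encVal is dereferenced at encVal.getSymmAlg() with no check that the decoded PKIArchiveOptions actually carried an EncryptedKey in the encryptedValue form. CRMF's EncryptedKey is a CHOICE that can also be envelopedData, so an archive in the other form would fail here with something less clear than an explicit error (a null dereference if getEncryptedValue() returns null for it). Suggest checking options and encKey for the expected alternative and throwing a descriptive exception otherwise. Separately, "throws InvalidBERException, Exception" is redundant because Exception already covers it; a narrower throws clause and a Javadoc stating what unwrappingKey and pubkey must be would help callers.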
This is the wrapper object that is built off of the caSigningUnit key gotten
in the other patch, the RetrieverThread like this:
PrivateKey unwrappingKey = hostCA.mSigningUnit.getPrivateKey();
The code below works fine if said key is RSA. I talked it over with CFU and she said there
could be a chance this key is ECC for an ECC CA.
We both think the rest of the code in this routine is fine, except for possibly that.
She is also not even sure if JSS can support an ECC private key wrapper.
She requests you guys give her a day or two to look at it.
Except for the HSM issue, the code that calls this routine in the thread seems fine too.
+
+ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
+ wrapper.initUnwrap(unwrappingKey, null);
+ SymmetricKey sk = wrapper.unwrapSymmetric(
+ encSymKey.getBits(), SymmetricKey.Type.DES3, 0);
+
+ ASN1Value v = algId.getParameters();
+ v = ((ANY) v).decodeWith(new OCTET_STRING.Template());
+ byte iv[] = ((OCTET_STRING) v).toByteArray();
+ IVParameterSpec ivps = new IVParameterSpec(iv);
+
+ wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
+ wrapper.initUnwrap(sk, ivps);
+ PrivateKey.Type keyType = pubkey.getAlgorithm().equals("EC")
+ ? PrivateKey.Type.EC
+ : PrivateKey.Type.RSA;
+ return wrapper.unwrapPrivate(encPrivKey.getBits(), keyType, pubkey);
+ }
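Review bot: the unwrap path hard-codes its algorithms. token.getKeyWrapper(KeyWrapAlgorithm.RSA) assumes unwrappingKey is RSA, and SymmetricKey.Type.DES3 with KeyWrapAlgorithm.DES3_CBC_PAD is used regardless of what algId says, since only algId.getParameters() is ever read. Suggest verifying that algId's OID is the DES3-CBC one before proceeding and rejecting anything else, and either selecting the key wrapper from the type of unwrappingKey or failing early with a clear message when it is not RSA (the ECC CA case raised above). The parameters are also cast to ANY and decoded as an OCTET STRING with no null check, so an archive that omits the IV would fail with a null dereference at decodeWith rather than a meaningful error.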
Pushed to master.
Christina, I know you were/are very busy so thanks for spending
some time looking at these patches. If you have any other questions
or concerns let me know ASAP.
24992c089b9b5088f4481fda3d01a907565b5121 Lightweight CAs: authority schema changes
dc8c21cc9a68968a2b1db87f9b21cf3afbdb966a Add method CryptoUtil.importPKIArchiveOptions
e21aadd5e14dbcda73c20f20e67b1bcc8d5b5bfc Add ca-authority-key-export command
94ee373d053b34e534fbb61826e586693a38c934 Lightweight CAs: add key retrieval framework
a2a4117dbc7e489cbb1964d6ce5f95b786a03fde Lightweight CAs: add IPACustodiaKeyRetriever
Cheers,
Fraser