[Pki-devel] [PATCH] 0084..0086 Lightweight CA replication support
Fraser Tweedale
ftweedal at redhat.com
Tue May 3 02:59:09 UTC 2016
On Fri, Apr 22, 2016 at 07:50:06PM -0400, John Magne wrote:
> I took a look at the stuff alee asked for.
>
> CFU even took a quick look when I asked her a couple of questions.
> She was unsure of something (as was I) and she would like to be able
> to take a closer look next week. I will give my quick thoughts.
>
> 1. I agree that HSM support is not in the patch, seems fine to move that
> to a future ticket.
>
> Here is one thing I was kind of worried about:
> This is the code that imports the archive of the desired private key.
>
>
> ublic static PrivateKey importPKIArchiveOptions(
> + CryptoToken token, PrivateKey unwrappingKey,
> + PublicKey pubkey, byte[] data)
> + throws InvalidBERException, Exception {
> + ByteArrayInputStream in = new ByteArrayInputStream(data);
> + PKIArchiveOptions options = (PKIArchiveOptions)
> + (new PKIArchiveOptions.Template()).decode(in);
> + EncryptedKey encKey = options.getEncryptedKey();
> + EncryptedValue encVal = encKey.getEncryptedValue();
> + AlgorithmIdentifier algId = encVal.getSymmAlg();
> + BIT_STRING encSymKey = encVal.getEncSymmKey();
> + BIT_STRING encPrivKey = encVal.getEncValue();
>
> This the wrapper object that is build off of the caSigningUnit key gotten
> in the other patch, the RetrieverThread like this:
>
>
>
> PrivateKey unwrappingKey = hostCA.mSigningUnit.getPrivateKey();
>
>
>
> The code below works fine if said key is RSA. I talked over with CFU and she said there
> could be a chance this key is ECC for an ECC CA.
>
> We both think the rest of the code in this routine is fine, except for possibly that.
> She is also not even sure if JSS can support an ECC private key wrapper.
>
> She requests you guys give her a day or two to look at it.
>
> Except for the hsm issue, the code that calls this routine in the thread seems fine too.
>
> +
> + KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
> + wrapper.initUnwrap(unwrappingKey, null);
>
>
>
>
>
>
> + SymmetricKey sk = wrapper.unwrapSymmetric(
> + encSymKey.getBits(), SymmetricKey.Type.DES3, 0);
> +
> + ASN1Value v = algId.getParameters();
> + v = ((ANY) v).decodeWith(new OCTET_STRING.Template());
> + byte iv[] = ((OCTET_STRING) v).toByteArray();
> + IVParameterSpec ivps = new IVParameterSpec(iv);
> +
> + wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
> + wrapper.initUnwrap(sk, ivps);
> + PrivateKey.Type keyType = pubkey.getAlgorithm().equals("EC")
> + ? PrivateKey.Type.EC
> + : PrivateKey.Type.RSA;
> + return wrapper.unwrapPrivate(encPrivKey.getBits(), keyType, pubkey);
> + }
>
Pushed to master.
Christina, I know you were were/are very busy so thanks for spending
some time looking at these patches. If you have any other questions
or concerns let me know ASAP.
24992c089b9b5088f4481fda3d01a907565b5121 Lightweight CAs: authority schema changes
dc8c21cc9a68968a2b1db87f9b21cf3afbdb966a Add method CryptoUtil.importPKIArchiveOptions
e21aadd5e14dbcda73c20f20e67b1bcc8d5b5bfc Add ca-authority-key-export command
94ee373d053b34e534fbb61826e586693a38c934 Lightweight CAs: add key retrieval framework
a2a4117dbc7e489cbb1964d6ce5f95b786a03fde Lightweight CAs: add IPACustodiaKeyRetriever
Cheers,
Fraser
More information about the Pki-devel
mailing list