On Fri, Apr 22, 2016 at 07:50:06PM -0400, John Magne wrote:
> I took a look at the stuff alee asked for.
> 
> CFU even took a quick look when I asked her a couple of questions.
> She was unsure of something (as was I) and she would like to be able
> to take a closer look next week. I will give my quick thoughts.
> 
> 1. I agree that HSM support is not in the patch, seems fine to move that
> to a future ticket.
> 
> Here is one thing I was kind of worried about:
> This is the code that imports the archive of the desired private key.
> 
> 
> ublic static PrivateKey importPKIArchiveOptions(
> +            CryptoToken token, PrivateKey unwrappingKey,
> +            PublicKey pubkey, byte[] data)
> +            throws InvalidBERException, Exception {
> +        ByteArrayInputStream in = new ByteArrayInputStream(data);
> +        PKIArchiveOptions options = (PKIArchiveOptions)
> +            (new PKIArchiveOptions.Template()).decode(in);
> +        EncryptedKey encKey = options.getEncryptedKey();
> +        EncryptedValue encVal = encKey.getEncryptedValue();
> +        AlgorithmIdentifier algId = encVal.getSymmAlg();
> +        BIT_STRING encSymKey = encVal.getEncSymmKey();
> +        BIT_STRING encPrivKey = encVal.getEncValue();
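
Review bot: in the decode block at the top of importPKIArchiveOptions, the values returned by options.getEncryptedKey(), encKey.getEncryptedValue(), encVal.getSymmAlg() and encVal.getEncSymmKey() are used further down without any check. CRMF defines EncryptedKey as a choice and marks symmAlg and encSymmKey as optional in EncryptedValue, so an archive that uses the other choice or omits those fields would fail with a NullPointerException rather than a clear rejection. Suggest validating each field right after decoding and throwing a descriptive exception. Also, `throws InvalidBERException, Exception` could be narrowed, since the broad Exception makes the specific one redundant.
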
> 
> This is the wrapper object that is built off of the caSigningUnit key gotten
> in the other patch, the RetrieverThread, like this:
> 
>  PrivateKey unwrappingKey = hostCA.mSigningUnit.getPrivateKey();
> 
> The code below works fine if said key is RSA. I talked it over with CFU and she
> said there could be a chance this key is ECC for an ECC CA.
> 
> We both think the rest of the code in this routine is fine, except for
> possibly that.
> She is also not even sure if JSS can support an ECC private key wrapper.
> 
> She requests you guys give her a day or two to look at it.
> 
> Except for the HSM issue, the code that calls this routine in the thread
> seems fine too.
> 
> +
> +        KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
> +        wrapper.initUnwrap(unwrappingKey, null);
> 
> +        SymmetricKey sk = wrapper.unwrapSymmetric(
> +            encSymKey.getBits(), SymmetricKey.Type.DES3, 0);
> +
> +        ASN1Value v = algId.getParameters();
> +        v = ((ANY) v).decodeWith(new OCTET_STRING.Template());
> +        byte iv[] = ((OCTET_STRING) v).toByteArray();
> +        IVParameterSpec ivps = new IVParameterSpec(iv);
> +
> +        wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD);
> +        wrapper.initUnwrap(sk, ivps);
> +        PrivateKey.Type keyType = pubkey.getAlgorithm().equals("EC")
> +            ? PrivateKey.Type.EC
> +            : PrivateKey.Type.RSA;
> +        return wrapper.unwrapPrivate(encPrivKey.getBits(), keyType, pubkey);
> +    }
>
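
Review bot: algId is read from the archive but only its parameters are used for the IV, while the unwrap calls fix the algorithms to KeyWrapAlgorithm.RSA, SymmetricKey.Type.DES3 and KeyWrapAlgorithm.DES3_CBC_PAD regardless of what the archive declares or what type unwrappingKey is. Suggest checking the OID in algId against the expected DES3-CBC OID, and checking that unwrappingKey is an RSA key, before calling initUnwrap, and throwing an explicit error otherwise, so an ECC signing key or a differently encrypted archive is rejected clearly instead of failing inside the token. The cast `((ANY) v)` also assumes the parameters are present; a null check on algId.getParameters() would cover an archive that omits the IV.
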
Pushed to master.

Christina, I know you were/are very busy so thanks for spending
some time looking at these patches.  If you have any other questions
or concerns let me know ASAP.

24992c089b9b5088f4481fda3d01a907565b5121 Lightweight CAs: authority schema changes
dc8c21cc9a68968a2b1db87f9b21cf3afbdb966a Add method CryptoUtil.importPKIArchiveOptions
e21aadd5e14dbcda73c20f20e67b1bcc8d5b5bfc Add ca-authority-key-export command
94ee373d053b34e534fbb61826e586693a38c934 Lightweight CAs: add key retrieval framework
a2a4117dbc7e489cbb1964d6ce5f95b786a03fde Lightweight CAs: add IPACustodiaKeyRetriever

Cheers,
Fraser

_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
